KVM supports the VirtIO random number generator (RNG), a paravirtualized device that is exposed to the guest as a hardware RNG device. On the host, it can be backed by a real hardware RNG device or, if no hardware RNG is available, by the host’s /dev/random.
IBM Power servers come equipped with a hardware RNG, and I’ll show you how to use it with OpenStack instances running on PowerKVM.
Three things need to be done to use the hardware RNG with OpenStack:
1. Make necessary changes to Nova configuration on the compute node having the hardware RNG device.
2. Make necessary changes to Glance image to be used for the instances.
3. Make necessary changes to Nova flavor configuration.
1. Nova configuration changes in the compute node
The following are the nova.conf changes for the PowerKVM compute node:
/etc/nova/nova.conf:
# A path to a device that will be used as source of entropy on
# the host. Permitted options are: /dev/random or /dev/hwrng
# (string value)
rng_dev_path=/dev/hwrng
2. Glance image changes
For the virtio-rng device to be added to a KVM instance, the hw_rng_model=virtio property must be set in the Glance image metadata:
# glance image-update --property hw_rng_model=virtio 40c5c497-2d39-472f-8ecb-8c72423abe56
# glance show 40c5c497-2d39-472f-8ecb-8c72423abe56
URI: http://172.21.19.85:9292/v1/images/40c5c497-2d39-472f-8ecb-8c72423abe56
Id: 40c5c497-2d39-472f-8ecb-8c72423abe56
Public: Yes
Protected: No
Name: rhel-cloud
Status: active
Size: 1240596480
Disk format: qcow2
Container format: bare
Minimum Ram Required (MB): 0
Minimum Disk Required (GB): 0
Owner: ece648b685c94cc689e9be4c6e5b84bc
Property 'architecture': ppc64
Property 'hw_rng_model': virtio
Created at: 2014-11-05T07:26:44
Updated at: 2014-11-05T10:33:03
3. Nova flavor changes
The cloud administrator will have the option to limit or disable the use of this device by setting the following flavor attributes:
extra_specs:
hw_rng:allowed=True – Allow virtio-rng to be added to instances.
hw_rng:rate_bytes – The allowed amount of bytes for the guest to read from the host’s entropy per period.
hw_rng:rate_period – Sets the duration of a read period in seconds.
Check the existing flavors:
# nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
| 6  | hadoop    | 61440     | 50   | 0         |      | 6     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
Enable use of the hardware random number generator for a specific flavor:
# nova flavor-key 2 set hw_rng:allowed=True
4. Booting an Instance
Now let us boot an instance with the flavor and the appropriate image.
# nova boot --flavor 2 --image 40c5c497-2d39-472f-8ecb-8c72423abe56 --nic net-id=43b6c73b-f977-49ac-ad71-a7af6b2f05e6 --availability-zone <availability-zone-name> rhel-cloud-vm
5. Validation
Let us check the instance definition on the compute node to see whether the hardware RNG was added.
First, log in to the compute node and get the instance ID:
# virsh list
 Id    Name                           State
----------------------------------------------------
 25    instance-00000028              running
 26    instance-00000026              running
 27    instance-00000025              running
 28    instance-00000024              running
 30    instance-0000002c              running
Check the XML definition of the instance to see whether the hardware RNG was added:
# virsh dumpxml 30
[snip]
    <rng model='virtio'>
      <backend model='random'>/dev/hwrng</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </rng>
[snip]
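The same check can be scripted for every instance on a compute node. The following Python script is an added example, not part of the original post: it parses virsh dumpxml output and reports a missing virtio-rng device, a backend other than the rng_dev_path set in nova.conf, or an RNG device with no rate limit. The function name audit_rng, the sample XML and the choice to treat a missing rate limit as a finding are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed domain XML modeled on the <rng> element in the dump above, but
# backed by /dev/random. libvirt expresses a read limit as
# <rate bytes='..' period='..'/>, with the period in milliseconds.
SAMPLE_XML = """<domain type='kvm'>
  <name>instance-0000002c</name>
  <devices>
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
      <alias name='rng0'/>
    </rng>
  </devices>
</domain>"""


def audit_rng(domain_xml, expected_backend="/dev/hwrng"):
    """Return findings for one domain; an empty list means every check passed."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="unnamed")
    rngs = root.findall("./devices/rng")
    if not rngs:
        return [f"{name}: no rng device (check hw_rng_model and hw_rng:allowed)"]
    findings = []
    for rng in rngs:
        if rng.get("model") != "virtio":
            findings.append(f"{name}: rng model is {rng.get('model')!r}, not 'virtio'")
        backend = rng.find("backend")
        path = (backend.text or "").strip() if backend is not None else ""
        if backend is None or backend.get("model") != "random":
            findings.append(f"{name}: backend is not a host device node")
        elif path != expected_backend:
            findings.append(f"{name}: backend is {path or 'unset'}, expected {expected_backend}")
        rate = rng.find("rate")
        if rate is None:
            findings.append(f"{name}: no rate limit (hw_rng:rate_bytes not set)")
        elif int(rate.get("bytes", "0")) <= 0:
            findings.append(f"{name}: rate limit has no positive byte count")
    return findings


if __name__ == "__main__":
    # Usage: virsh dumpxml <domain> | python3 audit_rng.py
    xml_text = SAMPLE_XML if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_rng(xml_text) or ["rng configuration OK"]:
        print(finding)
```

Run against the dump shown above, it reports only the missing rate limit, because that flavor sets hw_rng:allowed but neither hw_rng:rate_bytes nor hw_rng:rate_period.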
Log in to the instance and check whether virtio-rng is available as a source of entropy:
# cat /sys/devices/virtual/misc/hw_random/rng_available
pseries-rng virtio
Additionally, you can check which hwrng device the kernel is currently using:
# cat /sys/devices/virtual/misc/hw_random/rng_current
pseries-rng