Bug 1044175
Opened 10 years ago
Closed 10 years ago
provide openstack cloud-init with an entropy service
Categories
(Infrastructure & Operations :: RelOps: General, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: dividehex, Assigned: dividehex)
Cloud-init needs entropy to generate host SSH keys upon first boot of a fresh instance (both virtual and baremetal). For right now (openstack staging), we should probably just allow access to Ubuntu's public entropy service. But for future use, we might be interested in hosting our own. Either way, this probably needs a secreview.
I see a potential issue with creating the secure connection to obtain the entropy, since the TLS connection itself requires local entropy to work. This is probably one of the risks to accept depending on how the service works. As per discussion during the Relops meeting, I've added a 45min slot (only 30 are planned to be used) for an RRA on Friday, 1 August.
Comment 2 • 10 years ago (Assignee)
For some background here: I'd like to look at hosting our own entropy service within releng/relops. Particularly, the software Pollen and Pollinate, which is currently used by Ubuntu to seed the Linux RNG of VMs (and baremetal) on startup via cloud-init. This would only affect our current openstack test environment and only Ubuntu 14.04 (and could be backported to 12.04 and maybe other non-Ubuntu dists). In our case, it might be beneficial to build and host a service that can be used by any future releng/relops projects that need a secure source of entropy.
Client: https://launchpad.net/pollinate
Server: https://launchpad.net/pollen
Great blog post about it: http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html
Comment 3 • 10 years ago (Assignee)
Wontfix since openstack has been sidelined. We will reevaluate this in the future.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX