Closed Bug 1044175 Opened 10 years ago Closed 10 years ago

provide openstack cloud-init with an entropy service

Categories

(Infrastructure & Operations :: RelOps: General, task)

x86_64
Windows 7
task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dividehex, Assigned: dividehex)

Cloud-init needs entropy to generate host SSH keys upon first boot of a fresh instance (both virtual and bare metal).

For right now (OpenStack staging), we should probably just allow access to Ubuntu's public entropy service. But for future use, we might be interested in hosting our own. Either way, this probably needs a secreview.

I see a potential issue with creating the secure connection to obtain the entropy, since the TLS connection itself requires local entropy to work. This is probably one of the risks to accept, depending on how the service works.

As per discussion during the RelOps meeting, I've added 45 min (only 30 are planned to be used) for an RRA on Friday, 1 August.

For some background here:
I'd like to look at hosting our own entropy service within releng/relops. Particularly, the software Pollen and Pollinate, which is currently used by Ubuntu to seed the Linux RNG of VMs (and bare metal) on startup via cloud-init.
This would only affect our current OpenStack test environment and only Ubuntu 14.04 (and could be backported to 12.04 and maybe other non-Ubuntu dists). In our case, it might be beneficial to build and host a service that can be used by any future releng/relops projects that need a secure source of entropy.

Client: https://launchpad.net/pollinate
Server: https://launchpad.net/pollen

Great blog post about it: http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html

Wontfix since OpenStack has been sidelined. We will reevaluate this in the future.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX