Cloud-init needs entropy to generate host SSH keys upon first boot of a fresh instance (both virtual and bare metal). For right now (OpenStack staging), we should probably just allow access to Ubuntu's public entropy service. But for future use, we might be interested in hosting our own. Either way this probably needs a secreview.
I see a potential issue with creating the secure connection to obtain the entropy, since the TLS connection itself requires local entropy to work. This is probably one of the risks to accept, depending on how the service works. As per discussion during the Relops meeting, I've added a 45-minute slot (only 30 minutes are planned to be used) for an RRA on Friday, 1 August.
For some background here: I'd like to look at hosting our own entropy service within releng/relops. Particularly, the software Pollen and Pollinate, which is currently used by Ubuntu to seed the Linux RNG of VMs (and bare metal) on startup via cloud-init. This would only affect our current OpenStack test environment and only Ubuntu 14.04 (and could be backported to 12.04 and maybe other non-Ubuntu distributions). In our case, it might be beneficial to build and host a service that can be used by any future releng/relops projects that need a secure source of entropy.
Client: https://launchpad.net/pollinate
Server: https://launchpad.net/pollen
Great blog post about it: http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html
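Added illustration (not part of this bug's comments, and not pollen or pollinate code) of the exchange the two comments above describe: the client sends a challenge derived from local randomness, the server answers with proof that it saw that challenge plus a fresh seed, and the client folds the seed into its own local randomness before stirring the result into the kernel pool without crediting entropy. The message layout (hex SHA-512 challenge; reply of hex SHA-512 of the challenge, newline, hex SHA-512 seed) and all function names are assumptions made for this example, not pollen's actual wire format. It also shows why the comment about TLS is a bootstrap cost the mixing step cannot recover: the mix protects against a bad seed, not against entropy already spent on the handshake.

```python
"""
Toy model of a pollen/pollinate style entropy exchange.

Illustration only; not pollen or pollinate code. The message layout
(challenge = hex SHA-512 of 64 local random bytes; reply = hex SHA-512 of
the challenge, newline, hex SHA-512 seed, newline) is assumed for this
example and is not a description of pollen's real protocol.
"""
import hashlib
import os
import re
from typing import Optional, Tuple

HEX_SHA512 = re.compile(r"^[0-9a-f]{128}$")


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# ---- client side ---------------------------------------------------------

def client_challenge(local_random: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Draw local randomness and derive the challenge sent to the server.

    The raw local bytes never leave the machine; only their hash does.
    local_random may be supplied for testing (constructed input).
    """
    if local_random is None:
        local_random = os.urandom(64)
    if len(local_random) < 64:
        raise ValueError("need at least 64 bytes of local randomness")
    return local_random, sha512_hex(local_random)


# ---- server side ---------------------------------------------------------

def server_respond(challenge: str, server_random: Optional[bytes] = None) -> str:
    """Answer a challenge with proof of freshness plus a seed.

    Line 1 binds the reply to this particular challenge, so a cached or
    replayed reply from an earlier session is detectable by the client.
    Line 2 is the seed, hashed so raw server RNG output is never exposed.
    """
    if not HEX_SHA512.match(challenge):
        raise ValueError("malformed challenge")
    if server_random is None:
        server_random = os.urandom(64)
    return f"{sha512_hex(challenge.encode())}\n{sha512_hex(server_random)}\n"


# ---- client side, on receipt --------------------------------------------

def client_mix(local_random: bytes, challenge: str, response: str) -> bytes:
    """Verify the reply and fold the seed into local randomness.

    Hashing local_random together with the server seed means the result is
    unpredictable to anyone who does not know both inputs: a server that
    returns a fixed or attacker-chosen seed cannot push the entropy below
    what the client already had, and a client with poor local entropy still
    gains the server's contribution. It cannot recover the entropy the TLS
    handshake consumed before this reply arrived; that is the accepted risk.
    """
    lines = response.split("\n")
    if len(lines) != 3 or lines[2] != "":
        raise ValueError("malformed response")
    checksum, seed = lines[0], lines[1]
    if checksum != sha512_hex(challenge.encode()):
        raise ValueError("response does not match our challenge (replay or wrong server)")
    if not HEX_SHA512.match(seed):
        raise ValueError("malformed seed")
    return hashlib.sha512(local_random + bytes.fromhex(seed)).digest()


def feed_kernel_pool(mixed: bytes, device: str = "/dev/urandom") -> bool:
    """Stir mixed bytes into the kernel pool without crediting entropy.

    Writing to /dev/urandom mixes the bytes in but does not raise the
    kernel's entropy estimate, so an untrustworthy seed cannot unblock
    /dev/random prematurely. Returns False rather than raising when the
    device is absent or not writable (non-Linux hosts, restricted sandboxes).
    """
    try:
        with open(device, "wb") as fh:
            fh.write(mixed)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    local, chal = client_challenge()
    reply = server_respond(chal)          # would arrive over TLS in practice
    mixed = client_mix(local, chal, reply)
    print("mixed seed:", mixed.hex())
    print("fed to kernel pool:", feed_kernel_pool(mixed))
```

Run it as root or as any user on a stock Linux box (/dev/urandom is normally world-writable); elsewhere feed_kernel_pool simply reports False. The check on line 1 of the reply is what turns a static "download some bytes" endpoint into something a client can refuse when it is served a stale or replayed answer.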
WONTFIX since OpenStack has been sidelined. We will reevaluate this in the future.