provide openstack cloud-init with an entropy service

Status: RESOLVED WONTFIX
Infrastructure & Operations :: RelOps

(Reporter: dividehex, Assigned: dividehex)

Description (dividehex, 3 years ago)
Cloud-init needs entropy to generate host ssh keys upon first boot of a fresh instance (both virtual and baremetal).

For right now (OpenStack staging), we should probably just allow access to Ubuntu's public entropy service. But for future use, we might be interested in hosting our own. Either way this probably needs a secreview.
I see a potential issue with creating the secure connection to obtain the entropy, since the TLS connection itself requires local entropy to work. This is probably one of the risks to accept depending on how the service works.

As per discussion during the RelOps meeting I've added a 45 min slot (only 30 are planned to be used) for an RRA on Friday, 1 August.

Comment 2 (dividehex, 3 years ago)
For some background here:
I'd like to look at hosting our own entropy service within releng/relops. Particularly, the software Pollen and Pollinate, which is used currently by Ubuntu to seed the Linux RNG of VMs (and baremetal) on startup via cloud-init.
This would only affect our current OpenStack test environment and only Ubuntu 14.04 (and could be backported to 12.04 and maybe other non-Ubuntu dists). In our case, it might be beneficial to build and host a service that can be used by any future releng/relops projects that need a secure source of entropy.

Client: https://launchpad.net/pollinate
Server: https://launchpad.net/pollen

Great blog post about it: http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html
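As an added illustration (not code from this bug or from the Pollen/Pollinate projects) of the seeding flow comment 2 describes: the client hashes local random bytes into a challenge, the server answers with a proof over that challenge plus a seed, and the client mixes the seed into the kernel pool. The reply layout and minimum seed size are assumptions stated in the comments; the HTTPS transport is replaced by a constructed local stand-in so the flow runs offline.

```python
import hashlib
import os
from typing import Optional

# Hypothetical pollinate-style client. The wire format assumed here:
# challenge = hex SHA-512 of 64 local random bytes; reply line 1 = hex
# SHA-512 of that challenge string, reply line 2 = hex-encoded seed.
# Check the real pollinate source before relying on this layout.


def make_challenge(local_random: Optional[bytes] = None) -> str:
    """Hash locally generated bytes; only the hash, not the bytes, goes on the wire."""
    if local_random is None:
        local_random = os.urandom(64)
    return hashlib.sha512(local_random).hexdigest()


def verify_reply(challenge: str, body: str) -> bytes:
    """Check the server proved it saw our challenge, then return the seed bytes."""
    lines = body.strip().splitlines()
    if len(lines) != 2:
        raise ValueError("unexpected reply layout")
    proof, seed_hex = lines
    if proof != hashlib.sha512(challenge.encode()).hexdigest():
        raise ValueError("challenge response mismatch")
    seed = bytes.fromhex(seed_hex)
    if len(seed) < 64:  # assumed minimum; refuse a reply that carries little material
        raise ValueError("seed too short")
    return seed


def mix_into_pool(seed: bytes, path: str = "/dev/urandom") -> int:
    """Write the seed into the kernel pool and return the byte count written.
    A plain write mixes the bytes in but does not credit entropy (crediting
    needs the RNDADDENTROPY ioctl as root), so on its own this does not
    unblock a starved /dev/random on a fresh instance."""
    with open(path, "wb") as fh:
        return fh.write(seed)


def fake_pollen_reply(challenge: str) -> str:
    """Constructed stand-in for the HTTPS server so the exchange runs offline."""
    proof = hashlib.sha512(challenge.encode()).hexdigest()
    return proof + "\n" + os.urandom(64).hex() + "\n"


if __name__ == "__main__":
    c = make_challenge()
    seed = verify_reply(c, fake_pollen_reply(c))
    print(mix_into_pool(seed), "seed bytes mixed into the kernel pool")
```

The description's caveat still applies: the TLS handshake that would fetch the real reply already consumes local randomness on a fresh instance, which is exactly what the service is meant to supply.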
Comment 3 (dividehex, 3 years ago)
WONTFIX since OpenStack has been sidelined. We will reevaluate this in the future.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX