From: Christian Pointner Date: Fri, 8 Jun 2018 19:24:50 +0000 (+0200) Subject: Merge pull request #18 from realraum/rng X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=4c46c36430f77d8dae880e898e405d52cf6d60df;hp=967929ca1cff85deb09a3c83352489854fcc5cb1;p=noc.git Merge pull request #18 from realraum/rng Provide entropy on the virtualization platforms
---
diff --git a/ansible/host_playbooks/testvm.yml b/ansible/host_playbooks/testvm.yml
index 261bb7e..58a4868 100644
--- a/ansible/host_playbooks/testvm.yml
+++ b/ansible/host_playbooks/testvm.yml
@@ -5,3 +5,4 @@
 - role: base
 - role: vm/grub
 - role: vm/network
+ - role: vm/guest
diff --git a/ansible/roles/vm/guest/defaults/main.yml b/ansible/roles/vm/guest/defaults/main.yml
new file mode 100644
index 0000000..b4deefa
--- /dev/null
+++ b/ansible/roles/vm/guest/defaults/main.yml
@@ -0,0 +1,3 @@
+rngd_config:
+ HRNGDEVICE: /dev/hwrng
+ RNGDOPTIONS: '"-s 256 -W 80%"'
diff --git a/ansible/roles/vm/guest/handlers/main.yml b/ansible/roles/vm/guest/handlers/main.yml
new file mode 100644
index 0000000..5b57f3b
--- /dev/null
+++ b/ansible/roles/vm/guest/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart rngd
+ service:
+ name: rng-tools
+ state: restarted
diff --git a/ansible/roles/vm/guest/tasks/main.yml b/ansible/roles/vm/guest/tasks/main.yml
new file mode 100644
index 0000000..780a276
--- /dev/null
+++ b/ansible/roles/vm/guest/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: Install rngd
+ apt:
+ name: rng-tools
+ state: present
+
+- name: Configure rngd [1/2]
+ lineinfile:
+ path: /etc/default/rng-tools
+ line: '{{ item.key }}={{ item.value }}'
+ regexp: '^#?{{ item.key }}={{ item.value }}'
+ with_dict: '{{ rngd_config }}'
+ loop_control:
+ label: "{{ item.key }}"
+ notify: restart rngd
+
+- name: Configure rngd [2/2]
+ lineinfile:
+ path: /etc/default/rng-tools
+ regexp: '^{{ item.key }}=(?!{{ item.value }})'
+ state: absent
+ with_dict: '{{ rngd_config }}'
+ loop_control:
+ label: "{{ item.key }}"
+ notify: restart rngd
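Review bot: The new `defaults/main.yml` hard-codes `HRNGDEVICE: /dev/hwrng` with no comment on where that device comes from or why `RNGDOPTIONS` carries a second pair of quotes. The device presumably comes from the virtio RNG device that the same commit adds to the libvirt domain template, so a guest defined before that change would get rng-tools installed with nothing to read from. A comment above the mapping such as `# /dev/hwrng is the virtio-rng device from the libvirt domain template; older guests need it added first` would record that dependency. A second comment should say that the inner double quotes are literal, because the tasks write the value verbatim into /etc/default/rng-tools.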
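Review bot: Both `Configure rngd` tasks in `tasks/main.yml` interpolate `item.value` into `regexp` unescaped, so the value is treated as a pattern rather than as literal text. The two defaults in this commit contain no regex metacharacters, but an override of `rngd_config` whose value contains `.`, `+`, `(` or `$` can make [1/2] miss the line it wrote and [2/2] delete it, which would report a change and restart rngd on every run. Escaping the value keeps the pair idempotent: `regexp: '^#?{{ item.key }}={{ item.value | regex_escape }}'` in [1/2] and `regexp: '^{{ item.key }}=(?!{{ item.value | regex_escape }})'` in [2/2]. Neither pattern is anchored at the end of the line, so a line whose value merely starts with the wanted value is also treated as already correct.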
diff --git a/ansible/roles/vm/host/handlers/main.yml b/ansible/roles/vm/host/handlers/main.yml
index 158f4dc..f6b5f80 100644
--- a/ansible/roles/vm/host/handlers/main.yml
+++ b/ansible/roles/vm/host/handlers/main.yml
@@ -3,3 +3,8 @@
 service:
 name: openbsd-inetd
 state: restarted
+
+- name: restart haveged
+ service:
+ name: haveged
+ state: restarted
diff --git a/ansible/roles/vm/host/tasks/main.yml b/ansible/roles/vm/host/tasks/main.yml
index 248f855..a7b018c 100644
--- a/ansible/roles/vm/host/tasks/main.yml
+++ b/ansible/roles/vm/host/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: install tftpd and python-libvirt
+- name: install dependencies
 apt:
 name:
 - atftpd
@@ -7,8 +7,16 @@
 - qemu-kvm
 - libvirt-bin
 - python-libvirt
+ - haveged
 state: present
+- name: configure haveged
+ lineinfile:
+ regexp: "^#?DAEMON_ARGS"
+ line: 'DAEMON_ARGS="-w 3072"'
+ path: /etc/default/haveged
+ notify: restart haveged
+
 - name: configure tftpd via inetd
 lineinfile:
 regexp: "^#?({{ vm_host.network.ip }}:)?tftp"
diff --git a/ansible/roles/vm/install/templates/libvirt-domain.xml.j2 b/ansible/roles/vm/install/templates/libvirt-domain.xml.j2
index 2bf4b57..c8a2d95 100644
--- a/ansible/roles/vm/install/templates/libvirt-domain.xml.j2
+++ b/ansible/roles/vm/install/templates/libvirt-domain.xml.j2
@@ -28,6 +28,12 @@ {% endif %} /usr/bin/kvm + + + + + /dev/urandom + {% if 'virtio' in hostvars[vmname].vm_install_cooked.disks %} {% for device, lv in hostvars[vmname].vm_install_cooked.disks.virtio.items() %}
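Review bot: The `configure haveged` task in the second hunk of `vm/host/tasks/main.yml` hard-codes `DAEMON_ARGS="-w 3072"` with no comment or variable explaining the threshold, and its `regexp` replaces the whole existing `DAEMON_ARGS` line, so any flags set there by the package or an operator are dropped. The guest side keeps its settings in role defaults (`rngd_config`), so a host-side default would be consistent and let a host override the value. As far as the template hunk shows, guests are fed from the host's `/dev/urandom`, so this daemon sits behind every guest's entropy. A comment such as `# -w: keep the host pool above 3072 bits; guests draw from it via virtio-rng` would record that. The tftpd task that closes the hunk continues outside it.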