On Fri, 28 Feb 2014, Sumit Bose wrote:
> Hi,
>
> I just tried to install FreeIPA on a fresh F20 VM and
> 'ipa-server-install --setup-dns' failed to start FreeIPA finally after
> everything was configured.
>
> The reason was that starting named timed out because
> generate-rndc-key.sh was basically blocking because there was no entropy
> for /dev/random left to generate a proper key. I wonder if it would make
> sense to call generate-rndc-key.sh during ipa-server-install if
> --setup-dns is given to avoid this.
Let the administrators solve this problem for their VMs. QEMU already
provides RNG virtualization, which allows you to push entropy from the
host system, where you can use hardware generators such as those in new
Intel systems.

For example, I'm using the following hook in oVirt to provide entropy for
my virtual machines:

$ cat /usr/libexec/vdsm/hooks/before_vm_start/99_hwrng
#!/usr/bin/python

import sys
import traceback

import hooking

try:
    domxml = hooking.read_domxml()

    devices = domxml.getElementsByTagName('devices')[0]

    # Add a virtio-rng device to the libvirt domain XML
    hwrng = domxml.createElement('rng')
    hwrng.setAttribute('model', 'virtio')

    # Rate limit: at most 8192 bytes per 8192 ms (about 1 KB/s)
    rate = domxml.createElement('rate')
    rate.setAttribute('period', '8192')
    rate.setAttribute('bytes', '8192')
    hwrng.appendChild(rate)

    # Host-side source: a non-blocking character device; no path is
    # given here, so the hypervisor default is used
    backend = domxml.createElement('backend')
    backend.setAttribute('model', 'random')
    hwrng.appendChild(backend)

    devices.appendChild(hwrng)

    hooking.write_domxml(domxml)
except Exception:
    sys.stderr.write('rng: [unexpected error]: %s\n' %
                     traceback.format_exc())
    sys.exit(2)

See http://wiki.qemu-project.org/Features/VirtIORNG and
http://libvirt.org/formatdomain.html#elementsRng

--
/ Alexander Bokovoy
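As an added example (not part of the thread above and not vdsm or libvirt code), the script below does the same XML edit with the standard library only, then verifies the result: it appends a rate-limited virtio-rng device to a constructed minimal domain XML, refuses to add a second one if the hook is re-run, reports the effective byte rate of every <rng> device it finds, and checks the two guest-side files an administrator would look at to confirm the device is actually feeding the guest's entropy pool. The sample domain XML, the explicit /dev/urandom backend path (the hook leaves the path to the hypervisor default) and the entropy threshold of 1000 bits are assumptions made for this example.

```python
"""Add and verify a virtio-rng device in a libvirt domain XML.

Added example, not vdsm or libvirt code. Uses only the standard library
and a constructed domain XML, so it runs without the vdsm 'hooking'
module. The idempotency check and the explicit host path are additions
of this example, not behaviour of the hook quoted above.
"""
import xml.etree.ElementTree as ET

# Constructed minimal domain XML: one virtio disk and no <rng> device.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>ipa-f20</name>
  <memory unit='KiB'>2097152</memory>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/ipa-f20.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""


def add_virtio_rng(domain_xml, period_ms=8192, rate_bytes=8192,
                   host_path="/dev/urandom"):
    """Return domain XML with a rate-limited virtio-rng device in <devices>.

    Idempotent: if a virtio <rng> is already present the XML is returned
    unchanged, so re-running a hook does not stack several RNG devices.
    """
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is None:
        raise ValueError("domain XML has no <devices> element")
    for rng in devices.findall("rng"):
        if rng.get("model") == "virtio":
            return ET.tostring(root, encoding="unicode")
    rng = ET.SubElement(devices, "rng", model="virtio")
    # <rate bytes='N' period='M'/>: the guest may read at most N bytes
    # per M milliseconds from this device.
    ET.SubElement(rng, "rate", period=str(period_ms), bytes=str(rate_bytes))
    # <backend model='random'>PATH</backend>: host character device that
    # supplies the bytes; set explicitly here instead of relying on the
    # hypervisor default (assumption of this example).
    backend = ET.SubElement(rng, "backend", model="random")
    backend.text = host_path
    return ET.tostring(root, encoding="unicode")


def describe_rng(domain_xml):
    """Return one dict per <rng> device, with the rate converted to bytes/s."""
    root = ET.fromstring(domain_xml)
    found = []
    for rng in root.iter("rng"):
        rate = rng.find("rate")
        backend = rng.find("backend")
        entry = {
            "model": rng.get("model"),
            "backend_model": backend.get("model") if backend is not None else None,
            "host_path": (backend.text or "").strip() if backend is not None else None,
            "bytes_per_second": None,
        }
        if rate is not None:
            period_ms = int(rate.get("period"))
            nbytes = int(rate.get("bytes"))
            entry["bytes_per_second"] = nbytes * 1000.0 / period_ms
        found.append(entry)
    return found


def guest_rng_ok(rng_current, entropy_avail, minimum_bits=1000):
    """Guest-side check on file contents read from
    /sys/class/misc/hw_random/rng_current and
    /proc/sys/kernel/random/entropy_avail.

    True when the virtio device is the active hwrng and the pool holds at
    least minimum_bits (threshold is an assumption of this example).
    """
    return (rng_current.strip().startswith("virtio")
            and int(entropy_avail.strip()) >= minimum_bits)


if __name__ == "__main__":
    patched = add_virtio_rng(SAMPLE_DOMAIN_XML)
    print(patched)
    for dev in describe_rng(patched):
        print(dev)
    # Constructed guest readings: virtio_rng active, 3071 bits available.
    print("guest ok:", guest_rng_ok("virtio_rng.0\n", "3071\n"))
```

With the hook's numbers (8192 bytes per 8192 ms) the device delivers about 1000 bytes/s to the guest, which is plenty for rndc key generation but low enough that one guest cannot drain the host. Inside the guest, rng_current naming virtio_rng confirms the kernel is using the device; if it shows another source or entropy_avail stays low, the rngd/kernel side in the guest still needs attention.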

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
