search

kata-containers / runtime

Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
https://katacontainers.io/
Apache License 2.0
2.1k stars 374 forks source link

entropy level is very low when using nemu #987

Closed chavafg closed 5 years ago

chavafg commented 5 years ago

We have a test requires that a container has an entropy level of at least 1000, but when launching a container with nemu, the level is very low:

$ sudo docker run -ti --runtime=kata-runtime busybox sh -c "cat /proc/sys/kernel/random/entropy_avail"
18

Here is the qemu command line used in both cases:

nemu:

root     16051 15996 28 13:42 ?        00:00:04 /usr/local/bin/qemu-system-x86_64_virt -name sandbox-e87790a522bceece54cf5fcef4f662572164cf31038fb1f7cafa5dc6a28819a7 -uuid 5915607f-6d46-4f1e-a726-5ba7f4698713 -machine virt,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp unix:/run/vc/vm/e87790a522bceece54cf5fcef4f662572164cf31038fb1f7cafa5dc6a28819a7/qmp.sock,server,nowait -m 2048M,slots=10,maxmem=17065M -device pcie-pci-bridge,bus=pcie.0,id=pcie-bridge-0,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/e87790a522bceece54cf5fcef4f662572164cf31038fb1f7cafa5dc6a28819a7/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-image_clearlinux_1.4.0_agent_0ff30063f7e.img,size=536870912 -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=/run/vc/vm/e87790a522bceece54cf5fcef4f662572164cf31038fb1f7cafa5dc6a28819a7/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/e87790a522bceece54cf5fcef4f662572164cf31038fb1f7cafa5dc6a28819a7,security_model=none -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile= -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -kernel /usr/share/kata-containers/vmlinuz-4.14.67.18-141.container -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=4 init=/usr/lib/systemd/systemd systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket agent.log=debug -bios /usr/share/nemu/firmware/OVMF.fd -smp 1,cores=1,threads=1,sockets=1,maxcpus=4

qemu:

root     16547 16495 31 13:44 ?        00:00:02 /usr/bin/qemu-system-x86_64 -name sandbox-8716653f19dcace4eea56323d4353b8ac49933baab8281beb76c25d6ed1c26b4 -uuid ae93951d-d1c8-4dee-b576-a1d96a1d7926 -machine pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp unix:/run/vc/vm/8716653f19dcace4eea56323d4353b8ac49933baab8281beb76c25d6ed1c26b4/qmp.sock,server,nowait -m 2048M,slots=10,maxmem=17065M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/8716653f19dcace4eea56323d4353b8ac49933baab8281beb76c25d6ed1c26b4/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-image_clearlinux_1.4.0_agent_0ff30063f7e.img,size=536870912 -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=/run/vc/vm/8716653f19dcace4eea56323d4353b8ac49933baab8281beb76c25d6ed1c26b4/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/8716653f19dcace4eea56323d4353b8ac49933baab8281beb76c25d6ed1c26b4,security_model=none -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile= -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -kernel /usr/share/kata-containers/vmlinuz-4.14.67.18-141.container -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=4 init=/usr/lib/systemd/systemd systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket agent.log=debug -smp 1,cores=1,threads=1,sockets=1,maxcpus=4
sboeuf commented 5 years ago

/cc @rbradford @sameo any idea about the entropy difference between virt and pc?

sboeuf commented 5 years ago

Fixed by https://github.com/intel/nemu/pull/208