On April 18, 2016 4:26:24 AM PDT, "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
>On Mon, Apr 18, 2016 at 01:07:40PM +0200, Hubert Kario wrote:
>> On Monday 18 April 2016 02:46:19 H. Peter Anvin wrote:
>> > Another thing that really needs to be addressed, but is a separate
>> > issue: invalidating and reseeding the entropy pool after a snapshot
>> > event.
>>
>> definitely agreed
>>
>> though just reseeding would be sufficient - the goal is to make the
>> output unpredictable and unique between multiple machines starting from
>> the same snapshot, feeding enough random data to make the entropy pool
>> unique again is sufficient to achieve that
>
>If you're spawning multiple machines from the same base snapshot,
>the seeding of RNG is just one of many many things that need
>dealing with. eg new /etc/machine-id, new ssh host keys, changing
>MAC address of NICs with corresponding guest config file changes,
>many other application specific identifiers / keys intended to
>be unique per machine. As such, libvirt explicitly tries to
>prevent you spawning multiple machines from the same snapshot.
>
>That all said, Microsoft HyperV has defined a concept of a
>"Virtual Machine Generation ID" and specified various hypervisor
>operations which should result in this value changing[1]. For example
>restoring from a snapshot should always change the genid, as would
>restoring from backup, or cloned from another image, or failed over
>during disaster recovery.
>
>This vm genid is exposed to the guest via ACPI and there's a
>notification whenever it changes.
>
>There are patches for QEMU[2] to support this feature in a manner that
>is compatible with the hyperv spec, but they are sadly still not
>merged :-(
>
>So it would be possible for the Linux kernel to re-initialize its
>RNG after snapshot by hooking into the vm-genid ACPI notification.
>
>Regards,
>Daniel
>
>[1] https://lists.nongnu.org/archive/html/qemu-devel/2014-10/msg00489.html
>[2] https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05599.html

There are multiple machines, and there are snapshots restored.

-- 
Sent from my Android device with K-9 Mail. Please excuse brevity and formatting.

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
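The thread above describes the mechanism but not what a guest would actually do with it: watch the 128-bit VM Generation ID, and when it changes (snapshot restore, clone, backup restore, failover) mix new material into the kernel pool so that clones started from one snapshot stop sharing RNG state. The sketch below is an added example written for this page; it is not code from libvirt, QEMU, Hyper-V or the Linux kernel. Its assumptions are labelled: how the ID bytes are read from ACPI is platform specific and is left to the caller, `fresh_bytes` stands in for entropy the hypervisor supplies by other means (for example a virtio-rng device), and `RNDADDENTROPY` is the Linux ioctl on `/dev/random` declared in `<linux/random.h>`.

```python
"""Reseed the guest RNG when the VM Generation ID changes.

Added example, not libvirt/QEMU/kernel code.  Assumptions (labelled):
  * Reading the 128-bit ID from ACPI is platform specific; the watcher
    takes the raw bytes from the caller so the logic runs offline.
  * The hypervisor also hands the guest some fresh entropy (e.g. via a
    virtio-rng device); `fresh_bytes` stands in for that input.
  * RNDADDENTROPY is the Linux ioctl on /dev/random from <linux/random.h>.
"""
import hashlib
import os
import struct

GENID_LEN = 16               # the VM Generation ID is a 128-bit value
RNDADDENTROPY = 0x40085203   # _IOW('R', 0x03, int[2]) from <linux/random.h>


def genid_changed(prev, cur):
    """True when the current generation ID differs from the last one seen."""
    if not isinstance(cur, bytes) or len(cur) != GENID_LEN:
        raise ValueError("generation ID must be 16 raw bytes")
    return prev is not None and prev != cur


def derive_reseed_material(genid, fresh_bytes):
    """Mix the new genid with fresh entropy into 32 bytes of seed material.

    The genid only guarantees uniqueness between clones (each restore of
    the same snapshot yields a distinct ID); it is not secret, so it is
    never used as the sole seed.
    """
    h = hashlib.sha256()
    h.update(b"vmgenid-reseed-v1")   # domain separation label
    h.update(genid)
    h.update(fresh_bytes)
    return h.digest()


def build_rndaddentropy(material, entropy_bits):
    """Serialise struct rand_pool_info { int entropy_count; int buf_size; u32 buf[]; }."""
    if entropy_bits < 0 or entropy_bits > 8 * len(material):
        raise ValueError("cannot credit more entropy than bytes supplied")
    return struct.pack("ii", entropy_bits, len(material)) + material


def parse_rndaddentropy(pkt):
    """Inverse of build_rndaddentropy, handy for inspecting what is injected."""
    entropy_bits, size = struct.unpack("ii", pkt[:8])
    return entropy_bits, pkt[8:8 + size]


class VmGenIdWatcher:
    """Tracks the last generation ID and decides when a reseed is needed."""

    def __init__(self):
        self.last = None
        self.reseeds = 0

    def observe(self, cur_genid, fresh_bytes=b""):
        """Return seed material if the ID changed since the last call, else None."""
        if self.last is None:          # first observation: record the baseline
            self.last = cur_genid
            return None
        if not genid_changed(self.last, cur_genid):
            return None
        self.last = cur_genid
        self.reseeds += 1
        return derive_reseed_material(cur_genid, fresh_bytes)


def reseed_kernel(material, credit_bits=0, dev="/dev/random"):
    """Mix material into the kernel pool. Needs Linux and CAP_SYS_ADMIN.

    credit_bits defaults to 0: the genid is public, so by default the input
    only stirs the pool without raising the entropy estimate; credit only
    the bits you genuinely trust from the fresh input.
    """
    if not os.path.exists(dev):
        return False
    import fcntl
    with open(dev, "wb") as f:
        fcntl.ioctl(f, RNDADDENTROPY, build_rndaddentropy(material, credit_bits))
    return True


if __name__ == "__main__":
    # Constructed sample: one guest before and after a snapshot restore.
    boot_id = bytes(range(16))
    restored_id = bytes(reversed(range(16)))
    w = VmGenIdWatcher()
    assert w.observe(boot_id) is None            # baseline, nothing to do
    assert w.observe(boot_id) is None            # unchanged, nothing to do
    material = w.observe(restored_id, fresh_bytes=os.urandom(32))
    print("genid changed, reseed material:", material.hex())
```

The decision logic is the part worth keeping: a reseed is triggered only by a change of the ID, the ID itself is mixed in rather than credited as entropy, and whatever the hypervisor actually supplies as fresh randomness is what earns credit. Calling `reseed_kernel` requires root on a Linux guest; the rest runs anywhere.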