Virtio-rng passthrough by default? (and security of the RAW section)

Hello, ONe developers,

after several years of using ONe, I still have a problem that some of my users stumble upon getting sufficient entropy in their VMs. It has been previously discussed here, 4 years ago:

Is this still the recommended solution for this problem? I have discovered that in the meantime, some of the parameters which were previously settable only in the RAW = section of the template got their own sections in Sunstone (CPU host-passthrough model, APIC, etc.). It would be nice to have virtio-rng added there, preferably with a fixed source /dev/urandom, or settable on a host-by-host basis, not selected by an unprivileged Sunstone user. Maybe even enable virtio-rng by default, so that it would not be necessary to set it up inside each template.

Speaking about the RAW section - I think it is a huge, wide-open security hole - as a starter, I was able to add /etc/passwd as a virtio-rng source instead of /dev/urandom, so I think every qemu-readable file on the host can be made accessible inside the guest by an unprivileged ONe user, qemu can be made to connect to an arbitrary IP address using the console section, etc. As such, I would like to be able to disable it for ordinary users.

Thanks,

-Yenya

Hello @Yenya,

Regarding the virtio-rng, maybe you can open a GitHub ticket (https://github.com/OpenNebula/one/issues/new/choose) so the team can take this request into account when defining the roadmap.

About the security issue with the RAW section, this attribute is defined by default as a restricted attribute in oned.conf, which means that non-admin users are not allowed to modify it. Please check that you have the following line uncommented in your oned.conf:

VM_RESTRICTED_ATTR = "RAW"

If not, please add the line and restart the OpenNebula service.
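
The check described in the reply above, as an added example that is not part of the thread or of OpenNebula's own code: it reports whether an oned.conf-style file has an active (uncommented) `VM_RESTRICTED_ATTR = "RAW"` line. The function names and the sample files are constructed for illustration; point `audit_oned_conf` at your real oned.conf path.

```shell
#!/bin/sh
# Added example (not OpenNebula code): audit an oned.conf-style file for an
# active VM_RESTRICTED_ATTR = "RAW" line. Function names are hypothetical.

# Print the value of every uncommented VM_RESTRICTED_ATTR line, one per line.
# Lines starting with '#' do not match, so a commented-out entry is ignored.
restricted_attrs() {
    sed -n -E \
      's/^[[:space:]]*VM_RESTRICTED_ATTR[[:space:]]*=[[:space:]]*"([^"]*)".*$/\1/p' \
      "$1"
}

# Succeed only if one of the active values is exactly RAW.
raw_is_restricted() {
    restricted_attrs "$1" | grep -qx 'RAW'
}

# Print a one-line verdict for the given file.
audit_oned_conf() {
    if raw_is_restricted "$1"; then
        echo "OK: RAW is restricted in $1"
    else
        echo "WARNING: RAW is not restricted in $1;" \
             "add VM_RESTRICTED_ATTR = \"RAW\" and restart OpenNebula"
    fi
}

# Constructed sample configs, so the example runs without a real oned.conf.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'VM_RESTRICTED_ATTR = "CONTEXT/FILES"' \
              '#VM_RESTRICTED_ATTR = "RAW"' > "$sample_dir/commented.conf"
printf '%s\n' 'VM_RESTRICTED_ATTR = "CONTEXT/FILES"' \
              '  VM_RESTRICTED_ATTR = "RAW"' > "$sample_dir/active.conf"

audit_oned_conf "$sample_dir/commented.conf"
audit_oned_conf "$sample_dir/active.conf"
```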