From owner-freebsd-current@FreeBSD.ORG Tue Apr 13 16:28:45 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E85316A4CE for ; Tue, 13 Apr 2004 16:28:45 -0700 (PDT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FECE43D53 for ; Tue, 13 Apr 2004 16:28:45 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (IDENT:brdavis@localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.12.10/8.12.3) with ESMTP id i3DNSHkS023477; Tue, 13 Apr 2004 16:28:18 -0700 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.12.10/8.12.3/Submit) id i3DNSHgW023475; Tue, 13 Apr 2004 16:28:17 -0700 Date: Tue, 13 Apr 2004 16:28:16 -0700 From: Brooks Davis To: Charles Swiger Message-ID: <20040413232816.GB25818@Odin.AC.HMC.Edu> References: <200404131550.i3DFocIn099231@grimreaper.grondar.org> <428207C0-8D7B-11D8-B697-003065ABFD92@mac.com> <20040413191058.GF20550@Odin.AC.HMC.Edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tjCHc7DPkfUGtrlw" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.4i X-Virus-Scanned: by amavisd-milter (http://amavis.org/) on odin.ac.hmc.edu cc: freebsd-current@freebsd.org Subject: Re: dev/random X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2004 23:28:45 -0000 --tjCHc7DPkfUGtrlw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Mark and I are discussing some modifications to the rc files to improve the situation, hopefully we'll have something basic ready to go in the next 24-hrs or so. On Tue, Apr 13, 2004 at 05:02:07PM -0400, Charles Swiger wrote: > On Apr 13, 2004, at 3:10 PM, Brooks Davis wrote: > >On Tue, Apr 13, 2004 at 02:49:14PM -0400, Charles Swiger wrote: > >>Why not set $entropy_dir in rc.conf and kickstart /dev/random using > >>much higher quality entropy available when the machine was shutdown > >>last? > > > >You don't get to assume the existance of rc.conf until after > >initdiskless runs. >=20 > And Mark Murray referred me to diskless workstations as well. OK. >=20 > From what I remember, one used BOOTP and TFTPD to provide a standalone=20 > executable (for an X11 terminal, say) or a kernel, and the latter would= =20 > then perform an NFS mount to obtain a root filesystem and an init=20 > program to run, which would then call the RC mechanism to mount more=20 > filesystems and do whatever else is needed to boot the system. We are also working to better support ro-root systems which adds another complication. Recent commits to initdiskless by luigi and phk have made improvements here. > [ By the way, I did not find documentation in rc.8 which mentions=20 > initdiskless as a special case, but perhaps it might be worth referring= =20 > to diskless.8 from the former manpage. ] >=20 > Anyway, if /etc/rc.d/initdiskless is available, you've got a root=20 > filesystem to read from, so can't one nudge the diskless client's=20 > /dev/random using entropy from a file stored on it? You can use a file At this point, but what file should you use? You almost certaintly don't have a /var and there's a good change / isn't writable at all and starting all your hosts with the same entropy is definatly a bad idea. You also may not have anything in /etc other then what is provided by make distribution. > Or perhaps the /usr/share/examples/diskless/clone_root script could=20 > call mknod to create a clone of the server's /dev/random device under=20 > the diskless root directory, to provide different "real" entropy for=20 > each diskless client? I'm not sure what you're getting at here. /dev is devfs even in single user so mknod isn't applicable. It's not optional. In any case, clone_root is totally inappropriate to many diskless setups so I never use it and I'm pretty sure the CF people don't either. There are lots of ways to make a configuration that uses initdiskless. I'd hate to make clone_roots too magic. > Both of these suggestions are made under the assumption that one can't=20 > simply make /dev/random readable without being nudged, and one cannot=20 > utilize rcNG dependencies to start /etc/rc.d/random properly (ie,=20 > before something want to use /dev/random) for the reason that Brooks=20 > mentioned above. :-) To be clear, the problem is not that you can't open /dev/random for read, it's that read() blocks until sufficent entropy arrives. It's worth noting that the quality of entropy needed in initdiskless is pretty minimal. rand() would actually be fine here other then the fact that use of rand should not be encouraged. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --tjCHc7DPkfUGtrlw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFAfHePXY6L6fI4GtQRAglcAKDjiAcfQlTSi18qI9rRt7DrWIToowCfalii uV0OoQ7/KPLRKWJseDKB0ls= =KRnI -----END PGP SIGNATURE----- --tjCHc7DPkfUGtrlw--