qemu: Add rng virtio device

[jcvenegas]

Kata Containers does not provide good entropy. Enable a paravirtual rng device to provide a random number generator source.

Depens on: kata-containers/govmm#45

Fixes: #445

[jodh-intel]

lgtm

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 5m 25s

[katacontainersbot]

PSS Measurement:
Qemu: 165775 KB
Proxy: 4085 KB
Shim: 8761 KB

Memory inside container:
Total Memory: 2043464 KB
Free Memory: 2003728 KB

[devimc]

I wonder if this works with vm templating
cc @bergwolf

[WeiZhang555]

Retrigger CI now...

[bergwolf]

Does it require a new version of QEMU? I'm getting this error
docker: Error response from daemon: OCI runtime create failed: qemu-system-x86_64-v2.11.1-template: Property '.static-prt' not found: unknown
w/ or w/o vm templating.

[jodh-intel]

@bergwolf - looks like you are using a "special build" of qemu? fwics, you have to use qemu-lite or qemu-vanilla for this feature.

[bergwolf]

@jodh-intel I was using self-built qemu-lite. I guess I was missing some qemu feature configs. I'll retry with kata's qemu-lite package.

[jodh-intel]

@bergwolf - ack. OOI did you build using https://github.com/kata-containers/packaging/blob/master/scripts/configure-hypervisor.sh?

[jodh-intel]

@bergwolf - see #445 (comment).

[bergwolf]

@jodh-intel I was using q35 not pc yet still hit the problem described in #445 (comment). So qemu-lite breaks virtio rng device?

[jodh-intel]

On an Ubuntu 18.04 test box, this PR:

• works with qemu-lite.
• works with qemu-vanilla.
• fails with the same error you got using the Ubuntu-packaged version of qemu (qemu-system-x86 version 1:2.11+dfsg-1ubuntu7.4).

[jcvenegas]

@bergwolf @jodh-intel yes qemu-lite breaks virtio-rng, meanwhile is fixed, I added created this PR:
kata-containers/qemu#3

[opendev-zuul]

Build succeeded (third-party-check pipeline).

• kata-runsh : SUCCESS in 56m 42s

[opendev-zuul]

Build succeeded (third-party-check pipeline).

• kata-runsh : SUCCESS in 55m 59s

[sboeuf]

@jcvenegas why do you define nostatic_prt as a default option for pc machine type? I thought you said this was only introduced by the very specific qemu-lite branch of qemu. What if we use a vanilla qemu?
I just want to make sure we won't get an error from a vanilla Qemu because we're using a non defined flag by default here.

[jcvenegas]

@sboeuf agree, now that qemu-lite branch static_prt is false by default that would not be an issue, I removed the commit, now I need to debug why is failing the CI. I see my PR working locally. And it used to work the first day I created the PR.

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 8m 50s

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@8f5fec8). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master     #676   +/-   ##
=========================================
  Coverage          ?   64.97%           
=========================================
  Files             ?       85           
  Lines             ?    10925           
  Branches          ?        0           
=========================================
  Hits              ?     7098           
  Misses            ?     3133           
  Partials          ?      694

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 8m 32s

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 9m 47s

[jcvenegas]

update, the PR is failing randomly due to sometimes the boot times take about 30 seconds in the CI machines.

[    0.354048] ACPI: PCI Interrupt Link [LNKB] enabled at IRQ 11
[    0.354752] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[    0.389049] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    0.441705] console [hvc0] enabled
[   29.446221] brd: module loaded
[   29.448989] loop: module loaded
[   29.450840]  pmem0: p1
[   29.451326] pmem0: detected capacity change from 0 to 536870912
[   29.461476] scsi host0: Virtio SCSI HBA
[   29.532665] random: fast init done
[   29.546490] tun: Universal TUN/TAP device driver, 1.6
[   29.585697] ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver - version 5.1.0-k
[   29.586723] ixgbe: Copyright (c) 1999-2016 Intel Corporation.
[   29.588834] ixgbevf: Intel(R) 10 Gigabit PCI Express Virtual Function Network Driver - version 4.1.0-k

I took a look to the kernel logs and I see the logs jump from [ 0.441705] console [hvc0] enabled
to [ 29.446221] brd: module loaded .

@liujing2 any hint why it is taking so long, the CI are VMs so this is nested virtualization.

[katacontainersbot]

PSS Measurement:
Qemu: 167799 KB
Proxy: 4179 KB
Shim: 8751 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2003688 KB

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 9m 15s

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 11m 12s

[katacontainersbot]

PSS Measurement:
Qemu: 169661 KB
Proxy: 4139 KB
Shim: 8853 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2003556 KB

[jcvenegas]

@jodh-intel @bergwolf @sboeuf kata-containers/govmm#45 is ready to merge, needed to update vendor here.

[sboeuf]

@jcvenegas kata-containers/govmm#45 has been merged, please revendor accordingly :)

[katacontainersbot]

PSS Measurement:
Qemu: 156013 KB
Proxy: 4031 KB
Shim: 8793 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2003628 KB

[jcvenegas]

@sboeuf updated, note that I am not adding a way to restrict the entropy bandwidth of the host, I wonder if this is something is supported via cgroups (for example if runc support it ). In case this is not possible to do it with cgroups, a possible option is to add it as part of our configuration.toml, this could a nice feature to allow administrators restrict the amount of entropy at node level.

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 9m 46s

[sboeuf]

@jcvenegas one comment, but looks fine otherwise!

[sboeuf]

Maybe you could define a const or var at the top of this file to avoid hardcoding this directly from the code. WDYT?

[jcvenegas]

updated, lets wait for the CI again. After that should be ready do merge.

[katacontainersbot]

PSS Measurement:
Qemu: 172014 KB
Proxy: 4100 KB
Shim: 8832 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2002448 KB

[opendev-zuul]

Build failed (third-party-check pipeline) integration testing with
OpenStack. For information on how to proceed, see
http://docs.openstack.org/infra/manual/developers.html#automated-testing

• kata-runsh : RETRY_LIMIT in 10m 03s

[jodh-intel]

Restarted F27 CI (which fell over due to the problem fixed by #710)...