fix(reseed): unique machine-id per clone + entropy hygiene#8

Merged
CMGS merged 2 commits into main from fix/reseed-machine-id-uniqueness on Jul 4, 2026
Conversation

CMGS commented Jul 3, 2026

Problem

The reseed verb exists so byte-identical snapshot clones don't share CRNG state — but the machine-id half was self-defeating. systemd-machine-id-setup in a VM derives the id from the SMBIOS product_uuid, which a snapshot clone inherits verbatim, and cocoon assigns no per-clone SMBIOS UUID. So every clone regenerated the same machine-id. The random path only fired when the tool failed, not when it succeeded with a shared DMI id.

Fix

  • Always write a fresh random machine-id; drop the DMI-derived systemd-machine-id-setup path entirely. randomMachineID extracted as a pure, tested function (uniqueness is the whole point).
  • Write the new id first, then best-effort drop the stale D-Bus copy — removes the empty-/etc/machine-id window a failing drop step used to leave (found by review).
  • Zero the single-use host entropy (req.Data + the ioctl buffer) after the mix.
  • Note the agent's 512-byte entropy cap on client.Reseed.

Verification

GOWORK=off build/test/-race (agent+client) green; lint 0 issues on linux/darwin/windows; fmt-check clean. New TestRandomMachineID asserts canonical format + uniqueness.

Reviewed by an adversarial Opus pass (two should-fix + two nits, all addressed). No backward-compat kept per owner direction.

CMGS added 2 commits July 4, 2026 03:03
systemd-machine-id-setup derives the machine-id from the SMBIOS
product_uuid in a VM, which a snapshot clone inherits verbatim — so
every clone regenerated the SAME id, silently defeating the reseed
verb's whole purpose (cocoon assigns no per-clone SMBIOS UUID). Always
write a fresh random id instead and drop the DMI-derived path. Writing
the new id first also removes the empty-machine-id window a failing
drop-dbus step used to leave. Zero the single-use host entropy after
the mix, and note the agent's 512-byte cap on the client.

A surviving /var/lib/dbus/machine-id keeps serving the old id to dbus
consumers after a clone; a drop failure is a real uniqueness gap, so
surface it at Warn instead of Debug.
CMGS merged commit 036836f into main Jul 4, 2026
2 checks passed
