<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 7/11/2018 1:20 AM, Luke Hinds wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKrSGQRKcinp0F+cW1UHFeva11L_4fzowKKqqxz0C_5FmhHRqg@mail.gmail.com">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 10, 2018 at 9:08 PM, Jim
Rollenhagen <span dir="ltr">&lt;<a
href="mailto:jim@jimrollenhagen.com" target="_blank"
moz-do-not-send="true">jim@jimrollenhagen.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span class="gmail-">On Tue,
Jul 10, 2018 at 3:28 PM, Martin Chlumsky <span
dir="ltr">&lt;<a
href="mailto:martin.chlumsky@gmail.com"
target="_blank" moz-do-not-send="true">martin.chlumsky@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">It is the workaround that is
right and the discussion part that is wrong.
<div><br>
I am familiar with this bug. Using thin
volumes <u>and/or</u> enabling zero padding
DOES ensure data contained<span>
<div>in a volume is actually deleted.</div>
</span></div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>Great, that's super helpful. Thanks!</div>
<div><br>
</div>
<div>Is there someone (Luke?) on the list that can
send a correction for this OSSN to all the lists
it needs to go to?</div>
<span class="gmail-HOEnZb"><font color="#888888">
<div><br>
</div>
<div>// jim</div>
</font></span></div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>It can, but I would want to be sure we get an agreed
consensus. The note has already gone through a review
cycle where a cinder core approved the contents:<br>
<br>
<a href="https://review.openstack.org/#/c/579094/"
moz-do-not-send="true">https://review.openstack.org/#/c/579094/</a><br>
<br>
</div>
<div>If someone wants to put forward a patch with the needed
amendments, I can send out a correction to the lists.<br>
<br>
</div>
</div>
</div>
</div>
</blockquote>
All,<br>
<br>
I have forwarded this note on to Helen Walsh at Dell EMC (Walsh,
Helen <a class="moz-txt-link-rfc2396E" href="mailto:Helen.Walsh@dell.com">&lt;Helen.Walsh@dell.com&gt;</a>) as they do not monitor the
mailing list as closely. Hopefully we can get her engaged to ensure
we get the right update out there.<br>
<br>
Thanks!<br>
<br>
<blockquote type="cite"
cite="mid:CAKrSGQRKcinp0F+cW1UHFeva11L_4fzowKKqqxz0C_5FmhHRqg@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>
<div class="gmail-h5">
<div> </div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div
class="gmail-m_-7507044785861391530HOEnZb">
<div class="gmail-m_-7507044785861391530h5"><br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Jul 10, 2018 at
10:41 AM Jim Rollenhagen &lt;<a
href="mailto:jim@jimrollenhagen.com"
target="_blank"
moz-do-not-send="true">jim@jimrollenhagen.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Tue,
Jul 10, 2018 at 4:20 AM, Luke
Hinds <span dir="ltr">&lt;<a
href="mailto:lhinds@redhat.com"
target="_blank"
moz-do-not-send="true">lhinds@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Data
retained after deletion of a
ScaleIO volume<br>
---<br>
<br>
### Summary ###<br>
Certain storage volume
configurations allow newly
created volumes to<br>
contain previous data. This
could lead to leakage of
sensitive<br>
information between tenants.<br>
<br>
### Affected Services /
Software ###<br>
Cinder releases up to and
including Queens with ScaleIO
volumes<br>
using thin volumes and zero
padding.<br>
</blockquote>
<div><br>
</div>
</div>
</div>
</div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>According to discussion in
the bug, this bug occurs with
ScaleIO volumes using thick
volumes and with zero padding
disabled.</div>
<div><br>
</div>
<div>If the bug is with thin
volumes and zero padding, then
the workaround seems quite
wrong. :)</div>
<div><br>
</div>
<div>I'm not super familiar with
Cinder, so could some Cinder
folks check this out and
re-issue a more accurate OSSN,
please?</div>
</div>
</div>
</div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>// jim</div>
</div>
</div>
</div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
### Discussion ###<br>
Using both thin volumes and
zero padding does not ensure
data contained<br>
in a volume is actually
deleted. The default volume
provisioning rule is<br>
set to thick so most
installations are likely not
affected. Operators<br>
can check their configuration
in `cinder.conf` or check for
zero padding<br>
with this command `scli
--query_all`.<br>
<br>
#### Recommended Actions ####<br>
<br>
Operators can use the
following two workarounds,
until the release of<br>
Rocky (planned 30th August
2018) which resolves the
issue.<br>
<br>
1. Swap to thin volumes<br>
<br>
2. Ensure ScaleIO storage
pools use zero-padding with:<br>
<br>
`scli
--modify_zero_padding_policy<br>
(((--protection_domain_id
&lt;ID&gt; |<br>
--protection_domain_name
&lt;NAME&gt;)<br>
--storage_pool_name
&lt;NAME&gt;) |
--storage_pool_id &lt;ID&gt;)<br>
(--enable_zero_padding |
--disable_zero_padding)`<br>
<br>
### Contacts / References ###<br>
Author: Nick Tait<br>
This OSSN : <a
href="https://wiki.openstack.org/wiki/OSSN/OSSN-0084"
rel="noreferrer"
target="_blank"
moz-do-not-send="true">https://wiki.openstack.org/wik<wbr>i/OSSN/OSSN-0084</a><br>
Original LaunchPad Bug : <a
href="https://bugs.launchpad.net/ossn/+bug/1699573"
rel="noreferrer"
target="_blank"
moz-do-not-send="true">https://bugs.launchpad.net/oss<wbr>n/+bug/1699573</a><br>
Mailing List : [Security] tag
on <a
href="mailto:openstack-dev@lists.openstack.org"
target="_blank"
moz-do-not-send="true">openstack-dev@lists.openstack.<wbr>org</a><br>
OpenStack Security Project : <a
href="https://launchpad.net/%7Eopenstack-ossg" rel="noreferrer"
target="_blank"
moz-do-not-send="true">https://launchpad.net/~opensta<wbr>ck-ossg</a><br>
<br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing
List (not for usage questions)<br>
Unsubscribe: <a
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer"
target="_blank"
moz-do-not-send="true">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer"
target="_blank"
moz-do-not-send="true">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><span style="font-size:12.8px">Luke
Hinds | NFV Partner Engineering | CTO Office |
Red Hat</span><br style="font-size:12.8px">
<span style="font-size:12.8px">e: </span><a
href="mailto:lhinds@redhat.com"
style="color:rgb(17,85,204);font-size:12.8px"
target="_blank" moz-do-not-send="true">lhinds@redhat.com</a><span
style="font-size:12.8px"> | irc: lhinds
@freenode |</span><span style="font-size:12.8px">
t: </span>+44 12 52 36 2483<br
style="font-size:12.8px">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>