[openstack-dev] [OSSN-0084] Data retained after deletion of a ScaleIO volume

Jay S Bryant jungleboyj at gmail.com
Thu Jul 12 16:21:51 UTC 2018



On 7/11/2018 1:20 AM, Luke Hinds wrote:
>
>
> On Tue, Jul 10, 2018 at 9:08 PM, Jim Rollenhagen
> <jim at jimrollenhagen.com> wrote:
>
>     On Tue, Jul 10, 2018 at 3:28 PM, Martin Chlumsky
>     <martin.chlumsky at gmail.com> wrote:
>
>         It is the workaround that is right and the discussion part
>         that is wrong.
>
>         I am familiar with this bug. Using thin volumes
>         _and/or_ enabling zero padding DOES ensure data contained
>         in a volume is actually deleted.
>
>
>     Great, that's super helpful. Thanks!
>
>     Is there someone (Luke?) on the list that can send a correction
>     for this OSSN to all the lists it needs to go to?
>
>     // jim
>
>
> It can, but I would want to be sure we get an agreed consensus. The 
> note has already gone through a review cycle where a cinder core 
> approved the contents:
>
> https://review.openstack.org/#/c/579094/
>
> If someone wants to put forward a patch with the needed amendments, I
> can send out a correction to the lists.
>
All,

I have forwarded this note on to Helen Walsh at Dell EMC (Walsh, Helen 
<Helen.Walsh at dell.com>) as they do not monitor the mailing list as 
closely.  Hopefully we can get her engaged to ensure we get the right 
update out there.

Thanks!

>
>         On Tue, Jul 10, 2018 at 10:41 AM Jim Rollenhagen
>         <jim at jimrollenhagen.com> wrote:
>
>             On Tue, Jul 10, 2018 at 4:20 AM, Luke Hinds
>             <lhinds at redhat.com> wrote:
>
>                 Data retained after deletion of a ScaleIO volume
>                 ---
>
>                 ### Summary ###
>                 Certain storage volume configurations allow newly
>                 created volumes to
>                 contain previous data. This could lead to leakage of
>                 sensitive
>                 information between tenants.
>
>                 ### Affected Services / Software ###
>                 Cinder releases up to and including Queens with
>                 ScaleIO volumes
>                 using thin volumes and zero padding.
>
>
>             According to discussion in the bug, this bug occurs with
>             ScaleIO volumes using thick volumes and with zero padding
>             disabled.
>
>             If the bug is with thin volumes and zero padding, then the
>             workaround seems quite wrong. :)
>
>             I'm not super familiar with Cinder, so could some Cinder
>             folks check this out and re-issue a more accurate OSSN,
>             please?
>
>             // jim
>
>
>                 ### Discussion ###
>                 Using both thin volumes and zero padding does not
>                 ensure data contained
>                 in a volume is actually deleted. The default volume
>                 provisioning rule is
>                 set to thick so most installations are likely not
>                 affected. Operators
>                 can check their configuration in `cinder.conf` or
>                 check for zero padding
>                 with this command `scli --query_all`.
>
>                 #### Recommended Actions ####
>
>                 Operators can use the following two workarounds, until
>                 the release of
>                 Rocky (planned 30th August 2018) which resolves the issue.
>
>                 1. Swap to thin volumes
>
>                 2. Ensure ScaleIO storage pools use zero-padding with:
>
>                 `scli --modify_zero_padding_policy
>                     (((--protection_domain_id <ID> |
>                     --protection_domain_name <NAME>)
>                     --storage_pool_name <NAME>) | --storage_pool_id <ID>)
>                     (--enable_zero_padding | --disable_zero_padding)`
>
>                 ### Contacts / References ###
>                 Author: Nick Tait
>                 This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0084
>                 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1699573
>                 Mailing List : [Security] tag on openstack-dev at lists.openstack.org
>                 OpenStack Security Project : https://launchpad.net/~openstack-ossg
>
>
>                 __________________________________________________________________________
>                 OpenStack Development Mailing List (not for usage
>                 questions)
>                 Unsubscribe:
>                 OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>                 <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>                 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>                 <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>
> -- 
> Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
> e: lhinds at redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
>
