[openstack-dev] [OSSN-0084] Data retained after deletion of a ScaleIO volume
Jay S Bryant
jungleboyj at gmail.com
Thu Jul 12 16:21:51 UTC 2018
On 7/11/2018 1:20 AM, Luke Hinds wrote:
>
>
> On Tue, Jul 10, 2018 at 9:08 PM, Jim Rollenhagen
> <jim at jimrollenhagen.com> wrote:
>
> On Tue, Jul 10, 2018 at 3:28 PM, Martin Chlumsky
> <martin.chlumsky at gmail.com> wrote:
>
> It is the workaround that is right and the discussion part
> that is wrong.
>
> I am familiar with this bug. Using thin volumes
> _and/or_ enabling zero padding DOES ensure data contained
> in a volume is actually deleted.
>
>
> Great, that's super helpful. Thanks!
>
> Is there someone (Luke?) on the list that can send a correction
> for this OSSN to all the lists it needs to go to?
>
> // jim
>
>
> It can, but I would want to be sure we get an agreed consensus. The
> note has already gone through a review cycle where a cinder core
> approved the contents:
>
> https://review.openstack.org/#/c/579094/
>
> If someone wants to put forward a patch with the needed amendments, I
> can send out a correction to the lists.
>
All,
I have forwarded this note on to Helen Walsh at Dell EMC (Walsh, Helen
<Helen.Walsh at dell.com>) as they do not monitor the mailing list as
closely. Hopefully we can get her engaged to ensure we get the right
update out there.
Thanks!
>
> On Tue, Jul 10, 2018 at 10:41 AM Jim Rollenhagen
> <jim at jimrollenhagen.com> wrote:
>
> On Tue, Jul 10, 2018 at 4:20 AM, Luke Hinds
> <lhinds at redhat.com> wrote:
>
> Data retained after deletion of a ScaleIO volume
> ---
>
> ### Summary ###
> Certain storage volume configurations allow newly created volumes to
> contain previous data. This could lead to leakage of sensitive
> information between tenants.
>
> ### Affected Services / Software ###
> Cinder releases up to and including Queens with ScaleIO volumes
> using thin volumes and zero padding.
>
>
> According to discussion in the bug, this bug occurs with
> ScaleIO volumes using thick volumes and with zero padding
> disabled.
>
> If the bug is with thin volumes and zero padding, then the
> workaround seems quite wrong. :)
>
> I'm not super familiar with Cinder, so could some Cinder
> folks check this out and re-issue a more accurate OSSN,
> please?
>
> // jim
>
>
> ### Discussion ###
> Using both thin volumes and zero padding does not ensure data contained
> in a volume is actually deleted. The default volume provisioning rule is
> set to thick so most installations are likely not affected. Operators
> can check their configuration in `cinder.conf` or check for zero padding
> with this command `scli --query_all`.
>
> #### Recommended Actions ####
>
> Operators can use the following two workarounds, until the release of
> Rocky (planned 30th August 2018) which resolves the issue.
>
> 1. Swap to thin volumes
>
> 2. Ensure ScaleIO storage pools use zero-padding with:
>
> `scli --modify_zero_padding_policy
> (((--protection_domain_id <ID> | --protection_domain_name <NAME>)
> --storage_pool_name <NAME>) | --storage_pool_id <ID>)
> (--enable_zero_padding | --disable_zero_padding)`
>
> ### Contacts / References ###
> Author: Nick Tait
> This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0084
> Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1699573
> Mailing List : [Security] tag on openstack-dev at lists.openstack.org
> OpenStack Security Project : https://launchpad.net/~openstack-ossg
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage
> questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>
> --
> Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
> e: lhinds at redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
>