yahoo-eng-team team mailing list archive

[Bug 1218994] Re: file based disk images do not get scrubbed on delete

Marking as Opinion because the solution here really needs to be
encryption at rest so that a crashed nova compute doesn't leave customer
data out there.

** Changed in: nova
       Status: Triaged => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1218994

Title:
  file based disk images do not get scrubbed on delete

Status in OpenStack Compute (Nova):
  Opinion

Bug description:
  Right now, LVM backed instances can be scrubbed (overwritten with
  zeros using dd) upon deletion.  However, there is no such option with
  file backed images.  While it is true that fallocate can handle some
  of this by returning 0s to the instance when reading any unwritten
  parts of the file, there are some cases where it is not desirable to
  enable fallocate.

  What would be preferred would be options similar to those cinder has
  implemented, so the operator can choose to shred or zero out the file,
  based on their organization's own internal data policies.  A zero out
  option satisfies those that must ensure they scrub tenant data upon
  deletion, and shred would satisfy those beholden to DoD 5220-22.

  This would of course make file backed disks vulnerable to
  https://bugs.launchpad.net/nova/+bug/889299 but that might not be a
  bad thing considering it's quite old.

  Attached an initial patch for nova/virt/libvirt/driver.py that
  performs the same LVM zero scrub routine to disk backed files, however
  it lacks any flags to enable or disable it right now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1218994/+subscriptions
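
The zero and shred options requested in the bug description, as an added Python example (it is not the patch attached to the bug and not nova's code). The `method` setting, the `passes` count and the function names are hypothetical.

```python
import os
import stat

CHUNK = 1024 * 1024  # overwrite in 1 MiB writes to bound memory use
METHODS = ("none", "zero", "shred")  # hypothetical operator setting


def _overwrite(fd, size, random_data):
    """One full pass over the file, flushed to stable storage."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if random_data else bytes(n)
        remaining -= os.write(fd, buf)  # os.write may be partial
    os.fsync(fd)


def scrub_image(path, method="zero", passes=3, unlink=True):
    """Scrub a file-backed disk image according to `method`, then delete it.

    Returns the number of overwrite passes performed.
    """
    if method not in METHODS:
        raise ValueError("unknown scrub method: %r" % (method,))
    done = 0
    if method != "none":
        # O_NOFOLLOW: never scrub through a symlink planted at the image path.
        fd = os.open(path, os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0))
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode):
                raise ValueError("not a regular file: %s" % path)
            # st_size is the apparent size, so holes in a sparse image
            # are overwritten (and allocated) too.
            if method == "shred":
                for _ in range(passes):
                    _overwrite(fd, st.st_size, random_data=True)
                    done += 1
            _overwrite(fd, st.st_size, random_data=False)  # final zero pass
            done += 1
        finally:
            os.close(fd)
    if unlink:
        os.unlink(path)
    return done
```

An in-place overwrite only reaches the blocks the filesystem currently maps to the file, so on copy-on-write or snapshotted storage earlier copies of the data can survive it.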