Guest disk data security

ib.pl

Hello,

Please consider extending virtual disk add/remove (extend may be difficult) functions to wipe (de)allocated space before it's visible to other guests.

We've sent a similar idea to the LVM mailing list

http://www.redhat.com/archives/linux-lvm/2014-October/msg00018.html

but a more general solution (compatible with other storage backends) would probably be better for PVE. OpenStack seems to have some solutions for this problem:

https://bugs.launchpad.net/nova/+bug/889299

Thank you for a great tool!

Regards,
Pawel

IB Development Team
https://dev.ib.pl/
 
We also have "issue_discards = 1" set in lvm.conf, so data is discarded if the underlying storage supports it.
 
Thank you for pointing out the saferemove parameter!

Attached please find our two patches: Storage.pm-ib.patch (saferemove was not working without it) and LVMPlugin.pm-ib.patch (this one allows limiting I/O load during zeroing with a new saferemove_throughput parameter - a must-have in our opinion, especially if you try to remove a VM with a few disks, which executes zeroing in parallel). Please verify and consider fixing upstream.

Patching both PVE33 and PVE2, restarting pvedaemon+pvestatd and setting

pvesm set vg1 -saferemove 1
pvesm set vg1 -saferemove_throughput -20971520

allowed us to have a working "cleanup" solution for disk/VM remove actions on vg1. Probably not a perfect solution (guest data may go outside the guest LV during online backups with LVM snapshots involved?) but better than leaving all the guest disk data on LV removal.

> We also have "issue_discards = 1" set in lvm.conf, so data is discarded if the underlying storage supports it.

Thanks for this info. But (if I understand correctly) this requires "underlying storage support", which is probably not available in RAID/SATA/SAS/DRBD scenarios. A more universal "software" solution (in the LVM layer probably?) would be nicer (and hardware tricks with trimming/issue_discards for those who prefer and may use it).

On http://www.redhat.com/archives/linux-lvm/2014-October/msg00021.html there is a hint about using thin provisioning with zeroing enabled, which might be interesting if it does not introduce other issues (i.e. performance/stability degradation). Zeroing just before giving a resource to another party seems to be a proven solution in the RAM area:

http://security.stackexchange.com/q...-patch-that-wipes-a-process-memory-space-afte

Thank you for your help!

Regards,
Pawel

IB Development Team
https://dev.ib.pl/
 

Attachments

  • LVMPlugin.pm.ib.patch.zip (1 KB)
  • Storage.pm.ib.patch.zip (389 bytes)
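
The zero-before-release approach discussed in this thread, as an added example that is not part of the original posts, the attached patches or Proxmox code: a throttled zero-fill of a volume plus a check for leftover non-zero data. The function names, the temporary file standing in for an LV, and the 20 MiB/s cap are assumptions made for illustration.

```python
import os
import time

CHUNK = 1024 * 1024  # bytes per read/write

def zero_fill(path, max_bytes_per_sec=None, chunk=CHUNK):
    """Overwrite every byte of a volume with zeros; returns bytes written.
    max_bytes_per_sec caps the mean write rate so the wipe does not starve guests."""
    fd = os.open(path, os.O_WRONLY)          # no O_TRUNC: size must stay the same
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        os.lseek(fd, 0, os.SEEK_SET)
        zeros, written, start = bytes(chunk), 0, time.monotonic()
        while written < size:
            written += os.write(fd, zeros[:min(chunk, size - written)])
            if max_bytes_per_sec:
                # Sleep off any lead over the byte budget for the elapsed time.
                lead = written / max_bytes_per_sec - (time.monotonic() - start)
                if lead > 0:
                    time.sleep(lead)
        os.fsync(fd)                         # make sure zeros reach the device
    finally:
        os.close(fd)
    return written

def residual_extents(path, chunk=CHUNK):
    """Return [(offset, length), ...] for chunk-aligned runs that still hold
    non-zero bytes, i.e. data a later owner of the space could read."""
    extents, offset = [], 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            if buf.count(0) != len(buf):
                if extents and extents[-1][0] + extents[-1][1] == offset:
                    extents[-1] = (extents[-1][0], extents[-1][1] + len(buf))
                else:
                    extents.append((offset, len(buf)))
            offset += len(buf)
    return extents

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a released guest disk: 8 MiB with leftover data.
    with tempfile.NamedTemporaryFile(delete=False) as vol:
        vol.write(bytes(3 * CHUNK) + b"guest secret" + bytes(5 * CHUNK - 12))
    print("before wipe:", residual_extents(vol.name))
    zero_fill(vol.name, max_bytes_per_sec=20 * 1024 * 1024)  # assumed cap
    print("after wipe: ", residual_extents(vol.name))
    os.unlink(vol.name)
```

On a real host the path would be the LV's device node, wiped before the volume is removed. The check only sees what that block device returns, so copies held in LVM snapshots (the concern raised in the post) are not covered.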
