diff --git a/cinder/volume/drivers/dell_emc/scaleio/driver.py b/cinder/volume/drivers/dell_emc/scaleio/driver.py index 3b9281ac32a..bafc274ec53 100644 --- a/cinder/volume/drivers/dell_emc/scaleio/driver.py +++ b/cinder/volume/drivers/dell_emc/scaleio/driver.py @@ -101,7 +101,13 @@ scaleio_opts = [ 'driver. This replaces the general ' 'max_over_subscription_ratio which has no effect ' 'in this driver.' - 'Maximum value allowed for ScaleIO is 10.0.') + 'Maximum value allowed for ScaleIO is 10.0.'), + cfg.BoolOpt('sio_allow_non_padded_thick_volumes', + default=False, + help='Allow thick volumes to be created in Storage Pools ' + 'when zero padding is disabled. This option should ' + 'not be enabled if multiple tenants will utilize ' + 'thick volumes from a shared Storage Pool.'), ] CONF.register_opts(scaleio_opts, group=configuration.SHARED_CONF_GROUP) @@ -481,6 +487,38 @@ class ScaleIODriver(driver.VolumeDriver): {'id': id, 'name': encoded_name}) return encoded_name + def _is_volume_creation_safe(self, + protection_domain, + storage_pool, + provision_type): + """Checks if volume creation is safe or not + + using thick volumes with zero padding disabled can lead + to existing data being read off of a newly created volume + """ + # if we have been told to allow unsafe volumes + if self.configuration.sio_allow_non_padded_thick_volumes: + return True + + # all thin volumes are safe + if provision_type == 'ThinProvisioned': + return True + + try: + properties = self._get_storage_pool_properties(protection_domain, + storage_pool) + padded = properties['zeroPaddingEnabled'] + except Exception: + msg = (_("Unable to retrieve properties for pool, %(pool)s") % + {'pool': storage_pool}) + raise exception.InvalidInput(reason=msg) + + # zero padded storage pools are safe + if padded: + return True + # if we got here, it's unsafe + return False + def create_volume(self, volume): """Creates a scaleIO volume.""" self._check_volume_size(volume.size) @@ -560,6 +598,23 @@ class ScaleIODriver(driver.VolumeDriver): else: provisioning = "ThickProvisioned" + allowed = self._is_volume_creation_safe(protection_domain_name, + storage_pool_name, + provisioning) + if not allowed: + # Do not allow thick volume creation on this backend. + # Volumes may leak data between tenants. + LOG.error("Volume creation rejected due to " + "zero padding being disabled for pool, %s:%s. " + "This behaviour can be changed by setting " + "the configuration option " + "sio_allow_non_padded_thick_volumes = True.", + protection_domain_name, + storage_pool_name) + msg = _("Volume creation rejected due to " + "unsafe backend configuration.") + raise exception.VolumeBackendAPIException(data=msg) + # units.Mi = 1024 ** 2 volume_size_kb = volume.size * units.Mi params = {'protectionDomainId': domain_id, diff --git a/doc/source/configuration/tables/cinder-emc_sio.inc b/doc/source/configuration/tables/cinder-emc_sio.inc index 7e433562561..2cde935b07d 100644 --- a/doc/source/configuration/tables/cinder-emc_sio.inc +++ b/doc/source/configuration/tables/cinder-emc_sio.inc @@ -17,8 +17,12 @@ * - Configuration option = Default value - Description - * - **[DEFAULT]** - - + * - ``sio_allow_non_padded_thick_volumes`` = ``False`` + + - (Boolean) Allow thick volumes to be created in Storage Pools + when zero padding is disabled. This option should + not be enabled if multiple tenants will utilize + thick volumes from a shared Storage Pool. * - ``sio_max_over_subscription_ratio`` = ``10.0`` diff --git a/releasenotes/notes/scaleio-zeropadding-a0273c56c4d14fca.yaml b/releasenotes/notes/scaleio-zeropadding-a0273c56c4d14fca.yaml new file mode 100644 index 00000000000..bd488c94957 --- /dev/null +++ b/releasenotes/notes/scaleio-zeropadding-a0273c56c4d14fca.yaml @@ -0,0 +1,10 @@ +--- + +security: + - | + Removed the ability to create thick volumes in a ScaleIO Storage Pool + that has zero-padding disabled; creation of thin volumes from these + pools is allowed. A new configuration option has been added to + override this new behavior and allow thick volumes, but should not + be enabled if multiple tenants will utilize thick volumes from a shared + Storage Pool.