57aeac354b
Note speaks of two workarounds, but only one is listed (unless upgrade is considered workaround). Also rocky is not released yet, so cannot be a recommended action operators can take in thd moment of time. This patch is just to fine tune the above, the rest looks good though. Change-Id: I931c5737d6e0a6ed5ae912693bad6b49438c80e1
41 lines
1.5 KiB
Plaintext
41 lines
1.5 KiB
Plaintext
Data retained after deletion of a ScaleIO volume
|
|
---
|
|
|
|
### Summary ###
|
|
Certain storage volume configurations allow newly created volumes to
|
|
contain previous data. This could lead to leakage of sensitive
|
|
information between tenants.
|
|
|
|
### Affected Services / Software ###
|
|
Cinder releases up to and including Queens with ScaleIO volumes
|
|
using thin volumes and zero padding.
|
|
|
|
### Discussion ###
|
|
Using both thin volumes and zero padding does not ensure data contained
|
|
in a volume is actually deleted. The default volume provisioning rule is
|
|
set to thick so most installations are likely not affected. Operators
|
|
can check their configuration in `cinder.conf` or check for zero padding
|
|
with this command `scli --query_all`.
|
|
|
|
#### Recommended Actions ####
|
|
|
|
Operators can use the following two workarounds, until the release of
|
|
Rocky (planned 30th August 2018) which resolves the issue.
|
|
|
|
1. Swap to thin volumes
|
|
|
|
2. Ensure ScaleIO storage pools use zero-padding with:
|
|
|
|
`scli --modify_zero_padding_policy
|
|
(((--protection_domain_id <ID> |
|
|
--protection_domain_name <NAME>)
|
|
--storage_pool_name <NAME>) | --storage_pool_id <ID>)
|
|
(--enable_zero_padding | --disable_zero_padding)`
|
|
|
|
### Contacts / References ###
|
|
Author: Nick Tait
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0084
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1699573
|
|
Mailing List : [Security] tag on openstack-dev@lists.openstack.org
|
|
OpenStack Security Project : https://launchpad.net/~openstack-ossg
|