Data Remanence


Daniel Howard

Jan 11, 2024, 4:30:02 PM
to ganeti
Dear Ganeti Friends, I need to answer this question: when a VM gets created, is it possible that from within the VM, one could read the contents of a previous VM?

Our setup is logical volumes on DRBD. The physical media are encrypted with LUKS.

From what I have seen, if a user uses something like fallocate to allocate a new file, the data read is zeros.

As a root user, I can see that if I log into a VM, I can, for example, "sudo hd /dev/vda" and see the same data I would see if I run, for example, "sudo hd /dev/xenvg/8e11bbde-50c4-4ac6-915e-a9fd2f4e13f1.disk0_data" on the host node.

The concern is whether it would be possible for confidential data to leak from one user to another. I have been having a heck of a time googling this concern. Is there a best practices concept I want to read up on? I am happy to hear whatever you know.

Thanks,
-danny

Steffen Zieger

Jan 12, 2024, 4:36:33 AM
to gan...@googlegroups.com
Hi Daniel,

As Ganeti is only using standard tools, it's possible to see old data within a VM.

There's a cluster-wide setting to wipe disks:
The --prealloc-wipe-disks sets a cluster wide configuration value for wiping disks prior to allocation and size changes (gnt-instance grow-disk). This increases security on instance level as the instance can't access untouched data from its underlying storage.

HTH

Steffen 
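
A way to check a freshly allocated disk for leftover data, as an added example that is not part of the thread and not Ganeti code. It assumes it is pointed at a new instance disk before any OS is installed (for example /dev/vda in the guest or the data LV on the host node) and at 512-byte sectors; the function name and chunk size are chosen for this sketch.

```python
"""Scan a block device or image for residual (non-zero) data and old signatures."""
import os
import sys

CHUNK = 1024 * 1024  # read size; also the granularity of the reported offsets


def scan_for_remanence(path, chunk=CHUNK, max_hits=8):
    """Return (size, nonzero_chunks, first_offsets, signatures) for path."""
    zero = bytes(chunk)
    nonzero, offsets, sigs = 0, [], []
    with open(path, "rb", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)  # works for block devices, unlike st_size
        dev.seek(0)
        head = dev.read(4096)
        # Leftover partition tables and LVM labels are what trip up installers.
        if head[510:512] == b"\x55\xaa":
            sigs.append("mbr-boot-signature")
        if head[512:520] == b"EFI PART":
            sigs.append("gpt-header")
        if any(head[s * 512:s * 512 + 8] == b"LABELONE" for s in range(4)):
            sigs.append("lvm2-pv-label")
        dev.seek(0)
        offset = 0
        while True:
            buf = dev.read(chunk)
            if not buf:
                break
            if buf != zero[:len(buf)]:  # tolerate a short final read
                nonzero += 1
                if len(offsets) < max_hits:
                    offsets.append(offset)
            offset += len(buf)
    return size, nonzero, offsets, sigs


if __name__ == "__main__":
    size, nonzero, offsets, sigs = scan_for_remanence(sys.argv[1])
    print(f"{sys.argv[1]}: {size} bytes, {nonzero} non-zero chunk(s)")
    for off in offsets:
        print(f"  residual data at offset {off:#x}")
    for sig in sigs:
        print(f"  old signature found: {sig}")
    sys.exit(1 if nonzero else 0)
```

A non-zero exit status means the disk was handed out with earlier contents still readable.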


Daniel Howard

Jan 12, 2024, 1:10:45 PM
to gan...@googlegroups.com
Steffen, this answer is perfect. Thank you! And praise to the Ganeti community for already having thought this through!

Thanks,
-danny




Rudolph Bott

Jan 12, 2024, 4:13:21 PM
to gan...@googlegroups.com
Hi Daniel,

we have also been using that option for quite a while now. We have standard sizes for our instances (e.g. most have the same disk size unless there are specific requirements). That also means that after an instance gets deleted, a new one will appear sooner or later with the exact same disk size (and hence be placed at the exact same location on the physical disk). Our older Ganeti clusters were using PXE boot along with automated Debian installers which would fail when they detect the partition table or LVM signatures present on disk from a previous instance. We got rid of that problem using --prealloc-wipe-disks and have been using that ever since.

Cheers,
Rudi



--
 Rudolph Bott - bo...@sipgate.de

 sipgate GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
 HRB Düsseldorf 39841 - Managing directors: Thilo Salmon, Tim Mois
 Tax number: 106/5724/7147, VAT ID: DE219349391
