Dear Ganeti Friends,
I need to answer this question: when a VM gets created, is it possible that from within the VM, one could read the contents of a previous VM?
Our setup is logical volumes on DRBD. The physical media are encrypted with LUKS.
From what I have seen, if a user uses something like fallocate to allocate a new file, the data read is zeros.
As a root user, I can see that if I log into a VM, I can, for example, "sudo hd /dev/vda" and see the same data I would see if I run, for example, "sudo hd /dev/xenvg/8e11bbde-50c4-4ac6-915e-a9fd2f4e13f1.disk0_data" on the host node.
The concern is whether it would be possible for confidential data to leak from one user to another. I have been having a heck of a time googling this concern. Is there a best practices concept I want to read up on? I am happy to hear whatever you know.
Thanks,
-danny
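
One way to test the concern raised above, as an added example that is not part of the original post and not Ganeti code: scan a newly allocated volume for non-zero data before the guest has written to it. The function names, the 4096-byte scan granularity and the sample image are assumptions constructed for the illustration.

```python
import os
import sys
import tempfile

BLOCK = 4096  # scan granularity in bytes (assumed value)

def nonzero_extents(path, block=BLOCK, limit=None):
    """Return [(offset, length), ...] for runs of blocks holding any non-zero byte.
    `path` may be a block device (read as root on the host) or a regular file."""
    zero = bytes(block)
    extents, start, offset = [], None, 0
    with open(path, "rb", buffering=0) as dev:
        while limit is None or offset < limit:
            chunk = dev.read(block)
            if not chunk:
                break
            dirty = chunk != zero[:len(chunk)]
            if dirty and start is None:
                start = offset                            # a non-zero run begins
            elif not dirty and start is not None:
                extents.append((start, offset - start))   # the run ended
                start = None
            offset += len(chunk)
    if start is not None:                                  # run reaches end of device
        extents.append((start, offset - start))
    return extents

def make_sample_image():
    """Constructed 64 KiB image: zeros, with leftover bytes in blocks 3-4 and block 10."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(16 * BLOCK))
        f.seek(3 * BLOCK + 100)
        f.write(b"leftover-from-previous-tenant" + b"\xaa" * BLOCK)
        f.seek(10 * BLOCK)
        f.write(b"\x01")
    return path

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_image()
    found = nonzero_extents(target)
    print(f"{target}: {len(found)} non-zero extent(s), {sum(n for _, n in found)} bytes")
    for off, length in found[:20]:
        print(f"  offset {off:#x} length {length}")
```

Pass the path of the new logical volume on the host node as the first argument; with no argument the script scans the constructed sample image. Any extent reported on a volume that has not yet been written by its new instance is data that was already on the underlying storage.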