[RHEVM] "Wipe after delete" option of RHEV VM disk
Hi
Would anyone be able to tell me what the purpose of the "Wipe after delete" option is for a RHEV VM disk?
The documentation states "Enhanced security for deletion of sensitive material when the disk is deleted"
In my mind, this should be done by default. Not as an option.
The alternative is what, exactly?
Cheers
Responses
Hi Richard,
Wipe after delete will wipe the entire disk contents rather than just removing file references from the filesystem, i.e. it will '0' out the contents. Usually when you remove a file from a filesystem (in this case a virtual hard disk) the reference is removed and the blocks are marked as free but the contents aren't wiped/removed from the blocks.
The reason this option exists is because if a VM (or virtual disk) is 'deleted' on a physical disk and a new VM (or virtual disk) created, a user in the new VM could potentially dump the contents of 'free space' and find sensitive information left over from the previous VM.
The downside to 'wiping' (and likely why it isn't configured by default) is that it is expensive in regards to IO/disk access/writes. Every block of the filesystem needs to be overwritten, which can take a long time to complete, depending on the disk subsystem.
I agree that an explanation of the risk should be more prominent. In many environments this would pose no risk/issue due to the nature of the VMs being created, but completely agree that for a multi-tenanted VM farm the wipe option would be a necessity.
Interesting that you mention LVM metadata as one of the issues, I have had problems in the past (not specifically RHEV related) with residual LVM data on a broken RAID... definitely something to keep an eye out for.
Hey Richard:
- To set "Wipe after delete" as the default option, you can use the SANWipeAfterDelete option in rhevm-config. For example, to enable that as the default option, you would run:
      rhevm-config -s SANWipeAfterDelete=true
      service ovirt-engine restart
- The most common reason to use "Wipe on delete" is to zero out the data for security purposes. It shouldn't be required just to get a clean disk (without metadata). To be honest, I can't think of a scenario where creating a new vDisk and attaching it to VM would show existing metadata. This definitely sounds like something we should look into a bit more. I recommend opening a case on this. Are you able to recreate the scenario easily?
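A way to check that a released volume holds no leftover data, and to see what zero-filling changes, as an added example that is not part of the original thread and is not RHEV's own code. The function names, the 1 MiB chunk size and the temporary file standing in for a volume are assumptions for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # scan granularity (assumed): 1 MiB

def scan_residual(path, chunk_size=CHUNK):
    """Return (chunks_scanned, nonzero_chunks, first_nonzero_offset or None)."""
    scanned = nonzero = offset = 0
    first = None
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(chunk_size)
            if not buf:
                break
            if buf.count(0) != len(buf):  # clean only if every byte is zero
                nonzero += 1
                if first is None:
                    # report where leftover data starts, never the data itself
                    first = offset + len(buf) - len(buf.lstrip(b"\x00"))
            scanned += 1
            offset += len(buf)
    return scanned, nonzero, first

def zero_fill(path, chunk_size=CHUNK):
    """Overwrite every byte with zeros in place and flush to storage."""
    zeros = bytes(chunk_size)
    with open(path, "r+b") as dev:
        remaining = dev.seek(0, os.SEEK_END)  # size; also works on block devices
        dev.seek(0)
        while remaining:
            n = min(chunk_size, remaining)
            dev.write(zeros[:n])
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())

def demo():
    """Constructed 4 MiB stand-in volume with a marker left at 2 MiB + 100."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(bytes(4 * CHUNK))
        f.seek(2 * CHUNK + 100)
        f.write(b"constructed-leftover-record")
        path = f.name
    try:
        before = scan_residual(path)  # volume released without a wipe
        zero_fill(path)               # what a wipe adds: a write per block
        after = scan_residual(path)
    finally:
        os.unlink(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The zero-fill pass writes the full size of the volume, which is the I/O cost the first response describes.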
