From b85994069b91eeae234d8135d4a9ec1d8c5c3a3d Mon Sep 17 00:00:00 2001 From: Evan Broder Date: Sat, 24 Jan 2009 04:16:39 -0500 Subject: [PATCH] Overwrite all content of a VM's LV before deleting it. svn path=/trunk/packages/invirt-remote/; revision=1987 --- debian/changelog | 7 +++++++ host/usr/sbin/invirt-lvm | 43 ++++++++++++++++++++++++++++--------------- 2 files changed, 35 insertions(+), 15 deletions(-) diff --git a/debian/changelog b/debian/changelog index d57d3c3..9f0c1d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +invirt-remote (0.3.0) unstable; urgency=low + + * Instead of immediately deleting LVs, overwrite them with zeros to + avoid leaking information from one VM to another. + + -- Evan Broder Wed, 21 Jan 2009 02:57:30 -0500 + invirt-remote (0.2.2) unstable; urgency=low * config.{authn[0] => kerberos}.realm diff --git a/host/usr/sbin/invirt-lvm b/host/usr/sbin/invirt-lvm index 6367216..22a7805 100755 --- a/host/usr/sbin/invirt-lvm +++ b/host/usr/sbin/invirt-lvm @@ -1,7 +1,10 @@ #!/usr/bin/env python import sys -import os.path +import time +import os +import random +import string from subprocess import call, PIPE, Popen from invirt.config import structs as config @@ -44,20 +47,31 @@ if subcommand == "lvremove": def error(): print >>sys.stderr, "Error removing LV %s\n" % lvname sys.exit(1) - # I know this is the wrong answer, but sometimes the first - # lvchange -a n fails for no particularly good reason, so this is - # a pretty good workaround - call(["/sbin/lvchange", "-a", "n", lvpath]) - rv = call(["/sbin/lvchange", "-a", "n", lvpath]) - if rv != 0: - error() - rv = call(["/sbin/lvchange", "-a", "ey", lvpath]) - if rv != 0: - error() - rv = call(["/sbin/lvremove", "--force", lvpath]) - if rv != 0: - error() + + # Rename the LV to something else so we can wipe it before reusing + # the space + while True: + new_lvname = "old_%s_%s" % (lvname, ''.join(random.choice(string.ascii_letters) for i in xrange(6))) + new_lvpath = "/dev/%s/%s" % (vg, new_lvname) + p = Popen(["/sbin/lvrename", lvpath, new_lvpath], stdout=PIPE, stderr=PIPE) + rv = p.wait() + if rv == 5 and 'already exists in volume group' in p.stderr.read(): + continue + elif rv != 0: + error() + else: + break ensureoff(machine) + + # Fork. The child process wipes the LV and then deletes + # it. There's not really anything sane to do with errors (since + # this is running non-interactively), so let's just drop them on + # the floor for now. + if os.fork() == 0: + call(["/bin/dd", "if=/dev/zero", "of=%s" % new_lvpath]) + call(["/sbin/lvchange", "-a", "n", new_lvpath]) + call(["/sbin/lvchange", "-a", "ey", new_lvpath]) + call(["/sbin/lvremove", "--force", new_lvpath]) elif subcommand == "lvresize": size = sys.argv[4] ensureoff(machine) @@ -85,5 +99,4 @@ elif subcommand == "lvcreate": if rv != 0: print >>sys.stderr, "Error creating LV %s\n" %(lvname,) sys.exit(1) - -- 1.7.9.5