Bug 1303484 - [Docs] [VMM] [RFE] Document how to confirm a virtual disk has been deleted correctly when 'wipe after delete' is selected
[Docs] [VMM] [RFE] Document how to confirm a virtual disk has been deleted co...
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ovirt-3.6.4
: ---
Assigned To: Byron Gravenorst
Megan Lewis
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2016-01-31 20:09 EST by Andrew Dahms
Modified: 2016-04-19 21:29 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-04-19 21:29:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Docs
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andrew Dahms 2016-01-31 20:09:58 EST
When users delete a virtual disk, they have the option to select 'wipe after delete', which ensures the contents of the disk are deleted. Simple instructions on how users can confirm that this operation has taken place must be added to the Virtual Machine Management guide.
Comment 1 Lucy Bopf 2016-02-07 19:11:00 EST
Assigning to Byron for review.

Byron, we will need to reach out to engineering to find out how users can confirm that a disk's contents have been wiped.
Comment 6 Nir Soffer 2016-03-02 18:10:47 EST
Note that the method described above is not practical if another vm is using a disk on the same vg, or new disk is created while you check the data on the pv.

If another vm is running, and its disk becomes too full, we extend the vm disk, using free extents on the vg. The new space used for the extension may use the old disk extents. Same for new disk, it may use the old disk extents. When we check the data in the pv, we may see data from the other vm data copied into the new disk.

In normal production environment, it is not possible to verify that disk were wiped by checking actual data on a pv. Checking the logs as explained in comment 3 is the best way.
Comment 12 Idan Shaby 2016-03-14 08:57:20 EDT
Hi Yoshinori,

Wipe after delete is a property of the disk, not a property of the deletion operation.

When you set this property to true for a disk, as Nir said, we guarantee that:
*** New disks that will be created on the same storage will not expose data from old ones. ***

That's the bottom line, but in case that you want to understand why and when we wipe, these are the implementation details:
On block storage, we implement it by writing zeros on the lv (the disk) before we remove it. That is why the engine sends postZero='true' to vdsm.
On file storage, as Nir said, the file system already guarantees not to expose data from old files when creating new files. So writing zeros is not needed and thus the engine sends postZero='false' to vdsm.

When I wrote comment 3, I thought that we were talking about block storage (because only then writing zeros is relevant), my apologies.

So why do we let the user set this property on File based disks at all?
Because as I said earlier, in case that a disk's wipe after delete is set to true, we know that whenever we delete this disk, new disks that will be created on the same storage will not expose data from old ones. So as long as this disk relies on a file storage, we will send postZero='false', but if this disk is moved to a block storage, we will send postZero='true'.

If you need any further information, don't hesitate to ask.
Comment 13 Byron Gravenorst 2016-03-22 21:19:48 EDT
*** Documentation link:



**** Git link:


*** What's changed:

Administration Guide:

- Added new information to check file logs to confirm that data has been wiped.

- Also mentioned wipe_after_delete only works on block storage.

Virtual Machine Management Guide:

- Added paragraph refering to the Admin Guide for information about checking the logs

*** Notes:

Due to comment 6 I have decided that writing an article to use those instructions to check a PV has no value, due to not being able to work in a normal production environment. If anyone feels strongly that this should be added then I'll gladly do so.

Moving to ON_QA

Note You need to log in before you can comment on or make changes to this bug.