Red Hat Bugzilla – Bug 1303484
[Docs] [VMM] [RFE] Document how to confirm a virtual disk has been deleted correctly when 'wipe after delete' is selected
Last modified: 2016-04-19 21:29:45 EDT
When users delete a virtual disk, they have the option to select 'wipe after delete', which ensures the contents of the disk are deleted. Simple instructions on how users can confirm that this operation has taken place must be added to the Virtual Machine Management guide.
Assigning to Byron for review.
Byron, we will need to reach out to engineering to find out how users can confirm that a disk's contents have been wiped.
Note that the method described above is not practical if another vm is using a disk on the same vg, or a new disk is created while you check the data on the pv.
If another vm is running, and its disk becomes too full, we extend the vm disk, using free extents on the vg. The new space used for the extension may use the old disk extents. Same for a new disk, it may use the old disk extents. When we check the data in the pv, we may see data from the other vm copied into the new disk.
In a normal production environment, it is not possible to verify that disks were wiped by checking actual data on a pv. Checking the logs as explained in comment 3 is the best way.
Wipe after delete is a property of the disk, not a property of the deletion operation.
When you set this property to true for a disk, as Nir said, we guarantee that:
*** New disks that will be created on the same storage will not expose data from old ones. ***
That's the bottom line, but in case that you want to understand why and when we wipe, these are the implementation details:
On block storage, we implement it by writing zeros on the lv (the disk) before we remove it. That is why the engine sends postZero='true' to vdsm.
On file storage, as Nir said, the file system already guarantees not to expose data from old files when creating new files. So writing zeros is not needed and thus the engine sends postZero='false' to vdsm.
When I wrote comment 3, I thought that we were talking about block storage (because only then writing zeros is relevant), my apologies.
So why do we let the user set this property on File based disks at all?
Because as I said earlier, in case that a disk's wipe after delete is set to true, we know that whenever we delete this disk, new disks that will be created on the same storage will not expose data from old ones. So as long as this disk relies on a file storage, we will send postZero='false', but if this disk is moved to a block storage, we will send postZero='true'.
If you need any further information, don't hesitate to ask.
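As an added illustration of the block-storage case described in the comment above (not vdsm's own code, and not part of the original bug thread): the engine's postZero='true' path amounts to overwriting the lv with zeros before it is removed, and the only thing a read-back check can confirm is that the volume now returns zeros. The script below models that with two hypothetical shell functions, wipe_volume and is_zeroed, and uses an ordinary file as a stand-in for an lv so it runs without LVM or root; on a real lv the same functions apply to the /dev/vg/lv path. As Nir points out, this says nothing about extents that a pv may already have handed to another disk, so it is a check of one volume in isolation, not a production verification method.

```shell
#!/bin/sh
# Added example: zero a volume the way a postZero='true' removal would,
# then confirm it reads back as all zeros.  Function names are hypothetical.

# Size in bytes of a block device or, for this offline model, a regular file.
volume_size() {
    dev=$1
    if [ -b "$dev" ]; then
        blockdev --getsize64 "$dev"
    else
        echo $(( $(wc -c < "$dev") ))
    fi
}

# Overwrite every byte of the volume with zeros and flush to the backing store.
# conv=notrunc keeps a regular-file stand-in the same size; it is a no-op on a
# block device.  conv=fsync forces the data out so the check below reads what
# is actually on disk rather than what is still in the page cache.
wipe_volume() {
    dev=$1
    size=$(volume_size "$dev")
    head -c "$size" /dev/zero | dd of="$dev" conv=notrunc,fsync 2>/dev/null
}

# Succeeds (exit 0) only if no byte of the volume is non-zero.
# tr deletes every NUL byte; anything left means old data is still present.
is_zeroed() {
    dev=$1
    [ $(( $(tr -d '\000' < "$dev" | wc -c) )) -eq 0 ]
}

# Stand-alone usage: ./wipe_check.sh /dev/vg/lv (or a file used as a model).
if [ $# -gt 0 ]; then
    if is_zeroed "$1"; then
        echo "$1: already zeroed"
    else
        echo "$1: contains data, wiping"
        wipe_volume "$1"
        is_zeroed "$1" && echo "$1: reads back as zeros" || echo "$1: wipe incomplete"
    fi
fi
```

Running the check before and after the wipe on a volume that held old disk data shows the transition from "contains data" to "reads back as zeros"; run on a production pv instead, a zero read-back would prove nothing about extents the vg has since reallocated to another lv, which is exactly why the thread settles on log inspection rather than reading the pv.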
*** Documentation link:
**** Git link:
*** What's changed:
- Added new information to check file logs to confirm that data has been wiped.
- Also mentioned wipe_after_delete only works on block storage.
Virtual Machine Management Guide:
- Added paragraph referring to the Admin Guide for information about checking the logs
Due to comment 6 I have decided that writing an article to use those instructions to check a PV has no value, due to not being able to work in a normal production environment. If anyone feels strongly that this should be added then I'll gladly do so.
Moving to ON_QA