[PVE-User] VM's LVM leaked to HN: zd, md, lv

Igor Podlesny pve-user at poige.ru
Fri Jun 7 17:28:45 CEST 2019


Proxmox' LVM config has filters:

        global_filter = [ "r|/dev/zd.*|", "r|/dev/mapper/pve-.*|" ]

But it turns out mdadm hasn't any. That's how it looks with lsblk:

zd16               230:16   0     16G  0 disk
├─zd16p1           230:17   0    953M  0 part
└─zd16p2           230:18   0   15.1G  0 part
  └─md125            9:125  0   15.1G  0 raid1
    └─pve--vgVM123 253:5    0      8G  0 lvm

When installing PVE nodes I used a "pve-..." scheme for ZFS pool names,
expecting to have that kind of leakage prevented, but in vain as it
turned out now. Moreover, it might be impractical to impose such
constraints on pools' names due to difficulties with ZFS pool
renames.

It's not clear how to filter it out for that chain: ZDs aren't
distinguishable by anything but numbers, so even ZFS pool names can't
be easily used. I suppose some backtracking can be used for that, but
I'm not sure if it's feasible. Prohibit all ZFS-based MDs, maybe? Seems
reasonable. At least LVM's filter is that wide.

Whether it should be part of Proxmox or not is up to its developers, of
course. I'm merely letting you know about that leakage. No requests, no
complaints, just knowledge shared.

-- 
End of message. Next message?
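
The leakage described in the message above can be checked for mechanically. This is an added example, not part of the original post or of Proxmox: it walks `lsblk -J -o NAME,TYPE` output and reports anything the host has stacked on a ZFS zvol (`zd*`) beyond plain partitions. The `sda` entries in the sample and the name `find_zvol_leaks` are assumptions.

```python
import json
import re

# Constructed sample: the zd16 chain from the message in `lsblk -J -o NAME,TYPE`
# form, plus an ordinary host disk (sda, assumed) that must not be reported.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "children": [
    {"name": "sda3", "type": "part", "children": [
      {"name": "pve-root", "type": "lvm"}]}]},
  {"name": "zd16", "type": "disk", "children": [
    {"name": "zd16p1", "type": "part"},
    {"name": "zd16p2", "type": "part", "children": [
      {"name": "md125", "type": "raid1", "children": [
        {"name": "pve--vgVM123", "type": "lvm"}]}]}]}
]}
"""

ZVOL_DISK = re.compile(r"^zd\d+$")   # zvols are only distinguishable by number
PASSIVE_TYPES = {"disk", "part"}     # partition scanning alone activates nothing


def find_zvol_leaks(tree):
    """Return (zvol, device path, lsblk type) for every device the host has
    assembled on top of a zvol: md arrays, LVM volumes, dm-crypt, and so on."""
    leaks = []

    def walk(node, zvol, path):
        name, dev_type = node["name"], node["type"]
        path = path + [name]
        if zvol is None and dev_type == "disk" and ZVOL_DISK.match(name):
            zvol = name                      # entering a guest-owned subtree
        elif zvol is not None and dev_type not in PASSIVE_TYPES:
            leaks.append((zvol, "/".join(path), dev_type))
        for child in node.get("children", []):
            walk(child, zvol, path)

    for device in tree["blockdevices"]:
        walk(device, None, [])
    return leaks


if __name__ == "__main__":
    for zvol, path, dev_type in find_zvol_leaks(json.loads(SAMPLE_LSBLK_JSON)):
        print(f"guest storage active on host: {path} ({dev_type}) on zvol {zvol}")
```

On a node, replace the sample with the real output of `lsblk -J -o NAME,TYPE`; an empty result means nothing inside a zvol has been assembled by the host.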


