Re: [Xen-users] domU leaks disk volume configs into to dom0 - iscsi / lvm
On 05/22/2017 12:21 PM, Mike wrote:
> Hi,
>
> My environment is linux / ubuntu 16, and I have noticed that iscsi block
> devices used by guests are scanned by lvm on the dom0. If any volume
> groups / disk labels are found, LVM will add them to dom0, which could
> potentially allow one domu to access a disk resource of another unrelated domu.
>
> I found this discussion from 2012 which recognized the problem:
>
> https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/995709
>
> I have also noted other side effects. For example, when shutting down a
> guest with iscsi backed storage, lvm doesn't seem to release the mappings
> and they hang around for eternity (till reboot).
>
> Are there some xen specific iscsi config options or such that address
> these issues?
>

I don't see how the dom0 accessing a device will give access to a different domU, but it is a potential security problem if there's a vulnerability with LVM. I wouldn't expect there to be a xen-specific tool, but you can add a filter line to /etc/lvm/lvm.conf that rejects iscsi and then LVM should ignore those volumes. Alternately, "accept" only what you need and reject everything else.

--Sarah

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
https://lists.xen.org/xen-users
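
The two filter approaches mentioned in the reply above could look like this in the dom0's lvm.conf. This is an added example, not part of the original thread; the device path /dev/sda2 and the by-path pattern are assumptions to adapt to the host.

```conf
# /etc/lvm/lvm.conf on the dom0 (fragment, devices section only)
devices {
    # Before: with no filter set, the default accepts every block device,
    # so iSCSI LUNs attached only to be handed to guests get scanned and
    # any volume groups found on them are activated in the dom0.
    # filter = [ "a|.*|" ]

    # global_filter is used instead of filter so the setting also applies
    # to LVM system components (lvmetad, udev-triggered scans), not just
    # to commands run by hand.

    # Option 1: reject iSCSI-backed devices, accept everything else.
    # Assumes the LUNs appear under udev's by-path names:
    #   /dev/disk/by-path/ip-<portal>-iscsi-<iqn>-lun-<n>
    # global_filter = [ "r|^/dev/disk/by-path/ip-.*-iscsi-.*|", "a|.*|" ]

    # Option 2: accept only what the dom0 needs, reject everything else.
    # /dev/sda2 is a placeholder for the dom0's own physical volume.
    # Patterns are tried in order and the first match decides, so the
    # catch-all reject must come last.
    global_filter = [ "a|^/dev/sda2$|", "r|.*|" ]
}
```

After the change, `pvs` and `lvs` on the dom0 should list only the dom0's own volumes; if the root filesystem is on LVM, rebuild the initramfs (`update-initramfs -u` on Ubuntu) so the early-boot copy of lvm.conf matches.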