Re: [Xen-users] domU leaks disk volume configs into dom0 - iscsi / lvm

On 05/22/2017 12:21 PM, Mike wrote:
> Hi,
>     My environment is linux / ubuntu 16, and I have noticed that iscsi block
> devices used by guests are scanned by lvm on the dom0. If any volume
> groups / disk labels are found, LVM will add them to dom0, which could
> potentially allow one domu to access a disk resource of another unrelated domu.
>     I found this discussion from 2012 which recognized the problem:
>     https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/995709
>     I have also noted other side effects. For example, when shutting down a 
> guest with iscsi backed storage, lvm doesn't seem to release the mappings
> and they hang around for eternity (till reboot).
>     Are there some xen specific iscsi config options or such that address
> these issues?

I don't see how the dom0 accessing a device will give access to a different 
domU, but it is a potential security problem if there's a vulnerability
with LVM.

I wouldn't expect there to be a xen-specific tool, but you can add a filter 
line to /etc/lvm/lvm.conf that rejects iscsi and then LVM should ignore
those volumes. Alternately, "accept" only what you need and reject everything 
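
Added example, not part of the original message: a small model of how LVM evaluates a devices filter, following the rules documented in lvm.conf(5), so a candidate filter can be checked against a device's path names before it goes into /etc/lvm/lvm.conf. The device names, the iSCSI target name and the filter strings are constructed assumptions, and Python's `re` only approximates LVM's regex engine.

```python
import re

# Constructed sample devices with all their /dev path names (assumed names).
DEVICES = {
    "dom0 system disk": ["/dev/sda2", "/dev/disk/by-id/ata-CONSTRUCTED-part2"],
    "guest iSCSI LUN": [
        "/dev/sdc",
        "/dev/disk/by-path/ip-192.0.2.10:3260-iscsi-iqn.2017-05.example:guest1-lun-0",
    ],
}

# Candidate values for devices { filter = [...] } in /etc/lvm/lvm.conf.
FILTERS = {
    "default (accept all)": ["a|.*|"],
    "reject iscsi": ["r|/dev/disk/by-path/.*-iscsi-.*|"],
    "reject iscsi, then accept all": ["r|/dev/disk/by-path/.*-iscsi-.*|", "a|.*|"],
    "allowlist": ["a|^/dev/sda[0-9]*$|", "r|.*|"],
}


def first_match(patterns, name):
    """Return 'a' or 'r' from the first pattern that matches name, else None."""
    for pat in patterns:
        action, delim = pat[0], pat[1]          # e.g. 'r' and '|'
        regex = pat[2:pat.rindex(delim)]        # text between the delimiters
        if re.search(regex, name):
            return action
    return None


def lvm_scans(patterns, names):
    """Each path name is checked separately: any name whose first match is 'a'
    accepts the device, otherwise any 'r' rejects it, otherwise it is accepted."""
    results = [first_match(patterns, n) for n in names]
    if "a" in results:
        return True
    return "r" not in results


def report():
    """Map each candidate filter to {device: True if dom0 LVM would scan it}."""
    return {
        label: {dev: lvm_scans(pats, names) for dev, names in DEVICES.items()}
        for label, pats in FILTERS.items()
    }


if __name__ == "__main__":
    for label, verdicts in report().items():
        print(f"{label:32} {verdicts}")
```

The third filter still lets dom0 scan the guest LUN, because its /dev/sdc name matches the trailing accept pattern. On hosts running lvmetad, the list belongs in `global_filter` so that the background scanning honours it as well.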


