Is rbd_discard enough to wipe an RBD image?

Is rbd_discard enough to wipe an RBD image?

[Wido den Hollander]

Hi,

I'm busy implementing the volume wiping method of the libvirt storage
pool backend and instead of writing to the whole RBD image with zeroes
I'm using rbd_discard.

Using a 4MB length I'm starting at offset 0 and work my way through the
whole RBD image.

A quick try shows me that my partition table + filesystem are gone on
the RBD image after I've run rbd_discard.

I just want to know if this is sufficient to wipe a RBD image? Or would
it be better to fully fill the image with zeroes?

-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on

Re: Is rbd_discard enough to wipe an RBD image?

[Alexandre DERUMIER]

>>I just want to know if this is sufficient to wipe a RBD image?

AFAIK, ceph write zeroes in the rados objects with discard is used.

They are an option for skip zeroes write if needed

OPTION(rbd_skip_partial_discard, OPT_BOOL, false) // when trying to discard a range inside an object, set to true to skip zeroing the range.
----- Mail original -----
De: "Wido den Hollander" <wido@42on.com>
À: "ceph-devel" <ceph-devel@vger.kernel.org>
Envoyé: Dimanche 20 Décembre 2015 22:21:50
Objet: Is rbd_discard enough to wipe an RBD image?

Hi, 

I'm busy implementing the volume wiping method of the libvirt storage 
pool backend and instead of writing to the whole RBD image with zeroes 
I'm using rbd_discard. 

Using a 4MB length I'm starting at offset 0 and work my way through the 
whole RBD image. 

A quick try shows me that my partition table + filesystem are gone on 
the RBD image after I've run rbd_discard. 

I just want to know if this is sufficient to wipe a RBD image? Or would 
it be better to fully fill the image with zeroes? 

-- 
Wido den Hollander 
42on B.V. 
Ceph trainer and consultant 

Phone: +31 (0)20 700 9902 
Skype: contact42on 
-- 
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in 
the body of a message to majordomo@vger.kernel.org 
More majordomo info at http://vger.kernel.org/majordomo-info.html 
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Is rbd_discard enough to wipe an RBD image?

[Jason Dillaman]

You will have to ensure that your writes are properly aligned with the object size (or object set if fancy striping is used on the RBD volume).  In that case, the discard is translated to remove operations on each individual backing object.  The only time zeros are written to disk is if you specify an offset somewhere in the middle of an object (i.e. the whole object cannot be deleted nor can it be truncated) -- this is the partial discard case controlled by that configuration param.  

-- 

Jason Dillaman 


----- Original Message -----
> From: "Alexandre DERUMIER" <aderumier@odiso.com>
> To: "Wido den Hollander" <wido@42on.com>
> Cc: "ceph-devel" <ceph-devel@vger.kernel.org>
> Sent: Monday, December 21, 2015 9:25:15 AM
> Subject: Re: Is rbd_discard enough to wipe an RBD image?
> 
> >>I just want to know if this is sufficient to wipe a RBD image?
> 
> AFAIK, ceph write zeroes in the rados objects with discard is used.
> 
> They are an option for skip zeroes write if needed
> 
> OPTION(rbd_skip_partial_discard, OPT_BOOL, false) // when trying to discard a
> range inside an object, set to true to skip zeroing the range.
> ----- Mail original -----
> De: "Wido den Hollander" <wido@42on.com>
> À: "ceph-devel" <ceph-devel@vger.kernel.org>
> Envoyé: Dimanche 20 Décembre 2015 22:21:50
> Objet: Is rbd_discard enough to wipe an RBD image?
> 
> Hi,
> 
> I'm busy implementing the volume wiping method of the libvirt storage
> pool backend and instead of writing to the whole RBD image with zeroes
> I'm using rbd_discard.
> 
> Using a 4MB length I'm starting at offset 0 and work my way through the
> whole RBD image.
> 
> A quick try shows me that my partition table + filesystem are gone on
> the RBD image after I've run rbd_discard.
> 
> I just want to know if this is sufficient to wipe a RBD image? Or would
> it be better to fully fill the image with zeroes?
> 
> --
> Wido den Hollander
> 42on B.V.
> Ceph trainer and consultant
> 
> Phone: +31 (0)20 700 9902
> Skype: contact42on
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Is rbd_discard enough to wipe an RBD image?

[Josh Durgin]

On 12/21/2015 07:09 AM, Jason Dillaman wrote:
> You will have to ensure that your writes are properly aligned with the object size (or object set if fancy striping is used on the RBD volume).  In that case, the discard is translated to remove operations on each individual backing object.  The only time zeros are written to disk is if you specify an offset somewhere in the middle of an object (i.e. the whole object cannot be deleted nor can it be truncated) -- this is the partial discard case controlled by that configuration param.
>

I'm curious what's using the virVolWipe stuff - it can't guarantee it's
actually wiping the data in many common configurations, not just with
ceph but with any kind of disk, since libvirt is usually not consuming
raw disks, and with modern flash and smr drives even that is not enough.
There's a recent patch improving the docs on this [1].

If the goal is just to make the data inaccessible to the libvirt user,
removing the image is just as good.

That said, with rbd there's not much cost to zeroing the image with
object map enabled - it's effectively just doing the data removal step
of 'rbd rm' early.

Josh

[1] http://comments.gmane.org/gmane.comp.emulators.libvirt/122235

Re: Is rbd_discard enough to wipe an RBD image?

[Wido den Hollander]

On 12/21/2015 04:50 PM, Josh Durgin wrote:
> On 12/21/2015 07:09 AM, Jason Dillaman wrote:
>> You will have to ensure that your writes are properly aligned with the
>> object size (or object set if fancy striping is used on the RBD
>> volume).  In that case, the discard is translated to remove operations
>> on each individual backing object.  The only time zeros are written to
>> disk is if you specify an offset somewhere in the middle of an object
>> (i.e. the whole object cannot be deleted nor can it be truncated) --
>> this is the partial discard case controlled by that configuration param.
>>
> 
> I'm curious what's using the virVolWipe stuff - it can't guarantee it's
> actually wiping the data in many common configurations, not just with
> ceph but with any kind of disk, since libvirt is usually not consuming
> raw disks, and with modern flash and smr drives even that is not enough.
> There's a recent patch improving the docs on this [1].
> 
> If the goal is just to make the data inaccessible to the libvirt user,
> removing the image is just as good.
> 
> That said, with rbd there's not much cost to zeroing the image with
> object map enabled - it's effectively just doing the data removal step
> of 'rbd rm' early.
> 

I was looking at the features the RBD storage pool driver is missing in
libvirt and it is:

- Build from Volume. That's RBD cloning
- Uploading and Downloading Volume
- Wiping Volume

The thing about wiping in libvirt is that the volume still exists
afterwards, it is just empty.

My discard code now works, but I wanted to verify. If I understand Jason
correctly it would be a matter of figuring out the 'order' of a image
and call rbd_discard in a loop until you reach the end of the image.

I just want libvirt to be as feature complete as possible when it comes
to RBD.

Wido

> Josh
> 
> [1] http://comments.gmane.org/gmane.comp.emulators.libvirt/122235
> -- 
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on

Re: Is rbd_discard enough to wipe an RBD image?

[Josh Durgin]

On 12/21/2015 11:00 AM, Wido den Hollander wrote:
> My discard code now works, but I wanted to verify. If I understand Jason
> correctly it would be a matter of figuring out the 'order' of a image
> and call rbd_discard in a loop until you reach the end of the image.

You'd need to get the order via rbd_stat(), convert it to object size 
(i.e. (1 << order)), and fetch stripe_count with rbd_get_stripe_count().

Then do the discards in (object size * stripe_count) chunks. This
ensures you discard entire objects. This is the size you'd want to use
for import/export as well, ideally.

> I just want libvirt to be as feature complete as possible when it comes
> to RBD.

I see, makes sense.

Josh

Re: Is rbd_discard enough to wipe an RBD image?

[Wido den Hollander]

On 12/21/2015 11:20 PM, Josh Durgin wrote:
> On 12/21/2015 11:00 AM, Wido den Hollander wrote:
>> My discard code now works, but I wanted to verify. If I understand Jason
>> correctly it would be a matter of figuring out the 'order' of a image
>> and call rbd_discard in a loop until you reach the end of the image.
> 
> You'd need to get the order via rbd_stat(), convert it to object size
> (i.e. (1 << order)), and fetch stripe_count with rbd_get_stripe_count().
> 
> Then do the discards in (object size * stripe_count) chunks. This
> ensures you discard entire objects. This is the size you'd want to use
> for import/export as well, ideally.
> 

Thanks! I just implemented this, could you take a look?

https://github.com/wido/libvirt/commit/b07925ad50fdb6683b5b21deefceb0829a7842dc

>> I just want libvirt to be as feature complete as possible when it comes
>> to RBD.
> 
> I see, makes sense.
> 
> Josh
> -- 
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on