MAAS does not securely wipe nodes between provisioning

Bug #1308194 reported by Dustin Kirkland 
This bug affects 3 people
Affects: MAAS | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: (none)

Bug Description

Heard from a customer today. MAAS needs an option to securely wipe nodes' disks in between provisioning. A dd of /dev/zero to the entire disk would suffice. The goal is that a subsequent user of a MAAS node has no knowledge about previous data loaded on that node.

Revision history for this message
Gavin Panella (allenap) wrote :

I think this falls under the nascent node lifecycle work, e.g. the decommission and recommission steps in http://goo.gl/ov8oqs. Like we have already to commission a node, we would have configurable steps when a node is taken out of service, or when it's being released to the pool.

tags: added: node-lifecycle
Changed in maas:
status: New → Triaged
importance: Undecided → High
summary: - MAAS needs an option to securely wipe nodes between provisioning
+ MAAS does not securely wipe nodes between provisioning
Revision history for this message
Joey Stanford (joey) wrote :

As per bug #1336484 which I've duped into here, it needs to be "All physical media will need to have its data securely erased with a DoD 3-Pass Short Wipe (DoD 5220 22M) immediately after being taken out of service. "

Revision history for this message
Julian Edwards (julian-edwards) wrote : Re: [Bug 1308194] Re: MAAS does not securely wipe nodes between provisioning

How would people feel about making this a global configuration item?

Revision history for this message
Graham Binns (gmb) wrote :

On 2 July 2014 01:27, Julian Edwards <email address hidden> wrote:
> How would people feel about making this a global configuration item?

Who is "people"?

In Austin, we talked about introducing a decommissioning phase to the
node lifecycle; making this a global option seems to fit perfectly.
Making it a global option means we'll have to work out how to do it
for other OSes, but that shouldn't be too hard to achieve — I suppose
we could even do an ephemeral boot to wipe everything, but I'm getting
into implementation details now.

Revision history for this message
Julian Edwards (julian-edwards) wrote :

On 02/07/14 16:59, Graham Binns wrote:
> On 2 July 2014 01:27, Julian Edwards <email address hidden> wrote:
>> How would people feel about making this a global configuration item?
>
> Who is "people"?

Subscribers :)

> In Austin, we talked about introducing a decommissioning phase to the
> node lifecycle; making this a global option seems to fit perfectly.
> Making it a global option means we'll have to work out how to do it
> for other OSes, but that shouldn't be too hard to achieve — I suppose
> we could even do an ephemeral boot to wipe everything, but I'm getting
> into implementation details now.

OSes are irrelevant - you can reboot The One And Only OS in the
ephemeral environment and run a secure wipe prog.

You might have even just said that but I'm making it explicit :)

Revision history for this message
Graham Binns (gmb) wrote :

On 2 July 2014 08:21, Julian Edwards <email address hidden> wrote:
> You might have even just said that but I'm making it explicit :)

I did, but I obfuscated it by being sleepy. Thanks for clarifying it
for everyone else :)

Revision history for this message
Joey Stanford (joey) wrote :

Hi! From my point of view, a global would be fine.

I can imagine cases where only one group of nodes might need this and it would be overkill for the others. This would have a speed impact when deprovisioning.

Depending on how you implement this, you might be able to provide some additional tunables such as "how many passes"? (e.g. shred -vzf -n X /dev/sda where X is the number of passes (default of 3) for a non-journaled filesystem.)

Several SSDs support "Secure Erase", so you could do this at the disk/controller level vs using an OS command, but this may end up being too custom.

If it's of any benefit, I'd be happy to brainstorm and/or review the implementation details with you when you work on this item.
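The multi-pass overwrite and "how many passes" tunable discussed in the comment above, written out as an added example; this is not MAAS code and not the Disk Erasing feature later shipped in 1.7. It assumes a Linux host with GNU coreutils (shred, dd, tr, wc); the helper names wipe_target, verify_zeroed and make_fake_disk are this example's own, and the disk image it builds is a constructed stand-in for a real device. It goes one step past the comment by reading the target back after the wipe to confirm that nothing but zeros remains, which is the check an operator would want before releasing a node to another tenant.

```shell
#!/bin/sh
# Added example (not MAAS code): overwrite a block device or disk image with a
# configurable number of random passes plus a final zero pass, then read it
# back to confirm that no non-zero byte survived.
# Assumes GNU coreutils (shred, dd, tr, wc) on Linux; helper names are ours.

# wipe_target DEVICE_OR_FILE [PASSES]
# Returns 0 on success, 1 on bad arguments, 2 if the device is still mounted.
wipe_target() {
    target=$1
    passes=${2:-3}    # default of 3 passes, matching the comment above

    # The pass count must be a positive integer.
    case $passes in
        ''|*[!0-9]*|0) echo "invalid pass count: $passes" >&2; return 1 ;;
    esac

    # Only block devices and regular files (disk images) are acceptable targets.
    if [ ! -b "$target" ] && [ ! -f "$target" ]; then
        echo "not a block device or regular file: $target" >&2
        return 1
    fi

    # Never overwrite a device that is still mounted (Linux /proc/mounts).
    if [ -b "$target" ] && grep -qs "^$target " /proc/mounts; then
        echo "refusing to wipe mounted device: $target" >&2
        return 2
    fi

    # N random passes, then a final zero pass (-z) so the result reads as zeros;
    # -f forces write permission, -v progress output is discarded here.
    shred -vzf -n "$passes" "$target" 2>/dev/null
}

# verify_zeroed DEVICE_OR_FILE
# Returns 0 if every byte reads back as zero, 1 otherwise.
verify_zeroed() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# make_fake_disk FILE SIZE_MiB
# Constructed test image filled with random data, standing in for a node disk.
make_fake_disk() {
    dd if=/dev/urandom of="$1" bs=1048576 count="$2" 2>/dev/null
}

# Usage on a disk image (a real node would pass its block device instead):
#   make_fake_disk /tmp/node.img 1
#   wipe_target /tmp/node.img 3 && verify_zeroed /tmp/node.img && echo wiped
```

The read-back check is deliberately separate from the wipe so it can run from a different context (for example the ephemeral environment mentioned earlier in the thread) and so a failed verification is reported as its own exit status rather than being lost in shred's output. On SSDs an overwrite only reaches the logical address space, so the controller-level Secure Erase mentioned above remains the more thorough option there.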

Revision history for this message
Blake Rouse (blake-rouse) wrote :

This is now supported in 1.7. It is not enabled by default, but can be enabled on the settings page. All disks will be wiped when a node is released.

Changed in maas:
status: Triaged → Invalid
Revision history for this message
Jason Hobbs (jason-hobbs) wrote :

Just a minor note here - the feature in MAAS is called Disk Erasing - it doesn't make any claims to meet any security standards for disk erasure though, and isn't advertised as "secure disk wipe".

Revision history for this message
Christian Reis (kiko) wrote :

Fixing the status as per Blake's comment.

Changed in maas:
status: Invalid → Fix Released