[Bug 1902103] Re: Ensure default fstab options are sane and consistent across all images
Gauthier Jolly
1902103 at bugs.launchpad.net
Fri Mar 12 13:45:41 UTC 2021
** Description changed:
+ [Impact]
+
+ * In cloud images, the ESP is currently mounted with default (0755)
+ permissions. This means anyone can read the ESP partition. This can
+ cause security issues as sensitive data might be put in this
+ partition[1]
+
+ * The root filesystem partition uses defaults mount options. In case
+ of filesystem error, it is safer to use `remount-ro`. Also for cloud
+ usage (where storage can be expensive) it makes sense to mount the
+ root filesystem with `discard`. This will also align cloud images
+ fstab with what we have elsewhere.
+
+ [Test Plan]
+
+ * Start a GCE or a KVM instance
+
+ * Check `/etc/fstab` content
+
+ [Where problems could occur]
+
+ * Some users can have automation in place change those defaults. This
+ change might break their automation.
+
+ * `error=remount-ro` might create issues for certain user. Especially if
+ the filesystem superblock default was set to `error=continue`. For
+ those users, any error that was previously ignored will make the
+ filesystem read-only.
+
+ * `discard` parameter might have an impact on i/o throughput and reduce
+ read/write speed. Also some particular disk might have issues with
+ TRIM commands[2].
+
+ [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
+ [1] http://cloud-images.ubuntu.com/daily/server/focal/current/
+ [2] https://wiki.debian.org/SSDOptimization#WARNING
+
+ [original description]
+
The default fstab entries for ubuntu cloud images are:
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
These entries do not align with the defaults that we use elsewhere. We
should decide on the defaults for fstab, and apply those consistently
across all Ubuntu images.
--
quoted from ~xnox: I expect [these entries] to be:
LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1
LABEL=UEFI /boot/efi vfat umask=0077 0 1
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1902103
Title:
Ensure default fstab options are sane and consistent across all images
Status in cloud-images:
New
Status in curtin package in Ubuntu:
Confirmed
Status in livecd-rootfs package in Ubuntu:
Fix Released
Status in maas package in Ubuntu:
Confirmed
Status in subiquity package in Ubuntu:
Confirmed
Status in ubiquity package in Ubuntu:
Confirmed
Bug description:
[Impact]
* In cloud images, the ESP is currently mounted with default (0755)
permissions. This means anyone can read the ESP partition. This can
cause security issues as sensitive data might be put in this
partition[1]
* The root filesystem partition uses defaults mount options. In case
of filesystem error, it is safer to use `remount-ro`. Also for cloud
usage (where storage can be expensive) it makes sense to mount the
root filesystem with `discard`. This will also align cloud images
fstab with what we have elsewhere.
[Test Plan]
* Start a GCE or a KVM instance
* Check `/etc/fstab` content
[Where problems could occur]
* Some users can have automation in place change those defaults. This
change might break their automation.
* `error=remount-ro` might create issues for certain user. Especially if
the filesystem superblock default was set to `error=continue`. For
those users, any error that was previously ignored will make the
filesystem read-only.
* `discard` parameter might have an impact on i/o throughput and reduce
read/write speed. Also some particular disk might have issues with
TRIM commands[2].
[0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
[1] http://cloud-images.ubuntu.com/daily/server/focal/current/
[2] https://wiki.debian.org/SSDOptimization#WARNING
[original description]
The default fstab entries for ubuntu cloud images are:
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
These entries do not align with the defaults that we use elsewhere. We
should decide on the defaults for fstab, and apply those consistently
across all Ubuntu images.
--
quoted from ~xnox: I expect [these entries] to be:
LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1
LABEL=UEFI /boot/efi vfat umask=0077 0 1
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/1902103/+subscriptions
More information about the foundations-bugs
mailing list