[Bug 1902103] Re: Ensure default fstab options are sane and consistent across all images
Robert C Jennings
1902103 at bugs.launchpad.net
Fri Mar 12 21:21:18 UTC 2021
@gjolly,
I've taken a look at the 'Where problems could occur' section of the SRU
template and I'm concerned about the risk of regression for users
altering mount options for the root file system.
My concerns involve the root filesystem line alone. I think 'discard'
is nice-to-have but not worth the risk of breaking users that alter the
line via code. I'm not convinced we should change the error option from
'continue' to 'remount-ro' in an SRU either; first because it could
break automation that users have to change the line and second it
changes behavior for error handling that could break user assumptions of
systems already in production should they deploy with a newly built
image and they'll be unlikely to have image qualification tests that
trigger an IO error. I recommend SRU'ing without the changes for the
root filesystem.
The change to the fstab line for the EFI file system pertains to a
security improvement which I like to see. I think the risk is much
lower that a user has automation changing mount options for this file
system. The other risk is one of behavior. Will users have a non-root
user accessing the EFI mountpoint and be broken by this change? Given
the contents of the file system I don't believe it's unlikely most users
would be accessing this directly. I believe the benefit from the change
justifies the umask SRU.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1902103
Title:
Ensure default fstab options are sane and consistent across all images
Status in cloud-images:
New
Status in curtin package in Ubuntu:
Confirmed
Status in livecd-rootfs package in Ubuntu:
Fix Released
Status in maas package in Ubuntu:
Confirmed
Status in subiquity package in Ubuntu:
Confirmed
Status in ubiquity package in Ubuntu:
Confirmed
Bug description:
[Impact]
* In cloud images, the ESP is currently mounted with default (0755)
permissions. This means anyone can read the ESP partition. This can
cause security issues as sensitive data might be put in this
partition[0]
* The root filesystem partition uses defaults mount options. In case
of filesystem error, it is safer to use `remount-ro`. Also for cloud
usage (where storage can be expensive) it makes sense to mount the
root filesystem with `discard`. This will also align cloud images
fstab with what we have elsewhere.
[Test Plan]
* Build a UEFI image from the ubuntu-cpc project in livecd-rootfs
* Launch in KVM
* Check `/etc/fstab` content
* Check that mount options are reflected in 'mount' command output
* Ensure a non-root user cannot access /boot/efi
* Check 'lsblk -D' output to see that there is a non-zero discard
block size for the root device (this check may be imperfect, the goal
is to check that discard from fstab is enabled if available from the
underlying block device)
[Where problems could occur]
* Some users can have automation in place to change those defaults. This
change might break their automation.
* `error=remount-ro` might create issues for certain users. Especially if
the filesystem superblock default was set to `error=continue`. For
those users, any error that was previously ignored will make the
filesystem read-only.
* `discard` parameter might have an impact on i/o throughput and reduce
read/write speed. Also some particular disks might have issues with
TRIM commands[1].
[original description]
The default fstab entries for ubuntu cloud images are:
LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
These entries do not align with the defaults that we use elsewhere. We
should decide on the defaults for fstab, and apply those consistently
across all Ubuntu images.
--
quoted from ~xnox: I expect [these entries] to be:
LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1
LABEL=UEFI /boot/efi vfat umask=0077 0 1
[0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
[1] https://wiki.debian.org/SSDOptimization#WARNING
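
Added example, not part of the bug report or of livecd-rootfs: a Python check that audits fstab text against the entries proposed in the description above, covering the "Check `/etc/fstab` content" step of the test plan. The function names and finding strings are assumptions made for this example; the two sample inputs are the fstab lines quoted in the bug.

```python
# Added example: audit fstab text against the options proposed in this bug.
ROOT_OPTS = {"discard", "errors=remount-ro"}  # proposed for "/"

# Sample inputs: the two pairs of fstab lines quoted in the bug description.
SHIPPED = """LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0
"""
PROPOSED = """LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1
LABEL=UEFI /boot/efi vfat umask=0077 0 1
"""

def parse_fstab(text):
    """Map mountpoint -> (fstype, set of options), skipping comments."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or too short to be an entry
        entries[fields[1]] = (fields[2], set(fields[3].split(",")))
    return entries

def esp_hidden_from_others(opts):
    """True if the vfat masks clear every group/other permission bit."""
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    # fmask/dmask override umask for files/directories respectively.
    masks = [kv.get("fmask", kv.get("umask")), kv.get("dmask", kv.get("umask"))]
    try:
        return all(int(m, 8) & 0o077 == 0o077 for m in masks)
    except (TypeError, ValueError):
        return False  # no (or unparsable) mask: not restricted by fstab

def audit(text):
    """Return a list of findings; an empty list means the text complies."""
    entries = parse_fstab(text)
    findings = []
    if "/" not in entries:
        findings.append("/: no entry")
    else:
        findings += [f"/: missing {o}" for o in sorted(ROOT_OPTS - entries["/"][1])]
    if "/boot/efi" not in entries:
        findings.append("/boot/efi: no entry")
    elif not esp_hidden_from_others(entries["/boot/efi"][1]):
        findings.append("/boot/efi: group/other access not masked")
    return findings

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        print(name, audit(text) or "OK")
```

This only inspects the fstab text; the test plan's remaining steps (the `mount` output, access as a non-root user, `lsblk -D`) still have to be run on the booted image.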