** Description changed: [Impact] * In cloud images, the ESP is currently mounted with default (0755) permissions. This means anyone can read the ESP partition. This can cause security issues as sensitive data might be put in this partition[0] * The root filesystem partition uses defaults mount options. In case of filesystem error, it is safer to use `remount-ro`. Also for cloud usage (where storage can be expensive) it makes sense to mount the root filesystem with `discard`. This will also align cloud images fstab with what we have elsewhere. [Test Plan] - * Start a GCE or a KVM instance + * Build an uefi image from the ubuntu-cpc project in livecd-rootfs + + * Launch in KVM * Check `/etc/fstab` content + + * Check that mount options are reflected in 'mount' command output + + * Ensure a non-root user can not access /boot/efi + + * Check 'tune2fs -l $root_fs_dev' output for 'Error behavior' to match + remount-ro [Where problems could occur] * Some users can have automation in place change those defaults. This change might break their automation. * `error=remount-ro` might create issues for certain user. Especially if the filesystem superblock default was set to `error=continue`. For those users, any error that was previously ignored will make the filesystem read-only. * `discard` parameter might have an impact on i/o throughput and reduce read/write speed. Also some particular disk might have issues with TRIM commands[1]. [original description] The default fstab entries for ubuntu cloud images are: LABEL=cloudimg-rootfs / ext4 defaults 0 0 LABEL=UEFI /boot/efi vfat defaults 0 0 These entries do not align with the defaults that we use elsewhere. We should decide on the defaults for fstab, and apply those consistently across all Ubuntu images. -- quoted from ~xnox: I expect [these entries] to be: LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1 LABEL=UEFI /boot/efi vfat umask=0077 0 1 - [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11 [1] https://wiki.debian.org/SSDOptimization#WARNING
** Description changed: [Impact] * In cloud images, the ESP is currently mounted with default (0755) permissions. This means anyone can read the ESP partition. This can cause security issues as sensitive data might be put in this partition[0] * The root filesystem partition uses defaults mount options. In case of filesystem error, it is safer to use `remount-ro`. Also for cloud usage (where storage can be expensive) it makes sense to mount the root filesystem with `discard`. This will also align cloud images fstab with what we have elsewhere. [Test Plan] - * Build an uefi image from the ubuntu-cpc project in livecd-rootfs + * Build an uefi image from the ubuntu-cpc project in livecd-rootfs * Launch in KVM * Check `/etc/fstab` content - * Check that mount options are reflected in 'mount' command output + * Check that mount options are reflected in 'mount' command output - * Ensure a non-root user can not access /boot/efi - - * Check 'tune2fs -l $root_fs_dev' output for 'Error behavior' to match - remount-ro + * Ensure a non-root user can not access /boot/efi [Where problems could occur] * Some users can have automation in place change those defaults. This change might break their automation. * `error=remount-ro` might create issues for certain user. Especially if the filesystem superblock default was set to `error=continue`. For those users, any error that was previously ignored will make the filesystem read-only. * `discard` parameter might have an impact on i/o throughput and reduce read/write speed. Also some particular disk might have issues with TRIM commands[1]. [original description] The default fstab entries for ubuntu cloud images are: LABEL=cloudimg-rootfs / ext4 defaults 0 0 LABEL=UEFI /boot/efi vfat defaults 0 0 These entries do not align with the defaults that we use elsewhere. We should decide on the defaults for fstab, and apply those consistently across all Ubuntu images. -- quoted from ~xnox: I expect [these entries] to be: LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1 LABEL=UEFI /boot/efi vfat umask=0077 0 1 [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11 [1] https://wiki.debian.org/SSDOptimization#WARNING ** Description changed: [Impact] * In cloud images, the ESP is currently mounted with default (0755) permissions. This means anyone can read the ESP partition. This can cause security issues as sensitive data might be put in this partition[0] * The root filesystem partition uses defaults mount options. In case of filesystem error, it is safer to use `remount-ro`. Also for cloud usage (where storage can be expensive) it makes sense to mount the root filesystem with `discard`. This will also align cloud images fstab with what we have elsewhere. [Test Plan] * Build an uefi image from the ubuntu-cpc project in livecd-rootfs * Launch in KVM * Check `/etc/fstab` content * Check that mount options are reflected in 'mount' command output * Ensure a non-root user can not access /boot/efi + + * Check 'lsblk -D' output to see that there is a non-zero discard block + size for the root device (this check may be imperfect, the goal is to + check that discard from fstab is enabled if available from the + underlying block device) [Where problems could occur] * Some users can have automation in place change those defaults. This change might break their automation. * `error=remount-ro` might create issues for certain user. Especially if the filesystem superblock default was set to `error=continue`. For those users, any error that was previously ignored will make the filesystem read-only. * `discard` parameter might have an impact on i/o throughput and reduce read/write speed. Also some particular disk might have issues with TRIM commands[1]. [original description] The default fstab entries for ubuntu cloud images are: LABEL=cloudimg-rootfs / ext4 defaults 0 0 LABEL=UEFI /boot/efi vfat defaults 0 0 These entries do not align with the defaults that we use elsewhere. We should decide on the defaults for fstab, and apply those consistently across all Ubuntu images. -- quoted from ~xnox: I expect [these entries] to be: LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1 LABEL=UEFI /boot/efi vfat umask=0077 0 1 [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11 [1] https://wiki.debian.org/SSDOptimization#WARNING -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1902103 Title: Ensure default fstab options are sane and consistent across all images To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-images/+bug/1902103/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
