** Description changed:

+ [Impact]
+
+  * In cloud images, the ESP is currently mounted with default (0755)
+ permissions. This means anyone can read the ESP partition. This can
+ cause security issues as sensitive data might be put in this
+ partition[1]
+
+  * The root filesystem partition uses defaults mount options. In case
+ of filesystem error, it is safer to use `remount-ro`. Also for cloud
+ usage (where storage can be expensive) it makes sense to mount the
+ root filesystem with `discard`. This will also align cloud images
+ fstab with what we have elsewhere.
+
+ [Test Plan]
+
+  * Start a GCE or a KVM instance
+
+  * Check `/etc/fstab` content
+
+ [Where problems could occur]
+
+  * Some users can have automation in place change those defaults. This
+ change might break their automation.
+
+  * `error=remount-ro` might create issues for certain user. Especially if
+ the filesystem superblock default was set to `error=continue`. For
+ those users, any error that was previously ignored will make the
+ filesystem read-only.
+
+  * `discard` parameter might have an impact on i/o throughput and reduce
+ read/write speed. Also some particular disk might have issues with
+ TRIM commands[2].
+
+ [0] https://bugs.launchpad.net/cloud-images/+bug/1881006/comments/11
+ [1] http://cloud-images.ubuntu.com/daily/server/focal/current/
+ [2] https://wiki.debian.org/SSDOptimization#WARNING
+
+ [original description]
+
The default fstab entries for ubuntu cloud images are:

LABEL=cloudimg-rootfs / ext4 defaults 0 0
LABEL=UEFI /boot/efi vfat defaults 0 0

These entries do not align with the defaults that we use elsewhere. We should decide on the defaults for fstab, and apply those consistently across all Ubuntu images.

-- quoted from ~xnox:

I expect [these entries] to be:

LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1
LABEL=UEFI /boot/efi vfat umask=0077 0 1
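Review bot: the [Where problems could occur] section spells the mount option `error=remount-ro` and `error=continue`, while the expected fstab line quoted at the end of the description uses `errors=remount-ro`; use the `errors=` spelling throughout so the text matches the entry that is meant to land in fstab. The footnotes also look shifted by one: the sensitive-data claim in [Impact] cites [1], which is the daily image directory, while [0] (a comment on bug 1881006) is never cited. The [Test Plan] says only to check `/etc/fstab` content; listing the two expected lines, and also checking the permissions of the mounted `/boot/efi`, would make the plan verifiable.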
https://bugs.launchpad.net/bugs/1902103

Title:
  Ensure default fstab options are sane and consistent across all images
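The check implied by the test plan, as an added example that is not part of the bug report or of any Ubuntu tooling: a POSIX shell function audits an fstab file for the options ~xnox expects (`discard,errors=remount-ro` on `/`, `umask=0077` on `/boot/efi`). The function names are made up for this example; the sample input is the pair of current default entries quoted in the description.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit fstab against the
# options proposed in the bug description.

# has_opt OPTS NAME -> 0 if NAME is one of the comma-separated options.
# Wrapping both sides in commas stops "nodiscard" from matching "discard".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cloud_fstab [FILE] -> one line per finding; returns 0 if none.
# Reads standard input when FILE is omitted.
check_cloud_fstab() {
    rc=0
    seen_root=0
    # fstab fields: device, mount point, type, options, dump, pass.
    # The "|| [ -n ... ]" keeps a final line that lacks a newline.
    while read -r dev mnt _type opts _dump _pass || [ -n "$dev" ]; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$mnt" in
        /)
            seen_root=1
            has_opt "$opts" errors=remount-ro ||
                { echo "root: missing errors=remount-ro ($opts)"; rc=1; }
            has_opt "$opts" discard ||
                { echo "root: missing discard ($opts)"; rc=1; }
            ;;
        /boot/efi)
            # vfat stores no per-file modes, so the umask mount option
            # is what keeps non-root users out of the ESP.
            has_opt "$opts" umask=0077 ||
                { echo "ESP: missing umask=0077 ($opts)"; rc=1; }
            ;;
        esac
    done < "${1:-/dev/stdin}"
    [ "$seen_root" -eq 1 ] || { echo "no root entry found"; rc=1; }
    return "$rc"
}

# Sample input: the current default entries quoted in the description.
sample_current() {
    printf '%s\n' 'LABEL=cloudimg-rootfs / ext4 defaults 0 0' \
                  'LABEL=UEFI /boot/efi vfat defaults 0 0'
}

sample_current | check_cloud_fstab || true   # prints three findings
```

On an instance from the test plan, `check_cloud_fstab /etc/fstab` performs the same audit against the real file.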
