kvm: add option to run a partition pre-destroy script which wipe vm disk before destroy them

software/kvm/common.cfg

@@ -89,7 +89,7 @@ command =
 [template]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance.cfg.in
-md5sum = f40a938400e789361c95d5a9246bf0ef 
+md5sum = bf5ef731c0d8da0267a4939882b4eeee 
 output = ${buildout:directory}/template.cfg
 mode = 0644
 
@@ -98,7 +98,7 @@ recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/instance-kvm.cfg.jinja2
 mode = 644
-md5sum = a849d4a6060fdb4e9e86917fb77ef153
+md5sum = 4c434dfbf3ead1931c03f1cff4f17095
 download-only = true
 on-update = true
 
@@ -107,7 +107,7 @@ recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/instance-kvm-cluster.cfg.jinja2.in
 mode = 644
-md5sum = d9745bc9bd1d22a640a628c005f88ffb
+md5sum = 7564496147a0e3b8a9f07dc794799a92
 download-only = true
 on-update = true
 

software/kvm/instance-kvm-cluster-input-schema.json

@@ -341,6 +341,20 @@
               "default": "qcow2",
               "enum": ["qcow2", "raw", "vdi", "vmdk", "cloop", "qed"]
             },
+            "wipe-disk-ondestroy": {
+              "title": "Wipe disks when destroy the VM",
+              "description": "Say if disks should be wiped by writing new data over every single bit before delete them. This option is used to securely delete VM disks",
+              "type": "boolean",
+              "default": false
+            },
+            "wipe-disk-iterations": {
+              "title": "Wipe disk iterations",
+              "description": "Number of disk overwrite iterations with random data. Default is 1. WARNING: Increase this value will slow down partition destruction and increase IO.",
+              "type": "integer",
+              "default": 1,
+              "minimum": 1,
+              "maximum": 5
+            },
             "use-tap": {
               "title": "Enable QEMU TAP network interface",
               "description": "Use QEMU TAP network interface, might require a bridge on SlapOS Node.",

software/kvm/instance-kvm-cluster.cfg.jinja2.in

@@ -82,7 +82,11 @@ config-enable-monitor = {{ enable_monitoring }}
 config-monitor-cors-domains = {{ slapparameter_dict.get('monitor-cors-domains', 'monitor.app.officejs.com') }}
 config-monitor-username = ${monitor-instance-parameter:username}
 config-monitor-password = ${monitor-htpasswd:passwd}
-
+# Enable disk wipe options
+{% if kvm_parameter_dict.get('wipe-disk-ondestroy', False) -%}
+config-wipe-disk-ondestroy = True
+config-wipe-disk-iterations = {{ dumps(kvm_parameter_dict.get('wipe-disk-iterations', 1)) }}
+{% endif -%}
 # Enable simple http server on ipv6 so all VMs will access it
 config-document-host = ${apache-conf:ip}
 config-document-port = ${apache-conf:port}

software/kvm/instance-kvm-input-schema.json

@@ -159,6 +159,21 @@
       "enum": ["qcow2", "raw", "vdi", "vmdk", "cloop", "qed"]
     },
 
+    "wipe-disk-ondestroy": {
+      "title": "Wipe disks when destroy the VM",
+      "description": "Say if disks should be wiped by writing new data over every single bit before delete them. This option is used to securely delete VM disks",
+      "type": "boolean",
+      "default": false
+    },
+    "wipe-disk-iterations": {
+      "title": "Wipe disk iterations",
+      "description": "Number of disk overwrite iterations with random data. Default is 1. WARNING: Increase this value will slow down partition destruction and increase IO.",
+      "type": "integer",
+      "default": 1,
+      "minimum": 1,
+      "maximum": 5
+    },
+
     "use-tap": {
       "title": "Use QEMU TAP network interface",
       "description": "Use QEMU TAP network interface, might require a bridge on SlapOS Node.",

software/kvm/instance-kvm.cfg.jinja2

 {% set enable_http = slapparameter_dict.get('enable-http-server', 'False').lower() -%}
 {% set use_tap = slapparameter_dict.get('use-tap', 'False').lower() -%}
 {% set use_nat = slapparameter_dict.get('use-nat', 'True').lower() -%}
+{% set wipe_disk = slapparameter_dict.get('wipe-disk-ondestroy', 'False').lower() -%}
 {% set nat_restrict = slapparameter_dict.get('nat-restrict-mode', 'False').lower() -%}
 {% set name = slapparameter_dict.get('name', 'localhost') -%}
 {% set disable_ansible_promise = slapparameter_dict.get('disable-ansible-promise', 'True').lower() -%}
@@ -42,6 +43,7 @@ services = ${:etc}/service
 promises = ${:etc}/promise
 novnc-conf = ${:etc}/novnc
 run = ${:var}/run
+wipe = ${:run}/slapos/pre-destroy
 ca-dir = ${:srv}/ssl
 public = ${:srv}/public/
 cron-entries = ${:etc}/cron.d
@@ -219,6 +221,19 @@ input = inline:#!/bin/sh
 output = ${directory:promises}/kvm-disk-image-corruption
 mode = 700
 
+{% if wipe_disk == 'true' -%}
+{% do part_list.append('wipe-disk-wrapper') -%}
+{% set wipe_file_list = '${kvm-parameter-dict:disk-path}' -%}
+{% for key, path in storage_dict.items() -%}
+{%   set wipe_file_list  = wipe_file_list  ~ ' ' ~ path ~ '/*' -%}
+{% endfor -%}
+[wipe-disk-wrapper]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:wipe}/slapos_wipe_qemu_disk
+command-line = 
+  {{ wipe_disk_wrapper }} -n {{ slapparameter_dict.get('wipe-disk-iterations', 1) }} -suz --check-pid-file ${kvm-parameter-dict:pid-file-path} --file {{ wipe_file_list }}
+{% endif -%}
+
 [kvm-started-promise]
 recipe = slapos.recipe.template:jinja2
 template = {{ qemu_start_promise_tpl }}

software/kvm/instance.cfg.in

@@ -103,6 +103,7 @@ context =
     raw template_kvm_run ${template-kvm-run:location}/${template-kvm-run:filename}
     raw template_monitor ${monitor2-template:rendered}
     raw websockify_executable_location ${buildout:directory}/bin/websockify
+    raw wipe_disk_wrapper ${buildout:directory}/bin/securedelete
 template-parts-destination = ${template-parts:target}
 template-replicated-destination = ${template-replicated:target}
 import-list = file parts :template-parts-destination