From f74759eede77b8503a03d3ea24b5a46dafa18307 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 6 Feb 2018 08:08:07 +0000
Subject: [PATCH] disk-trim 4.0 updates

add introduction
relocate some existing content to introduction
add generic content
add 4.0 and 3.2.1 content
update 3.2 content
remove reference to WONTFIX bug
---
 configuration/disk-trim.md | 84 +++++++++++++++++++++++++++++++++-----
 1 file changed, 74 insertions(+), 10 deletions(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index cbb67259..7478fd98 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -8,31 +8,95 @@ redirect_from: - /wiki/DiskTRIM/ --- -VMs have already TRIM enabled by default, but dom0 doesn't. There are some security implications (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but IMO not very serious. +Disk Trim +---------- + +Disk trimming is the procedure by which the operating system informs the underlying storage device of which storage blocks are no longer in use. +It does this by issuing an `ATA_TRIM` command for the block. This is also known as a `discard`. +In this way, the storage device can perform garbage collection of the unused blocks and internally prepare them for reuse. SSDs in general benefit from this, while HDDs do not. + +In a Linux system running on bare metal, this is relatively straight-forward. +When instructed by the operating system, discards are issued by the file-system driver directly to the storage driver and then to the SSD. + +In Qubes, this gets more complex due to virtualization, LUKS, and LVM (and thin pools on R4.0 and up). +If you run `fstrim --all` inside a TemplateVM, the `discard` can follow a path like: + + OS -> File-system Driver -> Virtual Storage Driver -> Backend Storage Driver -> LVM Storage Driver -> LUKS Driver -> Physical Storage Driver -> Physical Storage Device + +If discards are not supported at any one of those layers, it will not make it to the underlying physical device. + +There are some security implications to permitting TRIM (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but in most cases not exploitable. + + +Configuration +---------- + +In all versions of Qubes, you may want to set up a periodic job in `dom0` to trim the disk. + +This can be done from a terminal as root, by creating a `trim` file in `/etc/cron.daily` (or `/etc/cron.weekly`). 
+Add the following contents: + +``` +#!/bin/bash +/sbin/fstrim --all +``` + +And mark it as executable with `chmod 755 /etc/cron.daily/trim`. + +**Note** Although discards can be issued on every delete by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead. + +If you are using Qubes with LVM, you may also want to set `issue_discards = 1` in `/etc/lvm/lvm.conf`. +Setting this option will permit LVM to issue discards to the SSD when logical volumes are shrunk or deleted. +This is relatively rare in R3.x, but more frequent in R4.x with disposable VMs. + +To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a number of bytes trimmed). + +See also version specific notes below. + + +R4.0 +---------- + +TRIM support is enabled by default at all layers, including LUKS. + +LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` in `/etc/lvm/lvm.conf` is recommended if using an SSD. + + +R3.2.1 +---------- + +TRIM support is enabled by default at all layers, including LUKS. + + +R3.2 +---------- + +VMs have already TRIM enabled by default, but dom0 doesn't. To enable TRIM in dom0 you need: -1. Get your LUKS device UUID: +1. Get your LUKS device UUID: ~~~ ls /dev/mapper/luks-* ~~~ -2. Add entry to `/etc/crypttab` (replace luks-\ with the device name and the \ with UUID alone): +2. Add entry to `/etc/crypttab` (replace luks-\ with the device name and the \ with UUID alone): ~~~ - luks- UUID= none allow-discards + luks- UUID= none discard ~~~ -3. Add `rd.luks.allow-discards=1` to kernel cmdline (`/etc/default/grub`, GRUB\_CMDLINE\_LINUX line) -4. Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`) -5. Rebuild initrd **in hostonly mode**: +3. 
Add `rd.luks.options=discard` to kernel cmdline (follow either GRUB2 or EFI, not both): + * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and + Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`) + * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s) + +4. Rebuild initrd **in hostonly mode**: ~~~ dracut -H -f ~~~ -6. Add "discard" option to `/etc/fstab` for root device -7. Reboot the system, verify that allow-discards is really enabled (`dmsetup table`) +5. Reboot the system and verify that discards are really enabled. -There is a [bug affecting allow-discards option](https://bugzilla.redhat.com/show_bug.cgi?id=890533), once it will be fixed, first two steps will be no longer needed.
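Review bot: the rewritten introduction sentence ("There are some security implications to permitting TRIM ..., but in most cases not exploitable") replaces the old "IMO not very serious" with a stronger claim while still not saying what the implication is, and the Configuration section that follows then recommends enabling discards through LUKS in dom0. The linked article's concern is information disclosure, not a break of the encryption: once discards pass through dm-crypt, the encrypted device reveals which blocks are unused, which exposes filesystem layout and free space. Say that plainly so readers can weigh the tradeoff themselves, e.g. "Passing discards through LUKS reveals which blocks of the encrypted disk are unused (filesystem layout and free space); see [this article](...) for details. Most users accept this in exchange for SSD performance." Two smaller points in the same hunk: the crypttab placeholders have lost their angle brackets (`luks- UUID= none discard` and "replace luks-\ with the device name and the \ with UUID alone"), so the step cannot be followed as written and should read something like `luks-<name> UUID=<uuid> none discard`; and the new step 5 ("Reboot the system and verify that discards are really enabled.") drops the concrete check the old step 7 carried (`dmsetup table`), so either keep it here or point at the `dmsetup table` / `fstrim -av` verification given in the Configuration section.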