RackHD secure erase feature design

Secure Erase Design Chart


Secure Erase HOW-TO steps:

  1. Build secure erase overlay

    RackHD secure erase uses the vendor tools perccli or storcli. Because they are not open source, RackHD can't include perccli and storcli in a released overlay, so users have to build the secure erase overlay themselves. For details on how to build the secure erase overlay with perccli and storcli, please refer to the RackHD on-imagebuilder README:

    https://github.com/RackHD/on-imagebuilder/blob/master/README.md

    If the user wants to use a perccli or storcli package other than storcli_1.17.08_all.deb or perccli_1.11.03-1_all.deb, the configuration file on-imagebuilder/var/oem/secure_erase_overlay.yml should be edited to use the new package names. The on-imagebuilder README also includes details on how to use tools with different names.

  2. Move secure erase overlay to RackHD static file folder

    The secure erase overlay is named secure.erase.overlay.cpio.gz by default. It should be moved to the RackHD static file folder.

    By default the RackHD static file folder is /var/renasar/on-http/static/http/common/. The user can also set up an independent static file server; in that case the overlay should be moved to the user-specified static file server path. For more details on static file server setup, please refer to:

    http://rackhd.readthedocs.io/en/latest/rackhd/static_file_server.html


  3. Get driveId catalog

    Use the command below to get the driveId catalog for the specified node:

    curl <server>/api/current/nodes/<nodeId>/catalogs/driveId

    Disk parameters for secure erase should be retrieved from the RackHD driveId catalogs. If a RAID operation was done outside RackHD, please re-run discovery on the node:

    curl -X POST -H 'Content-Type: application/json' -d '{"name": "Graph.Discovery", "options":{"defaults":{"nodeId": "55b6afba024fd1b349afc148"}}}' <server>/api/current/nodes/55b6afba024fd1b349afc148/workflows

    Below is an example of a RackHD driveId catalog. You can use devName or identifier to identify disks in the secure erase payload.

    {
        "createdAt": "2016-09-30T07:38:09.861Z",
        "data": [
             {
                 "devName": "sdg",
                 "esxiWwid": "t10.ATA_____SATADOM2DSL_3ME__________________________TW02PTHF482935730079",
                 "identifier": 0,
                 "linuxWwid": "/dev/disk/by-id/ata-SATADOM-SL_3ME_TW02PTHF482935730079",
                 "scsiId": "6:0:0:0",
                 "virtualDisk": ""
             }
        ],
        "id": "eadd5581-382b-490b-b70d-a845cf590493",
        "node": "57ee15ff09011929051819e1",
        "source": "driveId",
        "updatedAt": "2016-09-30T07:38:09.861Z"
    }


  4. Inject SKU packs

    Dell servers use a different secure erase workflow from other servers. To run secure erase on a Dell server, the user has to inject the related SKU pack with the command below if the node has a SKU id:

    curl -T pack.tar.gz <server>/api/current/skus/<skuid>/pack

    The user can also create a SKU with the pack if the node doesn't have a SKU id:

    curl -X POST --data-binary @pack.tar.gz <server>/api/current/skus/pack


  5. Run secure erase workflow

    Run the secure erase workflow with the command below:

    curl -X POST -H 'Content-Type: application/json' -d @params.json <server>/api/current/nodes/<identifier>/workflows?name=Graph.Drive.SecureErase

    Below is an example of params.json: 

    {
        "options": {
            "drive-secure-erase":{
                "eraseSettings": [
                    {
                        "disks":["sdb"],
                        "tool":"sg_format",
                        "arg": "0"
                    },
                    {
                        "disks":["sda"],
                        "tool":"scrub",
                        "arg": "nnsa"
                    }
                ]
            },
            "disk-scan-delay": {
                "duration": 10000
            }
        }
    }

    For more details on secure erase workflow and its required payload parameters, please refer to: 

    http://rackhd.readthedocs.io/en/latest/rackhd/secure_erase.html

    Besides performing secure erase, the secure erase workflow also updates drive-related catalogs such as driveId and the megaraid-related sources.
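
    Because the erase is destructive, it helps to check params.json against the node's driveId catalog before posting it. The following is an added example, not part of RackHD: resolve_disks and make_payload are hypothetical helper names, the catalog is the step 3 sample trimmed to the fields used, and it assumes string entries in "disks" are devName values and integer entries are identifier values.

```python
import json

# Constructed sample: the driveId catalog from step 3, trimmed to the fields used here.
CATALOG = json.loads("""
{"source": "driveId", "node": "57ee15ff09011929051819e1",
 "data": [{"devName": "sdg", "identifier": 0,
           "linuxWwid": "/dev/disk/by-id/ata-SATADOM-SL_3ME_TW02PTHF482935730079",
           "virtualDisk": ""}]}
""")

def make_payload(*settings):
    """Wrap (disks, tool, arg) tuples in the params.json layout from step 5."""
    erase = [{"disks": list(d), "tool": t, "arg": a} for d, t, a in settings]
    return {"options": {"drive-secure-erase": {"eraseSettings": erase}}}

def resolve_disks(catalog, payload):
    """Return (resolved, errors) for every disk named in eraseSettings.

    resolved holds (disk, devName, linuxWwid); errors names disks that are
    missing from the catalog or that select the same drive twice.
    """
    by_key = {}
    for entry in catalog["data"]:
        by_key[("devName", entry["devName"])] = entry
        by_key[("identifier", entry["identifier"])] = entry
    resolved, errors, seen = [], [], set()
    for setting in payload["options"]["drive-secure-erase"]["eraseSettings"]:
        for disk in setting["disks"]:
            # Assumption: strings are devName values, integers are identifier values.
            kind = "devName" if isinstance(disk, str) else "identifier"
            entry = by_key.get((kind, disk))
            if entry is None:
                errors.append(f"{disk!r} ({setting['tool']}): not in driveId catalog")
            elif entry["devName"] in seen:
                errors.append(f"{disk!r}: drive {entry['devName']} selected twice")
            else:
                seen.add(entry["devName"])
                resolved.append((disk, entry["devName"], entry["linuxWwid"]))
    return resolved, errors

if __name__ == "__main__":
    # The step 5 sample payload names sdb and sda, which this catalog does not list.
    sample = make_payload((["sdb"], "sg_format", "0"), (["sda"], "scrub", "nnsa"))
    for label, payload in (("step 5 sample", sample),
                           ("sdg only", make_payload((["sdg"], "scrub", "nnsa")))):
        resolved, errors = resolve_disks(CATALOG, payload)
        print(label, "->", "REFUSE" if errors else "OK", resolved, errors)
```

    Post the payload only when the error list is empty, and compare the reported linuxWwid values with the drives you intend to erase.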


  6. Get secure erase progress

    Secure erase is a long-running task that takes hours or even days; power cycling a node before secure erase has completed is forbidden. During the secure erase task, RackHD reports erase progress via AMQP every minute. You can subscribe to progress messages on the RackHD server using the AMQP information below:

            Exchange: on.events

            Routing Key: graph.progress.updated.information.<graphId>.<nodeId>

    RackHD provides a tool to filter AMQP messages at the link below:

    https://github.com/RackHD/on-tools/tree/master/dev_tools

    You can also subscribe to AMQP messages via webhook. For more details on RackHD webhooks and AMQP events, please refer to:

    http://rackhd.readthedocs.io/en/latest/rackhd/event_notification.html