Azure / WALinuxAgent

Microsoft Azure Linux Guest Agent

Home Page:http://azure.microsoft.com/


[BUG] The show-configuration flag will report `ResourceDisk.EnableSwapEncryption = True` on Ubuntu

soyfrien opened this issue · comments

Describe the bug:
If you run `waagent --show-configuration`, by default you will see an option that doesn't appear in /etc/waagent.conf reported as disabled.

$ waagent --show-configuration
AutoUpdate.Enabled = False
AutoUpdate.GAFamily = Prod
...
ResourceDisk.EnableSwap = True
ResourceDisk.EnableSwapEncryption = False

It sounds useful when using swap on the resource disk, as it seems possible that these disks may wind up on other users' VMs, so you add it manually to /etc/waagent.conf.

$ waagent --show-configuration
AutoUpdate.Enabled = True
AutoUpdate.GAFamily = Prod
...
ResourceDisk.EnableSwap = True
ResourceDisk.EnableSwapEncryption = True

This could give a false sense of security because it does not seem to do anything on Ubuntu. (Related: #1775)

Distro and WALinuxAgent details:

  • Distro and Version: Ubuntu 20.04.4 LTS
  • WALinuxAgent version:
WALinuxAgent-2.7.1.0 running on ubuntu 20.04
Python: 3.8.10
Goal state agent: 2.7.1.0

Additional context
It would be helpful if the show-configuration function informed relevant users of this behavior, or only displayed or parsed the option on certain distros. Actually, even having the option commented out, with supporting comments on its usage, might be the simplest fix.
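The practical takeaway from the report above is that `waagent --show-configuration` only echoes what is written in /etc/waagent.conf, so the value it prints for ResourceDisk.EnableSwapEncryption says nothing about whether swap is actually encrypted. The check below is an added example, not code from WALinuxAgent or from the issue author: it compares the agent's configuration claim against what the kernel reports in /proc/swaps, treating a swap device as encrypted only when it resolves to a device-mapper node whose sysfs uuid (/sys/block/dm-N/dm/uuid) starts with "CRYPT-", the prefix cryptsetup sets on its targets. The sample /proc/swaps, waagent.conf excerpt, symlink map and dm uuid map are constructed so the script runs offline; run it with `--live` on a VM to read the real files.

```python
#!/usr/bin/env python3
"""Check whether active swap is really dm-crypt backed, versus what waagent.conf claims.

Added example for this issue thread, not WALinuxAgent code. Assumptions (not from
the thread): cryptsetup-created device-mapper targets expose a uuid beginning with
"CRYPT-" at /sys/block/dm-N/dm/uuid, and /dev/mapper/<name> symlinks to /dev/dm-N.
"""
import json
import os
import sys

CRYPT_UUID_PREFIX = "CRYPT-"


def _truthy(value):
    # waagent.conf uses y/n; --show-configuration prints True/False.
    return value.strip().lower() in ("y", "yes", "true", "1")


def parse_proc_swaps(text):
    """Return [{path, type, size_kb}] from /proc/swaps content (first line is the header)."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            entries.append({"path": parts[0], "type": parts[1], "size_kb": int(parts[2])})
    return entries


def parse_waagent_conf(text):
    """Return {key: value} for uncommented Key=Value lines of /etc/waagent.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            conf[key.strip()] = val.strip()
    return conf


def _read_sysfs_dm_uuid(dm_name):
    try:
        with open("/sys/block/%s/dm/uuid" % dm_name) as f:
            return f.read().strip()
    except OSError:
        return ""


def is_dm_crypt(dev_path, resolve=os.path.realpath, dm_uuid=_read_sysfs_dm_uuid):
    """True if dev_path resolves to /dev/dm-N and that target's dm uuid is a cryptsetup one."""
    name = os.path.basename(resolve(dev_path))
    if not name.startswith("dm-"):
        return False
    return dm_uuid(name).startswith(CRYPT_UUID_PREFIX)


def audit_swap(swaps_text, conf_text, resolve=os.path.realpath, dm_uuid=_read_sysfs_dm_uuid):
    """Compare the config claim with the kernel's view of every active swap area."""
    conf = parse_waagent_conf(conf_text)
    claimed = _truthy(conf.get("ResourceDisk.EnableSwapEncryption", "n"))
    swaps = []
    for entry in parse_proc_swaps(swaps_text):
        # A swap *file* (the agent's /mnt/swapfile case) lives on a filesystem; this
        # check treats it as plaintext because the block layer under it is not inspected.
        encrypted = entry["type"] == "partition" and is_dm_crypt(entry["path"], resolve, dm_uuid)
        swaps.append(dict(entry, encrypted=encrypted))
    all_encrypted = bool(swaps) and all(s["encrypted"] for s in swaps)
    return {
        "claimed": claimed,
        "swaps": swaps,
        "all_encrypted": all_encrypted,
        "false_sense_of_security": claimed and not all_encrypted,
    }


# --- constructed sample data (not captured from a real VM) ---
SAMPLE_SWAPS_PLAIN = """Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/mnt/swapfile                           file\t\t2097148\t0\t-2
"""
SAMPLE_SWAPS_CRYPT = """Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/mapper/cryptswap                   partition\t2097148\t0\t-2
"""
SAMPLE_CONF = """# constructed excerpt of /etc/waagent.conf
ResourceDisk.Format=y
ResourceDisk.EnableSwap=y
ResourceDisk.SwapSizeMB=2048
ResourceDisk.EnableSwapEncryption=y
"""
FAKE_LINKS = {"/dev/mapper/cryptswap": "/dev/dm-0"}      # hypothetical symlink map
FAKE_DM_UUIDS = {"dm-0": "CRYPT-PLAIN-cryptswap"}        # hypothetical sysfs uuid map


def fake_resolve(path):
    return FAKE_LINKS.get(path, path)


def fake_dm_uuid(name):
    return FAKE_DM_UUIDS.get(name, "")


if __name__ == "__main__":
    if "--live" in sys.argv:
        with open("/proc/swaps") as f:
            swaps_text = f.read()
        with open("/etc/waagent.conf") as f:
            conf_text = f.read()
        report = audit_swap(swaps_text, conf_text)
    else:
        report = audit_swap(SAMPLE_SWAPS_PLAIN, SAMPLE_CONF, fake_resolve, fake_dm_uuid)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["false_sense_of_security"] else 0)
```

With the constructed sample the report shows `claimed: true` next to a plaintext /mnt/swapfile, which is exactly the mismatch the issue describes; a non-zero exit makes the check usable from a compliance script instead of trusting the config echo.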

@anhvoms could you take a look?

Slightly related: a Compliance Policy assignment/benchmark might lead someone to enable the encryption in the config to get the policy to pass (or to be able to disregard it):

Docs: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

On GitHub: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json