Feeds

'Catastrophic' server disk-destroying glitch menaced Google cloud

'Shame on you!' screams one developer as race-condition bug discovered

Internet Security Threat Report 2014

Google has squashed a bug in its public cloud that threatened to accidentally delete users' virtual disks – an error so serious that one security researcher termed it potentially "catastrophic".

The web king today admitted that one of its server migration commands could have "erroneously and permanently" deleted persistent disks attached to virtual instances; the admission was sent out in an email from the Google Compute Engine Team to users of the service on Friday. Coincidentally, Google only just updated its persistent disk feature on Tuesday.

Today's email read:

We discovered a serious issue with the gcutil moveinstances command: with the release of the new auto-delete feature for persistent disks, there is an unintended interaction that can result in accidental deletion of the disk(s) of the instance being moved.

What this means is that if a cloud user enabled auto-delete on a persistent disk in their Google server storage, then moved a virtual server via the command-line management tool gcutil to another Google data center, the system may have accidentally deleted the attached disk before the transfer was fully carried out.

"Now that it is possible to set a persistent disk to be auto-deleted when an instance is deleted, the persistent disk is automatically deleted before gcutil can take a persistent disk snapshot," Google explained. "This results in gcutil moveinstances erroneously and permanently deleting the disk(s) of instances that have enabled the auto-delete feature, without first creating a persistent disk snapshot."

In response to the email, one member of the support mailing list replied directly to Google with the words: "Shame on you!"

This bug will likely reaffirm the paranoia of admins who worry about the reliability of public clouds – after all, if an operator as sophisticated as Google is prone to gaffes like this, then who can you trust?

"This is as catastrophic an error in a public cloud platform as you can get," independent security researcher Kenn White told The Register.

White encapsulated the terror of the problem in a tweet, where he pointed out: "So I make an API call to move VMs w/ 'persistent' volumes and — depending on my command line client version — my VM is accidentally nuked?"

The disclosure of the grave error follows Google making a dramatic price cut to its Drive cloud storage systems ahead of an expected new fleet of cloud services that will launch on March 25.

The bug affected all versions of gcutil prior to version 1.14.2, which was just released and people should upgrade to it, Google said. A spokeswoman added:

Yesterday we found a bug in our command-line tool and worked quickly to resolve the issue. Although we have not received any reports of this issue affecting users, we sent a proactive message immediately to alert our users to the potential issue, and to ask them to update the command line tool.

®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Want to STUFF Facebook with blatant ADVERTISING? Fine! But you must PAY
Pony up or push off, Zuck tells social marketeers
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
SAVE ME, NASA system builder, from my DEAD WORKSTATION
Anal-retentive hardware nerd in paws-on workstation crisis
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.