Provisioning Template to Wipe Disks

Hi All,

Apologies if this went to the wrong forum. I'm looking for a way to wipe the HDs on all my systems remotely. Essentially reboot the node, have it PXE boot to a script that wipes the disk. Has anyone ever done this, or does anyone know of a way to do this using provisioning templates or another means through Foreman?

Thank you in advance,
-Jay

Hey, if you use Red Hat, you can create a kickstart that has a %pre section, which is executed before anything else starts. There you can wipe the drive using dd if=/dev/zero of=/dev/xyz or similar.

Note that modern SSDs might not do what you want; there are special commands to wipe SSDs. They differ from vendor to vendor, and they will not be available on the RHEL DVD installation media for sure.

Share your template with us once you get it working!

Hi, I was working on the same problem. This template detects SSD or NVMe and acts accordingly. I tried to get nvme format to work, but it failed with an error that the disk was in use even though I verified that the disk wasn't mounted. So I went with the more heavy-handed "dd" against partition 1 of the NVMe disks, which is the only partition that has sensitive data in our org.

```
<%#
kind: provision
name: wipe-ssd-nvme
model: ProvisioningTemplate
oses:
- AlmaLinux
- CentOS
- CentOS_Stream
- Fedora
- RedHat
- Rocky
locations:
- redacted
organizations:
- default
-%>

auth --useshadow --passalgo=sha512

# System bootloader configuration
bootloader --location=mbr

# Partition clearing information
clearpart --all --initlabel

# Use text mode install
text

# Firewall configuration
firewall --disable

# Run the Setup Agent on first boot
firstboot --disable

# System keyboard
keyboard us

# System language
lang en_US

# Use network installation
url --url=http://redacted/pulp/content/MFE/Library/custom/rocky9/rocky92-x86_64-baseos/

repo --install --name=rocky9-x86_64-baseos --baseurl=http://redacted/pulp/content/MFE/Library/custom/rocky9/rocky9-x86_64-baseos/
repo --install --name=rocky92-x86_64-baseos --baseurl=http://redacted/pulp/content/MFE/Library/custom/rocky9/rocky92-x86_64-baseos/

# Reboot after installation
reboot

# Root password
rootpw --iscrypted redacted

# SELinux configuration
selinux --disabled

# System timezone
timezone America/Vancouver

# Clear the Master Boot Record
zerombr

# Allow anaconda to partition the system as needed
part /boot/efi --fstype vfat --size=200
part /boot --fstype ext2 --size=750
part swap --recommended
part pv.00 --size=1 --grow

# volume_name variable passed from provisioning template.
volgroup vg_root pv.00

logvol / --fstype ext4 --name=lv_root --vgname=vg_root --size=10240 --grow

%pre
%end

%packages
nvme-cli
%end

%post --log=/root/post.log
<%= snippet 'built' %> # foreman snippet that sets "pending installation" to "installed"
%end

%post --nochroot

# Log file location
LOGFILE="/mnt/sysimage/root/wipe_log.txt"

# Start logging
exec > $LOGFILE 2>&1

# Disable gpgcheck which is enabled by default in kickstart.
sed -i 's/^gpgcheck.*//g' /mnt/sysimage/etc/yum.repos.d/* && sed -i 's/enabled=1/enabled=1 \ngpgcheck=0/g' /mnt/sysimage/etc/yum.repos.d/*

dnf install -y nvme-cli util-linux

for DEV in /mnt/sysimage/sys/block/*; do
    DEVICE_NAME=$(basename $DEV)

    # Skip loop and device-mapper devices
    if [[ "$DEVICE_NAME" == loop* || "$DEVICE_NAME" == dm-* ]]; then
        continue
    fi

    # Check if the device is NVMe, SSD, or HDD
    if [[ "$DEVICE_NAME" == nvme* ]]; then
        echo "NVMe drive detected ($DEVICE_NAME). Performing secure erase..."
        # Overwrite the device that was detected (not a fixed nvme0n1), so every NVMe disk is handled
        dd if=/mnt/sysimage/dev/urandom of=/mnt/sysimage/dev/$DEVICE_NAME bs=4M status=progress
        # nvme format /mnt/sysimage/dev/$DEVICE_NAME --ses=1
    else
        ROTATIONAL=$(cat /mnt/sysimage/sys/block/$DEVICE_NAME/queue/rotational)
        if [[ "$ROTATIONAL" == 0 ]]; then
            echo "SSD drive detected ($DEVICE_NAME). Performing secure wipe using blkdiscard..."
            blkdiscard -f /mnt/sysimage/dev/$DEVICE_NAME
        else
            echo "HDD drive detected ($DEVICE_NAME). Skipping..."
        fi
    fi
done
sync
%end
```

I tried to keep it as unparameterized as possible, other than the "built" snippet to remove "pending installation".

I was wondering if I could get this to work without assigning to a group and OS and reinstalling an OS first before wiping it, but it failed before I added those. Maybe it was unrelated, but I figured it only adds a couple of minutes, and it can't hurt to overwrite with a fresh install before doing the wipe anyway. Anyway, I used this against 75 rental machines before we sent them back, and the disks showed as raw and the hosts failed to boot.
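The two approaches in this thread (a kickstart section that runs dd against the disk, and the template above that picks dd, blkdiscard or nothing depending on whether sysfs reports an NVMe, SSD or rotational device) share the same decision logic. The script below is an added example, not the poster's template or anything from Foreman: it factors that classification into functions that read the sysfs and /dev roots from the environment, so the resulting plan can be generated and inspected as a dry run (for example against /mnt/sysimage/sys from inside %post --nochroot, or against a constructed tree on a workstation) before any device is written, and it derives each command from the device being examined so a host with several NVMe disks gets one command per disk. It also skips sr*, ram* and zram* entries, which the poster's loop does not mention; SYSROOT, DEVROOT, WIPE_CONFIRM and WIPE_PLAN_MAIN are names chosen for this example.

```shell
#!/bin/sh
# Added example: dry-run planner for the per-device wipe decision used in the
# thread. Nothing is written unless WIPE_CONFIRM=yes is set explicitly.

SYSROOT="${SYSROOT:-/sys}"   # /mnt/sysimage/sys when run inside %post --nochroot
DEVROOT="${DEVROOT:-/dev}"   # /mnt/sysimage/dev when run inside %post --nochroot

# classify_device NAME -> prints one of: skip, nvme, ssd, hdd
classify_device() {
    name="$1"
    case "$name" in
        # Not physical disks: loop and device-mapper (as in the poster's loop),
        # plus optical and RAM-backed devices added here.
        loop*|dm-*|sr*|ram*|zram*) echo skip; return 0 ;;
        nvme*) echo nvme; return 0 ;;
    esac
    # Anything else: sysfs reports rotational=0 for SSDs and 1 for spinning disks.
    rot_file="$SYSROOT/block/$name/queue/rotational"
    if [ -r "$rot_file" ] && [ "$(cat "$rot_file")" = "0" ]; then
        echo ssd
    else
        echo hdd
    fi
}

# plan_wipe NAME -> prints the command the template's loop would run for NAME
plan_wipe() {
    name="$1"
    dev="$DEVROOT/$name"
    case "$(classify_device "$name")" in
        nvme) echo "dd if=/dev/urandom of=$dev bs=4M status=progress" ;;
        ssd)  echo "blkdiscard -f $dev" ;;
        hdd)  echo "# $dev is rotational: skipped, as in the poster's template" ;;
        skip) echo "# $dev is not a physical disk: skipped" ;;
    esac
}

# plan_all -> one line per entry under $SYSROOT/block
plan_all() {
    for path in "$SYSROOT"/block/*; do
        [ -e "$path" ] || continue
        plan_wipe "$(basename "$path")"
    done
}

# apply_plan -> prints comment lines as-is; executes command lines only when
# WIPE_CONFIRM=yes, otherwise prefixes them with "would run:".
apply_plan() {
    plan_all | while IFS= read -r line; do
        case "$line" in
            '#'*) echo "$line" ;;
            *) if [ "${WIPE_CONFIRM:-}" = "yes" ]; then
                   sh -c "$line"
               else
                   echo "would run: $line"
               fi ;;
        esac
    done
}

# When invoked as a script with WIPE_PLAN_MAIN set, show the plan for this system.
if [ -n "${WIPE_PLAN_MAIN:-}" ]; then
    apply_plan
fi
```

To preview what the template would do on a target without touching it, run `WIPE_PLAN_MAIN=1 SYSROOT=/mnt/sysimage/sys DEVROOT=/mnt/sysimage/dev sh wipe-plan.sh` from the installer shell and read the "would run:" lines; only adding `WIPE_CONFIRM=yes` executes them. Keeping the decision in `classify_device` means the wipe policy (what counts as a disk, what to do with rotational disks) is changed in one place and can be checked against a fake sysfs tree before it ever runs on hardware.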