A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable multipath I/O redundancy on a host by writing multipathing=false to Host.other_config. The SM drivers read this key during initialization at SR.py:456-467 and switch to single-path I/O when the value is "false". Setting multipathhandle to null loads the no-op mpath_null.py module, achieving the same effect. If the single remaining storage path fails, all VMs on that storage become unavailable. Only the field's UI keys are protected via map_keys_roles; all infrastructure keys, including multipathing, are writable by pool-operator.
Host.other_config is a Map(String, String) field writable by pool-operator. The multipathing and multipathhandle keys control the host's multipath I/O configuration for storage access.
The code path:
1. pool-operator calls Host.add_to_other_config(host, "multipathing", "false").
2. xapi_host_helpers.ml:601-611 detects the change and syncs it to the first-class Host.multipathing field.
3. SR._mpathinit() at SR.py:456-467 reads the value.
4. SR.py:462 checks `if hconf.get('multipathing') == "true"`; the value is now "false".
5. SR.py:465-467: multipathing is disabled and mpathhandle is set to "null".
6. The mpath_null.py module is loaded, which has empty implementations of all multipath methods.
Additionally, the multipathing key is consumed by:
- mpathcount.py:244-248 - multipath monitoring is disabled.
- xapi_host_helpers.ml:601-611 - syncs to the Host.multipathing first-class field, which controls /var/run/nonpersistent/multipath_enabled.
Missing RBAC protection. Host.other_config only protects UI keys (folder, XenCenter.CustomFields.*) via map_keys_roles. The multipathing key inherits the class default _R_POOL_OP.
Missing write-time validation. No validation verifies that disabling multipathing is safe (e.g., whether multipath-dependent SRs exist on the host).
Silent degradation. Disabling multipathing produces no warning, no alert, and no operator notification. The storage continues to function on a single path until that path fails.
No operational safeguard. No check prevents disabling multipathing when the host has active SRs that depend on multiple paths for redundancy.
Monitoring loss. mpathcount monitoring is disabled, so path failures go undetected.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| Multipath disable | Single-path I/O, loss of storage redundancy | pool-operator, multipath-configured host | Source-traced |
| Path failure cascade | After multipath disable, single path failure causes complete storage outage | pool-operator, multipath host with path degradation | Modeled |
| Monitoring blind spot | mpathcount monitoring disabled, path failures not detected | pool-operator | Source-traced |
| BOC-1 chain | vm-admin uses BOC-1 S3 to self-grant pool-operator, then disables multipathing | vm-admin, BOC-1 | Source-traced |
Detection:
- Audit Host.other_config for changes to the multipathing key.
- multipathing set to "false" on hosts with multipath-dependent SRs.
- mpathcount process status - absence indicates monitoring disruption.
- /var/run/nonpersistent/multipath_enabled on each host.
- See disclosure/vendor-detection-guidance.md.
- Host.other_config records for unexpected multipathing and multipathhandle values.
Mitigations:
- Protect the key via map_keys_roles. Add multipathing and multipathhandle to Host.other_config map_keys_roles at _R_POOL_ADMIN in datamodel_host.ml.
- Add operational guard. Prevent disabling multipathing when the host has active SRs that require multipath I/O. Require explicit confirmation or pool-admin role for the change.
- Add monitoring alert. Generate a pool-wide alert when multipathing is disabled on any host.
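The Host.other_config detection items above, automated as an added Python example that is not part of the advisory or of the XAPI/SM code base. It applies the same exact-string test as SR.py:462 to records shaped like Host.get_all_records(); treating multipathhandle "null" as disabled and Host.multipathing as a boolean mirror of the key are assumptions, and the sample records are constructed.

```python
def multipath_effective(other_config):
    """Return True only if the SM driver would keep multipath I/O on.

    SR.py:462 compares hconf.get('multipathing') against the literal "true",
    so "false", "True", "yes" or a missing key all select single-path I/O.
    Treating multipathhandle == "null" as disabled is an assumption modelled
    on the no-op mpath_null.py module the advisory describes.
    """
    if other_config.get("multipathing") != "true":
        return False
    return other_config.get("multipathhandle") != "null"


def audit_hosts(host_records, multipath_hosts):
    """Flag hosts whose multipath configuration has drifted.

    host_records has the shape of Host.get_all_records() (ref -> record);
    multipath_hosts is the operator's baseline of host names expected to
    run multipath I/O. Returns (host, finding, detail) tuples.
    """
    findings = []
    for ref, rec in host_records.items():
        name = rec.get("name_label", ref)
        oc = rec.get("other_config", {})
        if name in multipath_hosts and not multipath_effective(oc):
            findings.append((name, "multipath-disabled", dict(oc)))
        # xapi_host_helpers.ml:601-611 syncs the key into the first-class
        # Host.multipathing field (assumed here to be a boolean equal to
        # key == "true"); a mismatch means the key changed but the field
        # (and multipath_enabled) has not followed.
        field = rec.get("multipathing")
        if field is not None and field != (oc.get("multipathing") == "true"):
            findings.append((name, "field-drift",
                             {"field": field, "key": oc.get("multipathing")}))
    return findings


# Constructed sample records (not real hosts): host3 shows the case-sensitive
# comparison, which disables multipath although the field still says True.
SAMPLE_RECORDS = {
    "OpaqueRef:h1": {"name_label": "host1", "multipathing": True,
                     "other_config": {"multipathing": "true"}},
    "OpaqueRef:h2": {"name_label": "host2", "multipathing": False,
                     "other_config": {"multipathing": "false",
                                      "multipathhandle": "null"}},
    "OpaqueRef:h3": {"name_label": "host3", "multipathing": True,
                     "other_config": {"multipathing": "True"}},
    "OpaqueRef:h4": {"name_label": "host4", "multipathing": False,
                     "other_config": {}},
}
MULTIPATH_HOSTS = {"host1", "host2", "host3"}
```

Feed `audit_hosts` the dict returned by `session.xenapi.host.get_all_records()` and a baseline of multipath hosts; any "multipath-disabled" finding on a host with multipath-dependent SRs warrants the pool-wide alert the mitigations call for.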
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
Source references: SR.py:456-467 (multipathing read during init), SR.py:462 (string comparison), mpath_null.py (no-op module), xapi_host_helpers.ml:601-611 (event watcher sync), datamodel_host.ml:2929-2934 (field definition).
Advisory: disclosure/advisories/hoc-security-advisory.md (HOC-3).
Investigation notes: research/investigations/host-other-config.md.
Discovered and reported by Jakob Wolffhechel, Moksha.