Merge "Make /dev/kvm permissions handling more robust"

2020-07-22 12:32:40 +00:00 · 2020-07-22 12:32:40 +00:00 · b0407ffb17
commit b0407ffb17
parent 8fc8dec3f7 202365e702
4 changed files with 42 additions and 0 deletions
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@ -413,6 +413,11 @@ libvirt_tls_manage_certs: true
 # ability for people to override the hostname to use.
 migration_hostname: "{{ ansible_nodename }}"

+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# We can't get the id too effectively from the images so hardcoding here.
+# It does not change that often (in fact, most likely never ever).
+qemu_user_gid: 42427
+
 ####################
 # Kolla
 ####################
--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
@ -22,3 +22,30 @@
  when:
    - set_sysctl | bool
    - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part can actually run on any distro and lets us drop the hardcoded
+# chown and chmod from the nova-libvirt image extend_start and make the process
+# more robust.
+- name: Install udev kolla kvm rules
+  become: true
+  template:
+    src: "99-kolla-kvm.rules.j2"
+    dest: "/etc/udev/rules.d/99-kolla-kvm.rules"
+    mode: "0644"
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part only really makes sense on Ubuntu and would end up being confusing
+# on others. This service changes /dev/kvm permissions.
+- name: Mask qemu-kvm service
+  become: true
+  systemd:
+    name: qemu-kvm.service
+    masked: true
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - ansible_distribution == 'Ubuntu'
+    - inventory_hostname in groups[nova_cell_compute_group]
--- a/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
+++ b/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
@ -0,0 +1,4 @@
+# Part of Kolla Ansible OpenStack Nova deployment.
+
+# This ensures the /dev/kvm has proper permissions.
+KERNEL=="kvm", GROUP="{{ qemu_user_gid }}", MODE="0660"
--- a/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
+++ b/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes handling of `/dev/kvm` permissions to be more robust against
+    host-level actions.
+    `LP#1681461 <https://launchpad.net/bugs/1681461>`__