rootwrap: update ln --symbolic filter for FS and FC type volume drivers

Cinder change I03f8cae05cc117e14f7482115de685fc9f3fa54a sets the
'encrypted' key for all cinder volume drivers connection_info. When run
through the encrypted volume tests in Tempest, this hits the encryption
providers in Nova that fail for certain types of volume drivers, like
file system and fibre channel, due to the rootwrap filter not matching.

This change updates the symbolic link rootwrap filter so it works with
file system and fibre channel type volume backends rather than just
iSCSI.

The /dev/mapper/ prefix is always set in the encryptor modules, so that
can remain as before.

The symbolic link path is a complete wildcard, however, because the file
system volume backends all have a configurable option for the mount path
prefix, which defaults to $state_path/mnt but may not be that value.

An example call for NFS:

ln --symbolic --force \
/dev/mapper/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc \
/opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/\
volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc

An example call for fibre channel:

ln --symbolic --force \
/dev/mapper/pci-0000:06:00.0-fc-0x5006016508603f9f-lun-151 \
/dev/disk/by-path/pci-0000:06:00.0-fc-0x5006016508603f9f-lun-151

This change also updates the sg_info and sgscan entries to reference the
correct module since those are not called from nova.virt.libvirt.volume
anymore.

Closes-Bug: #1470142
Related-Bug: #1440227

Change-Id: I181b594a3119f7ad74c595fc7059d521079b1d74
changes/13/197713/1
Matt Riedemann 7 years ago
parent
commit
0facd1f89e

etc/nova/rootwrap.d/compute.filters

@ -209,10 +209,15 @@ multipath: CommandFilter, multipath, root
# nova/virt/libvirt/utils.py:
systool: CommandFilter, systool, root
# nova/virt/libvirt/volume.py:
# nova/storage/linuxscsi.py: sginfo -r
sginfo: CommandFilter, sginfo, root
# nova/storage/linuxscsi.py: sg_scan device
sg_scan: CommandFilter, sg_scan, root
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.*
# nova/volume/encryptors/cryptsetup.py:
# nova/volume/encryptors/luks.py:
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/.*, .*
# nova/volume/encryptors.py:
# nova/virt/libvirt/dmcrypt.py:
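Review bot: The last two patterns of the `ln` entry under the encryptors comments (`/dev/mapper/.*, .*`) leave the link path completely unconstrained and do not exclude `..` segments after `/dev/mapper/`, so combined with `--force` this filter allows any caller of rootwrap to replace an arbitrary path on the host with a symlink as root. The commit message explains that the mount prefix is configurable, but the final path component is still predictable in both example calls (`volume-<uuid>` and the `pci-...-fc-...-lun-N` by-path name). Consider restricting the target to a single component such as `/dev/mapper/[^/]+`, requiring the link path to end in one of those known name forms, and adding a comment above the entry that records why the prefix is left open. If the wildcard has to stay, the callers in nova/volume/encryptors should validate the path before invoking `ln`, and that should be noted here.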
