Merge "Add tripleo-lvmfilter role to restrict visible block devices for LVM2" into stable/train
commit
d94193253d
|
@ -0,0 +1,6 @@
|
||||||
|
========================
|
||||||
|
Role - tripleo_lvmfilter
|
||||||
|
========================
|
||||||
|
|
||||||
|
.. ansibleautoplugin::
|
||||||
|
:role: tripleo_ansible/roles/tripleo_lvmfilter
|
|
@ -0,0 +1,102 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Copyright 2019 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
DOCUMENTATION = """
|
||||||
|
module: lvm2_physical_devices_facts
|
||||||
|
short_description: Gather list of block devices in use by LVM2
|
||||||
|
version_added: '1.0.0'
|
||||||
|
description: Gather list of block devices in use by LVM2 as PVs
|
||||||
|
author:
|
||||||
|
- "Giulio Fidente (@gfidente)"
|
||||||
|
"""
|
||||||
|
|
||||||
|
EXAMPLES = """
|
||||||
|
- name: Get list of LVM2 PVs
|
||||||
|
lvm2_physical_devices_facts:
|
||||||
|
"""
|
||||||
|
|
||||||
|
RETURN = """
|
||||||
|
ansible_facts:
|
||||||
|
description: List of PVs in use
|
||||||
|
returned: always
|
||||||
|
type: dict
|
||||||
|
contains:
|
||||||
|
lvm2_active_pvs:
|
||||||
|
description: List of LVM2 volumes hosting active LVs
|
||||||
|
type: list
|
||||||
|
returned: always but it might be empty
|
||||||
|
sample: ['/dev/sdb2']
|
||||||
|
"""
|
||||||
|
|
||||||
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
||||||
|
|
||||||
|
def get_vgs_with_active_lvs(module):
|
||||||
|
command = ['lvs', '--noheadings', '--options', 'vg_name', '--select', 'lv_active=active']
|
||||||
|
rc, out, err = module.run_command(command)
|
||||||
|
if rc != 0:
|
||||||
|
module.fail_json(msg="Failed to run LVM2 lvs command", err=err)
|
||||||
|
if not out:
|
||||||
|
return []
|
||||||
|
vgs = list(set(out.split()))
|
||||||
|
return vgs
|
||||||
|
|
||||||
|
|
||||||
|
def get_pvs_in_use_by_active_vg(module, active_vg):
|
||||||
|
command = ['vgs', '--noheadings', '--options', 'pv_name', active_vg]
|
||||||
|
rc, out, err = module.run_command(command)
|
||||||
|
if rc != 0:
|
||||||
|
module.fail_json(msg="Failed to run LVM2 vgs command for %s" % (active_vg), err=err)
|
||||||
|
if not out:
|
||||||
|
return []
|
||||||
|
pvs = list(set(out.split()))
|
||||||
|
return pvs
|
||||||
|
|
||||||
|
|
||||||
|
def run_module():
|
||||||
|
module_args = {}
|
||||||
|
|
||||||
|
result = dict(
|
||||||
|
changed=False,
|
||||||
|
ansible_facts=dict(),
|
||||||
|
)
|
||||||
|
|
||||||
|
module = AnsibleModule(
|
||||||
|
argument_spec=module_args,
|
||||||
|
supports_check_mode=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
if module.check_mode:
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
active_vgs = get_vgs_with_active_lvs(module)
|
||||||
|
active_pvs = []
|
||||||
|
for vg in active_vgs:
|
||||||
|
active_pvs.extend(get_pvs_in_use_by_active_vg(module, vg))
|
||||||
|
pvs = {'lvm2_active_pvs': list(set(active_pvs))}
|
||||||
|
result['ansible_facts'] = pvs
|
||||||
|
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
run_module()
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
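Review bot: In `run_module`, the `if module.check_mode: module.exit_json(**result)` branch returns an empty `ansible_facts`, although the module only reads state through `lvs` and `vgs` and RETURN documents `lvm2_active_pvs` as `returned: always`. A role that consumes this fact in check mode would fall back to its `default([])`, so a dry run would preview a filter that omits the PVs currently in use. Since nothing in this module modifies the host, I would drop those two lines and gather the facts in check mode as well. If the early exit is kept, the RETURN text should say the fact is absent in check mode.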
|
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
# All variables intended for modification should be placed in this file.
|
||||||
|
|
||||||
|
# All variables within this role should have a prefix of "tripleo_tripleo_lvmfilter"
|
||||||
|
tripleo_tripleo_lvmfilter_enabled: false
|
||||||
|
tripleo_tripleo_lvmfilter_devices_allowlist: []
|
||||||
|
tripleo_tripleo_lvmfilter_devices_denylist: []
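Review bot: The three defaults carry no comment saying what values they take, and the header comment names the prefix `tripleo_tripleo_lvmfilter`, which doubles the `tripleo_` already present in the role name `tripleo_lvmfilter`. The task file wraps each entry as `a|…|` or `r|…|`, so the lists hold LVM filter regular expressions rather than plain paths. With the default empty denylist, the generated `global_filter` holds only accept patterns plus an empty `""` element. LVM accepts a device that matches no pattern, so that default restricts nothing; whether `lvmconfig` tolerates the empty element should be confirmed. I would document this above the variables, for example `# regex patterns; add '.*' to the denylist to reject every device not allowed above`.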
|
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
- name: Refresh LVM caches
|
||||||
|
become: true
|
||||||
|
command: vgscan
|
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
galaxy_info:
|
||||||
|
author: OpenStack
|
||||||
|
description: TripleO OpenStack Role -- tripleo_lvmfilter
|
||||||
|
company: Red Hat
|
||||||
|
license: Apache-2.0
|
||||||
|
min_ansible_version: 2.7
|
||||||
|
#
|
||||||
|
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||||
|
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||||
|
# To view available platforms and versions (or releases), visit:
|
||||||
|
# https://galaxy.ansible.com/api/v1/platforms/
|
||||||
|
#
|
||||||
|
platforms:
|
||||||
|
- name: CentOS
|
||||||
|
versions:
|
||||||
|
- 7
|
||||||
|
- 8
|
||||||
|
|
||||||
|
galaxy_tags:
|
||||||
|
- tripleo
|
|
@ -0,0 +1,39 @@
|
||||||
|
---
|
||||||
|
driver:
|
||||||
|
name: docker
|
||||||
|
|
||||||
|
log: true
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: centos8
|
||||||
|
hostname: centos8
|
||||||
|
image: centos:8
|
||||||
|
dockerfile: Dockerfile
|
||||||
|
pkg_extras: python*-setuptools
|
||||||
|
volumes:
|
||||||
|
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
|
||||||
|
environment: &env
|
||||||
|
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||||
|
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||||
|
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
log: true
|
||||||
|
env:
|
||||||
|
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||||
|
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH:-/usr/share/ansible/roles}:${HOME}/zuul-jobs/roles"
|
||||||
|
ANSIBLE_LIBRARY: "${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}"
|
||||||
|
ANSIBLE_FILTER_PLUGINS: "${ANSIBLE_FILTER_PLUGINS:-/usr/share/ansible/plugins/filter}"
|
||||||
|
|
||||||
|
scenario:
|
||||||
|
test_sequence:
|
||||||
|
- destroy
|
||||||
|
- create
|
||||||
|
- prepare
|
||||||
|
- converge
|
||||||
|
- check
|
||||||
|
- verify
|
||||||
|
- destroy
|
||||||
|
|
||||||
|
verifier:
|
||||||
|
name: testinfra
|
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
roles:
|
||||||
|
- role: "tripleo_lvmfilter"
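Review bot: The Converge play applies `tripleo_lvmfilter` with its defaults, so `tripleo_tripleo_lvmfilter_enabled` is false and the allowlist is empty. Unless the docker platform happens to expose active PVs, `allowed_devices` stays empty and the whole `create lvm.conf with global_filter` block is skipped. The scenario would then pass without ever building a filter or running `lvmconfig`. I would add play-level `vars:` that set the allowlist and denylist to sample patterns (a constructed value such as `['/dev/sda']` is enough) and `tripleo_tripleo_lvmfilter_enabled: true`. A verify step should then check the resulting `global_filter` line.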
|
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
vars:
|
||||||
|
test_deps_extra_packages:
|
||||||
|
- lvm2
|
||||||
|
roles:
|
||||||
|
- role: test_deps
|
|
@ -0,0 +1,67 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
- name: gather package facts
|
||||||
|
package_facts:
|
||||||
|
manager: auto
|
||||||
|
- name: gather allowed block devices list
|
||||||
|
when: "'lvm2' in ansible_facts.packages"
|
||||||
|
block:
|
||||||
|
- name: collect in-use lvm2 devices list
|
||||||
|
become: true
|
||||||
|
lvm2_physical_devices_facts:
|
||||||
|
- name: set allowed_devices
|
||||||
|
set_fact:
|
||||||
|
allowed_devices: "{{ (ansible_facts['lvm2_active_pvs'] | default([]) | list)
|
||||||
|
| intersect(ansible_devices.keys())
|
||||||
|
+ (tripleo_tripleo_lvmfilter_devices_allowlist | default([]))
|
||||||
|
| unique }}"
|
||||||
|
- name: create lvm.conf with global_filter
|
||||||
|
when:
|
||||||
|
- allowed_devices is defined
|
||||||
|
- (allowed_devices | length) > 0
|
||||||
|
block:
|
||||||
|
- name: build lvm2 allow list
|
||||||
|
set_fact:
|
||||||
|
lvm2_allow_list: "\"{{ allowed_devices | map('regex_replace', '(.+)', 'a|\\1|')
|
||||||
|
| join('\",\"') }}\""
|
||||||
|
- name: build lvm2 deny list
|
||||||
|
set_fact:
|
||||||
|
lvm2_deny_list: "\"{{ tripleo_tripleo_lvmfilter_devices_denylist | default([])
|
||||||
|
| map('regex_replace', '(.+)', 'r|\\1|') | join('\",\"') }}\""
|
||||||
|
- name: build lvm2 filter
|
||||||
|
set_fact:
|
||||||
|
filter: "{{ lvm2_allow_list + ',' + lvm2_deny_list }}"
|
||||||
|
- name: regenerate lvm config
|
||||||
|
become: true
|
||||||
|
command: >
|
||||||
|
lvmconfig -f /tmp/tripleo_lvmfilter.conf
|
||||||
|
--mergedconfig --withgeneralpreamble --withspaces --withsummary --withcomments --ignorelocal --showdeprecated
|
||||||
|
--config devices/global_filter='[{{ filter }}]'
|
||||||
|
- name: copy new lvm.conf in place
|
||||||
|
become: true
|
||||||
|
copy:
|
||||||
|
remote_src: true
|
||||||
|
src: /tmp/tripleo_lvmfilter.conf
|
||||||
|
dest: /etc/lvm/lvm.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
backup: true
|
||||||
|
when: tripleo_tripleo_lvmfilter_enabled
|
||||||
|
notify:
|
||||||
|
- Refresh LVM caches
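Review bot: The `regenerate lvm config` task has root write to the fixed path `/tmp/tripleo_lvmfilter.conf`, and `copy new lvm.conf in place` then installs that file as `/etc/lvm/lvm.conf`. A predictable name in a world-writable directory lets a local user pre-create or swap the file between the two steps. I would create the file with the `tempfile` module under `become`, pass its registered path to both tasks, and remove it afterwards, as sketched below. Also worth checking in `set allowed_devices`: the module's documented sample is `/dev/sdb2`, while `ansible_devices` keys are normally bare kernel names such as `sdb`, so the `intersect` may drop every in-use PV from the allow list.

```yaml
# … unchanged: fact gathering, allow/deny list and filter construction …
- name: create a private temporary file for the generated config
  become: true
  tempfile:
    state: file
    prefix: tripleo_lvmfilter.
  register: lvmfilter_tmp
- name: regenerate lvm config
  become: true
  # … unchanged: remaining lvmconfig options and --config devices/global_filter …
  command: >
    lvmconfig -f {{ lvmfilter_tmp.path }}
- name: copy new lvm.conf in place
  become: true
  copy:
    remote_src: true
    src: "{{ lvmfilter_tmp.path }}"
    # … unchanged: dest, owner, group, mode, backup, when, notify …
```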
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Copyright 2019 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from collections import Counter
|
||||||
|
from unittest import mock
|
||||||
|
|
||||||
|
from tripleo_ansible.ansible_plugins.modules import lvm2_physical_devices_facts as lvm2
|
||||||
|
from tripleo_ansible.tests import base as tests_base
|
||||||
|
|
||||||
|
|
||||||
|
class TestLvm2PhysicalDevicesFacts(tests_base.TestCase):
|
||||||
|
|
||||||
|
def test_get_pvs(self):
|
||||||
|
mock_module = mock.Mock()
|
||||||
|
|
||||||
|
mock_module.run_command.return_value = (0, ' myvgname\n myvgname\n', '')
|
||||||
|
result = lvm2.get_vgs_with_active_lvs(mock_module)
|
||||||
|
self.assertEqual(['myvgname'], result)
|
||||||
|
|
||||||
|
mock_module.run_command.return_value = (0, ' /dev/sdb1\n /dev/sdb2\n', '')
|
||||||
|
result = lvm2.get_vgs_with_active_lvs(mock_module)
|
||||||
|
self.assertEqual(Counter(['/dev/sdb1', '/dev/sdb2']), Counter(result))
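Review bot: The second half of `test_get_pvs` feeds PV-style output (`/dev/sdb1`, `/dev/sdb2`) to `get_vgs_with_active_lvs` again, so `get_pvs_in_use_by_active_vg` is never exercised and the `vgs` argument list is never checked. That call should read `result = lvm2.get_pvs_in_use_by_active_vg(mock_module, 'myvgname')`, ideally followed by an assertion on the arguments passed to `mock_module.run_command`. The non-zero `rc` path that calls `fail_json` and the empty-output path are also untested in both helpers.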
|
|
@ -47,6 +47,7 @@
|
||||||
- tripleo-ansible-centos-7-molecule-tripleo-nova-image-cache
|
- tripleo-ansible-centos-7-molecule-tripleo-nova-image-cache
|
||||||
- tripleo-ansible-centos-8-molecule-tripleo_nvdimm
|
- tripleo-ansible-centos-8-molecule-tripleo_nvdimm
|
||||||
- tripleo-ansible-centos-8-molecule-tripleo_ha_wrapper
|
- tripleo-ansible-centos-8-molecule-tripleo_ha_wrapper
|
||||||
|
- tripleo-ansible-centos-8-molecule-tripleo_lvmfilter
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
- tripleo-ansible-centos-8-molecule-aide
|
- tripleo-ansible-centos-8-molecule-aide
|
||||||
|
@ -94,6 +95,7 @@
|
||||||
- tripleo-ansible-centos-7-molecule-tripleo-nova-image-cache
|
- tripleo-ansible-centos-7-molecule-tripleo-nova-image-cache
|
||||||
- tripleo-ansible-centos-8-molecule-tripleo_nvdimm
|
- tripleo-ansible-centos-8-molecule-tripleo_nvdimm
|
||||||
- tripleo-ansible-centos-8-molecule-tripleo_ha_wrapper
|
- tripleo-ansible-centos-8-molecule-tripleo_ha_wrapper
|
||||||
|
- tripleo-ansible-centos-8-molecule-tripleo_lvmfilter
|
||||||
name: tripleo-ansible-molecule-jobs
|
name: tripleo-ansible-molecule-jobs
|
||||||
- job:
|
- job:
|
||||||
files:
|
files:
|
||||||
|
@ -269,7 +271,13 @@
|
||||||
parent: tripleo-ansible-centos-8-base
|
parent: tripleo-ansible-centos-8-base
|
||||||
vars:
|
vars:
|
||||||
tripleo_role_name: tripleo-upgrade-hiera
|
tripleo_role_name: tripleo-upgrade-hiera
|
||||||
|
- job:
|
||||||
|
files:
|
||||||
|
- ^tripleo_ansible/roles/tripleo_lvmfilter/.*
|
||||||
|
name: tripleo-ansible-centos-8-molecule-tripleo_lvmfilter
|
||||||
|
parent: tripleo-ansible-centos-8-base
|
||||||
|
vars:
|
||||||
|
tripleo_role_name: tripleo_lvmfilter
|
||||||
- job:
|
- job:
|
||||||
files:
|
files:
|
||||||
- ^tripleo_ansible/roles/tripleo-network-config/.*
|
- ^tripleo_ansible/roles/tripleo-network-config/.*
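Review bot: The new job's `files:` matcher lists only `^tripleo_ansible/roles/tripleo_lvmfilter/.*`, so a change that touches only the `lvm2_physical_devices_facts` module would not trigger this molecule job, even though the role depends on it. Judging by the import in the unit test, the module presumably lives under `tripleo_ansible/ansible_plugins/modules/`. I would add a second entry such as `- ^tripleo_ansible/ansible_plugins/modules/lvm2_physical_devices_facts.py` once the path is confirmed. The job list this block extends starts outside the hunk.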
|
||||||
|
|