Browse Source

Run tripleo_lvmfilter role to restrict block devices visible to LVM2

Calls an ansible role to create an LVM2 filter.

Change-Id: Ia01d23e252bc48b7cc6c66cd39138e6844b90a69
Depends-On: I9781007559e074f2b102f6f90c1aed6def1b02be
Closes-Bug: 1855704
changes/97/697997/29
Giulio Fidente 2 years ago
parent
commit
0bd041a6dc
  1. 5
      ci/environments/scenario001-standalone.yaml
  2. 4
      ci/environments/scenario002-standalone.yaml
  3. 51
      deployment/iscsid/iscsid-container-puppet.yaml
  4. 23
      releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml

5
ci/environments/scenario001-standalone.yaml

@ -186,3 +186,8 @@ parameter_defaults:
foo: bar
NfsUrl: 127.0.0.1
CephMsgrSecureMode: true
LVMFilterEnabled: true
LVMFilterAllowlist:
- /dev/loop2
- /dev/loop3
- /dev/loop4

4
ci/environments/scenario002-standalone.yaml

@ -66,3 +66,7 @@ parameter_defaults:
- test_volume:/testvol
StandaloneExtraGroupVars:
cinder_fake_group_var_one: var_one_override
StandaloneParameters:
LVMFilterEnabled: true
LVMFilterAllowlist:
- /dev/allowed

51
deployment/iscsid/iscsid-container-puppet.yaml

@ -36,12 +36,56 @@ parameters:
DefaultPasswords:
default: {}
type: json
LVMFilterEnabled:
default: false
description: Enables configuration of LVM2 with a filter so that devices not
in use on the host or explicitly allowed are ignored by
LVM2. Can be configured per-role.
When disabled, the proposed lvm.conf file will be created
regardless and left in /tmp/tripleo_lvmfilter.conf for
debugging purposes.
type: boolean
tags:
- role_specific
LVMFilterAllowlist:
default: []
description: A list of block devices which should be allowed in the LVM2
`global_filter`. Supports regular expressions, like `/dev/sd.*`
and can be configured per-role. Any block device in use at boot
time will be automatically allowed.
type: comma_delimited_list
tags:
- role_specific
LVMFilterDenylist:
default: ['.*']
description: A list of block devices which should be disallowed in the LVM2
`global_filter`. Supports regular expressions, like `/dev/sd.*`
and can be configured per-role.
type: comma_delimited_list
tags:
- role_specific
resources:
ContainersCommon:
type: ../containers-common.yaml
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- tripleo_tripleo_lvmfilter_enabled: LVMFilterEnabled
tripleo_tripleo_lvmfilter_devices_allowlist: LVMFilterAllowlist
tripleo_tripleo_lvmfilter_devices_denylist: LVMFilterDenylist
- values: {get_param: [RoleParameters]}
- values:
LVMFilterEnabled: {get_param: LVMFilterEnabled}
LVMFilterAllowlist: {get_param: LVMFilterAllowlist}
LVMFilterDenylist: {get_param: LVMFilterDenylist}
outputs:
role_data:
description: Role data for the Iscsid role.
@ -49,6 +93,13 @@ outputs:
service_name: iscsid
config_settings: {}
service_config_settings: {}
deploy_steps_tasks:
- name: Run lvmfilter role
include_role:
name: tripleo_lvmfilter
when:
- step|int == 1
ansible_group_vars: {get_attr: [RoleParametersValue, value]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: iscsid

23
releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml

@ -0,0 +1,23 @@
---
features:
- |
To isolate LVM volumes created by compute guests, within Cinder volumes, from
the LVM volumes created/managed by the host itself, a new task has been
introduced to create an allowlist and denylist of devices which should be
accessible (or not) to the host, configured in lvm.conf using the
global_filter key.
The allowlist is generated gathering the list of existing in-use physical
disks (or partitions) and appending to it any user provided device passed
via `LVMFilterAllowlist` parameter.
The denylist is configured via `LVMFilterDenylist` and defaults to ['.*'],
which means it blocks any device not explicitly allowed.
Both the list parameters can be specified per-role.
The feature is, by default, disabled and can be enabled passing
`LVMFilterEnabled: true`; when disabled the existing lvm.conf won't be
touched and a version of it which includes the global_filter will be left,
for debugging, in `/tmp/tripleo_lvmfilter.conf`.
fixes:
- |
As per launchpad bug 1855704, the lvmfilter task aims at hiding to the
host the LVM2 volumes created by compute guests in Cinder volumes or
Glance images.
Loading…
Cancel
Save