Run tripleo_lvmfilter role to restrict block devices visible to LVM2

Calls an ansible role to create an LVM2 filter. Change-Id: Ia01d23e252bc48b7cc6c66cd39138e6844b90a69 Depends-On: I9781007559e074f2b102f6f90c1aed6def1b02be Closes-Bug: 1855704
2020-01-16 13:19:41 +01:00 · 2020-01-16 13:19:41 +01:00 · 0bd041a6dc
commit 0bd041a6dc
parent 698d360cd0
4 changed files with 83 additions and 0 deletions
--- a/ci/environments/scenario001-standalone.yaml
+++ b/ci/environments/scenario001-standalone.yaml
@ -186,3 +186,8 @@ parameter_defaults:
    foo: bar
  NfsUrl: 127.0.0.1
  CephMsgrSecureMode: true
+  LVMFilterEnabled: true
+  LVMFilterAllowlist:
+    - /dev/loop2
+    - /dev/loop3
+    - /dev/loop4
--- a/ci/environments/scenario002-standalone.yaml
+++ b/ci/environments/scenario002-standalone.yaml
@ -66,3 +66,7 @@ parameter_defaults:
    - test_volume:/testvol
  StandaloneExtraGroupVars:
    cinder_fake_group_var_one: var_one_override
+  StandaloneParameters:
+    LVMFilterEnabled: true
+    LVMFilterAllowlist:
+      - /dev/allowed
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
@ -36,12 +36,56 @@ parameters:
  DefaultPasswords:
    default: {}
    type: json
+  LVMFilterEnabled:
+    default: false
+    description: Enables configuration of LVM2 with a filter so that devices not
+                 in use on the host or explicitly allowed are ignored by
+                 LVM2. Can be configured per-role.
+                 When disabled, the proposed lvm.conf file will be created
+                 regardless and left in /tmp/tripleo_lvmfilter.conf for
+                 debugging purposes.
+    type: boolean
+    tags:
+      - role_specific
+  LVMFilterAllowlist:
+    default: []
+    description: A list of block devices which should be allowed in the LVM2
+                 `global_filter`. Supports regular expressions, like `/dev/sd.*`
+                 and can be configured per-role. Any block device in use at boot
+                 time will be automatically allowed.
+    type: comma_delimited_list
+    tags:
+      - role_specific
+  LVMFilterDenylist:
+    default: ['.*']
+    description: A list of block devices which should be disallowed in the LVM2
+                 `global_filter`. Supports regular expressions, like `/dev/sd.*`
+                 and can be configured per-role.
+    type: comma_delimited_list
+    tags:
+      - role_specific

 resources:

  ContainersCommon:
    type: ../containers-common.yaml

+  RoleParametersValue:
+    type: OS::Heat::Value
+    properties:
+      type: json
+      value:
+        map_replace:
+          - map_replace:
+            - tripleo_tripleo_lvmfilter_enabled: LVMFilterEnabled
+              tripleo_tripleo_lvmfilter_devices_allowlist: LVMFilterAllowlist
+              tripleo_tripleo_lvmfilter_devices_denylist: LVMFilterDenylist
+            - values: {get_param: [RoleParameters]}
+          - values:
+              LVMFilterEnabled: {get_param: LVMFilterEnabled}
+              LVMFilterAllowlist: {get_param: LVMFilterAllowlist}
+              LVMFilterDenylist: {get_param: LVMFilterDenylist}
+
 outputs:
  role_data:
    description: Role data for the Iscsid role.
@ -49,6 +93,13 @@ outputs:
      service_name: iscsid
      config_settings: {}
      service_config_settings: {}
+      deploy_steps_tasks:
+      - name: Run lvmfilter role
+        include_role:
+          name: tripleo_lvmfilter
+        when:
+        - step|int == 1
+      ansible_group_vars: {get_attr: [RoleParametersValue, value]}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: iscsid
--- a/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
+++ b/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
@ -0,0 +1,23 @@
+---
+features:
+  - |
+    To isolate LVM volumes created by compute guests, within Cinder volumes, from
+    the LVM volumes created/managed by the host itself, a new task has been
+    introduced to create an allowlist and denylist of devices which should be
+    accessible (or not) to the host, configured in lvm.conf using the
+    global_filter key.
+    The allowlist is generated gathering the list of existing in-use physical
+    disks (or partitions) and appending to it any user provided device passed
+    via `LVMFilterAllowlist` parameter.
+    The denylist is configured via `LVMFilterDenylist` and defaults to ['.*'],
+    which means it blocks any device not explicitly allowed.
+    Both the list parameters can be specified per-role.
+    The feature is, by default, disabled and can be enabled passing
+    `LVMFilterEnabled: true`; when disabled the existing lvm.conf won't be
+    touched and a version of it which includes the global_filter will be left,
+    for debugging, in `/tmp/tripleo_lvmfilter.conf`.
+fixes:
+  - |
+    As per launchpad bug 1855704, the lvmfilter task aims at hiding to the
+    host the LVM2 volumes created by compute guests in Cinder volumes or
+    Glance images.