From e3477d92faeaf718cb6cb3b325e58d31b5de139d Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Thu, 16 Jan 2020 13:19:41 +0100
Subject: [PATCH] Run tripleo_lvmfilter role to restrict block devices visible to LVM2

Calls an ansible role to create an LVM2 filter.

Change-Id: Ia01d23e252bc48b7cc6c66cd39138e6844b90a69
Depends-On: I9781007559e074f2b102f6f90c1aed6def1b02be
Closes-Bug: 1855704
(cherry picked from commit 0bd041a6dce3aa572a2a681f222bd8753c1a6b4a)
(cherry picked from commit 4747cc41c4729cd3357b702ac69dcc773a473cef)
---
 ci/environments/scenario001-standalone.yaml | 5 ++
 ci/environments/scenario002-standalone.yaml | 4 ++
 .../iscsid/iscsid-container-puppet.yaml | 51 +++++++++++++++++++
 .../automated-lvmfilter-3bee670c0108585a.yaml | 23 +++++++++
 4 files changed, 83 insertions(+)
 create mode 100644 releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml

diff --git a/ci/environments/scenario001-standalone.yaml b/ci/environments/scenario001-standalone.yaml
index f578df4ff2..1ed836439a 100644
--- a/ci/environments/scenario001-standalone.yaml
+++ b/ci/environments/scenario001-standalone.yaml
@@ -191,3 +191,8 @@ parameter_defaults:
 foo: bar
 NfsUrl: 127.0.0.1
 CephMsgrSecureMode: true
+ LVMFilterEnabled: true
+ LVMFilterAllowlist:
+ - /dev/loop2
+ - /dev/loop3
+ - /dev/loop4
diff --git a/ci/environments/scenario002-standalone.yaml b/ci/environments/scenario002-standalone.yaml
index a386724dad..a3b5e4684f 100644
--- a/ci/environments/scenario002-standalone.yaml
+++ b/ci/environments/scenario002-standalone.yaml
@@ -52,3 +52,7 @@ parameter_defaults:
 SwiftCeilometerPipelineEnabled: false
 BarbicanSimpleCryptoGlobalDefault: true
 ContainerCli: podman
+ StandaloneParameters:
+ LVMFilterEnabled: true
+ LVMFilterAllowlist:
+ - /dev/allowed
diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index e2d96caf91..706f92bf13 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
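Review bot: The scenario001 allowlist entries `/dev/loop2`, `/dev/loop3` and `/dev/loop4` are passed to LVM2 as regular expressions, and lvm.conf matches filter patterns as unanchored substrings, so `/dev/loop2` would also admit `/dev/loop20` through `/dev/loop29` if such devices existed on the host (unless the tripleo_lvmfilter role, which is not part of this change, anchors them itself). That is harmless in CI, but these files are what operators tend to copy, so anchoring the entries, `- ^/dev/loop2$` and likewise for loop3 and loop4, would model the intended usage of an allowlist that is meant to be exact. The same remark applies to `/dev/allowed` in the scenario002 hunk.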
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
@@ -36,12 +36,56 @@ parameters:
 DefaultPasswords:
 default: {}
 type: json
+ LVMFilterEnabled:
+ default: false
+ description: Enables configuration of LVM2 with a filter so that devices not
+ in use on the host or explicitly allowed are ignored by
+ LVM2. Can be configured per-role.
+ When disabled, the proposed lvm.conf file will be created
+ regardless and left in /tmp/tripleo_lvmfilter.conf for
+ debugging purposes.
+ type: boolean
+ tags:
+ - role_specific
+ LVMFilterAllowlist:
+ default: []
+ description: A list of block devices which should be allowed in the LVM2
+ `global_filter`. Supports regular expressions, like `/dev/sd.*`
+ and can be configured per-role. Any block device in use at boot
+ time will be automatically allowed.
+ type: comma_delimited_list
+ tags:
+ - role_specific
+ LVMFilterDenylist:
+ default: ['.*']
+ description: A list of block devices which should be disallowed in the LVM2
+ `global_filter`. Supports regular expressions, like `/dev/sd.*`
+ and can be configured per-role.
+ type: comma_delimited_list
+ tags:
+ - role_specific
 
 resources:
 
 ContainersCommon:
 type: ../containers-common.yaml
 
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - tripleo_tripleo_lvmfilter_enabled: LVMFilterEnabled
+ tripleo_tripleo_lvmfilter_devices_allowlist: LVMFilterAllowlist
+ tripleo_tripleo_lvmfilter_devices_denylist: LVMFilterDenylist
+ - values: {get_param: [RoleParameters]}
+ - values:
+ LVMFilterEnabled: {get_param: LVMFilterEnabled}
+ LVMFilterAllowlist: {get_param: LVMFilterAllowlist}
+ LVMFilterDenylist: {get_param: LVMFilterDenylist}
+
 outputs:
 role_data:
 description: Role data for the Iscsid role.
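Review bot: The example `/dev/sd.*` given in the `LVMFilterAllowlist` description is the wrong pattern to advertise for a feature whose stated purpose is to hide guest-owned LVM volumes from the host: LVM2 matches filter regexes as unanchored substrings, and on hosts where Cinder volumes are attached over iSCSI those volumes typically surface as `/dev/sd*`, so an operator who copies the example re-admits exactly the devices the filter is meant to reject. Both list parameters are also typed `comma_delimited_list`, which Heat splits on commas, so a pattern containing a comma (a `{1,2}` quantifier, for instance) cannot be expressed and will silently become two entries. I would replace the `Supports regular expressions, like `/dev/sd.*`` sentence in both descriptions with `Entries are LVM2 regular expressions matched as substrings; anchor them (e.g. ^/dev/sda$) and avoid commas, which Heat uses as the list separator.` The allow-before-deny ordering that makes the `.*` denylist default safe is delegated to the tripleo_lvmfilter role, which is not in this diff, and is worth confirming there.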
@@ -49,6 +93,13 @@ outputs:
 service_name: iscsid
 config_settings: {}
 service_config_settings: {}
+ deploy_steps_tasks:
+ - name: Run lvmfilter role
+ include_role:
+ name: tripleo_lvmfilter
+ when:
+ - step|int == 1
+ ansible_group_vars: {get_attr: [RoleParametersValue, value]}
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: iscsid
diff --git a/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml b/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
new file mode 100644
index 0000000000..629bb76ed9
--- /dev/null
+++ b/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
@@ -0,0 +1,23 @@
+---
+features:
+ - |
+ To isolate LVM volumes created by compute guests, within Cinder volumes, from
+ the LVM volumes created/managed by the host itself, a new task has been
+ introduced to create an allowlist and denylist of devices which should be
+ accessible (or not) to the host, configured in lvm.conf using the
+ global_filter key.
+ The allowlist is generated gathering the list of existing in-use physical
+ disks (or partitions) and appending to it any user provided device passed
+ via `LVMFilterAllowlist` parameter.
+ The denylist is configured via `LVMFilterDenylist` and defaults to ['.*'],
+ which means it blocks any device not explicitly allowed.
+ Both the list parameters can be specified per-role.
+ The feature is, by default, disabled and can be enabled passing
+ `LVMFilterEnabled: true`; when disabled the existing lvm.conf won't be
+ touched and a version of it which includes the global_filter will be left,
+ for debugging, in `/tmp/tripleo_lvmfilter.conf`.
+fixes:
+ - |
+ As per launchpad bug 1855704, the lvmfilter task aims at hiding to the
+ host the LVM2 volumes created by compute guests in Cinder volumes or
+ Glance images.
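Review bot: The `include_role` in `deploy_steps_tasks` runs at step 1 on every host regardless of `LVMFilterEnabled`, and the parameter description earlier in this file says that when the flag is false (the default) the rendered lvm.conf is still written to the fixed path `/tmp/tripleo_lvmfilter.conf`. A predictable file name in a world-writable directory, written by a root-run deploy step, is a symlink-following hazard unless the writer replaces rather than follows an existing link; the tripleo_lvmfilter role is in the Depends-On change and not visible here, so that should be confirmed, or the debug copy moved to a root-owned directory. Two consequences of where this task lives are also worth stating for operators: because it is attached to the iscsid service, only roles that include iscsid get a filter at all, and with the default of false bug 1855704 remains open until someone opts in. A comment above the task such as `# Runs only on roles that carry iscsid; the role leaves lvm.conf untouched unless tripleo_tripleo_lvmfilter_enabled is true` would make both points visible where the next reader will look.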