diff --git a/ci/environments/scenario001-standalone.yaml b/ci/environments/scenario001-standalone.yaml
index 5ff4229343..9ba3f6c8c7 100644
--- a/ci/environments/scenario001-standalone.yaml
+++ b/ci/environments/scenario001-standalone.yaml
@@ -193,3 +193,8 @@ parameter_defaults:
 foo: bar
 NfsUrl: 127.0.0.1
 CephMsgrSecureMode: true
+ LVMFilterEnabled: true
+ LVMFilterAllowlist:
+ - /dev/loop2
+ - /dev/loop3
+ - /dev/loop4
diff --git a/ci/environments/scenario002-standalone.yaml b/ci/environments/scenario002-standalone.yaml
index b89cabb0c4..a58c04f317 100644
--- a/ci/environments/scenario002-standalone.yaml
+++ b/ci/environments/scenario002-standalone.yaml
@@ -68,3 +68,7 @@ parameter_defaults:
 - test_volume:/testvol
 StandaloneExtraGroupVars:
 cinder_fake_group_var_one: var_one_override
+ StandaloneParameters:
+ LVMFilterEnabled: true
+ LVMFilterAllowlist:
+ - /dev/allowed
\ No newline at end of file
diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index 292bc79260..f49d940b70 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
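Review bot: The scenario002 hunk ends with `\ No newline at end of file`, so the new `- /dev/allowed` entry leaves the environment file without a trailing newline; yamllint's `new-line-at-end-of-file` rule flags this and the next change to the file will show a spurious diff on that line. Add the trailing newline while the line is being touched.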
@@ -36,12 +36,56 @@ parameters: DefaultPasswords: default: {} type: json + LVMFilterEnabled: + default: false + description: Enables configuration of LVM2 with a filter so that devices not + in use on the host or explicitly allowed are ignored by + LVM2. Can be configured per-role. + When disabled, the proposed lvm.conf file will be created + regardless and left in /tmp/tripleo_lvmfilter.conf for + debugging purposes. + type: boolean + tags: + - role_specific + LVMFilterAllowlist: + default: [] + description: A list of block devices which should be allowed in the LVM2 + `global_filter`. Supports regular expressions, like `/dev/sd.*` + and can be configured per-role. Any block device in use at boot + time will be automatically allowed. + type: comma_delimited_list + tags: + - role_specific + LVMFilterDenylist: + default: ['.*'] + description: A list of block devices which should be disallowed in the LVM2 + `global_filter`. Supports regular expressions, like `/dev/sd.*` + and can be configured per-role. + type: comma_delimited_list + tags: + - role_specific resources: ContainersCommon: type: ../containers-common.yaml + RoleParametersValue: + type: OS::Heat::Value + properties: + type: json + value: + map_replace: + - map_replace: + - tripleo_tripleo_lvmfilter_enabled: LVMFilterEnabled + tripleo_tripleo_lvmfilter_devices_allowlist: LVMFilterAllowlist + tripleo_tripleo_lvmfilter_devices_denylist: LVMFilterDenylist + - values: {get_param: [RoleParameters]} + - values: + LVMFilterEnabled: {get_param: LVMFilterEnabled} + LVMFilterAllowlist: {get_param: LVMFilterAllowlist} + LVMFilterDenylist: {get_param: LVMFilterDenylist} + outputs: role_data: description: Role data for the Iscsid role. 
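Review bot: The LVMFilterEnabled description in this hunk commits the role to writing the proposed lvm.conf to `/tmp/tripleo_lvmfilter.conf` even when the parameter is false, which is the default, so a privileged task drops a file at a fixed, predictable path in a world-writable directory on every run; unless tripleo_lvmfilter (not in this diff) creates it with an exclusive create or inside a private directory, that is the classic symlink pre-creation hazard, and a location such as `/var/lib/tripleo-config/tripleo_lvmfilter.conf` with mode 0600 avoids it at no cost. Both list parameters are declared `comma_delimited_list`, which Heat splits on commas when the value arrives as a string, so a pattern with a quantifier such as `/dev/sd[a-c]{1,2}` would be cut into two broken entries; either add `Patterns must not contain commas.` to both descriptions or declare the parameters as `json`. The `tripleo_tripleo_lvmfilter_*` keys in RoleParametersValue carry a doubled prefix that is presumably the tripleo_ namespace plus the role name; worth confirming against the role's defaults, since a mismatch here silently leaves the role running on its own defaults.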
@@ -49,6 +93,13 @@ outputs:
 service_name: iscsid
 config_settings: {}
 service_config_settings: {}
+ deploy_steps_tasks:
+ - name: Run lvmfilter role
+ include_role:
+ name: tripleo_lvmfilter
+ when:
+ - step|int == 1
+ ansible_group_vars: {get_attr: [RoleParametersValue, value]}
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: iscsid
diff --git a/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml b/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
new file mode 100644
index 0000000000..629bb76ed9
--- /dev/null
+++ b/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
@@ -0,0 +1,23 @@
+---
+features:
+ - |
+ To isolate LVM volumes created by compute guests, within Cinder volumes, from
+ the LVM volumes created/managed by the host itself, a new task has been
+ introduced to create an allowlist and denylist of devices which should be
+ accessible (or not) to the host, configured in lvm.conf using the
+ global_filter key.
+ The allowlist is generated gathering the list of existing in-use physical
+ disks (or partitions) and appending to it any user provided device passed
+ via `LVMFilterAllowlist` parameter.
+ The denylist is configured via `LVMFilterDenylist` and defaults to ['.*'],
+ which means it blocks any device not explicitly allowed.
+ Both the list parameters can be specified per-role.
+ The feature is, by default, disabled and can be enabled passing
+ `LVMFilterEnabled: true`; when disabled the existing lvm.conf won't be
+ touched and a version of it which includes the global_filter will be left,
+ for debugging, in `/tmp/tripleo_lvmfilter.conf`.
+fixes:
+ - |
+ As per launchpad bug 1855704, the lvmfilter task aims at hiding to the
+ host the LVM2 volumes created by compute guests in Cinder volumes or
+ Glance images.
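Review bot: The include_role added here is gated only on `step|int == 1`, not on the enable flag, so tripleo_lvmfilter is invoked on every host carrying the iscsid service on each deploy and update, and with the default `LVMFilterEnabled: false` it still does the work the parameter description promises, including the /tmp debug copy; a comment above the task would spare the next reader a detour into the role: `# Runs unconditionally; the role honours tripleo_tripleo_lvmfilter_enabled and only installs the filter when it is true`. Because the generated allowlist is seeded from the devices found in use (per the LVMFilterAllowlist description and the release note), a re-run on a host that already has iSCSI-attached Cinder volumes may auto-allow exactly the guest devices the filter is meant to hide; whether the role excludes those is decided inside tripleo_lvmfilter, which is not in this diff, so it is worth stating here. The filter is also only applied to roles that include this iscsid service, which neither the task nor the release note mentions; the enclosing role_data value mapping continues beyond the hunk.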