
Run tripleo_lvmfilter role to restrict block devices visible to LVM2

Calls an ansible role to create an LVM2 filter.

Change-Id: Ia01d23e252bc48b7cc6c66cd39138e6844b90a69
Depends-On: I9781007559e074f2b102f6f90c1aed6def1b02be
Closes-Bug: 1855704
(cherry picked from commit 0bd041a6dce3aa572a2a681f222bd8753c1a6b4a)
(cherry picked from commit 4747cc41c4729cd3357b702ac69dcc773a473cef)
changes/35/759135/1
Giulio Fidente 1 year ago
parent
commit
e3477d92fa
4 changed files with 83 additions and 0 deletions
  1. +5 -0  ci/environments/scenario001-standalone.yaml
  2. +4 -0  ci/environments/scenario002-standalone.yaml
  3. +51 -0  deployment/iscsid/iscsid-container-puppet.yaml
  4. +23 -0  releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml

+5 -0 ci/environments/scenario001-standalone.yaml

@ -191,3 +191,8 @@ parameter_defaults:
foo: bar
NfsUrl: 127.0.0.1
CephMsgrSecureMode: true
LVMFilterEnabled: true
LVMFilterAllowlist:
- /dev/loop2
- /dev/loop3
- /dev/loop4
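Review bot: the three allowlist entries are bare device paths, but the LVMFilterAllowlist description in deployment/iscsid/iscsid-container-puppet.yaml says entries are treated as regular expressions, so if the role passes them through verbatim `/dev/loop2` would also match a `/dev/loop20` should one ever appear; either anchor the patterns (`^/dev/loop2$`) or confirm the role anchors them. A short comment on why scenario001 needs loop2..loop4 allowlisted at all (loop devices set up during the deployment are not "in use at boot" and so are not auto-allowed) would help whoever edits this environment next.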

+4 -0 ci/environments/scenario002-standalone.yaml

@ -52,3 +52,7 @@ parameter_defaults:
SwiftCeilometerPipelineEnabled: false
BarbicanSimpleCryptoGlobalDefault: true
ContainerCli: podman
StandaloneParameters:
LVMFilterEnabled: true
LVMFilterAllowlist:
- /dev/allowed
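Review bot: `/dev/allowed` under StandaloneParameters is a path that does not exist on the host, which is fine for exercising the role_specific wiring, but a comment saying it is a placeholder would stop it being read as a real device. It is worth recording somewhere (commit message or the environment file) that scenario002 drives the parameters through the per-role path while scenario001 drives the global parameters, so the two scenarios together cover both inputs of the map_replace in the service template.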

+51 -0 deployment/iscsid/iscsid-container-puppet.yaml

@ -36,12 +36,56 @@ parameters:
DefaultPasswords:
default: {}
type: json
LVMFilterEnabled:
default: false
description: Enables configuration of LVM2 with a filter so that devices not
in use on the host or explicitly allowed are ignored by
LVM2. Can be configured per-role.
When disabled, the proposed lvm.conf file will be created
regardless and left in /tmp/tripleo_lvmfilter.conf for
debugging purposes.
type: boolean
tags:
- role_specific
LVMFilterAllowlist:
default: []
description: A list of block devices which should be allowed in the LVM2
`global_filter`. Supports regular expressions, like `/dev/sd.*`
and can be configured per-role. Any block device in use at boot
time will be automatically allowed.
type: comma_delimited_list
tags:
- role_specific
LVMFilterDenylist:
default: ['.*']
description: A list of block devices which should be disallowed in the LVM2
`global_filter`. Supports regular expressions, like `/dev/sd.*`
and can be configured per-role.
type: comma_delimited_list
tags:
- role_specific
resources:
ContainersCommon:
type: ../containers-common.yaml
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- tripleo_tripleo_lvmfilter_enabled: LVMFilterEnabled
tripleo_tripleo_lvmfilter_devices_allowlist: LVMFilterAllowlist
tripleo_tripleo_lvmfilter_devices_denylist: LVMFilterDenylist
- values: {get_param: [RoleParameters]}
- values:
LVMFilterEnabled: {get_param: LVMFilterEnabled}
LVMFilterAllowlist: {get_param: LVMFilterAllowlist}
LVMFilterDenylist: {get_param: LVMFilterDenylist}
outputs:
role_data:
description: Role data for the Iscsid role.
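Review bot: two points in the new parameter block. First, the LVMFilterEnabled description documents that even when the feature is disabled the generated lvm.conf is written to a fixed name in a world-writable directory (`/tmp/tripleo_lvmfilter.conf`); a predictable path in /tmp invites symlink races, so the role in the Depends-On change should create that file without following an existing symlink (or, better, write it under a root-owned location such as /var/lib/tripleo) and this description should be updated to match. Second, LVMFilterAllowlist and LVMFilterDenylist are `comma_delimited_list` while their descriptions advertise regular expressions; a pattern containing a comma (for example a `{1,2}` quantifier) would be split by Heat, so either document that commas are unsupported or switch the type to `json`. Minor: `tripleo_tripleo_lvmfilter_enabled` and friends read like a doubled prefix but follow the `tripleo_<role name>_` variable convention for a role called `tripleo_lvmfilter`; a one-line comment above the map_replace would save reviewers a double-take.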
@ -49,6 +93,13 @@ outputs:
service_name: iscsid
config_settings: {}
service_config_settings: {}
deploy_steps_tasks:
- name: Run lvmfilter role
include_role:
name: tripleo_lvmfilter
when:
- step|int == 1
ansible_group_vars: {get_attr: [RoleParametersValue, value]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: iscsid
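Review bot: the include_role task at `step|int == 1` has no `when` on the enabled flag, so the role is included on every node carrying the iscsid service even with `LVMFilterEnabled: false`; that is consistent with the parameter description (the disabled path still writes the debugging copy), but a comment on the task stating that the role gates on `tripleo_tripleo_lvmfilter_enabled` itself would make the intent explicit, otherwise the missing condition looks like an oversight. Since `ansible_group_vars` comes from `RoleParametersValue`, whose map_replace prefers `RoleParameters` over the global parameters, a sentence in the commit message noting that per-role values override global ones would also help operators who set both.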


+23 -0 releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml

@ -0,0 +1,23 @@
---
features:
- |
To isolate LVM volumes created by compute guests, within Cinder volumes, from
the LVM volumes created/managed by the host itself, a new task has been
introduced to create an allowlist and denylist of devices which should be
accessible (or not) to the host, configured in lvm.conf using the
global_filter key.
The allowlist is generated gathering the list of existing in-use physical
disks (or partitions) and appending to it any user provided device passed
via `LVMFilterAllowlist` parameter.
The denylist is configured via `LVMFilterDenylist` and defaults to ['.*'],
which means it blocks any device not explicitly allowed.
Both the list parameters can be specified per-role.
The feature is, by default, disabled and can be enabled passing
`LVMFilterEnabled: true`; when disabled the existing lvm.conf won't be
touched and a version of it which includes the global_filter will be left,
for debugging, in `/tmp/tripleo_lvmfilter.conf`.
fixes:
- |
As per launchpad bug 1855704, the lvmfilter task aims at hiding to the
host the LVM2 volumes created by compute guests in Cinder volumes or
Glance images.
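Review bot: the `fixes` entry only restates the feature's goal and reads "hiding to the host" (should be "hiding from the host"); a release-note fix should say what changes for someone affected by bug 1855704, namely that with `LVMFilterEnabled: true` the host's LVM2 ignores devices outside the allowlist and so no longer picks up volume groups living inside guest-owned Cinder volumes or Glance images. In the `features` text, the `['.*']` default denylist combined with auto-allowing disks in use at boot is the safety property operators rely on; it would be worth spelling out that any device not detected as in use at boot and not listed in `LVMFilterAllowlist` will be filtered, and pointing readers at `/tmp/tripleo_lvmfilter.conf` as the place to review the generated filter before enabling.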
