tripleo-heat-templates/releasenotes/notes/automated-lvmfilter-3bee670c0108585a.yaml
Giulio Fidente 0bd041a6dc Run tripleo_lvmfilter role to restrict block devices visible to LVM2
Calls an ansible role to create an LVM2 filter.

Change-Id: Ia01d23e252bc48b7cc6c66cd39138e6844b90a69
Depends-On: I9781007559e074f2b102f6f90c1aed6def1b02be
Closes-Bug: 1855704
2020-10-21 10:46:08 +00:00

---
features:
  - |
    To isolate LVM volumes created by compute guests, within Cinder volumes, from
    the LVM volumes created/managed by the host itself, a new task has been
    introduced to create an allowlist and denylist of devices which should be
    accessible (or not) to the host, configured in lvm.conf using the
    global_filter key.
    The allowlist is generated by gathering the list of existing in-use physical
    disks (or partitions) and appending to it any user-provided device passed
    via the `LVMFilterAllowlist` parameter.
    The denylist is configured via `LVMFilterDenylist` and defaults to ['.*'],
    which means it blocks any device not explicitly allowed.
    Both list parameters can be specified per-role.
    The feature is disabled by default and can be enabled by passing
    `LVMFilterEnabled: true`; when disabled, the existing lvm.conf won't be
    touched and a version of it which includes the global_filter will be left,
    for debugging, in `/tmp/tripleo_lvmfilter.conf`.
fixes:
  - |
    As per launchpad bug 1855704, the lvmfilter task aims at hiding from the
    host the LVM2 volumes created by compute guests in Cinder volumes or
    Glance images.
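
The following Python sketch is an added example, not code from tripleo-heat-templates or the tripleo_lvmfilter role. It shows how an allowlist and the default denylist ['.*'] combine under LVM's first-match-wins filter evaluation; rendering the lists as `a|...|` entries followed by `r|...|` entries is an assumption about the generated global_filter, and the function names and device paths are constructed.

```python
import re


def render_global_filter(allowlist, denylist=(".*",)):
    """Render an lvm.conf global_filter line (assumed layout: accepts, then rejects)."""
    rules = [f"a|{dev}|" for dev in allowlist] + [f"r|{pat}|" for pat in denylist]
    return "global_filter = [ " + ", ".join(f'"{r}"' for r in rules) + " ]"


def parse_rules(line):
    """Extract (action, regex) pairs from a global_filter line."""
    rules = []
    for item in re.findall(r'"([^"]*)"', line):
        # Each rule is <a|r><delimiter><regex><delimiter>.
        if len(item) < 3 or item[0] not in "ar" or item[-1] != item[1]:
            raise ValueError(f"malformed filter rule: {item!r}")
        rules.append((item[0], item[2:-1]))
    return rules


def lvm_accepts(device, rules):
    """LVM semantics: the first matching pattern decides; no match means accept."""
    for action, pattern in rules:
        if re.search(pattern, device):  # patterns are unanchored regexes
            return action == "a"
    return True


def visible_devices(devices, allowlist, denylist=(".*",)):
    """Return the subset of devices the host's LVM would still scan."""
    rules = parse_rules(render_global_filter(allowlist, denylist))
    return [d for d in devices if lvm_accepts(d, rules)]


# Constructed sample: /dev/sda2 backs the host's own volume group, while
# /dev/sdb and /dev/sdc are attached Cinder volumes carrying guest-created PVs.
SAMPLE_DEVICES = ["/dev/sda2", "/dev/sdb", "/dev/sdc"]

if __name__ == "__main__":
    print(render_global_filter(["/dev/sda2"]))
    print("default denylist:", visible_devices(SAMPLE_DEVICES, ["/dev/sda2"]))
    # With an empty denylist nothing is rejected, so guest PVs stay visible.
    print("empty denylist:  ", visible_devices(SAMPLE_DEVICES, ["/dev/sda2"], []))
```

Because the patterns are unanchored, an allowlist entry such as `/dev/sda2` also accepts `/dev/sda20`; anchoring with `^` and `$` narrows the match to the exact device path.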