BZ to track full support of this feature.

+++ This bug was initially created as a clone of Bug #1261083 +++

Description of problem:
Using LVM on a cinder volume on the instance causes the compute node to pick up the LVM at the host level.

How reproducible:
Every time

Steps to Reproduce:
1. Create a new cinder volume and present it to an instance
2. Use LVM against the raw device (pvcreate/vgcreate/lvcreate)
3. Run 'lvs -o +devices' on the compute

Actual results:
LVM from the guest is seen on the host

Expected results:
Host should not be able to see LVM from the guest

Additional info:
This can cause problems such as conflicting VG names on the compute. It can also cause the LVM on the compute to adjust metadata that the instance is not aware of, leading to things like missing volumes. Current workaround is to set a filter on the compute node.
Verified on:
tripleo-ansible-0.5.1-3.20201104004940.5325afc.el8ost.noarch
openstack-tripleo-heat-templates-11.3.2-3.20201103010339.1309c80.el8ost.noarch

Used the below yaml to configure a filter:

[stack@undercloud-0 ~]$ cat virt/extra_templates.yaml
parameter_defaults:
  ComputeParameters:
    LVMFilterAllowlist:
      - /dev/vda        -> notice comment at the end [0]
    LVMFilterEnabled: true

The resulting filter is created on the compute node:

[root@compute-0 ~]# grep -i global_filter /etc/lvm/lvm.conf
# Configuration option devices/global_filter.
# Use global_filter to hide devices from these LVM system components.
# global_filter are not opened by LVM.
global_filter=["a|/dev/vda|","r|.*|"]

Booted up a CentOS instance and attached a Cinder lvm (iscsi) volume to the instance. Inside the instance, on the Cinder volume, I created an LVM partition:

[root@inst11 ~]# lvs
  LV   VG   Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv1  vg1  -wi-a----- 1020.00m

When we check the compute node, due to filtering, as expected we don't see the instance's LVM/data exposed on the compute host:

[root@compute-0 ~]# lvs -o +devices
[root@compute-0 ~]#

Looking good, as expected. Just to be extra sure, I later commented out the filter in the compute node's lvm.conf. Without lvm filtering set we confirm the pre-fix / non-filtered case where the instance's LVM is exposed on the compute host:

[root@compute-0 ~]# lvs -o +devices
  LV   VG   Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Devices
  lv1  vg1  -wi-a----- 1020.00m                                                     /dev/sda(0)

Good to verify that with filtering set we eliminate exposure of the instance's data on the compute host.

[0] FYI, at the moment filtering gets set only if allowlist is used.
https://bugzilla.redhat.com/show_bug.cgi?id=1905973
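The verification above checks the filter by hand with `lvs -o +devices`. As an added example (not code from the bug report, tripleo or LVM), the script below renders the same `global_filter` line from an allowlist and then evaluates a given lvm.conf against a list of host block devices using LVM's rule semantics, so a compute host can be audited for Cinder volumes its LVM would still scan; the lvm.conf fragment and device list are constructed.

```python
# Added example (not from the bug report): audit an lvm.conf global_filter
# with LVM's rule semantics: rules are tried in order, the first regex that
# matches the device path decides (a = accept, r = reject), and a path that
# matches no rule is accepted. Caveat: real LVM tests every alias of a device.
import re
from typing import List, Tuple

def build_global_filter(allowlist: List[str]) -> str:
    """Render the line tripleo writes from LVMFilterAllowlist (see the page):
    accept each listed device, reject everything else."""
    entries = [f'"a|{dev}|"' for dev in allowlist] + ['"r|.*|"']
    return "global_filter=[" + ",".join(entries) + "]"

def parse_global_filter(conf_text: str) -> List[Tuple[str, str]]:
    """(action, regex) rules of the first uncommented global_filter line;
    an empty list means no filter is in effect."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith("global_filter"):
            continue
        rules = []
        for item in re.findall(r'"([^"]*)"', line.split("=", 1)[1]):
            action, delim = item[0], item[1]        # e.g. 'a' and '|'
            rules.append((action, item[2:].rsplit(delim, 1)[0]))
        return rules
    return []

def device_accepted(rules: List[Tuple[str, str]], device: str) -> bool:
    for action, regex in rules:
        if re.search(regex, device):               # LVM regexes are unanchored
            return action == "a"
    return True                                    # no match: LVM scans it

def unexpected_devices(conf_text: str, devices: List[str],
                       allowlist: List[str]) -> List[str]:
    """Devices the host's LVM would still scan although they are not on the
    allowlist, i.e. where guest-written LVM metadata could be picked up."""
    rules = parse_global_filter(conf_text)
    return [d for d in devices if d not in allowlist and device_accepted(rules, d)]

# Constructed lvm.conf fragment mirroring the verification comment above.
FILTERED_CONF = """\
# Configuration option devices/global_filter.
global_filter=["a|/dev/vda|","r|.*|"]
"""
# Same file with the filter commented out, as the verifier did for comparison.
UNFILTERED_CONF = FILTERED_CONF.replace("\nglobal_filter", "\n# global_filter")
# Constructed device list: root disk plus an attached iSCSI Cinder volume.
HOST_DEVICES = ["/dev/vda", "/dev/sda"]
```

On a real host, feed it the text of /etc/lvm/lvm.conf and the output of `lsblk -pn -o NAME`; any device returned by `unexpected_devices` is one whose guest-written VG metadata the compute's LVM would pick up.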
Version released, but the bug is TestOnly, so it needs to be manually moved to CLOSED/CURRENTRELEASE.