Bug 1884225
| Summary: | [RFE] Using LVM on a cinder volume should not expose the data to the compute host | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Gregory Charot <gcharot> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Giulio Fidente <gfidente> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Tzach Shefi <tshefi> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 16.2 (Train) | CC: | abishop, acanan, agk, akaris, amcleod, astillma, broose, cschwede, eharney, gcharot, gfidente, jbrassow, jpittman, jraju, jvisser, jwaterwo, lmarsh, ltoscano, mabrams, marjones, mburns, nlevinki, nsoffer, nwolf, pablo.iranzo, pgrist, sclewis, scohen, spower, sputhenp, srevivo, teigland, tkajinam, tshefi, tvignaud, tvvcox, vcojot, vfarias, zkabelac |
| Target Milestone: | Alpha | Keywords: | FutureFeature, TestOnly, Triaged |
| Target Release: | 16.2 (Train on RHEL 8.4) | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | tripleo-ansible-0.5.1-1.20200914163926.el8ost openstack-tripleo-heat-templates-11.3.2-1.20200914170167.el8ost | Doc Type: | Technology Preview |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1261083 | Environment: | |
| Last Closed: | 2021-09-22 09:13:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1261083 | | |
| Bug Blocks: | 1518969, 1883643 | | |
Description
Gregory Charot
2020-10-01 11:57:35 UTC
Verified on:
tripleo-ansible-0.5.1-3.20201104004940.5325afc.el8ost.noarch
openstack-tripleo-heat-templates-11.3.2-3.20201103010339.1309c80.el8ost.noarch
Used below yaml to configure a filter:

```
[stack@undercloud-0 ~]$ cat virt/extra_templates.yaml
parameter_defaults:
  ComputeParameters:
    LVMFilterAllowlist:
      - /dev/vda            -> notice comment at the end [0]
    LVMFilterEnabled: true
```
The resulting filter is created on the compute node:

```
[root@compute-0 ~]# grep -i global_filter /etc/lvm/lvm.conf
# Configuration option devices/global_filter.
# Use global_filter to hide devices from these LVM system components.
# global_filter are not opened by LVM.
global_filter=["a|/dev/vda|","r|.*|"]
```
Booted up a CentOS instance, attached a Cinder LVM (iSCSI) volume to the instance.
Inside the instance, on the Cinder volume I created an LVM partition:

```
[root@inst11 ~]# lvs
  LV   VG   Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv1  vg1  -wi-a----- 1020.00m
```
When we check the compute node, due to filtering, as expected we don't see the instance's LVM/data exposed on the compute host:

```
[root@compute-0 ~]# lvs -o +devices
[root@compute-0 ~]#
```

Looking good, as expected.
Just to be extra sure, I later commented out the filter in the compute node's lvm.conf.
Without LVM filtering set we confirm the pre-fix/non-filtered case where the instance's LVM is exposed on the compute host:

```
[root@compute-0 ~]# lvs -o +devices
  LV   VG   Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Devices
  lv1  vg1  -wi-a----- 1020.00m                                                     /dev/sda(0)
```
Good to verify that with filtering set we eliminate exposure of the instance's data on the compute host.

[0] FYI, at the moment filtering gets set only if an allowlist is used.
https://bugzilla.redhat.com/show_bug.cgi?id=1905973
Version released, but the bug is TestOnly, so it needs to be manually moved to CLOSED/CURRENTRELEASE.
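Added here as a worked example (not code from the bug report or from tripleo-ansible): a small shell script that builds the `global_filter` an LVMFilterAllowlist of block devices maps to (accept each listed device, reject everything else) and audits an lvm.conf for exactly that filter, so a compute host can be checked for the unfiltered state shown in the verification above. The sample lvm.conf content is constructed from the lines quoted in the report; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from tripleo-ansible:
# build the LVM global_filter that LVMFilterAllowlist produces (accept the
# allowlisted devices, reject everything else) and audit an lvm.conf for it,
# so a compute host can be checked for the exposure described in the report.

# build_global_filter DEV... : print the global_filter line for an allowlist.
build_global_filter() {
    local rules="" dev
    for dev in "$@"; do
        rules="${rules}\"a|${dev}|\","
    done
    printf 'global_filter=[%s"r|.*|"]\n' "$rules"
}

# active_global_filter FILE : print the value of the last uncommented
# global_filter setting; "# global_filter ..." comment lines and a filter
# that was commented out (as in the report) are ignored.
active_global_filter() {
    grep -E '^[[:space:]]*global_filter[[:space:]]*=' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*global_filter[[:space:]]*=[[:space:]]*//'
}

# audit_lvm_conf FILE DEV... : succeed only if FILE carries exactly the
# filter for DEV..., i.e. every other device (iSCSI-attached Cinder
# volumes included) is rejected by LVM on the host.
audit_lvm_conf() {
    local file="$1" want found
    shift
    want="$(build_global_filter "$@" | sed 's/^global_filter=//')"
    found="$(active_global_filter "$file")"
    if [ -n "$found" ] && [ "$found" = "$want" ]; then
        return 0
    fi
    return 1
}

# write_sample_conf FILE filtered|unfiltered : write a constructed lvm.conf
# fragment mirroring the two compute-node states shown in the report.
write_sample_conf() {
    {
        echo '# Configuration option devices/global_filter.'
        echo '# global_filter are not opened by LVM.'
        if [ "$2" = filtered ]; then
            echo 'global_filter=["a|/dev/vda|","r|.*|"]'
        else
            echo '# global_filter=["a|/dev/vda|","r|.*|"]'
        fi
    } > "$1"
}
```

On a real compute node the audit would be run as `audit_lvm_conf /etc/lvm/lvm.conf /dev/vda`, with the devices taken from the deployed LVMFilterAllowlist.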