From c2de4b4cd185a8c0a6bc21b3a5ffb7ae1d2141d1 Mon Sep 17 00:00:00 2001
From: Mathieu Trossevin
Date: Fri, 22 Dec 2023 11:26:08 +0100
Subject: [PATCH] kvm-host: Add LVM filter when needed

---
 CHANGELOG.md | 1 +
 kvm-host/defaults/main.yml | 9 ++++++++-
 kvm-host/handlers/main.yml | 8 ++++++++
 kvm-host/tasks/lvm.yml | 37 +++++++++++++++++++++++++++++++++++++
 kvm-host/tasks/main.yml | 2 ++
 5 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 kvm-host/tasks/lvm.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f60fe536..e435af05 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * webapps/nextcloud: Add condition for config tasks
 * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
 * webapps/nextcloud: Set ownership and permissions of data directory
+* kvm-host: Automatically add an LVM filter when LVM is present
 ### Changed
diff --git a/kvm-host/defaults/main.yml b/kvm-host/defaults/main.yml
index 574c249f..9cbdd9a3 100644
--- a/kvm-host/defaults/main.yml
+++ b/kvm-host/defaults/main.yml
@@ -3,4 +3,11 @@
 kvm_custom_libvirt_images_path: ''
 kvm_install_drbd: True
 kvm_scripts_dir: /usr/local/sbin
-kvm_pair: null
\ No newline at end of file
+kvm_pair: null
+
+# A "r|.*/|" is always added in order to make this an allowlist
+# Default = all sata/scsi disks + all nvme + all md (+partitions)
+lvm_filter:
+ - '"a|^/dev/sd[a-zA-Z]+[0-9]*$|"'
+ - '"a|^/dev/nvme[0-9]+(n[0-9]+)?(p[0-9]+)?$|"'
+ - '"a|^/dev/md[0-9]+$|"'
\ No newline at end of file
diff --git a/kvm-host/handlers/main.yml b/kvm-host/handlers/main.yml
index 5ca5295a..963105f9 100644
--- a/kvm-host/handlers/main.yml
+++ b/kvm-host/handlers/main.yml
@@ -3,3 +3,11 @@
 ansible.builtin.service:
 name: munin-node
 state: restarted
+
+- name: Update initramfs
+ ansible.builtin.command:
+ argv:
+ - '/usr/sbin/update-initramfs'
+ - '-k'
+ - 'all'
+ - '-u'
\ No newline at end of file
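Review bot: The default `lvm_filter` allowlist, once the tasks append `"r|.*/|"`, hides every PV that is not on a `sd*`, `nvme*` or `md*` node — including `/dev/drbd*` (this role installs DRBD, see the `kvm_install_drbd: True` context line) and `/dev/mapper/*` (dm-crypt, multipath) — and the notified initramfs rebuild bakes that into the boot path, so a host whose root or data VG sits on such a device may lose its VGs at next boot. Presumably the intent is to stop the host scanning LVM metadata inside guest volumes, which is a sound hardening default, but the comment should say what must be overridden: `# Hosts with PVs on DRBD, dm-crypt or multipath devices MUST extend this list (e.g. "a|^/dev/drbd[0-9]+$|"), or those VGs become invisible after the filter and initramfs rebuild`. The comment also says "(+partitions)" for md, yet `^/dev/md[0-9]+$` rejects `/dev/md0p1` while the nvme pattern accepts partitions; either adjust the text or use `- '"a|^/dev/md[0-9]+(p[0-9]+)?$|"'`. The file still ends with `\ No newline at end of file`, which the rewrite of the last line was a chance to fix.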
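Review bot: The `Update initramfs` handler runs `update-initramfs -k all -u` straight from the notified `lineinfile` change with nothing validating the generated `filter =` / `global_filter =` lines first, so a malformed `lvm_filter` entry (one missing its inner double quotes, or an empty list) is baked into every installed kernel's initramfs before anyone notices. A cheap guard is a check task in `lvm.yml` between the edits and the notify, e.g. `- name: Validate lvm.conf` / `ansible.builtin.command: argv: ['/sbin/lvmconfig', '--validate']` / `changed_when: false`, so a broken config fails the play instead of the next boot. The `argv` form with an absolute path is the right choice here, since the handler does not depend on `PATH` lookup.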
diff --git a/kvm-host/tasks/lvm.yml b/kvm-host/tasks/lvm.yml
new file mode 100644
index 00000000..41b12b2d
--- /dev/null
+++ b/kvm-host/tasks/lvm.yml
@@ -0,0 +1,37 @@
+---
+
+- name: 'Figure out if /etc/lvm/lvm.conf exists'
+ ansible.builtin.stat:
+ path: '/etc/lvm/lvm.conf'
+ follow: true
+ get_checksum: false
+ get_mime: false
+ get_attributes: false
+ ignore_errors: true
+ register: lvm_conf_stat
+
+- name: Add LVM filter
+ ansible.builtin.lineinfile:
+ path: '/etc/lvm/lvm.conf'
+ insertafter: '# Configuration option devices/filter.'
+ regexp: '^\s*(#\s*)?filter\s*=\s*\[.*\]'
+ line: " filter = [ {{ lvm_filter | list | join(', ') }}, \"r|.*/|\" ]"
+ state: present
+ firstmatch: true
+ notify: 'Update initramfs'
+ when:
+ - lvm_conf_stat is succeeded
+ - lvm_conf_stat.stat.exists | bool
+
+- name: Add LVM global_filter
+ ansible.builtin.lineinfile:
+ path: '/etc/lvm/lvm.conf'
+ insertafter: '# Configuration option devices/global_filter.'
+ regexp: '^\s*(#\s*)?global_filter\s*=\s*\[.*\]'
+ line: " global_filter = [ {{ lvm_filter | list | join(', ') }}, \"r|.*/|\" ]"
+ state: present
+ firstmatch: true
+ notify: 'Update initramfs'
+ when:
+ - lvm_conf_stat is succeeded
+ - lvm_conf_stat.stat.exists | bool
diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml
index c6004b7b..7aa3bdc2 100644
--- a/kvm-host/tasks/main.yml
+++ b/kvm-host/tasks/main.yml
@@ -4,6 +4,8 @@
 name: evolix/drbd
 when: kvm_install_drbd
+- ansible.builtin.import_tasks: lvm.yml
+
 ## TODO: check why it's disabled
 - ansible.builtin.include: ssh.yml
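Review bot: Both `line:` values in the `Add LVM filter` and `Add LVM global_filter` tasks render `filter = [ , "r|.*/|" ]` when `lvm_filter` is set to an empty list, because the reject rule is appended with a literal `, ` after the join; that is not valid lvm.conf array syntax and the notified initramfs rebuild would carry it into the boot path. Appending the reject rule to the list before joining avoids the dangling comma: `line: "    filter = [ {{ ((lvm_filter | list) + ['\"r|.*/|\"']) | join(', ') }} ]"` and the same shape for `global_filter`. The `regexp` `^\s*(#\s*)?filter\s*=\s*\[.*\]` also matches the commented `# filter = [...]` example lines that stock lvm.conf ships, and `lineinfile` replaces the last match, so on a fresh file the real filter lands on whichever example comes last rather than after the `# Configuration option devices/filter.` header — harmless, but it means `insertafter`/`firstmatch` only act on files without examples; anchoring on an uncommented line, `regexp: '^\s*filter\s*='`, makes placement deterministic. Because the stat task carries `ignore_errors: true` and the edits are gated on `lvm_conf_stat is succeeded`, a failing stat silently skips the filter rather than failing the play; if the filter is meant as a hardening control, consider dropping `ignore_errors` so that outcome is visible.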