-
Notifications
You must be signed in to change notification settings - Fork 908
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent custom block volume sharing #13183
base: main
Are you sure you want to change the base?
Prevent custom block volume sharing #13183
Conversation
0488bfa
to
087ec55
Compare
28a7e15
to
e7b3abb
Compare
e7b3abb
to
ecf80be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly just nits and small tweaks to address.
Heads up @ru-fu - the "Documentation" label was applied to this issue. |
e1dbfa5
to
1ab84a8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As you can create block volumes and attach them to profiles in the main test suite we should have a check for that in this PR too.
Also please can you add a check to https://github.com/canonical/lxd-ci/blob/main/tests/storage-volumes-vm for per-VM disk devices.
7400d31
to
e8cc754
Compare
1e48d69
to
80874f5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, just a few small comments.
What I am wondering is what happens with volumes which are currently attached to multiple instances as soon as you update to "this" version of LXD? Will there be an error in validation at some point if you don't allow security.shared
for this volume?
lxc profile device add volumeSharingTest test-disk disk pool="lxdtest-$(basename "${LXD_DIR}")-pool1" source=block-vol | ||
|
||
# Try to disable security.shared for a volume already added to a profile. That operation must fail. | ||
! lxc storage volume set "lxdtest-$(basename "${LXD_DIR}")-pool1" block-vol security.shared false || false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should there be another check of this kind if the volume is directly attached to an instance? In the commits before I saw you have added code for this too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, I added these these on lxd-ci
because block volumes can only be attached to VMs and security.shared
is exclusive to block volumes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thinking was if there is a test checking if security.shared
cannot be unset if the volume is already attached to a profile, shouldn't there also be a test checking if security.shared
cannot be unset if the volume is attached to multiple VMs?
I am talking about this part of the code https://github.com/canonical/lxd/pull/13183/files#diff-029fdd0e1afdacb0e66630c0d7e813772122db9a7d036060902838db315d9c4dR5625
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this is the check you are referring to. This is part of canonical/lxd-ci#146. Please let me know if I am understanfing something wrong
80874f5
to
74fa839
Compare
@roosterfish Any volumes that were being shared before the update won't be affected until the one of the instances is started or the device is updated, at which point you could just set |
This is a problem because if you restart your system after snap has updated to this version you'll end up with potentially unstartable VMs. Which will then require manual intervention and debugging to figure out what has changed. That isn't good UX in my view. We should have a DB patch that adds What do you think? |
@tomponline I agree that this isn't good UX but I also think it is risky to set it for the user since the purpose of setting |
74fa839
to
6884431
Compare
Signed-off-by: Thomas Hipp <thomashipp@gmail.com> (cherry picked from commit b8d3d735dffe6c587ed0b8965288122f63dfc108) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
The `Update` function returns `map[string]Device` values despite there being a `Devices` type which is the same thing. This commit changes the return types to be `Devices` instead. Signed-off-by: Thomas Hipp <thomashipp@gmail.com> (cherry picked from commit 6fff607f8462237843a590751d7afcb38335e3f4) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
This validates shared custom block volumes. Such volumes can be attached to profiles only if `security.shared` is `true`. Also, they can only be attached to more than one instance if `security.shared` is `true`. Signed-off-by: Thomas Hipp <thomashipp@gmail.com> (cherry picked from commit 78315b5d6d8b1783604b482dec5c210767597098) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
This handles the `security.shared` config key update. If a shared custom storage block volume is attached to a profile, this volume cannot be un-shared. Furthermore, if such a volume is attached to more than one instance, it also cannot be un-shared. Signed-off-by: Thomas Hipp <thomashipp@gmail.com> (cherry picked from commit 29b45bb029d3a447e80a3e6f20e19658183ffb36) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
Signed-off-by: Thomas Hipp <thomashipp@gmail.com> (cherry picked from commit 6e4e6b6b2061ad719ec576ee143e20f1b208b411) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
Signed-off-by: Thomas Hipp <thomashipp@gmail.com> (cherry picked from commit 606b833d1a67a3d8bc3e7cec032889c372229242) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
Signed-off-by: Stéphane Graber <stgraber@stgraber.org> (cherry picked from commit 32a4beecbf8098fdbb15ef5f36088956922630f7) Signed-off-by: hamistao <pedro.ribeiro@canonical.com> License: Apache-2.0
This check is not for when the path property is missing, but to check if a device that is not a root disk (and therefore its path is different from '/') has a source property defined Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
This performs checks for mount path definition on devices that are being added to profiles. This will also make it easier to simplify `validateConfig`. Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
`validateConfig` was unnecessarily complicated, this commit proposes a rearrangement of the conditions at play to make the function simpler and more readable without changing its behavior. The biggest change was to port (most) non-profile checks to a separate if and then avoid code duplication on creating `dbVolume`. Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
Signed-off-by: hamistao <pedro.ribeiro@canonical.com>
6884431
to
6f5707b
Compare
Please could you update the PR with a description of the behaviour change in validation ready for review. Will existing VMs only be not startable if they are have a volume that is attached to multiple instances? |
Closes #12254.
Changes mostly based on lxc/incus#467 and lxc/incus#529.