feat(prepare): exclude loop and virtual devices from host LVM scanning

[Andrei Kvapil (kvaps)]

Summary

Add an LVM global_filter to /etc/lvm/lvm.conf in the prepare playbooks so the host LVM does not scan or activate volume groups backed by LINSTOR/DRBD volumes — or located inside loop-mounted images. Mirrors the global_filter already shipped in the Talos machine config and complements the existing multipathd DRBD blacklist.

Note: unlike Talos (minimal, non-LVM root), the filter is applied with lineinfile so the distro's default lvm.conf is preserved. The filter does hide /dev/dm-* and /dev/zd* from the host LVM tooling — intended for dedicated Cozystack storage nodes.

Changes

• Set global_filter = [ "r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|" ] in /etc/lvm/lvm.conf (via lineinfile) in the ubuntu, rhel and suse prepare playbooks, right after the multipathd DRBD blacklist.
• Add a CHANGELOG entry.

Test plan

• ansible-lint passes
• ansible-test sanity passes
• Tested on a live cluster (describe environment)
• Idempotency verified (second run: changed=0)

Summary by CodeRabbit

• New Features

  • Preparation playbooks now automatically configure LVM to exclude DRBD, device-mapper, zvol, and loop devices from host LVM scanning, preventing conflicts with storage volumes.

• Documentation

  • Updated changelog to document the new LVM global_filter configuration capabilities.

[coderabbitai]

Warning

Rate limit exceeded

@lexfrei has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 53 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ff42a476-0dbb-469b-8351-b1fa308c01f9

📥 Commits

Reviewing files that changed from the base of the PR and between 0657c42 and 189287e.

📒 Files selected for processing (8)

• .github/workflows/test.yml
• CHANGELOG.rst
• README.md
• examples/rhel/prepare-rhel.yml
• examples/suse/prepare-suse.yml
• examples/ubuntu/prepare-ubuntu.yml
• tests/tasks-lvm-global-filter-case.yml
• tests/test-lvm-global-filter.yml

📝 Walkthrough

Walkthrough

Four files are updated to add LVM global_filter configuration: changelog documentation and three distribution-specific Ansible playbooks (RHEL, SUSE, Ubuntu) now configure /etc/lvm/lvm.conf to exclude virtual/container-backed device patterns from host LVM scanning.

Changes

LVM Global Filter Configuration for Host LVM Isolation

Layer / File(s)	Summary
Changelog documentation CHANGELOG.rst	Release notes document that prepare playbooks now configure an LVM global_filter to exclude DRBD, device-mapper, zvol, and loop devices from host LVM scanning, mirroring Talos machine configuration.
LVM global_filter setup in prepare playbooks examples/rhel/prepare-rhel.yml, examples/suse/prepare-suse.yml, examples/ubuntu/prepare-ubuntu.yml	Each distribution playbook adds an ansible.builtin.lineinfile task to update /etc/lvm/lvm.conf with a global_filter setting that excludes DRBD, device-mapper, zvol, and loop devices, using a default filter list or cozystack_lvm_global_filter inventory override.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 In three distros, filters align,
Excluding loop and DRBD's design,
Host LVM scans with care,
Container volumes left spare, ✨
Like Talos, our config's divine!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding LVM configuration to exclude specific device types from host scanning.
Description check	✅ Passed	The description covers the required template sections with a clear summary, detailed changes, and a comprehensive test plan, though test items are marked as not run.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/lvm-global-filter

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds Ansible tasks to exclude virtual and loop devices (DRBD, device-mapper, zvol, and loop devices) from host LVM scanning across RHEL, SUSE, and Ubuntu playbooks. The review feedback highlights two critical issues: first, the insertafter regular expression is too strict and could fail to match if there is leading whitespace, causing the configuration to be appended incorrectly; second, unconditionally excluding /dev/dm-.* will break systems using LVM on top of LUKS or Multipath. It is recommended to use a more robust regex and expose the filter list as a customizable variable with a default fallback.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

This task introduces two issues that should be addressed:

1. Robustness of insertafter: The regex ^devices { is very strict and requires the line to start exactly with devices { (no leading whitespace, exactly one space before the brace). If the target system's lvm.conf has any leading indentation or different spacing (e.g., devices{), the regex will fail to match. When insertafter fails to match, lineinfile appends the line to the end of the file. In LVM configuration, settings outside their respective blocks (like devices { ... }) are invalid or ignored, which would break the configuration or prevent the filter from working. Using ^\s*devices\s*{ is much more robust.

2. LUKS and Multipath Compatibility: Rejecting /dev/dm-.* in the global_filter prevents the host LVM from scanning any device-mapper devices. This will completely break hosts that use LVM on top of LUKS (encrypted partitions) or LVM on top of Multipath (MPIO), as their physical volumes (PVs) reside on /dev/dm-X devices. To make this safe and customizable, we should expose the filter list as a variable (e.g., cozystack_lvm_global_filter) using the default filter. This allows users with LUKS or Multipath to override the filter in their inventory (e.g., by removing "r|^/dev/dm-.*|"), while keeping the current default behavior for dedicated storage nodes.

    - name: Exclude virtual and loop devices from host LVM scanning
      ansible.builtin.lineinfile:
        path: /etc/lvm/lvm.conf
        regexp: '^\s*#?\s*global_filter\s*='
        insertafter: '^\s*devices\s*{'
        line: '        global_filter = {{ cozystack_lvm_global_filter | default(["r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|"]) | to_json }}'

[Aleksei Sviridkin (lexfrei)]

Both points addressed in 0657c42.

• insertafter is now ^\s*devices\s*{, so the setting still lands inside the devices{} block when lvm.conf uses leading whitespace or compact bracing, instead of being appended at EOF where LVM ignores it.
• The filter list is now exposed as cozystack_lvm_global_filter (same default), rendered with to_json. Hosts whose own PVs live on device-mapper devices (LVM-on-LUKS, multipath) can override it from inventory — e.g. drop the r|^/dev/dm-.*| entry.

[gemini-code-assist]

This task introduces two issues that should be addressed:

1. Robustness of insertafter: The regex ^devices { is very strict and requires the line to start exactly with devices { (no leading whitespace, exactly one space before the brace). If the target system's lvm.conf has any leading indentation or different spacing (e.g., devices{), the regex will fail to match. When insertafter fails to match, lineinfile appends the line to the end of the file. In LVM configuration, settings outside their respective blocks (like devices { ... }) are invalid or ignored, which would break the configuration or prevent the filter from working. Using ^\s*devices\s*{ is much more robust.

2. LUKS and Multipath Compatibility: Rejecting /dev/dm-.* in the global_filter prevents the host LVM from scanning any device-mapper devices. This will completely break hosts that use LVM on top of LUKS (encrypted partitions) or LVM on top of Multipath (MPIO), as their physical volumes (PVs) reside on /dev/dm-X devices. To make this safe and customizable, we should expose the filter list as a variable (e.g., cozystack_lvm_global_filter) using the default filter. This allows users with LUKS or Multipath to override the filter in their inventory (e.g., by removing "r|^/dev/dm-.*|"), while keeping the current default behavior for dedicated storage nodes.

    - name: Exclude virtual and loop devices from host LVM scanning
      ansible.builtin.lineinfile:
        path: /etc/lvm/lvm.conf
        regexp: '^\s*#?\s*global_filter\s*='
        insertafter: '^\s*devices\s*{'
        line: '        global_filter = {{ cozystack_lvm_global_filter | default(["r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|"]) | to_json }}'

[Aleksei Sviridkin (lexfrei)]

Both points addressed in 0657c42.

• insertafter is now ^\s*devices\s*{, so the setting still lands inside the devices{} block when lvm.conf uses leading whitespace or compact bracing, instead of being appended at EOF where LVM ignores it.
• The filter list is now exposed as cozystack_lvm_global_filter (same default), rendered with to_json. Hosts whose own PVs live on device-mapper devices (LVM-on-LUKS, multipath) can override it from inventory — e.g. drop the r|^/dev/dm-.*| entry.

[gemini-code-assist]

This task introduces two issues that should be addressed:

1. Robustness of insertafter: The regex ^devices { is very strict and requires the line to start exactly with devices { (no leading whitespace, exactly one space before the brace). If the target system's lvm.conf has any leading indentation or different spacing (e.g., devices{), the regex will fail to match. When insertafter fails to match, lineinfile appends the line to the end of the file. In LVM configuration, settings outside their respective blocks (like devices { ... }) are invalid or ignored, which would break the configuration or prevent the filter from working. Using ^\s*devices\s*{ is much more robust.

2. LUKS and Multipath Compatibility: Rejecting /dev/dm-.* in the global_filter prevents the host LVM from scanning any device-mapper devices. This will completely break hosts that use LVM on top of LUKS (encrypted partitions) or LVM on top of Multipath (MPIO), as their physical volumes (PVs) reside on /dev/dm-X devices. To make this safe and customizable, we should expose the filter list as a variable (e.g., cozystack_lvm_global_filter) using the default filter. This allows users with LUKS or Multipath to override the filter in their inventory (e.g., by removing "r|^/dev/dm-.*|"), while keeping the current default behavior for dedicated storage nodes.

    - name: Exclude virtual and loop devices from host LVM scanning
      ansible.builtin.lineinfile:
        path: /etc/lvm/lvm.conf
        regexp: '^\s*#?\s*global_filter\s*='
        insertafter: '^\s*devices\s*{'
        line: '        global_filter = {{ cozystack_lvm_global_filter | default(["r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|"]) | to_json }}'

[Aleksei Sviridkin (lexfrei)]

Both points addressed in 0657c42.

• insertafter is now ^\s*devices\s*{, so the setting still lands inside the devices{} block when lvm.conf uses leading whitespace or compact bracing, instead of being appended at EOF where LVM ignores it.
• The filter list is now exposed as cozystack_lvm_global_filter (same default), rendered with to_json. Hosts whose own PVs live on device-mapper devices (LVM-on-LUKS, multipath) can override it from inventory — e.g. drop the r|^/dev/dm-.*| entry.

[Aleksei Sviridkin (lexfrei)]

LGTM. The host LVM global_filter is the right fix for the LINSTOR/DRBD/zvol/loop auto-activation trap and mirrors the Talos machine-config filter. It is configurable via cozystack_lvm_global_filter, the insertafter anchor is whitespace-tolerant, and a post-write lvmconfig check fails loudly — comparing the effective value, not just exit status — if the filter did not land inside the devices {} block. Verified end-to-end against real lvmconfig across in-block, no-filter, indented, override, no-block and stale-duplicate lvm.conf shapes; the new CI job is green.