Skip to content

feat(prepare): exclude loop and virtual devices from host LVM scanning #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Aleksei Sviridkin (lexfrei) merged 12 commits into from
Jun 3, 2026
Merged

feat(prepare): exclude loop and virtual devices from host LVM scanning #49

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
1f3856a
feat(prepare): exclude loop and virtual devices from host LVM scanning
kvaps Jun 3, 2026
0657c42
feat(prepare): make host LVM global_filter configurable and robust
lexfrei Jun 3, 2026
61a6067
docs(prepare): document host LVM global_filter and override variable
lexfrei Jun 3, 2026
f3964ed
fix(changelog): collapse duplicate Unreleased section
lexfrei Jun 3, 2026
7539c42
docs(prepare): note LVM global_filter task replaces existing entries
lexfrei Jun 3, 2026
961c1db
test(prepare): cover host LVM global_filter rendering and lineinfile
lexfrei Jun 3, 2026
ffc62f4
test(prepare): pin regexp and insertafter across prepare playbooks
lexfrei Jun 3, 2026
a870f42
feat(prepare): verify host LVM global_filter took effect
lexfrei Jun 3, 2026
c06237f
test(prepare): verify global_filter effectiveness with lvmconfig
lexfrei Jun 3, 2026
91cc24b
docs(prepare): document the global_filter effectiveness check
lexfrei Jun 3, 2026
023de19
feat(prepare): verify the effective global_filter value, not just suc…
lexfrei Jun 3, 2026
189287e
test(prepare): cover the stale-duplicate global_filter case
lexfrei Jun 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@ Unreleased
IP addresses for ingress-nginx Service ``externalIPs``. Required on
``isp-full-generic`` platform variant when nodes lack a native load
balancer (cloud VMs, bare metal).
- Prepare playbooks now set an LVM ``global_filter`` in
``/etc/lvm/lvm.conf`` excluding ``/dev/drbd*``, ``/dev/dm-*``,
``/dev/zd*`` and ``/dev/loop*`` so the host LVM does not scan or
activate volume groups backed by LINSTOR/DRBD volumes or located
inside loop-mounted images. Mirrors the global_filter shipped in the
Talos machine config.

Unreleased
==========
Expand Down
12 changes: 12 additions & 0 deletions examples/rhel/prepare-rhel.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,18 @@
}
notify: Restart multipathd

# Exclude DRBD, device-mapper, zvol and loop devices from the host's
# LVM device scanning. Without this the host LVM may scan and activate
# volume groups backed by LINSTOR/DRBD volumes — or located inside
# loop-mounted images — making them unavailable to the satellite.
# Mirrors the global_filter shipped in the Talos machine config.
- name: Exclude virtual and loop devices from host LVM scanning
ansible.builtin.lineinfile:
path: /etc/lvm/lvm.conf
regexp: '^\s*#?\s*global_filter\s*='
insertafter: '^devices {'
line: ' global_filter = [ "r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|" ]'

@gemini-code-assist gemini-code-assist Bot Jun 3, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This task introduces two issues that should be addressed:

  1. Robustness of insertafter: The regex ^devices { is very strict and requires the line to start exactly with devices { (no leading whitespace, exactly one space before the brace). If the target system's lvm.conf has any leading indentation or different spacing (e.g., devices{), the regex will fail to match. When insertafter fails to match, lineinfile appends the line to the end of the file. In LVM configuration, settings outside their respective blocks (like devices { ... }) are invalid or ignored, which would break the configuration or prevent the filter from working. Using ^\s*devices\s*{ is much more robust.

  2. LUKS and Multipath Compatibility: Rejecting /dev/dm-.* in the global_filter prevents the host LVM from scanning any device-mapper devices. This will completely break hosts that use LVM on top of LUKS (encrypted partitions) or LVM on top of Multipath (MPIO), as their physical volumes (PVs) reside on /dev/dm-X devices. To make this safe and customizable, we should expose the filter list as a variable (e.g., cozystack_lvm_global_filter) using the default filter. This allows users with LUKS or Multipath to override the filter in their inventory (e.g., by removing "r|^/dev/dm-.*|"), while keeping the current default behavior for dedicated storage nodes.

    - name: Exclude virtual and loop devices from host LVM scanning
      ansible.builtin.lineinfile:
        path: /etc/lvm/lvm.conf
        regexp: '^\s*#?\s*global_filter\s*='
        insertafter: '^\s*devices\s*{'
        line: '        global_filter = {{ cozystack_lvm_global_filter | default(["r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|"]) | to_json }}'

@lexfrei Aleksei Sviridkin (lexfrei) Jun 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both points addressed in 0657c42.

  • insertafter is now ^\s*devices\s*{, so the setting still lands inside the devices{} block when lvm.conf uses leading whitespace or compact bracing, instead of being appended at EOF where LVM ignores it.
  • The filter list is now exposed as cozystack_lvm_global_filter (same default), rendered with to_json. Hosts whose own PVs live on device-mapper devices (LVM-on-LUKS, multipath) can override it from inventory — e.g. drop the r|^/dev/dm-.*| entry.


- name: Configure sysctl parameters
ansible.posix.sysctl:
name: "{{ item.name }}"
Expand Down
12 changes: 12 additions & 0 deletions examples/suse/prepare-suse.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -276,6 +276,18 @@
}
notify: Restart multipathd

# Exclude DRBD, device-mapper, zvol and loop devices from the host's
# LVM device scanning. Without this the host LVM may scan and activate
# volume groups backed by LINSTOR/DRBD volumes — or located inside
# loop-mounted images — making them unavailable to the satellite.
# Mirrors the global_filter shipped in the Talos machine config.
- name: Exclude virtual and loop devices from host LVM scanning
ansible.builtin.lineinfile:
path: /etc/lvm/lvm.conf
regexp: '^\s*#?\s*global_filter\s*='
insertafter: '^devices {'
line: ' global_filter = [ "r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|" ]'

@gemini-code-assist gemini-code-assist Bot Jun 3, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This task introduces two issues that should be addressed:

  1. Robustness of insertafter: The regex ^devices { is very strict and requires the line to start exactly with devices { (no leading whitespace, exactly one space before the brace). If the target system's lvm.conf has any leading indentation or different spacing (e.g., devices{), the regex will fail to match. When insertafter fails to match, lineinfile appends the line to the end of the file. In LVM configuration, settings outside their respective blocks (like devices { ... }) are invalid or ignored, which would break the configuration or prevent the filter from working. Using ^\s*devices\s*{ is much more robust.

  2. LUKS and Multipath Compatibility: Rejecting /dev/dm-.* in the global_filter prevents the host LVM from scanning any device-mapper devices. This will completely break hosts that use LVM on top of LUKS (encrypted partitions) or LVM on top of Multipath (MPIO), as their physical volumes (PVs) reside on /dev/dm-X devices. To make this safe and customizable, we should expose the filter list as a variable (e.g., cozystack_lvm_global_filter) using the default filter. This allows users with LUKS or Multipath to override the filter in their inventory (e.g., by removing "r|^/dev/dm-.*|"), while keeping the current default behavior for dedicated storage nodes.

    - name: Exclude virtual and loop devices from host LVM scanning
      ansible.builtin.lineinfile:
        path: /etc/lvm/lvm.conf
        regexp: '^\s*#?\s*global_filter\s*='
        insertafter: '^\s*devices\s*{'
        line: '        global_filter = {{ cozystack_lvm_global_filter | default(["r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|"]) | to_json }}'

@lexfrei Aleksei Sviridkin (lexfrei) Jun 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both points addressed in 0657c42.

  • insertafter is now ^\s*devices\s*{, so the setting still lands inside the devices{} block when lvm.conf uses leading whitespace or compact bracing, instead of being appended at EOF where LVM ignores it.
  • The filter list is now exposed as cozystack_lvm_global_filter (same default), rendered with to_json. Hosts whose own PVs live on device-mapper devices (LVM-on-LUKS, multipath) can override it from inventory — e.g. drop the r|^/dev/dm-.*| entry.


- name: Configure sysctl parameters
ansible.posix.sysctl:
name: "{{ item.name }}"
Expand Down
12 changes: 12 additions & 0 deletions examples/ubuntu/prepare-ubuntu.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,18 @@
}
notify: Restart multipathd

# Exclude DRBD, device-mapper, zvol and loop devices from the host's
# LVM device scanning. Without this the host LVM may scan and activate
# volume groups backed by LINSTOR/DRBD volumes — or located inside
# loop-mounted images — making them unavailable to the satellite.
# Mirrors the global_filter shipped in the Talos machine config.
- name: Exclude virtual and loop devices from host LVM scanning
ansible.builtin.lineinfile:
path: /etc/lvm/lvm.conf
regexp: '^\s*#?\s*global_filter\s*='
insertafter: '^devices {'
line: ' global_filter = [ "r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|" ]'

@gemini-code-assist gemini-code-assist Bot Jun 3, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This task introduces two issues that should be addressed:

  1. Robustness of insertafter: The regex ^devices { is very strict and requires the line to start exactly with devices { (no leading whitespace, exactly one space before the brace). If the target system's lvm.conf has any leading indentation or different spacing (e.g., devices{), the regex will fail to match. When insertafter fails to match, lineinfile appends the line to the end of the file. In LVM configuration, settings outside their respective blocks (like devices { ... }) are invalid or ignored, which would break the configuration or prevent the filter from working. Using ^\s*devices\s*{ is much more robust.

  2. LUKS and Multipath Compatibility: Rejecting /dev/dm-.* in the global_filter prevents the host LVM from scanning any device-mapper devices. This will completely break hosts that use LVM on top of LUKS (encrypted partitions) or LVM on top of Multipath (MPIO), as their physical volumes (PVs) reside on /dev/dm-X devices. To make this safe and customizable, we should expose the filter list as a variable (e.g., cozystack_lvm_global_filter) using the default filter. This allows users with LUKS or Multipath to override the filter in their inventory (e.g., by removing "r|^/dev/dm-.*|"), while keeping the current default behavior for dedicated storage nodes.

    - name: Exclude virtual and loop devices from host LVM scanning
      ansible.builtin.lineinfile:
        path: /etc/lvm/lvm.conf
        regexp: '^\s*#?\s*global_filter\s*='
        insertafter: '^\s*devices\s*{'
        line: '        global_filter = {{ cozystack_lvm_global_filter | default(["r|^/dev/drbd.*|", "r|^/dev/dm-.*|", "r|^/dev/zd.*|", "r|^/dev/loop.*|"]) | to_json }}'

@lexfrei Aleksei Sviridkin (lexfrei) Jun 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both points addressed in 0657c42.

  • insertafter is now ^\s*devices\s*{, so the setting still lands inside the devices{} block when lvm.conf uses leading whitespace or compact bracing, instead of being appended at EOF where LVM ignores it.
  • The filter list is now exposed as cozystack_lvm_global_filter (same default), rendered with to_json. Hosts whose own PVs live on device-mapper devices (LVM-on-LUKS, multipath) can override it from inventory — e.g. drop the r|^/dev/dm-.*| entry.


- name: Configure sysctl parameters
ansible.posix.sysctl:
name: "{{ item.name }}"
Expand Down