Add an LVM devices file by default #1517

dustymabe opened this issue Jun 26, 2023 · 13 comments

@dustymabe
Member

We are seeing some issues where running Virtual Machines inside of your container orchestration (for example KubeVirt allows running VMs on top of Kubernetes) leads to issues where the user may choose to attach block storage and initialize that block storage as LVM physical volumes, later adding volume groups and logical volumes on top. At this point the host (Fedora CoreOS or downstream) and the guest (controlled by the user) both try to manage the block devices that are part of the LVM pool. This is reported downstream in https://issues.redhat.com/browse/OCPBUGS-5223

After some discussion in the downstream ticket we think the current best approach is to use lvmdevices to limit the host from trying to access any newly created PV/VG/LV in the guest. This would require:

  • Us to create an empty devices file for new installs.
  • Us to migrate existing systems
    • Create an empty devices file
    • If the host has existing LVM storage (i.e. LVs backing container storage or /var/) then
      • Create a new devices file with those devices in it
@dustymabe dustymabe self-assigned this Jun 26, 2023
@dustymabe dustymabe added the meeting topics for meetings label Jun 26, 2023
@dustymabe
Member Author

We discussed this in the community meeting today:

13:19:23*        dustymabe | #agreed we will ship an empty lvmdevices file for new      
                           | installs and also add a migration script for existing  
                           | systems that will populate an lvmdevices file with
                           | appropriate content so that existing systems using LVM will
                           | continue to work.
13:19:46         dustymabe | Of course, if new information comes out or if we find a
                           | better way to achieve the goal. We'll bring that information
                           | to the ticket and pivot.

@dustymabe dustymabe added jira for syncing to jira and removed meeting topics for meetings labels Jun 28, 2023
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Aug 25, 2023
Populate an lvmdevices(8) file to limit LVM from autoactivating all
devices it sees in a system. By default systems will get a "blank"
configuration file with a comment in it explaining what it is used
for. There is also a one-time "populate" service that will run and
add any devices it sees into the devices file. This will serve to
import existing devices on upgrading systems or new systems with
pre-existing LVM devices attached. See the tracker issue [1] for more
information.

[1] coreos/fedora-coreos-tracker#1517
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Aug 28, 2023
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Aug 29, 2023
dustymabe added a commit to coreos/fedora-coreos-config that referenced this issue Aug 30, 2023
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Aug 30, 2023
(cherry picked from commit 693f221)
dustymabe added a commit to coreos/fedora-coreos-config that referenced this issue Aug 30, 2023
(cherry picked from commit 693f221)
@travier
Member

travier commented Aug 31, 2023

Should we close this one now that coreos/fedora-coreos-config#2566 is merged?

@dustymabe dustymabe added status/pending-testing-release Fixed upstream. Waiting on a testing release. status/pending-next-release Fixed upstream. Waiting on a next release. labels Aug 31, 2023
@dustymabe
Member Author

Yes we can. I added the labels so we'll update here when it makes it into the production streams.

@dustymabe
Member Author

The fix for this went into next stream release 38.20230902.1.0. Please try out the new release and report issues.

@dustymabe
Member Author

The fix for this went into testing stream release 38.20230902.2.0. Please try out the new release and report issues.

@dustymabe dustymabe added status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. and removed status/pending-testing-release Fixed upstream. Waiting on a testing release. status/pending-next-release Fixed upstream. Waiting on a next release. labels Sep 5, 2023
@dustymabe dustymabe changed the title Adding an LVM devices file by default Add an LVM devices file by default Sep 5, 2023
@dustymabe
Member Author

The fix for this went into stable stream release 38.20230902.3.0.

@dustymabe dustymabe removed the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Sep 20, 2023
@Quantum-Sicarius

I will mention this breaks one of the use cases I had where there was a second disk attached to the VM that was encrypted with LUKS.

pvscan no longer picked up the disk and trying to restore the group failed:

 vgcfgrestore -f /etc/lvm/backup/vg00 vg00
  WARNING: Couldn't find device with uuid a9nC05-q5RM-EcHf-D8AN-axWJ-N3Wu-XADqYn.
  Cannot restore Volume Group vg00 with 1 PVs marked as missing.
  Restore failed.

After reading this issue I added the device manually:

lvmdevices --adddev /dev/mapper/second-disk

after which it was able to be mounted again:

pvs
  PV                      VG   Fmt  Attr PSize    PFree
  /dev/mapper/second-disk vg00 lvm2 a--  <249.97g    0 

I know this is a unique case and not something that I expect other people to do, but it did break our fleet of servers. (Luckily I can fix this with Ansible.)

@dustymabe
Member Author

Thanks @Quantum-Sicarius for adding feedback here.

We added a one time migration script that should have added any pre-existing LVM devices to the /etc/lvm/devices/system.devices file when this update rolled out. I'm wondering why that didn't work. Was this an upgrading system and not a freshly deployed one?

Can you share the journal logs from the boot after the upgrade? If not the whole log then something like journalctl -u coreos-populate-lvmdevices.service would work.

@Quantum-Sicarius

@dustymabe

Not seeing anything in the journal:

sudo journalctl -u coreos-populate-lvmdevices.service
-- No entries --

Did however appear to run:

sudo systemctl status coreos-populate-lvmdevices.service
● coreos-populate-lvmdevices.service - CoreOS Populate LVM Devices File
     Loaded: loaded (/usr/lib/systemd/system/coreos-populate-lvmdevices.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (exited) since Wed 2023-09-20 15:27:30 UTC; 1 day 19h ago
       Docs: https://github.com/coreos/fedora-coreos-tracker/issues/1517
   Main PID: 708 (code=exited, status=0/SUCCESS)
        CPU: 31ms

sudo journalctl -b | grep lvmdevices
Sep 22 09:51:46 hostname sudo[1302334]:   thomas : TTY=pts/0 ; PWD=/var/home/thomas ; USER=root ; COMMAND=/usr/bin/journalctl -u coreos-populate-lvmdevices.service
Sep 22 09:51:58 hostname sudo[1302497]:   thomas : TTY=pts/0 ; PWD=/var/home/thomas ; USER=root ; COMMAND=/usr/bin/systemctl status coreos-populate-lvmdevices.service
Sep 22 09:52:14 hostname sudo[1302753]:   thomas : TTY=pts/0 ; PWD=/var/home/thomas ; USER=root ; COMMAND=/usr/bin/journalctl -u coreos-populate-lvmdevices.service
Sep 22 10:51:50 hostname sudo[1349951]:   thomas : TTY=pts/0 ; PWD=/var/home/thomas ; USER=root ; COMMAND=/usr/bin/journalctl -u coreos-populate-lvmdevices.service
Sep 22 10:51:56 hostname sudo[1350066]:   thomas : TTY=pts/0 ; PWD=/var/home/thomas ; USER=root ; COMMAND=/usr/bin/systemctl status coreos-populate-lvmdevices.service

For interest's sake, here is the disk layout:

NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                  8:0    0   25G  0 disk  
├─sda1               8:1    0  384M  0 part  /boot
├─sda2               8:2    0  127M  0 part  
├─sda3               8:3    0    1M  0 part  
└─sda4               8:4    0 24.5G  0 part  /var
                                             /sysroot/ostree/deploy/fedora-coreos/var
                                             /usr
                                             /etc
                                             /
                                             /sysroot
sdb                  8:16   0  250G  0 disk  
└─second-disk      253:0    0  250G  0 crypt 
  ├─vg00-lv01_opt  253:1    0   10G  0 lvm   /var/mnt/opt
  └─vg00-lv02_data 253:2    0  240G  0 lvm   /var/mnt/data
zram0              252:0    0  3.9G  0 disk  [SWAP]

@dustymabe
Member Author

Odd. So does the stamp file exist at /var/lib/coreos-populate-lvmdevices.stamp?

Maybe the fact that your LV is on top of LUKS encryption caused the migration script to not work (i.e. an ordering issue on boot where the migration script ran before the disks are unlocked).

@Quantum-Sicarius

ls -lah /var/lib/coreos-populate-lvmdevices.stamp
-rw-r--r--. 1 root root 0 Sep 20 15:27 /var/lib/coreos-populate-lvmdevices.stamp

It does appear to exist.

I think you are correct; the ordering is probably the issue. The second disk is decrypted using Tang + Clevis, meaning the OS networking needs to be up first, which I assume probably occurs after that service has been executed.

As I said, I have a unique case, so I doubt this issue will affect other users. (Unless SilverBlue also follows this path perhaps?)

@dustymabe
Member Author

Ahh, yes. That makes sense. I wish there was a good way I could think of to handle this case. The only thing I can think of is to attempt to do a second import later after networking is up.

Either way, thank you for reporting the issue.
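
A fleet-side check for the failure discussed above, as an added example that is not part of the original thread or the project's code: it compares the PV UUIDs recorded in a VG metadata backup (such as the `/etc/lvm/backup/vg00` file from the report) with the PVIDs in the devices file and prints every PV the host would now ignore. The function names and the sample files are constructed for illustration, and the file layouts are assumed to be the ones `vgcfgbackup` and `lvmdevices` write.

```shell
# Added example (not project code): PVs named in a VG backup but absent from the devices file.

# PVIDs listed in a devices file, dashes stripped, one per line.
devices_file_pvids() {
    sed -n 's/^[^#]*PVID=\([^[:space:]]*\).*/\1/p' "$1" | tr -d '-'
}

# Print "<pv-uuid> <device-hint>" for each PV in a vgcfgbackup-style file.
backup_pvs() {
    awk '
        $1 == "physical_volumes" { in_pv = 1; depth = 0 }
        in_pv {
            if ($1 == "id" && $2 == "=")     { gsub(/"/, "", $3); id = $3 }
            if ($1 == "device" && $2 == "=") { gsub(/"/, "", $3); print id, $3 }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) in_pv = 0
        }' "$1"
}

# usage: missing_pvs DEVICES_FILE BACKUP_FILE...
missing_pvs() {
    devfile=$1; shift
    known=$(devices_file_pvids "$devfile")
    for f in "$@"; do
        backup_pvs "$f" | while read -r id dev; do
            flat=$(printf '%s' "$id" | tr -d '-')
            printf '%s\n' "$known" | grep -qxF "$flat" || echo "$id $dev"
        done
    done
}

# Constructed sample input modelled on the report above (not real host data).
write_sample() {
    printf '# constructed: devices file with no entries\n' > "$1/system.devices"
    cat > "$1/vg00" <<'EOF'
vg00 {
    physical_volumes {
        pv0 {
            id = "a9nC05-q5RM-EcHf-D8AN-axWJ-N3Wu-XADqYn"
            device = "/dev/mapper/second-disk"
        }
    }
}
EOF
}
d=$(mktemp -d) && write_sample "$d"
missing_pvs "$d/system.devices" "$d/vg00"   # lists the PV the host ignores
rm -rf "$d"
```

On a host, the inputs would be `/etc/lvm/devices/system.devices` and the files under `/etc/lvm/backup/`; the device path in a backup is only a hint, so confirm it before running the `lvmdevices --adddev` command shown earlier in the thread.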

@travier
Member

travier commented Sep 27, 2023

> As I said, I have a unique case, so I doubt this issue will affect other users. (Unless SilverBlue also follows this path perhaps?)

Silverblue is moving away from LVM in general so I don't think we'll make that kind of "Kubernetes" related improvement there.

However I don't think your use case is that unique as we advertise Tang/Clevis support in Fedora CoreOS (and RHCOS).

HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023