From 202365e70213fe7f23d1d618789e356e24ed0679 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Sat, 13 Jun 2020 21:03:59 +0200
Subject: [PATCH] Make /dev/kvm permissions handling more robust

This makes use of udev rules to make it smarter and override host-level packages settings. Additionally, this masks Ubuntu-only service that is another pain point in terms of /dev/kvm permissions. Fingers crossed for no further surprises.

Change-Id: I61235b51e2e1325b8a9b4f85bf634f663c7ec3cc
Closes-bug: #1681461
---
 ansible/roles/nova-cell/defaults/main.yml | 5 ++++
 ansible/roles/nova-cell/tasks/config-host.yml | 27 +++++++++++++++++++
 .../nova-cell/templates/99-kolla-kvm.rules.j2 | 4 +++
 .../notes/bug-1681461-761f0cdf71bcb962.yaml | 6 +++++
 4 files changed, 42 insertions(+)
 create mode 100644 ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
 create mode 100644 releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml

diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml
index 7aaa1b8268..9c54a4a062 100644
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -413,6 +413,11 @@ libvirt_tls_manage_certs: true
 # ability for people to override the hostname to use.
 migration_hostname: "{{ ansible_nodename }}"
 
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# We can't get the id too effectively from the images so hardcoding here.
+# It does not change that often (in fact, most likely never ever).
+qemu_user_gid: 42427
+
 ####################
 # Kolla
 ####################
diff --git a/ansible/roles/nova-cell/tasks/config-host.yml b/ansible/roles/nova-cell/tasks/config-host.yml
index 2737d4ab57..650def7270 100644
--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
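Review bot: `qemu_user_gid: 42427` is treated as the GID of the qemu group inside the nova-libvirt image, but nothing in the role checks that, and the udev rule that consumes it grants rw on /dev/kvm to whatever host group happens to own that GID if the image's value ever diverges. The NOTE explains only why the value is hard-coded, not the contract a deployer must keep when overriding it; replace the second and third comment lines with `# Must equal the GID of the qemu group inside the kolla nova-libvirt image; the udev rule in config-host.yml grants /dev/kvm rw to this GID on the host, so a wrong value either locks qemu out or exposes /dev/kvm to an unrelated host group.`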
@@ -13,3 +13,30 @@
   when:
     - set_sysctl | bool
     - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part can actually run on any distro and lets us drop the hardcoded
+# chown and chmod from the nova-libvirt image extend_start and make the process
+# more robust.
+- name: Install udev kolla kvm rules
+  become: true
+  template:
+    src: "99-kolla-kvm.rules.j2"
+    dest: "/etc/udev/rules.d/99-kolla-kvm.rules"
+    mode: "0644"
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part only really makes sense on Ubuntu and would end up being confusing
+# on others. This service changes /dev/kvm permissions.
+- name: Mask qemu-kvm service
+  become: true
+  systemd:
+    name: qemu-kvm.service
+    masked: true
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - ansible_distribution == 'Ubuntu'
+    - inventory_hostname in groups[nova_cell_compute_group]
diff --git a/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2 b/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
new file mode 100644
index 0000000000..6b528d10f3
--- /dev/null
+++ b/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
@@ -0,0 +1,4 @@
+# Part of Kolla Ansible OpenStack Nova deployment.
+
+# This ensures the /dev/kvm has proper permissions.
+KERNEL=="kvm", GROUP="{{ qemu_user_gid }}", MODE="0660"
diff --git a/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml b/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
new file mode 100644
index 0000000000..32397535ca
--- /dev/null
+++ b/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes handling of `/dev/kvm` permissions to be more robust against
+    host-level actions.
+    `LP#1681461 `__
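Review bot: Writing the rule file under /etc/udev/rules.d does not make udev apply it: on a running compute host /dev/kvm already exists, so its group and mode stay whatever the distro packages set until udev re-processes the device or the host reboots. The comment on this task says the chown/chmod in the image's extend_start is being dropped (that change is not visible here), so a host updated in place could be left with an unusable /dev/kvm until the next reboot. Register the template task's result and reload plus re-trigger the device when it changed, as below; the enclosing file continues past this hunk.
```yaml
- name: Install udev kolla kvm rules
  # … unchanged: become/template/when …
  register: kolla_kvm_udev_rules

- name: Apply udev kolla kvm rules to the existing /dev/kvm
  become: true
  command: "udevadm {{ item }}"
  with_items:
    - control --reload-rules
    - trigger --name-match=/dev/kvm
  when:
    - kolla_kvm_udev_rules is changed
```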
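Review bot: The rule file never states why it is numbered 99, although sorting after the distro packages' own /dev/kvm rules is exactly what lets it override them, which the commit message gives as the purpose of the change; someone renumbering or renaming it would lose that silently. Replace the second comment with `# Numbered 99 so it sorts after (and overrides) the distro packages' own rules for /dev/kvm: rw for the qemu group GID from qemu_user_gid only, owner left at the default.` It is also worth saying in the same comment that GROUP carries the GID used inside the nova-libvirt image, since the host may have no group by that id and the value is chosen by the container, not the host.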