Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

storage: Disallow volume.security.shared on cephfs #14633

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

storage: Disallow volume.security.shared on cephfs #14633

wants to merge 4 commits into from
+21 −7

Conversation

hamistao
Copy link
Contributor

This adds a check to deny enabling security.shared on a cephfs pool. Also includes tests for this check and for setting security.shared in many volume types.

@hamistao hamistao force-pushed the cephfs_tests branch 2 times, most recently from dae00b1 to a211f9c Compare December 11, 2024 19:17
@hamistao
Copy link
Contributor Author

@masnax Could you please just look at the last commit and confirm if my changes there make sense?

@hamistao hamistao marked this pull request as ready for review December 12, 2024 04:54
@hamistao hamistao marked this pull request as draft December 12, 2024 05:18
@hamistao hamistao marked this pull request as ready for review December 12, 2024 06:21
tomponline
tomponline reviewed Dec 12, 2024
View reviewed changes
lxd/storage/drivers/driver_cephfs.go
@@ -437,6 +437,8 @@ func (d *cephfs) Validate(config map[string]string) error {
// shortdesc: Whether the CephFS file system was empty on creation time
// scope: global
"volatile.pool.pristine": validate.IsAny,
// Override general 'security.shared' rule since only cephfs does not support block volumes.
"volume.security.shared": func(value string) error { return fmt.Errorf("") },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

empty error message looks odd?

tomponline
tomponline reviewed Dec 12, 2024
View reviewed changes
test/suites/storage_local_volume_handling.sh

# security.shared is only allowed for block volumes
! lxc storage volume set "${pool}" vol1 security.shared true || false
! lxc storage volume set "${pool}" isoVol security.shared true || false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So does security.shared not work for iso volumes because they are allowed to be attached concurrently to multiple instances (as this should be allowed because they are readonly)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, they are sharable by default

tomponline
tomponline reviewed Dec 12, 2024
View reviewed changes
test/suites/storage_driver_cephfs.sh
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can you expand the commit message as to why these were ineffective?

@tomponline
Copy link
Member

@hamistao ceph tests failing

+ lxc storage create cephfs cephfs source=cephfs/Q5A
++ timeout --foreground 120 /home/runner/go/bin/lxc storage create cephfs cephfs source=cephfs/Q5A --verbose
Error: Invalid value for option "volume.security.shared":

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomponline tomponline tomponline left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hamistao @tomponline