Merge "Make /dev/kvm permissions handling more robust"

b0407ffb · Zuul · Gerrit Code Review · 8fc8dec3 · 202365e7 · b0407ffb
Commit b0407ffb authored 4 years ago by Zuul Committed by Gerrit Code Review 4 years ago
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -413,6 +413,11 @@ libvirt_tls_manage_certs: true
 # ability for people to override the hostname to use.
 migration_hostname: "{{ ansible_nodename }}"

+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# We can't get the id too effectively from the images so hardcoding here.
+# It does not change that often (in fact, most likely never ever).
+qemu_user_gid: 42427
+
 ####################
 # Kolla
 ####################

--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
@@ -22,3 +22,30 @@
  when:
    - set_sysctl | bool
    - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part can actually run on any distro and lets us drop the hardcoded
+# chown and chmod from the nova-libvirt image extend_start and make the process
+# more robust.
+- name: Install udev kolla kvm rules
+  become: true
+  template:
+    src: "99-kolla-kvm.rules.j2"
+    dest: "/etc/udev/rules.d/99-kolla-kvm.rules"
+    mode: "0644"
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - inventory_hostname in groups[nova_cell_compute_group]
+
+# NOTE(yoctozepto): Part of bug #1681461 fix.
+# This part only really makes sense on Ubuntu and would end up being confusing
+# on others. This service changes /dev/kvm permissions.
+- name: Mask qemu-kvm service
+  become: true
+  systemd:
+    name: qemu-kvm.service
+    masked: true
+  when:
+    - nova_compute_virt_type == 'kvm'
+    - ansible_distribution == 'Ubuntu'
+    - inventory_hostname in groups[nova_cell_compute_group]
--- a/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
+++ b/ansible/roles/nova-cell/templates/99-kolla-kvm.rules.j2
+# Part of Kolla Ansible OpenStack Nova deployment.
+
+# This ensures the /dev/kvm has proper permissions.
+KERNEL=="kvm", GROUP="{{ qemu_user_gid }}", MODE="0660"
--- a/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
+++ b/releasenotes/notes/bug-1681461-761f0cdf71bcb962.yaml
+---
+fixes:
+  - |
+    Fixes handling of `/dev/kvm` permissions to be more robust against
+    host-level actions.
+    `LP#1681461 <https://launchpad.net/bugs/1681461>`__