Configure LVM's devices file

Configure LVM's "devices file" in order to prevent it from scanning
cinder volume attachments.

LVM uses the concept of a devices file to control whether it
scans local and dynamically attached (SAN) volumes. This is an
enhancement over using LVM device filters. The devices file
essentially provides a whitelist of devices that should be scanned,
and the file is automatically updated by LVM commands such as
'lvcreate'. For this to work, the devices file must exist even if
it's empty.

Resolves: OSPRH-20217
Signed-off-by: Alan Bishop <[email protected]>

Author: ASBishop

roles/edpm_bootstrap/defaults/main.yml

@@ -94,3 +94,10 @@ edpm_bootstrap_fips_fms_status:
   - {exit_code: 0, state: 'enabled', message: 'FIPS is enabled'}
   - {exit_code: 1, state: 'inconsistent', message: 'FIPS setup is inconsistent'}
   - {exit_code: 2, state: 'disabled', message: 'FIPS is disabled'}
+
+# Full path name of LVM's default "devicesfile" (see /etc/lvm/lvm.conf)
+edpm_bootstrap_lvm_devices_file: /etc/lvm/devices/system.devices
+
+# Specifies whether to import existing LVM devices into the devices file. This
+# is overridden (set false) when updating nova compute nodes.
+edpm_bootstrap_lvm_import_devices: true

roles/edpm_bootstrap/meta/argument_specs.yml

@@ -112,3 +112,16 @@ argument_specs:
         default: /var/lib/openstack/reboot_required
         description: |
           Path of the reboot_required folder used by `edpm_reboot` role
+
+      edpm_bootstrap_lvm_devices_file:
+        type: path
+        default: /etc/lvm/devices/system.devices
+        description: |
+          Full path name of LVM's default "devicesfile" (see /etc/lvm/lvm.conf)
+
+      edpm_bootstrap_lvm_import_devices:
+        type: bool
+        default: true
+        description: |
+          Specifies whether to import existing LVM devices into the devices file.
+          This is overridden (set false) when updating nova compute nodes.

roles/edpm_bootstrap/molecule/default/verify.yml

@@ -9,3 +9,9 @@
         path: /tmp/edpm_bootstrap_command
       register: bootstrap_stat
       failed_when: not bootstrap_stat.stat.exists
+
+    - name: Verify the LVM devices file exists
+      stat:
+        path: "{{ edpm_bootstrap_lvm_devices_file }}"
+      register: lvm_devices_stat
+      failed_when: not lvm_devices_stat.stat.exists

roles/edpm_bootstrap/tasks/bootstrap.yml

@@ -108,3 +108,6 @@
 - name: FIPS tasks
   ansible.builtin.import_tasks: fips.yml
   when: edpm_bootstrap_fips_mode != 'check'
+
+- name: LVM tasks
+  ansible.builtin.import_tasks: lvm.yml

roles/edpm_bootstrap/tasks/lvm.yml

@@ -0,0 +1,41 @@
+---
+# Copyright 2025 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Check if the LVM devices file exists
+  become: true
+  ansible.builtin.stat:
+    path: "{{ edpm_bootstrap_lvm_devices_file }}"
+  register: lvm_devices_file
+
+- name: Create the LVM devices file
+  become: true
+  when: not (lvm_devices_file.stat.exists | bool)
+  block:
+    - name: Import any existing LVM devices
+      ansible.builtin.command: /usr/sbin/vgimportdevices --all
+      register: vgimportdevices
+      changed_when: true
+      failed_when: vgimportdevices.rc not in [0, 5]
+      when: (edpm_bootstrap_lvm_import_devices | bool)
+
+    - name: Create an empty LVM devices file
+      ansible.builtin.file:
+        path: "{{ edpm_bootstrap_lvm_devices_file }}"
+        state: touch
+        mode: '0600'
+        owner: root
+        group: root
+      when: not (edpm_bootstrap_lvm_import_devices | bool) or vgimportdevices.rc == 5

roles/edpm_nova/tasks/update.yml

@@ -10,3 +10,15 @@
     mode: "0644"
   loop:
     - {"src": "nova_statedir_ownership.py", "dest": "nova_statedir_ownership.py"}
+
+- name: Run LVM bootstrap tasks
+  tags:
+    - update
+    - nova
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_bootstrap
+    tasks_from: lvm.yml
+  vars:
+    # Don't import existing LVM devices in case there are "rogue" ones associated
+    # with an attached cinder volume.
+    edpm_bootstrap_lvm_import_devices: false