Prevent accidental Libvirt downgrades

Add a version check for nova_libvirt during deploy and upgrade.
Resolve the target image digest once on the first compute host.
Compare it with each running container digest before version check.
This runs the assertion only on hypervisors that would change
image and leaves other hosts untouched.

Adds a tiny macro role ``service-image-info`` to resolve container
image info (Docker/Podman) once per service. The nova-libvirt version
check now uses it to compare running vs target image.

Closes-bug: #2120290

Co-Authored-By: Bartosz Bezak <[email protected]>

Signed-off-by: Bartosz Bezak <[email protected]>
Change-Id: I904a7b959f8fd151ab40bf6ac830dcf13d899239
(cherry picked from commit 7035e11)

Author: m-bull

ansible/roles/nova-cell/tasks/deploy.yml

@@ -2,6 +2,8 @@
 - include_tasks: clone.yml
   when: nova_dev_mode | bool
 
+- import_tasks: version-check.yml
+
 - import_tasks: config-host.yml
 
 - import_tasks: config.yml

ansible/roles/nova-cell/tasks/upgrade.yml

@@ -1,4 +1,6 @@
 ---
+- import_tasks: version-check.yml
+
 - name: Stopping nova cell services
   become: true
   kolla_container:

ansible/roles/nova-cell/tasks/version-check.yml

@@ -0,0 +1,88 @@
+---
+- block:
+    - name: Get new Libvirt version
+      become: true
+      kolla_container:
+        action: "start_container"
+        command: "libvirtd --version"
+        common_options: "{{ docker_common_options }}"
+        container_engine: "{{ kolla_container_engine }}"
+        detach: false
+        environment:
+          KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+        image: "{{ service.image }}"
+        name: "libvirt_version_check"
+        restart_policy: oneshot
+        remove_on_exit: true
+      register: libvirt_version_new
+      failed_when: false
+      check_mode: false
+      run_once: true
+      delegate_to: "{{ groups[service.group] | first }}"
+
+    - name: Cache new Libvirt version
+      set_fact:
+        libvirt_new_version: "{{ libvirt_version_new.stdout | regex_search('[0-9]+\\.[0-9]+\\.[0-9]+') }}"
+      run_once: true
+      delegate_facts: true
+      delegate_to: "{{ groups[service.group] | first }}"
+
+    - name: Get nova_libvirt image info
+      include_role:
+        name: service-image-info
+      run_once: true
+
+    - name: Get container facts
+      become: true
+      kolla_container_facts:
+        action: get_containers
+        container_engine: "{{ kolla_container_engine }}"
+        name:
+          - "{{ service.container_name }}"
+      register: container_facts_per_host
+      run_once: true
+      delegate_to: "{{ item }}"
+      loop: "{{ groups[service.group] }}"
+      loop_control:
+        label: "{{ item }}"
+
+    - name: Get current Libvirt version
+      become: true
+      command: "{{ kolla_container_engine }} exec {{ service.container_name }} libvirtd --version"
+      register: libvirt_version_current_results
+      changed_when: false
+      run_once: true
+      delegate_to: "{{ item.item }}"
+      loop: "{{ container_facts_per_host.results }}"
+      loop_control:
+        label: "{{ item.item }}"
+      when:
+        - item.containers[service.container_name] is defined
+        - item.containers[service.container_name].State.Running
+        - (hostvars[groups[service.group] | first].service_image_info.images | default([]) | length) > 0
+        - item.containers[service.container_name].Image
+          != hostvars[groups[service.group] | first].service_image_info.images[0].Id
+
+    - name: Check that the new Libvirt version is >= current
+      vars:
+        current_version: "{{ item.stdout | regex_search('[0-9]+\\.[0-9]+\\.[0-9]+') }}"
+        new_version: "{{ hostvars[groups[service.group] | first].libvirt_new_version }}"
+      assert:
+        that: "{{ new_version is version(current_version, '>=', strict=true) }}"
+        fail_msg: >
+          It looks like you're about to downgrade Libvirt in the nova_libvirt container from
+          version {{ current_version }} to version {{ new_version }}. If you're absolutely certain
+          that you want to do this, please skip the tag `nova-libvirt-version-check`.
+        success_msg: >
+          Libvirt version check successful: target {{ new_version }} >= current {{ current_version }}.
+      run_once: true
+      loop: "{{ libvirt_version_current_results.results }}"
+      loop_control:
+        label: "{{ item.item }}"
+      when: item.stdout is defined
+
+  tags: nova-libvirt-version-check
+  when: enable_nova_libvirt_container | bool and (groups[service.group] | length) > 0
+  vars:
+    service_name: "nova-libvirt"
+    service: "{{ nova_cell_services[service_name] }}"

ansible/roles/service-image-info/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# Host to delegate task execution to.
+service_image_info_delegate_host: "{{ groups[service.group] | first }}"

ansible/roles/service-image-info/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Get target image info (docker)
+  block:
+    - community.docker.docker_image_info:
+        name: "{{ service.image }}"
+      register: docker_image_info
+
+    - set_fact:
+        service_image_info: "{{ docker_image_info }}"
+      delegate_facts: true
+  become: true
+  delegate_to: "{{ service_image_info_delegate_host }}"
+  when: kolla_container_engine == 'docker'
+
+- name: Get target image info (podman)
+  block:
+    - containers.podman.podman_image_info:
+        name: "{{ service.image }}"
+      register: podman_image_info
+
+    - set_fact:
+        service_image_info: "{{ podman_image_info }}"
+      delegate_facts: true
+  become: true
+  delegate_to: "{{ service_image_info_delegate_host }}"
+  when: kolla_container_engine == 'podman'

releasenotes/notes/libvirt-catch-downgrade-d297347d745211f0.yaml

@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Prevents accidental ``libvirt`` downgrades in ``nova_libvirt`` container
+    image during deploy and upgrade. Adds a ``nova_libvirt`` version check that
+    resolves the target image digest once on the first compute host
+    and runs only on hypervisors where the running container digest differs
+    from the target.