tests/storage-volumes-vm: Root volume disk device attachments

This should have a check for all corner cases around VM root volume attachments: - security.protection.start allows one other VM to attach the machine's root disk, and can only be removed if the disk is not attached - security.shared allows unchecked attachments of root disks - VM attachments are correctly reported in used_by - hotplug of VM root attachments works (as this is the method reccomended by the docs to avoid UUID/LABEL conflicts) Signed-off-by: Wesley Hershberger <[email protected]>
canonical · Dec 5, 2024 · 4ea7f64 · 4ea7f64
1 parent 0a72186
commit 4ea7f64
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/tests/storage-volumes-vm b/tests/storage-volumes-vm
@@ -191,6 +191,74 @@ do
 	lxc storage volume detach "${poolName}" vol3 v1
 	lxc storage volume detach "${poolName}" vol6 v1 || true  # optional ISO
 
+	# attach VM root volumes
+	if hasNeededAPIExtension instance_root_volume_attachment; then
+		lxc init --empty --vm v2 --storage "${poolName}"
+		lxc init --empty --vm v3 --storage "${poolName}"
+
+		# Requires either security.shared or security.protection.start
+		! lxc storage volume attach "${poolName}" virtual-machine/v2 v1 || false
+
+		lxc config set v2 security.protection.start=true
+
+		# security.protection.start on a VM allows exactly one other attachment
+		lxc storage volume attach "${poolName}" virtual-machine/v2 v1
+		! lxc storage volume attach "${poolName}" virtual-machine/v2 v3 || false
+
+		# Deleting the instance will fail while it's root volume is in use
+		! lxc delete v2 || false
+
+		# Make sure used_by is calculated correctly
+		lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v1'
+
+		# Can't unset security.protection.start when vm2's root volume is attached to vm1
+		! lxc config unset v2 security.protection.start || false
+
+		lxc storage volume detach "${poolName}" virtual-machine/v2 v1
+
+		# Unset security.protection.start works when not attached
+		lxc config unset v2 security.protection.start
+
+		lxc config set v2 security.protection.start=true
+		lxc storage volume attach "${poolName}" virtual-machine/v2 v1
+
+		lxc storage volume set "${poolName}" virtual-machine/v2 security.shared=true
+
+		# security.shared allows many attachments
+		lxc storage volume attach "${poolName}" virtual-machine/v2 v3
+
+		lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v1'
+		lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v3'
+
+		lxc config unset v2 security.protection.start
+
+		# Detach so that we can double-check hotplug
+		lxc storage volume detach "${poolName}" virtual-machine/v2 v1
+
+		# Make sure that the devices actually show up and can be mounted
+		lxc start v1
+		waitInstanceReady v1
+
+		# Specify a different device name here; udev appears to be truncating the
+		# default name when it creates the /dev/disk/by-id/scsi* symlinks, so use
+		# a shorter name to prevent truncation.
+		lxc storage volume attach "${poolName}" virtual-machine/v2 v1 v2-root
+		[ "$(lxc exec v1 -- /bin/sh -c 'stat --format=%F /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_lxd_v2--root')" = "symbolic link" ]
+		lxc stop --force v1
+
+		# Can't unset security.shared when vm1's root volume is attached elsewhere
+		! lxc storage volume unset "${poolName}" virtual-machine/v2 security.shared || false
+
+		lxc storage volume detach "${poolName}" virtual-machine/v2 v1
+		lxc storage volume detach "${poolName}" virtual-machine/v2 v3
+
+		lxc storage volume unset "${poolName}" virtual-machine/v2 security.shared
+
+		lxc delete --force v2 v3
+	else
+		echo "==> Skipping instance root attachment tests, not supported"
+	fi
+
 	echo "==> Deleting VM"
 	lxc delete v1