From 4ea7f642be3cc6743e9bfead1bc85ce5a8631cac Mon Sep 17 00:00:00 2001
From: Wesley Hershberger
Date: Wed, 4 Dec 2024 17:51:52 -0600
Subject: [PATCH] tests/storage-volumes-vm: Root volume disk device attachments

This should have a check for all corner cases around VM root volume attachments:
- security.protection.start allows one other VM to attach the machine's root disk, and can only be removed if the disk is not attached
- security.shared allows unchecked attachments of root disks
- VM attachments are correctly reported in used_by
- hotplug of VM root attachments works (as this is the method reccomended by the docs to avoid UUID/LABEL conflicts)

Signed-off-by: Wesley Hershberger
---
 tests/storage-volumes-vm | 68 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/tests/storage-volumes-vm b/tests/storage-volumes-vm
index 843df15c..2fc73f82 100755
--- a/tests/storage-volumes-vm
+++ b/tests/storage-volumes-vm
@@ -191,6 +191,74 @@ do
 lxc storage volume detach "${poolName}" vol3 v1
 lxc storage volume detach "${poolName}" vol6 v1 || true # optional ISO
+ # attach VM root volumes
+ if hasNeededAPIExtension instance_root_volume_attachment; then
+ lxc init --empty --vm v2 --storage "${poolName}"
+ lxc init --empty --vm v3 --storage "${poolName}"
+
+ # Requires either security.shared or security.protection.start
+ ! lxc storage volume attach "${poolName}" virtual-machine/v2 v1 || false
+
+ lxc config set v2 security.protection.start=true
+
+ # security.protection.start on a VM allows exactly one other attachment
+ lxc storage volume attach "${poolName}" virtual-machine/v2 v1
+ ! lxc storage volume attach "${poolName}" virtual-machine/v2 v3 || false
+
+ # Deleting the instance will fail while it's root volume is in use
+ ! lxc delete v2 || false
+
+ # Make sure used_by is calculated correctly
+ lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v1'
+
+ # Can't unset security.protection.start when vm2's root volume is attached to vm1
+ ! lxc config unset v2 security.protection.start || false
+
+ lxc storage volume detach "${poolName}" virtual-machine/v2 v1
+
+ # Unset security.protection.start works when not attached
+ lxc config unset v2 security.protection.start
+
+ lxc config set v2 security.protection.start=true
+ lxc storage volume attach "${poolName}" virtual-machine/v2 v1
+
+ lxc storage volume set "${poolName}" virtual-machine/v2 security.shared=true
+
+ # security.shared allows many attachments
+ lxc storage volume attach "${poolName}" virtual-machine/v2 v3
+
+ lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v1'
+ lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v3'
+
+ lxc config unset v2 security.protection.start
+
+ # Detach so that we can double-check hotplug
+ lxc storage volume detach "${poolName}" virtual-machine/v2 v1
+
+ # Make sure that the devices actually show up and can be mounted
+ lxc start v1
+ waitInstanceReady v1
+
+ # Specify a different device name here; udev appears to be truncating the
+ # default name when it creates the /dev/disk/by-id/scsi* symlinks, so use
+ # a shorter name to prevent truncation.
+ lxc storage volume attach "${poolName}" virtual-machine/v2 v1 v2-root
+ [ "$(lxc exec v1 -- /bin/sh -c 'stat --format=%F /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_lxd_v2--root')" = "symbolic link" ]
+ lxc stop --force v1
+
+ # Can't unset security.shared when vm1's root volume is attached elsewhere
+ ! lxc storage volume unset "${poolName}" virtual-machine/v2 security.shared || false
+
+ lxc storage volume detach "${poolName}" virtual-machine/v2 v1
+ lxc storage volume detach "${poolName}" virtual-machine/v2 v3
+
+ lxc storage volume unset "${poolName}" virtual-machine/v2 security.shared
+
+ lxc delete --force v2 v3
+ else
+ echo "==> Skipping instance root attachment tests, not supported"
+ fi
+
 echo "==> Deleting VM"
 lxc delete v1
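Review bot: The refusal checks in this block (the two rejected `lxc storage volume attach` calls, `! lxc delete v2 || false`, and the two rejected `unset` calls) pass on any non-zero exit, so a failure unrelated to security.protection.start or security.shared would satisfy them just as well as the guard firing. Because these lines exercise the control that limits who may attach another VM's root disk, each refusal would be stronger with a state assertion after it, for example after the rejected v3 attach: `! lxc storage volume show "${poolName}" virtual-machine/v2 | grep -q '/1.0/instances/v3' || false`. The hot-plug check reads the /dev/disk/by-id symlink immediately after the attach with no wait or retry, which may race with udev inside the guest and make the test flaky. The comment `# Can't unset security.shared when vm1's root volume is attached elsewhere` appears to refer to v2's root volume, and the instance names in the comments (vm1/vm2) do not match the names used in the commands (v1/v2). The enclosing loop starts and ends outside this hunk.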