Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow vm security.shared #14413

Closed
wants to merge 3 commits into from
Closed

Allow vm security.shared #14413

wants to merge 3 commits into from

Conversation

MggMuggins
Copy link
Contributor

@MggMuggins MggMuggins commented Nov 6, 2024
edited
Loading

This is a preparatory change for attaching virtual-machine and container type volumes to instances.

security.shared will be required for in order to attach virtual-machine volumes to other VMs.

Also a few bits I noticed in the docs.

@MggMuggins
doc/explanation/storage: Fix wording
17607b4 
Signed-off-by: Wesley Hershberger <[email protected]>
@github-actions github-actions bot added the Documentation Documentation needs updating label Nov 6, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 6, 2024

Heads up @mionaalex - the "Documentation" label was applied to this issue.

@MggMuggins MggMuggins marked this pull request as ready for review November 7, 2024 02:41
@tomponline
Copy link
Member

security.shared will be required for in order to attach virtual-machine volumes to other instances.

Hrm, im not sure why that is needed, because that security.shared setting is designed to allow concurrently mounting custom block volumes on multiple running instances, but for the feature you're working on we will require that the instance's whose root volume you're attaching to a different instance wont be running.

@tomponline
Copy link
Member

This is a preparatory change for attaching virtual-machine and container type volumes to instances.

Also interesting that you mention container volumes here, im not opposed to this at all, but this might introduce additional complexities wrt to idmapping, so might be a "phase 2" feature, as the primary driver for the feature you're working on is to add support for attaching VM root volumes to another VM for recovery/export/import.

@MggMuggins
Copy link
Contributor Author

MggMuggins commented Nov 7, 2024
edited
Loading

attaching VM root volumes to another VM for recovery/export/import

I totally s/VM/instance/ when I read the roadmap item; my bad. This will be reflected in the spec.

security.shared only guards creation of multiple disk devices referring to the same volume (it's only checked during config validation or when updating storage volumes), basically --yes-i-really-mean-it for creating the devices.

As we found while I was working on cluster member limits, making decisions based on the running state of instances is prone to races.

We should require security.shared: true to attach a VM's root volume to another instance since we have no way of guarding against corruption by checking the running state.

We can put this on hold until I've put together a spec.

@MggMuggins MggMuggins changed the title Allow vm security shared Allow vm security.shared Nov 8, 2024
@tomponline
Copy link
Member

Lets close this for now.

@tomponline tomponline closed this Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Documentation Documentation needs updating
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MggMuggins @tomponline