qemu-kvm: prevent host from accessing passthru LVM disks

Question

I am running multiple Ubuntu (5.4.0-117-generic) qemu-kvm hosts. On each I am passing multiple block devices through to VMs thusly:

    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/disk/by-id/scsi-SATA_ST5000LM000-2AN1_WCJ3RALZ'/>
      <target dev='vdc' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
    </disk>

there to be used by the guest OS (also Ubuntu) for LVM (gluster with snapshot capability but that's another post).

I am concerned about how much the host accesses the drives. The LVM volumes are picked up by the mapper, show under lsblk, and spew 'not a block device' every time I run a update-grub. Even more concerning is that I can deactivate logical volumes from the host with vgchange. That can't be good!

Obviously the hosts need to "see" devices in order for me to present them to the VMs. But is there something to be done to otherwise prevent the host from playing with them?

Answer 1

Found global_filter under /etc/lvm/lvm.conf:

devices {
   ...
global_filter = [ "r|/dev/disk/by-id/scsi-SATA_ST5000LM000-*|" ]

Very cool that it supports regexp AND symbolic links.

Even more cool that it takes effect immediately upon edit - no reboot or service restart required - though it makes me a little nervous about saving a typo ....

Some LVM info is still displayed under lsblk but the volume groups are no longer accessible on the host and update-grub complains no more!