fix(cozystack): exclude loop devices from LVM global_filter

[Andrei Kvapil (kvaps)]

Add /dev/loop to the LVM global_filter in the generated Talos machine config so the host does not scan or activate volume groups located inside loop-mounted images.

Summary by CodeRabbit

• Chores
  • LVM configuration updated to filter out loop devices (now excludes /dev/loop.* alongside existing patterns).
• Tests
  • Expanded test coverage to assert the LVM configuration includes the loop-device exclusion.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 40db45c3-85aa-496c-b748-bfcdd1303583

📥 Commits

Reviewing files that changed from the base of the PR and between 197fa71 and fbc207f.

📒 Files selected for processing (1)

• pkg/engine/contract_machine_test.go

---

📝 Walkthrough

Walkthrough

The PR adds /dev/loop.* to the LVM global_filter in the Talos machine template and updates the machine.files contract test to document and assert the new exclude pattern.

Changes

LVM Configuration Update

Layer / File(s)	Summary
Add loop device filter to LVM global_filter charts/cozystack/templates/_helpers.tpl	The embedded /etc/lvm/lvm.conf global_filter now excludes /dev/loop.*, alongside existing /dev/drbd.*, /dev/dm-.*, and /dev/zd.* patterns.
Update contract docs and assertions pkg/engine/contract_machine_test.go	Test comments updated to mention excluding loop-mounted images; test adds an assertion that /etc/lvm/lvm.conf contains an exclude regex for /dev/loop.*.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit peeked into LVM's lair,
Found loop devices nested there,
"Not for you," the filter said with cheer,
Added /dev/loop.*, clear and near,
Now scans hop past without a care. 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding loop device exclusion to LVM global_filter in cozystack, which aligns perfectly with the changeset modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/lvm-loop-filter

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the LVM configuration in charts/cozystack/templates/_helpers.tpl by adding /dev/loop.* to the global_filter list to exclude loop devices. There are no review comments to evaluate, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[Aleksei Sviridkin (lexfrei)]

NOT LGTM — the config change itself is correct and safe, but it adds a fourth entry to a list that is pinned by a contract test without extending that test, and it leaves the test's own description of the filter stale.

Business context: prevent the Talos host LVM from scanning/activating volume groups that live inside loop-mounted images (e.g. guest disk images), by rejecting /dev/loop.* in global_filter — consistent with the existing drbd/dm/zd rejects and with how the disk selector already treats loop devices as a virtual class.

Blockers

B1: the new global_filter loop entry is not pinned by its contract test, and the test comment is now stale

File: pkg/engine/contract_machine_test.go:651-653 (assertions) and :632-634 (comment)

Issue: TestContract_Machine_Files_Cozystack pins each filter entry individually — r|^/dev/drbd.*|, r|^/dev/dm-.*|, r|^/dev/zd.*| — but this PR adds r|^/dev/loop.*| to the template (charts/cozystack/templates/_helpers.tpl:113) without adding the matching assertion. The test's doc comment still reads "global_filter that excludes drbd, dm-, zd- devices", which no longer matches what the template emits.

Evidence: go test ./pkg/engine/ -run TestContract_Machine_Files_Cozystack passes on this branch. Because the test asserts only the three original entries, removing r|^/dev/loop.*| from the template would not fail any test — the new behavior is unpinned, while all three sibling entries are pinned.

Impact: a later edit that drops the loop reject would silently regress (the host LVM resumes scanning loop devices, reintroducing the bug this PR fixes) with a green test suite; the stale comment also misdescribes the shipped contract.

Fix: in the same commit, add an assertContains for r|^/dev/loop.*| right after the zd assertion, and update the comment to read "excludes drbd, dm-, zd-, loop devices".

[Aleksei Sviridkin (lexfrei)]

LGTM — the contract-test gap from the previous review is resolved.

TestContract_Machine_Files_Cozystack now pins r|^/dev/loop.*| alongside drbd/dm/zd, and the contract comment was refreshed to match. Verified that the new assertion fails if the loop reject is dropped from the template, so the filter is now regression-protected. Pushed directly to the branch as a separate commit.