Merge "[devstack][ci] Modify firewall in ds-plugin" into stable/queens

2020-05-26 13:25:58 +00:00 · 2020-05-26 13:25:58 +00:00 · 0d5a1873f2
parent 3597aadaee e517c01ddb
commit 0d5a1873f2
9 changed files with 37 additions and 15 deletions
--- a/contrib/ci/post_test_hook.sh
+++ b/contrib/ci/post_test_hook.sh
@ -334,21 +334,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
 source $BASE/new/manila/contrib/ci/common.sh
 manila_wait_for_drivers_init $MANILA_CONF

-
-TCP_PORTS=(2049 111 32803 892 875 662)
-UDP_PORTS=(111 32769 892 875 662)
-for ipcmd in iptables ip6tables; do
-    # (aovchinnikov): extra rules are needed to allow instances talk to host.
-    sudo $ipcmd -N manila-nfs
-    sudo $ipcmd -I INPUT 1 -j manila-nfs
-    for port in ${TCP_PORTS[*]}; do
-        sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
-    done
-    for port in ${UDP_PORTS[*]}; do
-        sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
-    done
-done
-
 source $BASE/new/devstack/openrc admin admin
 public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
 iniset $TEMPEST_CONFIG network public_network_id $public_net_id
--- a/contrib/ci/pre_test_hook.sh
+++ b/contrib/ci/pre_test_hook.sh
@ -43,6 +43,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf

 echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf

+echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
+
 # === Handle script arguments ===
 # First argument is expected to be a boolean-like value for DHSS.
 DHSS=$1
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -961,6 +961,24 @@ function install_libraries {
    fi
 }

+function allow_host_ports_for_share_mounting {
+
+    TCP_PORTS=(2049 111 32803 892 875 662)
+    UDP_PORTS=(111 32769 892 875 662)
+    for ipcmd in iptables ip6tables; do
+        # (aovchinnikov): extra rules are needed to allow instances talk to
+        # host.
+        sudo $ipcmd -N manila-nfs
+        sudo $ipcmd -I INPUT 1 -j manila-nfs
+        for port in ${TCP_PORTS[*]}; do
+            sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
+        done
+        for port in ${UDP_PORTS[*]}; do
+            sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
+        done
+    done
+}
+
 function setup_ipv6 {

    # This will fail with multiple default routes and is not needed in CI
@ -1189,6 +1207,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then

    echo_summary "Update Tempest config"
    update_tempest
+
+
+    if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
+        echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
+        allow_host_ports_for_share_mounting
+    fi
+
 fi

 if [[ "$1" == "unstack" ]]; then
--- a/devstack/settings
+++ b/devstack/settings
@ -149,6 +149,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1}  # deprecated
 MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2}  # deprecated
 MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2}  # deprecated

+# Enable this option when using a storage backend that is on the same host
+# as the devstack host, these iptable rules are necessary to allow mounting
+# shares from the host
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
+
 # Options for configuration of LVM share driver
 SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
 SHARE_GROUP=${SHARE_GROUP:-lvm-shares}
--- a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml
+++ b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml
@ -52,6 +52,7 @@

          export ENABLED_SERVICES=tempest
          export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

          # Keep localrc to be able to set some vars in pre_test_hook
          export KEEP_LOCALRC=1
--- a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml
+++ b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml
@ -53,6 +53,7 @@
          export KEEP_LOCALRC=1
          export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
          export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

          function pre_test_hook {
              # 'dhss' - acronym for 'Driver Handles Share Servers',
--- a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml
+++ b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml
@ -53,6 +53,7 @@
          export KEEP_LOCALRC=1
          export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
          export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

          function pre_test_hook {
              # 'dhss' - acronym for 'Driver Handles Share Servers',
--- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml
@ -77,6 +77,7 @@
          export KEEP_LOCALRC=1
          export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
          export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
          OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
          export OVERRIDE_ENABLED_SERVICES

--- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm-centos-7/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm-centos-7/run.yaml
@ -58,6 +58,7 @@
          export MANILA_SETUP_IPV6=True
          export RUN_MANILA_IPV6_TESTS=True
          export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

          # Basic services needed for minimal job
          OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest