
[devstack][ci] Modify firewall in ds-plugin

To set up some first party backends such as
ZFSOnLinux, CephFS via NFS gateway, Container
(where the NAS server is containerized) and LVM,
manila's devstack plugin creates a NAS server
on the devstack host.

On test machines, access to this NAS server is
firewalled from networks outside of the host's
internal network namespace (including from private
project networks that are in different network
namespaces, on the same devstack host).

We currently use a legacy devstack-gate script
to disable the firewall on NFS ports; however,
anyone who installs devstack with the LVM, Container,
ZFSOnLinux or CephFS-NFS drivers will need these
firewall ports to be opened to be able to mount
shares exported off their devstack host machines.

Move these firewall commands to the devstack plugin.
These commands can be invoked by setting the localrc
variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True.
The value of this variable is False by default,
to preserve existing behavior.

Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44
(cherry picked from commit 36b1715e86)
(cherry picked from commit 94486eb4c0)
(cherry picked from commit e7b4507de4)
changes/45/726945/1
Goutham Pacha Ravi 2 months ago
parent
commit
3f2f7b66b1
14 changed files with 51 additions and 16 deletions
  1. +0
    -15
      contrib/ci/post_test_hook.sh
  2. +2
    -0
      contrib/ci/pre_test_hook.sh
  3. +25
    -0
      devstack/plugin.sh
  4. +5
    -0
      devstack/settings
  5. +4
    -1
      doc/source/contributor/samples/cephfs_local.conf
  6. +3
    -0
      doc/source/contributor/samples/container_local.conf
  7. +3
    -0
      doc/source/contributor/samples/lvm_local.conf
  8. +3
    -0
      doc/source/contributor/samples/zfsonlinux_local.conf
  9. +1
    -0
      playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml
  10. +1
    -0
      playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml
  11. +1
    -0
      playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml
  12. +1
    -0
      playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml
  13. +1
    -0
      playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml
  14. +1
    -0
      playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml

+ 0
- 15
contrib/ci/post_test_hook.sh

@@ -342,21 +342,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
source $BASE/new/manila/contrib/ci/common.sh
manila_wait_for_drivers_init $MANILA_CONF


TCP_PORTS=(2049 111 32803 892 875 662)
UDP_PORTS=(111 32769 892 875 662)
for ipcmd in iptables ip6tables; do
# (aovchinnikov): extra rules are needed to allow instances talk to host.
sudo $ipcmd -N manila-nfs
sudo $ipcmd -I INPUT 1 -j manila-nfs
for port in ${TCP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
done
for port in ${UDP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
done
done

source $BASE/new/devstack/openrc admin admin
public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
iniset $TEMPEST_CONFIG network public_network_id $public_net_id


+ 2
- 0
contrib/ci/pre_test_hook.sh

@@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf

echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf

echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf

# === Handle script arguments ===
# First argument is expected to be a boolean-like value for DHSS.
DHSS=$1


+ 25
- 0
devstack/plugin.sh

@@ -1019,6 +1019,24 @@ function install_libraries {
fi
}

function allow_host_ports_for_share_mounting {

TCP_PORTS=(2049 111 32803 892 875 662)
UDP_PORTS=(111 32769 892 875 662)
for ipcmd in iptables ip6tables; do
# (aovchinnikov): extra rules are needed to allow instances talk to
# host.
sudo $ipcmd -N manila-nfs
sudo $ipcmd -I INPUT 1 -j manila-nfs
for port in ${TCP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
done
for port in ${UDP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
done
done
}

function setup_ipv6 {

# This will fail with multiple default routes and is not needed in CI
@@ -1266,6 +1284,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then

echo_summary "Update Tempest config"
update_tempest


if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
allow_host_ports_for_share_mounting
fi

fi

if [[ "$1" == "unstack" ]]; then
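Review bot: The ACCEPT rules added in `allow_host_ports_for_share_mounting` match any source address on any interface, for both iptables and ip6tables, and the `manila-nfs` chain is jumped to from position 1 of INPUT, so with the option enabled rpcbind (111) and the other NFS-related ports become reachable from every network that can reach the devstack host, not only the project networks the commit message describes. Consider scoping the rules with a source match, e.g. `sudo $ipcmd -A manila-nfs -s "$allowed_cidr" -m tcp -p tcp --dport $port -j ACCEPT`, where `allowed_cidr` is a placeholder for the per-family ranges that actually need to mount shares. The function is also not re-runnable: `-N manila-nfs` fails when the chain already exists and `-I INPUT 1` then adds a second jump; `sudo $ipcmd -C INPUT -j manila-nfs 2>/dev/null || sudo $ipcmd -I INPUT 1 -j manila-nfs` avoids the duplicate. The `unstack` branch starts at the end of the second hunk but its body is outside it, so whether the chain is removed on teardown cannot be confirmed from here; nothing in the visible lines cleans it up.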


+ 5
- 0
devstack/settings

@@ -158,6 +158,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated
MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated
MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated

# Enable this option when using a storage backend that is on the same host
# as the devstack host, these iptable rules are necessary to allow mounting
# shares from the host
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}

# Options for configuration of LVM share driver
SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
SHARE_GROUP=${SHARE_GROUP:-lvm-shares}
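Review bot: The comment above `MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST` does not say what enabling the option changes on the host, which is what someone deciding whether to set it needs to know. Going by the plugin.sh section of this commit, it adds a `manila-nfs` chain at the top of INPUT that accepts TCP 2049, 111, 32803, 892, 875, 662 and UDP 111, 32769, 892, 875, 662 for both iptables and ip6tables, with no source restriction. I would reword the comment along the lines of `# When True, the plugin adds iptables/ip6tables ACCEPT rules for the NFS-related ports on this host, from any source.` followed by `# Leave False unless shares are exported from the devstack host itself.`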


+ 4
- 1
doc/source/contributor/samples/cephfs_local.conf

@@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs
# CEPHFS backend options
MANILA_SERVICE_IMAGE_ENABLED=False
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False'
MANILA_CONFIGURE_DEFAULT_TYPES=True
MANILA_CONFIGURE_DEFAULT_TYPES=True

# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

+ 3
- 0
doc/source/contributor/samples/container_local.conf

@@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True
MANILA_OPTGROUP_prague_driver_handles_share_servers=True
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false'
MANILA_CONFIGURE_DEFAULT_TYPES=True

# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

+ 3
- 0
doc/source/contributor/samples/lvm_local.conf

@@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False
SHARE_BACKING_FILE_SIZE=32000M
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True'
MANILA_CONFIGURE_DEFAULT_TYPES=True

# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

+ 3
- 0
doc/source/contributor/samples/zfsonlinux_local.conf

@@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False
MANILA_REPLICA_STATE_UPDATE_INTERVAL=60
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable'
MANILA_CONFIGURE_DEFAULT_TYPES=True

# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

+ 1
- 0
playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml

@@ -52,6 +52,7 @@

export ENABLED_SERVICES=tempest
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

# Keep localrc to be able to set some vars in pre_test_hook
export KEEP_LOCALRC=1


+ 1
- 0
playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml

@@ -52,6 +52,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

function pre_test_hook {
# 'dhss' - acronym for 'Driver Handles Share Servers',


+ 1
- 0
playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml

@@ -52,6 +52,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

function pre_test_hook {
# 'dhss' - acronym for 'Driver Handles Share Servers',


+ 1
- 0
playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml

@@ -102,6 +102,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
export OVERRIDE_ENABLED_SERVICES



+ 1
- 0
playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml

@@ -66,6 +66,7 @@
export PROJECTS="openstack/devstack-plugin-ceph $PROJECTS"
export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"


+ 1
- 0
playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml

@@ -50,6 +50,7 @@
export MANILA_SETUP_IPV6=True
export RUN_MANILA_IPV6_TESTS=True
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

# Basic services needed for minimal job
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest

