From 3f2f7b66b112f34412da3e998486b239ff372905 Mon Sep 17 00:00:00 2001
From: Goutham Pacha Ravi
Date: Tue, 28 Apr 2020 17:32:07 -0700
Subject: [PATCH] [devstack][ci] Modify firewall in ds-plugin

To set up some first party backends such as ZFSOnLinux, CephFS via NFS gateway, Container (where the NAS server is containerized) and LVM, manila's devstack plugin creates a NAS server on the devstack host. On test machines, access to this NAS server is firewalled from networks outside of the host's internal network namespace (including from private project networks that are in different network namespaces, on the same devstack host). We currently use a legacy devstack-gate script to disable firewall on NFS ports; however, anyone that installs devstack with LVM, Container, ZFSOnLinux, CephFS-NFS drivers will need these firewall ports to be opened to be able to mount shares exported off their devstack host machines. Move these firewall commands to the devstack plugin. These commands can be invoked by setting the localrc variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True. The value of this variable is False by default, to preserve existing behavior.

Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44
(cherry picked from commit 36b1715e86919a739d3639f9c0d2c80e9f853e7a)
(cherry picked from commit 94486eb4c09ac64f0e7cdf34945a84b11c1b0ae0)
(cherry picked from commit e7b4507de4e8fbb8f2a1919519ddb22e545ac0c7)
---
 contrib/ci/post_test_hook.sh | 15 ----------
 contrib/ci/pre_test_hook.sh | 2 ++
 devstack/plugin.sh | 25 +++++++++++++++++++
 devstack/settings | 5 ++++
 .../contributor/samples/cephfs_local.conf | 5 +++-
 .../contributor/samples/container_local.conf | 3 +++
 doc/source/contributor/samples/lvm_local.conf | 3 +++
 .../contributor/samples/zfsonlinux_local.conf | 3 +++
 .../run.yaml | 1 +
 .../run.yaml | 1 +
 .../run.yaml | 1 +
 .../run.yaml | 1 +
 .../run.yaml | 1 +
 .../manila-tempest-minimal-dsvm-lvm/run.yaml | 1 +
 14 files changed, 51 insertions(+), 16 deletions(-)
diff --git a/contrib/ci/post_test_hook.sh b/contrib/ci/post_test_hook.sh
index 8aa67e9e9b..8c36c4a9ae 100755
--- a/contrib/ci/post_test_hook.sh
+++ b/contrib/ci/post_test_hook.sh
@@ -342,21 +342,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
 source $BASE/new/manila/contrib/ci/common.sh manila_wait_for_drivers_init $MANILA_CONF
-
-TCP_PORTS=(2049 111 32803 892 875 662)
-UDP_PORTS=(111 32769 892 875 662)
-for ipcmd in iptables ip6tables; do
- # (aovchinnikov): extra rules are needed to allow instances talk to host.
- sudo $ipcmd -N manila-nfs
- sudo $ipcmd -I INPUT 1 -j manila-nfs
- for port in ${TCP_PORTS[*]}; do
- sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
- done
- for port in ${UDP_PORTS[*]}; do
- sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
- done
-done
-
 source $BASE/new/devstack/openrc admin admin public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID ) iniset $TEMPEST_CONFIG network public_network_id $public_net_id
diff --git a/contrib/ci/pre_test_hook.sh b/contrib/ci/pre_test_hook.sh
index 00ce5d6fbf..4905a02979 100755
--- a/contrib/ci/pre_test_hook.sh
+++ b/contrib/ci/pre_test_hook.sh
@@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf
 echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
+echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
+
 # === Handle script arguments === # First argument is expected to be a boolean-like value for DHSS. DHSS=$1
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index f5e6785d83..988e85eaae 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -1019,6 +1019,24 @@ function install_libraries {
 fi }
+function allow_host_ports_for_share_mounting {
+ TCP_PORTS=(2049 111 32803 892 875 662)
+ UDP_PORTS=(111 32769 892 875 662)
+ for ipcmd in iptables ip6tables; do
+ # (aovchinnikov): extra rules are needed to allow instances talk to
+ # host.
+ sudo $ipcmd -N manila-nfs
+ sudo $ipcmd -I INPUT 1 -j manila-nfs
+ for port in ${TCP_PORTS[*]}; do
+ sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
+ done
+ for port in ${UDP_PORTS[*]}; do
+ sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
+ done
+ done
+}
+
 function setup_ipv6 { # This will fail with multiple default routes and is not needed in CI
@@ -1266,6 +1284,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 echo_summary "Update Tempest config" update_tempest
+
+
+ if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
+ echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
+ allow_host_ports_for_share_mounting
+ fi
+
 fi if [[ "$1" == "unstack" ]]; then
diff --git a/devstack/settings b/devstack/settings
index 15b2fd7d40..e04621888d 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -158,6 +158,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated
 MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated
+# Enable this option when using a storage backend that is on the same host
+# as the devstack host, these iptable rules are necessary to allow mounting
+# shares from the host
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
+
 # Options for configuration of LVM share driver SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M} SHARE_GROUP=${SHARE_GROUP:-lvm-shares}
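Review bot: `allow_host_ports_for_share_mounting` is not idempotent and has no teardown: `sudo $ipcmd -N manila-nfs` fails on a second run because the chain already exists, `-I INPUT 1 -j manila-nfs` prepends a duplicate jump each time, and nothing removes the chain in the `unstack` branch that is visible as trailing context of the second hunk (its body is outside the hunk), so the widened INPUT policy survives `unstack.sh`. The ACCEPT rules also carry no `-s`/`-i` restriction, so on a host with a routable interface these NFS and rpcbind ports are reachable from outside, not only from the project networks the commit message describes; that is worth stating in the settings comment. Suggest guarding chain creation, flushing before re-adding rules, adding a cleanup helper and calling it from the `unstack` branch. `TCP_PORTS`/`UDP_PORTS` should also be `local` and iterated as `"${TCP_PORTS[@]}"`, since plugin.sh is sourced by devstack and the bare names leak into its shell.
```shell
function allow_host_ports_for_share_mounting {
    local TCP_PORTS=(2049 111 32803 892 875 662)
    local UDP_PORTS=(111 32769 892 875 662)
    local ipcmd port
    for ipcmd in iptables ip6tables; do
        # (aovchinnikov): extra rules are needed to allow instances talk to
        # host. Create the chain and the INPUT jump only once, and flush the
        # chain, so re-running stack.sh neither fails nor stacks duplicates.
        sudo $ipcmd -n -L manila-nfs >/dev/null 2>&1 || sudo $ipcmd -N manila-nfs
        sudo $ipcmd -F manila-nfs
        sudo $ipcmd -C INPUT -j manila-nfs 2>/dev/null || sudo $ipcmd -I INPUT 1 -j manila-nfs
        for port in "${TCP_PORTS[@]}"; do
            sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport "$port" -j ACCEPT
        done
        for port in "${UDP_PORTS[@]}"; do
            sudo $ipcmd -A manila-nfs -m udp -p udp --dport "$port" -j ACCEPT
        done
    done
}

# Counterpart for the unstack phase: unhook, flush and delete the chain.
function remove_host_ports_for_share_mounting {
    local ipcmd
    for ipcmd in iptables ip6tables; do
        sudo $ipcmd -D INPUT -j manila-nfs 2>/dev/null || true
        sudo $ipcmd -F manila-nfs 2>/dev/null || true
        sudo $ipcmd -X manila-nfs 2>/dev/null || true
    done
}
```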
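Review bot: The comment above `MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST` in devstack/settings is a run-on sentence ("...as the devstack host, these iptable rules...") and does not say what enabling it changes on the host. Suggest replacing the three comment lines with `# Set to True when the NAS server runs on the devstack host itself (LVM, Container, ZFSOnLinux, CephFS-NFS backends). The plugin then adds iptables/ip6tables rules accepting inbound NFS and rpcbind TCP/UDP ports on the host so shares can be mounted from instances; the rules are not restricted by source address.` This is a documentation-only suggestion.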
diff --git a/doc/source/contributor/samples/cephfs_local.conf b/doc/source/contributor/samples/cephfs_local.conf
index 189cfebb56..f7a3593e93 100644
--- a/doc/source/contributor/samples/cephfs_local.conf
+++ b/doc/source/contributor/samples/cephfs_local.conf
@@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs
 # CEPHFS backend options MANILA_SERVICE_IMAGE_ENABLED=False MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False'
-MANILA_CONFIGURE_DEFAULT_TYPES=True
\ No newline at end of file
+MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
diff --git a/doc/source/contributor/samples/container_local.conf b/doc/source/contributor/samples/container_local.conf
index 66ab39b569..bf0556242f 100644
--- a/doc/source/contributor/samples/container_local.conf
+++ b/doc/source/contributor/samples/container_local.conf
@@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True
 MANILA_OPTGROUP_prague_driver_handles_share_servers=True MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false' MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
diff --git a/doc/source/contributor/samples/lvm_local.conf b/doc/source/contributor/samples/lvm_local.conf
index 342d852c56..54a1e29230 100644
--- a/doc/source/contributor/samples/lvm_local.conf
+++ b/doc/source/contributor/samples/lvm_local.conf
@@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False
 SHARE_BACKING_FILE_SIZE=32000M MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True' MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
diff --git a/doc/source/contributor/samples/zfsonlinux_local.conf b/doc/source/contributor/samples/zfsonlinux_local.conf
index 076a17c22c..edffdec137 100644
--- a/doc/source/contributor/samples/zfsonlinux_local.conf
+++ b/doc/source/contributor/samples/zfsonlinux_local.conf
@@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False
 MANILA_REPLICA_STATE_UPDATE_INTERVAL=60 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable' MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
diff --git a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml
index 418576f572..6d6c37d1a6 100644
--- a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml
+++ b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml
@@ -52,6 +52,7 @@ export ENABLED_SERVICES=tempest export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+ export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 # Keep localrc to be able to set some vars in pre_test_hook export KEEP_LOCALRC=1
diff --git a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml
index 63d9d4c77e..3ddbd2940b 100644
--- a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml
+++ b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml
@@ -52,6 +52,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+ export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 function pre_test_hook { # 'dhss' - acronym for 'Driver Handles Share Servers',
diff --git a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml
index fdb96726a4..e18cab91b5 100644
--- a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml
+++ b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml
@@ -52,6 +52,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+ export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 function pre_test_hook { # 'dhss' - acronym for 'Driver Handles Share Servers',
diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml
index bbe7a5cd2a..cbe56d2811 100644
--- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml
@@ -102,6 +102,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+ export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest export OVERRIDE_ENABLED_SERVICES
diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml
index ff8597ef04..7111ff3eeb 100644
--- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml
@@ -66,6 +66,7 @@ export PROJECTS="openstack/devstack-plugin-ceph $PROJECTS" export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+ export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml
index 5c12cc5bd3..073d1afc75 100644
--- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml
@@ -50,6 +50,7 @@ export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+ export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 # Basic services needed for minimal job OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest