From 36b1715e86919a739d3639f9c0d2c80e9f853e7a Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Tue, 28 Apr 2020 17:32:07 -0700 Subject: [PATCH] [devstack][ci] Modify firewall in ds-plugin To set up some first party backends such as ZFSOnLinux, CephFS via NFS gateway, Container (where the NAS server is containerized) and LVM, manila's devstack plugin creates a NAS server on the devstack host. On test machines, access to this NAS server is firewalled from networks outside of the host's internal network namespace (including from private project networks that are in different network namespaces, on the same devstack host). We currently use a legacy devstack-gate script to disable firewall on NFS ports; however, anyone that installs devstack with LVM, Container, ZFSOnLinux, CephFS-NFS drivers will need these firewall ports to be opened to be able to mount shares exported off their devstack host machines. Move these firewall commands to the devstack plugin. These commands can be invoked by setting the localrc variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True. The value of this variable is False by default, to preserve existing behavior. Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44 --- contrib/ci/post_test_hook.sh | 15 ----------- contrib/ci/pre_test_hook.sh | 2 ++ devstack/plugin.sh | 25 +++++++++++++++++++ devstack/settings | 5 ++++ .../contributor/samples/cephfs_local.conf | 5 +++- .../contributor/samples/container_local.conf | 3 +++ doc/source/contributor/samples/lvm_local.conf | 3 +++ .../contributor/samples/zfsonlinux_local.conf | 3 +++ .../run.yaml | 1 + .../run.yaml | 1 + .../run.yaml | 1 + .../run.yaml | 1 + .../run.yaml | 1 + .../run-ipv6.yaml | 1 + .../manila-tempest-minimal-dsvm-lvm/run.yaml | 1 + 15 files changed, 52 insertions(+), 16 deletions(-) diff --git a/contrib/ci/post_test_hook.sh b/contrib/ci/post_test_hook.sh index 59c250a4e8..9b21746e3d 100755 --- a/contrib/ci/post_test_hook.sh +++ b/contrib/ci/post_test_hook.sh @@ -345,21 +345,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME source $BASE/new/manila/contrib/ci/common.sh manila_wait_for_drivers_init $MANILA_CONF - -TCP_PORTS=(2049 111 32803 892 875 662) -UDP_PORTS=(111 32769 892 875 662) -for ipcmd in iptables ip6tables; do - # (aovchinnikov): extra rules are needed to allow instances talk to host. - sudo $ipcmd -N manila-nfs - sudo $ipcmd -I INPUT 1 -j manila-nfs - for port in ${TCP_PORTS[*]}; do - sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT - done - for port in ${UDP_PORTS[*]}; do - sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT - done -done - source $BASE/new/devstack/openrc admin admin public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID ) iniset $TEMPEST_CONFIG network public_network_id $public_net_id diff --git a/contrib/ci/pre_test_hook.sh b/contrib/ci/pre_test_hook.sh index e5566bbf20..350f7f4f48 100755 --- a/contrib/ci/pre_test_hook.sh +++ b/contrib/ci/pre_test_hook.sh @@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf +echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf + # === Handle script arguments === # First argument is expected to be a boolean-like value for DHSS. DHSS=$1 diff --git a/devstack/plugin.sh b/devstack/plugin.sh index e93ee3d40d..cc13e65013 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -1010,6 +1010,24 @@ function install_libraries { fi } +function allow_host_ports_for_share_mounting { + + TCP_PORTS=(2049 111 32803 892 875 662) + UDP_PORTS=(111 32769 892 875 662) + for ipcmd in iptables ip6tables; do + # (aovchinnikov): extra rules are needed to allow instances talk to + # host. + sudo $ipcmd -N manila-nfs + sudo $ipcmd -I INPUT 1 -j manila-nfs + for port in ${TCP_PORTS[*]}; do + sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT + done + for port in ${UDP_PORTS[*]}; do + sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT + done + done +} + function setup_ipv6 { # This will fail with multiple default routes and is not needed in CI @@ -1264,6 +1282,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then echo_summary "Update Tempest config" update_tempest + + + if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then + echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host" + allow_host_ports_for_share_mounting + fi + fi if [[ "$1" == "unstack" ]]; then diff --git a/devstack/settings b/devstack/settings index 59808b0988..263ba6995b 100644 --- a/devstack/settings +++ b/devstack/settings @@ -158,6 +158,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated +# Enable this option when using a storage backend that is on the same host +# as the devstack host, these iptable rules are necessary to allow mounting +# shares from the host +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False} + # Options for configuration of LVM share driver SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M} SHARE_GROUP=${SHARE_GROUP:-lvm-shares} diff --git a/doc/source/contributor/samples/cephfs_local.conf b/doc/source/contributor/samples/cephfs_local.conf index d25e7137e6..97569d8276 100644 --- a/doc/source/contributor/samples/cephfs_local.conf +++ b/doc/source/contributor/samples/cephfs_local.conf @@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs # CEPHFS backend options MANILA_SERVICE_IMAGE_ENABLED=False MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False' -MANILA_CONFIGURE_DEFAULT_TYPES=True \ No newline at end of file +MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/doc/source/contributor/samples/container_local.conf b/doc/source/contributor/samples/container_local.conf index c892e17211..a5ab8e95f7 100644 --- a/doc/source/contributor/samples/container_local.conf +++ b/doc/source/contributor/samples/container_local.conf @@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True MANILA_OPTGROUP_prague_driver_handles_share_servers=True MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false' MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/doc/source/contributor/samples/lvm_local.conf b/doc/source/contributor/samples/lvm_local.conf index a61785a6b4..507634010f 100644 --- a/doc/source/contributor/samples/lvm_local.conf +++ b/doc/source/contributor/samples/lvm_local.conf @@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False SHARE_BACKING_FILE_SIZE=32000M MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True' MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/doc/source/contributor/samples/zfsonlinux_local.conf b/doc/source/contributor/samples/zfsonlinux_local.conf index db8db895e6..f7eb80e02d 100644 --- a/doc/source/contributor/samples/zfsonlinux_local.conf +++ b/doc/source/contributor/samples/zfsonlinux_local.conf @@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False MANILA_REPLICA_STATE_UPDATE_INTERVAL=60 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable' MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml index 418576f572..6d6c37d1a6 100644 --- a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml +++ b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml @@ -52,6 +52,7 @@ export ENABLED_SERVICES=tempest export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True # Keep localrc to be able to set some vars in pre_test_hook export KEEP_LOCALRC=1 diff --git a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml index 7e6a7cd3a0..b89d067c29 100644 --- a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml +++ b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml @@ -51,6 +51,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True export DEVSTACK_GATE_USE_PYTHON3=True diff --git a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml index e091f9cc5a..0d14bca245 100644 --- a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml +++ b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml @@ -51,6 +51,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True export DEVSTACK_GATE_USE_PYTHON3=True diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml index b3776a4b54..a48cf67d05 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml @@ -103,6 +103,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest export OVERRIDE_ENABLED_SERVICES diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml index 8ce783ff84..8205e05c20 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml @@ -65,6 +65,7 @@ export DEVSTACK_GATE_NEUTRON=1 export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml index acbc3bc00f..aa17f4472c 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml @@ -51,6 +51,7 @@ export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True # Basic services needed for minimal job OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml index 4f423586dc..d7f363ef24 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml @@ -49,6 +49,7 @@ export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True # Basic services needed for minimal job OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest