[devstack][ci] Modify firewall in ds-plugin
To set up some first party backends such as ZFSOnLinux, CephFS via NFS gateway, Container (where the NAS server is containerized) and LVM, manila's devstack plugin creates a NAS server on the devstack host. On test machines, access to this NAS server is firewalled from networks outside of the host's internal network namespace (including from private project networks that are in different network namespaces on the same devstack host). We currently use a legacy devstack-gate script to disable the firewall on NFS ports; however, anyone who installs devstack with the LVM, Container, ZFSOnLinux or CephFS-NFS drivers will need these firewall ports opened in order to mount shares exported from their devstack host machine. Move these firewall commands to the devstack plugin. They can be invoked by setting the localrc variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True. The value of this variable is False by default, to preserve existing behavior.

Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44
(cherry picked from commit 36b1715e86)
(cherry picked from commit 94486eb4c0)
(cherry picked from commit e7b4507de4)
(cherry picked from commit 3f2f7b66b1)
(cherry picked from commit 4008c86f4e)
parent
58499f378d
commit
e517c01ddb
|
@ -334,21 +334,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
|
||||||
source $BASE/new/manila/contrib/ci/common.sh
|
source $BASE/new/manila/contrib/ci/common.sh
|
||||||
manila_wait_for_drivers_init $MANILA_CONF
|
manila_wait_for_drivers_init $MANILA_CONF
|
||||||
|
|
||||||
|
|
||||||
TCP_PORTS=(2049 111 32803 892 875 662)
|
|
||||||
UDP_PORTS=(111 32769 892 875 662)
|
|
||||||
for ipcmd in iptables ip6tables; do
|
|
||||||
# (aovchinnikov): extra rules are needed to allow instances talk to host.
|
|
||||||
sudo $ipcmd -N manila-nfs
|
|
||||||
sudo $ipcmd -I INPUT 1 -j manila-nfs
|
|
||||||
for port in ${TCP_PORTS[*]}; do
|
|
||||||
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
|
|
||||||
done
|
|
||||||
for port in ${UDP_PORTS[*]}; do
|
|
||||||
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
source $BASE/new/devstack/openrc admin admin
|
source $BASE/new/devstack/openrc admin admin
|
||||||
public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
|
public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
|
||||||
iniset $TEMPEST_CONFIG network public_network_id $public_net_id
|
iniset $TEMPEST_CONFIG network public_network_id $public_net_id
|
||||||
|
|
|
@ -43,6 +43,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf
|
||||||
|
|
||||||
echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
|
echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
|
||||||
|
|
||||||
|
echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
|
||||||
|
|
||||||
# === Handle script arguments ===
|
# === Handle script arguments ===
|
||||||
# First argument is expected to be a boolean-like value for DHSS.
|
# First argument is expected to be a boolean-like value for DHSS.
|
||||||
DHSS=$1
|
DHSS=$1
|
||||||
|
|
|
@ -961,6 +961,24 @@ function install_libraries {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function allow_host_ports_for_share_mounting {
|
||||||
|
|
||||||
|
TCP_PORTS=(2049 111 32803 892 875 662)
|
||||||
|
UDP_PORTS=(111 32769 892 875 662)
|
||||||
|
for ipcmd in iptables ip6tables; do
|
||||||
|
# (aovchinnikov): extra rules are needed to allow instances talk to
|
||||||
|
# host.
|
||||||
|
sudo $ipcmd -N manila-nfs
|
||||||
|
sudo $ipcmd -I INPUT 1 -j manila-nfs
|
||||||
|
for port in ${TCP_PORTS[*]}; do
|
||||||
|
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
|
||||||
|
done
|
||||||
|
for port in ${UDP_PORTS[*]}; do
|
||||||
|
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
|
||||||
|
done
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
function setup_ipv6 {
|
function setup_ipv6 {
|
||||||
|
|
||||||
# save IPv6 default route to add back later after enabling forwarding
|
# save IPv6 default route to add back later after enabling forwarding
|
||||||
|
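Review bot: allow_host_ports_for_share_mounting is not safe to run twice: `sudo $ipcmd -N manila-nfs` fails once the chain exists, and `sudo $ipcmd -I INPUT 1 -j manila-nfs` inserts a fresh jump on every call, so a second stack run (or a re-run of the test-config phase) either aborts under devstack's errexit or leaves duplicate jumps and ACCEPT rules. TCP_PORTS, UDP_PORTS, ipcmd and port are also assigned as globals from inside the function. The rules accept the listed ports from any source address on both address families; the function has no header comment, and one stating that exposure and the port list would help anyone enabling MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST outside CI. The creation lines can be made idempotent with `-C` to test for the jump and `-F` to flush an existing chain, leaving the per-port loops unchanged.
```shell
function allow_host_ports_for_share_mounting {
    # Opens the NFS-related TCP/UDP ports below in INPUT for iptables and
    # ip6tables, from any source, so shares exported by a NAS server on the
    # devstack host can be mounted from other network namespaces.
    local -a TCP_PORTS=(2049 111 32803 892 875 662)
    local -a UDP_PORTS=(111 32769 892 875 662)
    local ipcmd port
    for ipcmd in iptables ip6tables; do
        # (aovchinnikov): extra rules are needed to allow instances talk to
        # host.
        # Re-runs must not fail on an existing chain or stack a second
        # INPUT jump: flush an existing chain instead of re-creating it.
        sudo $ipcmd -N manila-nfs 2>/dev/null || sudo $ipcmd -F manila-nfs
        sudo $ipcmd -C INPUT -j manila-nfs 2>/dev/null || \
            sudo $ipcmd -I INPUT 1 -j manila-nfs
        # … unchanged: per-port ACCEPT rules for TCP_PORTS and UDP_PORTS …
    done
}
```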
@ -1181,6 +1199,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
|
||||||
|
|
||||||
echo_summary "Update Tempest config"
|
echo_summary "Update Tempest config"
|
||||||
update_tempest
|
update_tempest
|
||||||
|
|
||||||
|
|
||||||
|
if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
|
||||||
|
echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
|
||||||
|
allow_host_ports_for_share_mounting
|
||||||
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$1" == "unstack" ]]; then
|
if [[ "$1" == "unstack" ]]; then
|
||||||
|
|
|
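Review bot: The new test-config branch installs the manila-nfs chain and INPUT jump, but nothing in the `unstack` branch that starts at the bottom of this hunk removes them, so the opened ports outlive unstack.sh and persist on the host until reboot or a manual iptables cleanup. The unstack branch's body is outside the hunk, so I cannot tell whether it touches the firewall elsewhere; if it does not, a teardown gated on the same trueorfalse check is the natural counterpart of the new call, ideally as a helper placed next to allow_host_ports_for_share_mounting.
```shell
if [[ "$1" == "unstack" ]]; then
    if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
        echo_summary "Removing NAS port rules from the host firewall"
        for ipcmd in iptables ip6tables; do
            # best effort: the chain may be absent if stack never reached test-config
            sudo $ipcmd -D INPUT -j manila-nfs 2>/dev/null || true
            sudo $ipcmd -F manila-nfs 2>/dev/null || true
            sudo $ipcmd -X manila-nfs 2>/dev/null || true
        done
    fi
    # … unchanged: existing unstack steps …
```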
@ -149,6 +149,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated
|
||||||
MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated
|
MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated
|
||||||
MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated
|
MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated
|
||||||
|
|
||||||
|
# Enable this option when using a storage backend that is on the same host
|
||||||
|
# as the devstack host, these iptable rules are necessary to allow mounting
|
||||||
|
# shares from the host
|
||||||
|
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
|
||||||
|
|
||||||
# Options for configuration of LVM share driver
|
# Options for configuration of LVM share driver
|
||||||
SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
|
SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
|
||||||
SHARE_GROUP=${SHARE_GROUP:-lvm-shares}
|
SHARE_GROUP=${SHARE_GROUP:-lvm-shares}
|
||||||
|
|
|
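Review bot: The comment above the new MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST default is a run-on and does not say what the option actually changes on the host: that the plugin adds iptables and ip6tables INPUT rules accepting the NFS-related ports from any source, and that they persist beyond the devstack run. A setting that opens firewall ports should document that exposure where the operator reads it. Suggested replacement: `# Set to True when the share backend runs on the devstack host itself (LVM,` / `# Container, ZFSOnLinux, CephFS-NFS): the plugin then adds iptables/ip6tables` / `# INPUT rules accepting the NFS ports from any source so shares can be mounted.`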
@ -52,6 +52,7 @@
|
||||||
|
|
||||||
export ENABLED_SERVICES=tempest
|
export ENABLED_SERVICES=tempest
|
||||||
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
||||||
|
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
|
||||||
|
|
||||||
# Keep localrc to be able to set some vars in pre_test_hook
|
# Keep localrc to be able to set some vars in pre_test_hook
|
||||||
export KEEP_LOCALRC=1
|
export KEEP_LOCALRC=1
|
||||||
|
|
|
@ -53,6 +53,7 @@
|
||||||
export KEEP_LOCALRC=1
|
export KEEP_LOCALRC=1
|
||||||
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
|
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
|
||||||
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
||||||
|
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
|
||||||
|
|
||||||
function pre_test_hook {
|
function pre_test_hook {
|
||||||
# 'dhss' - acronym for 'Driver Handles Share Servers',
|
# 'dhss' - acronym for 'Driver Handles Share Servers',
|
||||||
|
|
|
@ -53,6 +53,7 @@
|
||||||
export KEEP_LOCALRC=1
|
export KEEP_LOCALRC=1
|
||||||
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
|
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
|
||||||
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
||||||
|
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
|
||||||
|
|
||||||
function pre_test_hook {
|
function pre_test_hook {
|
||||||
# 'dhss' - acronym for 'Driver Handles Share Servers',
|
# 'dhss' - acronym for 'Driver Handles Share Servers',
|
||||||
|
|
|
@ -77,6 +77,7 @@
|
||||||
export KEEP_LOCALRC=1
|
export KEEP_LOCALRC=1
|
||||||
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
|
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
|
||||||
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
||||||
|
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
|
||||||
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
|
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
|
||||||
export OVERRIDE_ENABLED_SERVICES
|
export OVERRIDE_ENABLED_SERVICES
|
||||||
|
|
||||||
|
|
|
@ -58,6 +58,7 @@
|
||||||
export MANILA_SETUP_IPV6=True
|
export MANILA_SETUP_IPV6=True
|
||||||
export RUN_MANILA_IPV6_TESTS=True
|
export RUN_MANILA_IPV6_TESTS=True
|
||||||
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
|
||||||
|
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
|
||||||
|
|
||||||
# Basic services needed for minimal job
|
# Basic services needed for minimal job
|
||||||
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
|
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
|
||||||
|
|