[devstack][ci] Modify firewall in ds-plugin

To set up some first party backends such as
ZFSOnLinux, CephFS via NFS gateway, Container
(where the NAS server is containerized) and LVM,
manila's devstack plugin creates a NAS server
on the devstack host.

On test machines, access to this NAS server is
firewalled from networks outside of the host's
internal network namespace (including from private
project networks that are in different network
namespaces, on the same devstack host).

We currently use a legacy devstack-gate script
to disable the firewall on the NFS ports; however,
anyone who installs devstack with the LVM, Container,
ZFSOnLinux or CephFS-NFS drivers will need these
firewall ports opened to be able to mount
shares exported from their devstack host machine.

Move these firewall commands to the devstack plugin.
These commands can be invoked by setting the localrc
variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True.
The value of this variable is False by default,
to preserve existing behavior.

Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44
(cherry picked from commit 36b1715e86)
(cherry picked from commit 94486eb4c0)
(cherry picked from commit e7b4507de4)
(cherry picked from commit 3f2f7b66b1)
(cherry picked from commit 4008c86f4e)
Goutham Pacha Ravi 2020-04-28 17:32:07 -07:00
parent 58499f378d
commit e517c01ddb
9 changed files with 37 additions and 15 deletions


@ -334,21 +334,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
source $BASE/new/manila/contrib/ci/common.sh
manila_wait_for_drivers_init $MANILA_CONF
TCP_PORTS=(2049 111 32803 892 875 662)
UDP_PORTS=(111 32769 892 875 662)
for ipcmd in iptables ip6tables; do
# (aovchinnikov): extra rules are needed to allow instances talk to host.
sudo $ipcmd -N manila-nfs
sudo $ipcmd -I INPUT 1 -j manila-nfs
for port in ${TCP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
done
for port in ${UDP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
done
done
source $BASE/new/devstack/openrc admin admin
public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
iniset $TEMPEST_CONFIG network public_network_id $public_net_id


@ -43,6 +43,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf
echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
# === Handle script arguments ===
# First argument is expected to be a boolean-like value for DHSS.
DHSS=$1


@ -961,6 +961,24 @@ function install_libraries {
fi
}
function allow_host_ports_for_share_mounting {
TCP_PORTS=(2049 111 32803 892 875 662)
UDP_PORTS=(111 32769 892 875 662)
for ipcmd in iptables ip6tables; do
# (aovchinnikov): extra rules are needed to allow instances talk to
# host.
sudo $ipcmd -N manila-nfs
sudo $ipcmd -I INPUT 1 -j manila-nfs
for port in ${TCP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
done
for port in ${UDP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
done
done
}
function setup_ipv6 {
# save IPv6 default route to add back later after enabling forwarding
@ -1181,6 +1199,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
echo_summary "Update Tempest config"
update_tempest
if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
allow_host_ports_for_share_mounting
fi
fi
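Review bot: `sudo $ipcmd -N manila-nfs` at the top of `allow_host_ports_for_share_mounting` is not re-runnable: on a re-stack, or on any host where the chain survived an earlier run, `-N` fails with "Chain already exists", which aborts stacking under devstack's errexit, and even if it did not, every run would prepend another `-j manila-nfs` jump at INPUT position 1 and append a second copy of each ACCEPT. Reusing and flushing an existing chain, and checking with `-C` before `-I`, makes the function idempotent without changing which ports it opens; the two port arrays can also be `local` so they do not leak into devstack's global namespace. The `unstack` branch that begins on the line after this hunk is outside the view, so I cannot tell whether the chain and the INPUT jump are removed there; if they are not, the ACCEPT rules persist after unstack. The per-port loops are unchanged below.
```shell
function allow_host_ports_for_share_mounting {
    local TCP_PORTS=(2049 111 32803 892 875 662)
    local UDP_PORTS=(111 32769 892 875 662)
    for ipcmd in iptables ip6tables; do
        # Re-runnable: reuse (and empty) an existing chain instead of failing,
        # and only insert the INPUT jump if it is not already present.
        sudo $ipcmd -N manila-nfs 2>/dev/null || sudo $ipcmd -F manila-nfs
        sudo $ipcmd -C INPUT -j manila-nfs 2>/dev/null || sudo $ipcmd -I INPUT 1 -j manila-nfs
        # … unchanged: per-port TCP and UDP ACCEPT loops …
    done
}
```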
if [[ "$1" == "unstack" ]]; then


@ -149,6 +149,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated
MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated
MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated
# Enable this option when using a storage backend that is on the same host
# as the devstack host, these iptable rules are necessary to allow mounting
# shares from the host
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
# Options for configuration of LVM share driver
SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
SHARE_GROUP=${SHARE_GROUP:-lvm-shares}
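Review bot: The new comment above `MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST` says when to enable the option but not what it exposes: the rules the option installs in the plugin ACCEPT the listed TCP and UDP ports with no `-i` or `-s` restriction, so the host's NAS server becomes reachable from every network the devstack host is attached to, not only from project networks. Since this settings file is where operators choose the value, I would state that next to the default, e.g. `# The rules this installs ACCEPT the NFS/rpcbind-related ports on every interface from any source, not only from project networks; leave it False on hosts reachable from untrusted networks.` The phrase "a storage backend that is on the same host as the devstack host" is also confusing, since the backend is on the devstack host; `# Enable this option when the NAS server (LVM, ZFSOnLinux, Container or CephFS-NFS backends) runs on the devstack host itself.` reads more clearly.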


@ -52,6 +52,7 @@
export ENABLED_SERVICES=tempest
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
# Keep localrc to be able to set some vars in pre_test_hook
export KEEP_LOCALRC=1


@ -53,6 +53,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
function pre_test_hook {
# 'dhss' - acronym for 'Driver Handles Share Servers',


@ -53,6 +53,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
function pre_test_hook {
# 'dhss' - acronym for 'Driver Handles Share Servers',


@ -77,6 +77,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
export OVERRIDE_ENABLED_SERVICES


@ -58,6 +58,7 @@
export MANILA_SETUP_IPV6=True
export RUN_MANILA_IPV6_TESTS=True
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
# Basic services needed for minimal job
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest