[devstack][ci] Modify firewall in ds-plugin

To set up some first party backends such as
ZFSOnLinux, CephFS via NFS gateway, Container
(where the NAS server is containerized) and LVM,
manila's devstack plugin creates a NAS server
on the devstack host.

On test machines, access to this NAS server is
firewalled from networks outside of the host's
internal network namespace (including from private
project networks that are in different network
namespaces, on the same devstack host).

We currently use a legacy devstack-gate script
to disable firewall on NFS ports; however,
anyone that installs devstack with LVM, Container,
ZFSOnLinux, CephFS-NFS drivers will need these
firewall ports to be opened to be able to mount
shares exported off their devstack host machines.

Move these firewall commands to the devstack plugin.
These commands can be invoked by setting the localrc
variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True.
The value of this variable is False by default,
to preserve existing behavior.

Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44
(cherry picked from commit 36b1715e86)
(cherry picked from commit 94486eb4c0)
This commit is contained in:
Goutham Pacha Ravi 2020-04-28 17:32:07 -07:00
parent 66c27787c7
commit e7b4507de4
15 changed files with 52 additions and 16 deletions

View File

@ -344,21 +344,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
source $BASE/new/manila/contrib/ci/common.sh
manila_wait_for_drivers_init $MANILA_CONF
TCP_PORTS=(2049 111 32803 892 875 662)
UDP_PORTS=(111 32769 892 875 662)
for ipcmd in iptables ip6tables; do
# (aovchinnikov): extra rules are needed to allow instances talk to host.
sudo $ipcmd -N manila-nfs
sudo $ipcmd -I INPUT 1 -j manila-nfs
for port in ${TCP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
done
for port in ${UDP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
done
done
source $BASE/new/devstack/openrc admin admin
public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
iniset $TEMPEST_CONFIG network public_network_id $public_net_id

View File

@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf
echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
# === Handle script arguments ===
# First argument is expected to be a boolean-like value for DHSS.
DHSS=$1

View File

@ -1008,6 +1008,24 @@ function install_libraries {
fi
}
function allow_host_ports_for_share_mounting {
TCP_PORTS=(2049 111 32803 892 875 662)
UDP_PORTS=(111 32769 892 875 662)
for ipcmd in iptables ip6tables; do
# (aovchinnikov): extra rules are needed to allow instances talk to
# host.
sudo $ipcmd -N manila-nfs
sudo $ipcmd -I INPUT 1 -j manila-nfs
for port in ${TCP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
done
for port in ${UDP_PORTS[*]}; do
sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
done
done
}
function setup_ipv6 {
# This will fail with multiple default routes and is not needed in CI
@ -1262,6 +1280,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
echo_summary "Update Tempest config"
update_tempest
if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
allow_host_ports_for_share_mounting
fi
fi
if [[ "$1" == "unstack" ]]; then

View File

@ -157,6 +157,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated
MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated
MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated
# Enable this option when using a storage backend that is on the same host
# as the devstack host, these iptable rules are necessary to allow mounting
# shares from the host
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
# Options for configuration of LVM share driver
SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
SHARE_GROUP=${SHARE_GROUP:-lvm-shares}

View File

@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs
# CEPHFS backend options
MANILA_SERVICE_IMAGE_ENABLED=False
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False'
MANILA_CONFIGURE_DEFAULT_TYPES=True
MANILA_CONFIGURE_DEFAULT_TYPES=True
# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

View File

@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True
MANILA_OPTGROUP_prague_driver_handles_share_servers=True
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false'
MANILA_CONFIGURE_DEFAULT_TYPES=True
# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

View File

@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False
SHARE_BACKING_FILE_SIZE=32000M
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True'
MANILA_CONFIGURE_DEFAULT_TYPES=True
# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

View File

@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False
MANILA_REPLICA_STATE_UPDATE_INTERVAL=60
MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable'
MANILA_CONFIGURE_DEFAULT_TYPES=True
# Required for mounting shares
MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

View File

@ -52,6 +52,7 @@
export ENABLED_SERVICES=tempest
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
# Keep localrc to be able to set some vars in pre_test_hook
export KEEP_LOCALRC=1

View File

@ -51,6 +51,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
export DEVSTACK_GATE_USE_PYTHON3=True

View File

@ -51,6 +51,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
export DEVSTACK_GATE_USE_PYTHON3=True

View File

@ -103,6 +103,7 @@
export KEEP_LOCALRC=1
export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
export OVERRIDE_ENABLED_SERVICES

View File

@ -66,6 +66,7 @@
export DEVSTACK_GATE_NEUTRON=1
export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
export MANILA_SETUP_IPV6=True
export RUN_MANILA_IPV6_TESTS=True

View File

@ -52,6 +52,7 @@
export MANILA_SETUP_IPV6=True
export RUN_MANILA_IPV6_TESTS=True
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
# Basic services needed for minimal job
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest

View File

@ -50,6 +50,7 @@
export MANILA_SETUP_IPV6=True
export RUN_MANILA_IPV6_TESTS=True
export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
# Basic services needed for minimal job
OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest