From e7b4507de4e8fbb8f2a1919519ddb22e545ac0c7 Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Tue, 28 Apr 2020 17:32:07 -0700 Subject: [PATCH] [devstack][ci] Modify firewall in ds-plugin To set up some first party backends such as ZFSOnLinux, CephFS via NFS gateway, Container (where the NAS server is containerized) and LVM, manila's devstack plugin creates a NAS server on the devstack host. On test machines, access to this NAS server is firewalled from networks outside of the host's internal network namespace (including from private project networks that are in different network namespaces, on the same devstack host). We currently use a legacy devstack-gate script to disable firewall on NFS ports; however, anyone that installs devstack with LVM, Container, ZFSOnLinux, CephFS-NFS drivers will need these firewall ports to be opened to be able to mount shares exported off their devstack host machines. Move these firewall commands to the devstack plugin. These commands can be invoked by setting the localrc variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True. The value of this variable is False by default, to preserve existing behavior. Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44 (cherry picked from commit 36b1715e86919a739d3639f9c0d2c80e9f853e7a) (cherry picked from commit 94486eb4c09ac64f0e7cdf34945a84b11c1b0ae0) --- contrib/ci/post_test_hook.sh | 15 ----------- contrib/ci/pre_test_hook.sh | 2 ++ devstack/plugin.sh | 25 +++++++++++++++++++ devstack/settings | 5 ++++ .../contributor/samples/cephfs_local.conf | 5 +++- .../contributor/samples/container_local.conf | 3 +++ doc/source/contributor/samples/lvm_local.conf | 3 +++ .../contributor/samples/zfsonlinux_local.conf | 3 +++ .../run.yaml | 1 + .../run.yaml | 1 + .../run.yaml | 1 + .../run.yaml | 1 + .../run.yaml | 1 + .../run-ipv6.yaml | 1 + .../manila-tempest-minimal-dsvm-lvm/run.yaml | 1 + 15 files changed, 52 insertions(+), 16 deletions(-) 
diff --git a/contrib/ci/post_test_hook.sh b/contrib/ci/post_test_hook.sh index 84586de598..1299b5158d 100755 --- a/contrib/ci/post_test_hook.sh +++ b/contrib/ci/post_test_hook.sh @@ -344,21 +344,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME source $BASE/new/manila/contrib/ci/common.sh manila_wait_for_drivers_init $MANILA_CONF - -TCP_PORTS=(2049 111 32803 892 875 662) -UDP_PORTS=(111 32769 892 875 662) -for ipcmd in iptables ip6tables; do - # (aovchinnikov): extra rules are needed to allow instances talk to host. - sudo $ipcmd -N manila-nfs - sudo $ipcmd -I INPUT 1 -j manila-nfs - for port in ${TCP_PORTS[*]}; do - sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT - done - for port in ${UDP_PORTS[*]}; do - sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT - done -done - source $BASE/new/devstack/openrc admin admin public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID ) iniset $TEMPEST_CONFIG network public_network_id $public_net_id diff --git a/contrib/ci/pre_test_hook.sh b/contrib/ci/pre_test_hook.sh index 7499c9777f..b32c48340d 100755 --- a/contrib/ci/pre_test_hook.sh +++ b/contrib/ci/pre_test_hook.sh @@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf +echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf + # === Handle script arguments === # First argument is expected to be a boolean-like value for DHSS. DHSS=$1 diff --git a/devstack/plugin.sh b/devstack/plugin.sh index de1a1aab7a..02e4ff2e9f 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh 
@@ -1008,6 +1008,24 @@ function install_libraries { fi } +function allow_host_ports_for_share_mounting { + + TCP_PORTS=(2049 111 32803 892 875 662) + UDP_PORTS=(111 32769 892 875 662) + for ipcmd in iptables ip6tables; do + # (aovchinnikov): extra rules are needed to allow instances talk to + # host. + sudo $ipcmd -N manila-nfs + sudo $ipcmd -I INPUT 1 -j manila-nfs + for port in ${TCP_PORTS[*]}; do + sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT + done + for port in ${UDP_PORTS[*]}; do + sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT + done + done +} + function setup_ipv6 { # This will fail with multiple default routes and is not needed in CI @@ -1262,6 +1280,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then echo_summary "Update Tempest config" update_tempest + + + if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then + echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host" + allow_host_ports_for_share_mounting + fi + fi if [[ "$1" == "unstack" ]]; then diff --git a/devstack/settings b/devstack/settings index 95cd3bbf3e..f8ba8e7c2e 100644 --- a/devstack/settings +++ b/devstack/settings @@ -157,6 +157,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1} # deprecated MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2} # deprecated MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2} # deprecated +# Enable this option when using a storage backend that is on the same host +# as the devstack host, these iptable rules are necessary to allow mounting +# shares from the host +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False} + # Options for configuration of LVM share driver SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M} SHARE_GROUP=${SHARE_GROUP:-lvm-shares} 
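Review bot: The ACCEPT rules in allow_host_ports_for_share_mounting carry no `-s`/`-i` restriction and the chain is prepended with `-I INPUT 1`, so once enabled the host's NFS, rpcbind, mountd, statd and lockd ports (2049, 111, 892, 875, 662, 32803, 32769) are reachable from any source on any interface, ahead of every existing INPUT rule — considerably broader than the cross-namespace traffic on the same host that the commit message describes. Scoping the two ACCEPT lines with `-s` to the project/service ranges the plugin already knows (or `-i` to the relevant bridge) would keep the exposure to what is needed; I cannot see those variable names in the hunk, so the exact range is for the author to confirm. The function is also not re-runnable: `sudo $ipcmd -N manila-nfs` fails on a second run when the chain already exists, and `-I INPUT 1 -j manila-nfs` stacks another jump each time; `sudo $ipcmd -N manila-nfs 2>/dev/null || sudo $ipcmd -F manila-nfs` followed by `sudo $ipcmd -C INPUT -j manila-nfs 2>/dev/null || sudo $ipcmd -I INPUT 1 -j manila-nfs` makes both steps idempotent. No teardown is visible either — the `if [[ "$1" == "unstack" ]]` branch starts at the end of the second hunk but its body is outside the diff — so presumably the chain survives unstack; a matching `-D INPUT -j manila-nfs`, `-F manila-nfs`, `-X manila-nfs` there would restore the host firewall.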
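Review bot: The new comment in devstack/settings does not say what enabling MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST actually does, and it contains a comma splice ("as the devstack host, these iptable rules ..."), so a user copying one of the sample local.conf files will switch it on without knowing the host firewall is being opened. I would replace the three comment lines with `# Set to True when the NAS server runs on the devstack host itself (LVM, Container,` / `# ZFSOnLinux, CephFS-NFS). Opens the NFS/rpcbind TCP and UDP ports in the host's` / `# iptables/ip6tables INPUT chain to all sources, so leave False on exposed hosts.` — "to all sources" matches the unrestricted ACCEPT rules added in plugin.sh in this same commit.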
diff --git a/doc/source/contributor/samples/cephfs_local.conf b/doc/source/contributor/samples/cephfs_local.conf index 189cfebb56..f7a3593e93 100644 --- a/doc/source/contributor/samples/cephfs_local.conf +++ b/doc/source/contributor/samples/cephfs_local.conf @@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs # CEPHFS backend options MANILA_SERVICE_IMAGE_ENABLED=False MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False' -MANILA_CONFIGURE_DEFAULT_TYPES=True \ No newline at end of file +MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/doc/source/contributor/samples/container_local.conf b/doc/source/contributor/samples/container_local.conf index 66ab39b569..bf0556242f 100644 --- a/doc/source/contributor/samples/container_local.conf +++ b/doc/source/contributor/samples/container_local.conf @@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True MANILA_OPTGROUP_prague_driver_handles_share_servers=True MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false' MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/doc/source/contributor/samples/lvm_local.conf b/doc/source/contributor/samples/lvm_local.conf index 342d852c56..54a1e29230 100644 --- a/doc/source/contributor/samples/lvm_local.conf +++ b/doc/source/contributor/samples/lvm_local.conf @@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False SHARE_BACKING_FILE_SIZE=32000M MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True' MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/doc/source/contributor/samples/zfsonlinux_local.conf b/doc/source/contributor/samples/zfsonlinux_local.conf index 076a17c22c..edffdec137 100644 
--- a/doc/source/contributor/samples/zfsonlinux_local.conf +++ b/doc/source/contributor/samples/zfsonlinux_local.conf @@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False MANILA_REPLICA_STATE_UPDATE_INTERVAL=60 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable' MANILA_CONFIGURE_DEFAULT_TYPES=True + +# Required for mounting shares +MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True diff --git a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml index 418576f572..6d6c37d1a6 100644 --- a/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml +++ b/playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml @@ -52,6 +52,7 @@ export ENABLED_SERVICES=tempest export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True # Keep localrc to be able to set some vars in pre_test_hook export KEEP_LOCALRC=1 diff --git a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml index 7e6a7cd3a0..b89d067c29 100644 --- a/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml +++ b/playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml @@ -51,6 +51,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True export DEVSTACK_GATE_USE_PYTHON3=True diff --git a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml index e091f9cc5a..0d14bca245 100644 --- a/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml +++ b/playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml 
@@ -51,6 +51,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True export DEVSTACK_GATE_USE_PYTHON3=True diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml index b3776a4b54..a48cf67d05 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml @@ -103,6 +103,7 @@ export KEEP_LOCALRC=1 export PROJECTS="openstack/manila-tempest-plugin $PROJECTS" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest export OVERRIDE_ENABLED_SERVICES diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml index 40558a3e02..e1faef6f1c 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml @@ -66,6 +66,7 @@ export DEVSTACK_GATE_NEUTRON=1 export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient" export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml index 7955649478..709d69dc40 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml 
@@ -52,6 +52,7 @@ export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True # Basic services needed for minimal job OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml index 61234f3a60..af6142d2d9 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml @@ -50,6 +50,7 @@ export MANILA_SETUP_IPV6=True export RUN_MANILA_IPV6_TESTS=True export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False + export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True # Basic services needed for minimal job OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest