Merge "[devstack][ci] Modify firewall in ds-plugin" into stable/train

contrib/ci/post_test_hook.sh

@@ -344,21 +344,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
 source $BASE/new/manila/contrib/ci/common.sh
 manila_wait_for_drivers_init $MANILA_CONF
 
-
-TCP_PORTS=(2049 111 32803 892 875 662)
-UDP_PORTS=(111 32769 892 875 662)
-for ipcmd in iptables ip6tables; do
-    # (aovchinnikov): extra rules are needed to allow instances talk to host.
-    sudo $ipcmd -N manila-nfs
-    sudo $ipcmd -I INPUT 1 -j manila-nfs
-    for port in ${TCP_PORTS[*]}; do
-        sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
-    done
-    for port in ${UDP_PORTS[*]}; do
-        sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
-    done
-done
-
 source $BASE/new/devstack/openrc admin admin
 public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
 iniset $TEMPEST_CONFIG network public_network_id $public_net_id

contrib/ci/pre_test_hook.sh

@@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf
 
 echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
 
+echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
+
 # === Handle script arguments ===
 # First argument is expected to be a boolean-like value for DHSS.
 DHSS=$1

devstack/plugin.sh

@@ -1016,6 +1016,24 @@ function install_libraries {
     fi
 }
 
+function allow_host_ports_for_share_mounting {
+
+    TCP_PORTS=(2049 111 32803 892 875 662)
+    UDP_PORTS=(111 32769 892 875 662)
+    for ipcmd in iptables ip6tables; do
+        # (aovchinnikov): extra rules are needed to allow instances talk to
+        # host.
+        sudo $ipcmd -N manila-nfs
+        sudo $ipcmd -I INPUT 1 -j manila-nfs
+        for port in ${TCP_PORTS[*]}; do
+            sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
+        done
+        for port in ${UDP_PORTS[*]}; do
+            sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
+        done
+    done
+}
+
 function setup_ipv6 {
 
     # This will fail with multiple default routes and is not needed in CI
@@ -1270,6 +1288,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 
     echo_summary "Update Tempest config"
     update_tempest
+
+
+    if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
+        echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
+        allow_host_ports_for_share_mounting
+    fi
+
 fi
 
 if [[ "$1" == "unstack" ]]; then

devstack/settings

@@ -157,6 +157,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1}  # deprecated
 MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2}  # deprecated
 MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2}  # deprecated
 
+# Enable this option when using a storage backend that is on the same host
+# as the devstack host, these iptable rules are necessary to allow mounting
+# shares from the host
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
+
 # Options for configuration of LVM share driver
 SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
 SHARE_GROUP=${SHARE_GROUP:-lvm-shares}

doc/source/contributor/samples/cephfs_local.conf

@@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs
 # CEPHFS backend options
 MANILA_SERVICE_IMAGE_ENABLED=False
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False'
-MANILA_CONFIGURE_DEFAULT_TYPES=True
+MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

doc/source/contributor/samples/container_local.conf

@@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True
 MANILA_OPTGROUP_prague_driver_handles_share_servers=True
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false'
 MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

doc/source/contributor/samples/lvm_local.conf

@@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False
 SHARE_BACKING_FILE_SIZE=32000M
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True'
 MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

doc/source/contributor/samples/zfsonlinux_local.conf

@@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False
 MANILA_REPLICA_STATE_UPDATE_INTERVAL=60
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable'
 MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml

@@ -52,6 +52,7 @@
 
           export ENABLED_SERVICES=tempest
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           # Keep localrc to be able to set some vars in pre_test_hook
           export KEEP_LOCALRC=1

playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml

@@ -51,6 +51,7 @@
           export KEEP_LOCALRC=1
           export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           export DEVSTACK_GATE_USE_PYTHON3=True
 

playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml

@@ -51,6 +51,7 @@
           export KEEP_LOCALRC=1
           export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           export DEVSTACK_GATE_USE_PYTHON3=True
 

playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml

@@ -103,6 +103,7 @@
           export KEEP_LOCALRC=1
           export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
           OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
           export OVERRIDE_ENABLED_SERVICES
 

playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml

@@ -66,6 +66,7 @@
           export DEVSTACK_GATE_NEUTRON=1
           export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           export MANILA_SETUP_IPV6=True
           export RUN_MANILA_IPV6_TESTS=True

playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml

@@ -52,6 +52,7 @@
           export MANILA_SETUP_IPV6=True
           export RUN_MANILA_IPV6_TESTS=True
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           # Basic services needed for minimal job
           OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest

playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml

@@ -50,6 +50,7 @@
           export MANILA_SETUP_IPV6=True
           export RUN_MANILA_IPV6_TESTS=True
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           # Basic services needed for minimal job
           OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest