Merge "[devstack] Allow cephfs daemon port access" into stable/rocky

2020-07-28 16:37:35 +00:00 · 2020-07-28 16:37:35 +00:00 · fd67d81748
parent 5e9c755f61 58f1f21073
commit fd67d81748
1 changed files with 22 additions and 13 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -961,20 +961,29 @@ function install_libraries {
 function allow_host_ports_for_share_mounting {
-    TCP_PORTS=(2049 111 32803 892 875 662)
+    if [[ $MANILA_ENABLED_SHARE_PROTOCOLS =~ NFS ]]; then
-    UDP_PORTS=(111 32769 892 875 662)
+        # 111 and 2049 are for rpcbind and NFS
-    for ipcmd in iptables ip6tables; do
+        # Other ports are for NFSv3 statd, mountd and lockd daemons
-        # (aovchinnikov): extra rules are needed to allow instances talk to
+        MANILA_TCP_PORTS=(2049 111 32803 892 875 662)
-        # host.
+        MANILA_UDP_PORTS=(111 32769 892 875 662)
-        sudo $ipcmd -N manila-nfs
+    fi
-        sudo $ipcmd -I INPUT 1 -j manila-nfs
+    if [[ $MANILA_ENABLED_SHARE_PROTOCOLS =~ CEPHFS ]]; then
-        for port in ${TCP_PORTS[*]}; do
+        # clients need access to the ceph daemons
-            sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
+        MANILA_TCP_PORTS=(${MANILA_TCP_PORTS[*]} 6789 6800:7300)
    fi
    if [[ -v MANILA_TCP_PORTS || -v MANILA_UDP_PORTS ]]; then
        for ipcmd in iptables ip6tables; do
            sudo $ipcmd -N manila-storage
            sudo $ipcmd -I INPUT 1 -j manila-storage
            for port in ${MANILA_TCP_PORTS[*]}; do
                sudo $ipcmd -A manila-storage -m tcp -p tcp --dport $port -j ACCEPT
            done
            for port in ${MANILA_UDP_PORTS[*]}; do
                sudo $ipcmd -A manila-storage -m udp -p udp --dport $port -j ACCEPT
            done
        done
-        for port in ${UDP_PORTS[*]}; do
+    fi
            sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
        done
    done
 }
 function setup_ipv6 {