Manila APIs have had the requirement to include
project_id in the URLs since the very beginning.
This comes from an old assumption that our APIs
would be differentiated per-tenant on the cloud,
and we would allow different kinds of API endpoints
(public, admin, internal, etc). While it is possible
to set up different endpoints against the API
service, the same and complete API is exposed at
each of these endpoints.
We don't _need_ the project_id information that
we receive in the URL for any of our APIs to
function. We rather authorize tenants by gathering
information from the Identity service (Keystone)
and wrapping that into a RequestContext object
that we then rely on to ensure namespace isolation.
Removing the requirement for "project_id" simplifies
our API endpoint structure in the service catalog
as well as provides a way for system scoped users
to interact with manila without having to declare
their project.
In order to make project_id optional in urls, the
possible values of project_id have to be constrained.
This change introduces a new configuration option
so deployers may control that. This configuration
option defaults to accepting UUIDs with and without
dashes.
Since manila can be used in standalone deployments
without the need for Keystone, this change introduces
a noauth middleware that can work without project_id
in the URL paths.
The API version has been incremented to signal this
change to end users. When 2.60 is available, deployments
may drop "project_id" in the service catalog endpoint
for Manila and end users applications can stop needing
it as well (if they don't already rely on the service
catalog for this data).
APIImpact
Implements: bp remove-project-id-from-urls
Change-Id: I5127e150e8a71e621890f30dba6720b3932cf583
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This change makes healtcheck middleware enabled by default, so that
operators can use the middleware to monitor service availability for
various purpose like healthcheck by load balancers.
Change-Id: I47e65d23ebfe310643896e1de3396cd627a3def3
This patch implements managing and unmanaging of share
servers and shares functionality to the Container driver.
Depends-On: I452c2a99b186f53d737cb7fbd7eabfcfd9b249d6
Implements: bp container-driver-manage-unmanage-with-share-servers
Change-Id: I623c88dd1155740f0a444d2063236d91efd3bd1e
We assign a random UUID with tune2fs to snapshots
and shares created from snapshots so that they
don't conflict with the parent shares/snapshots
when both of them are being mounted.
tune2fs requires that a filesystem check be
performed "recently" before UUID assignments.
So, perform a filesystem check right away to
allow tune2fs to assign a random UUID.
Change-Id: I858a318f7a83e033cc3f2699859e38b6b74c8d24
Related-Bug: #1645751
Closes-Bug: #1798219
The /etc/mtab file may have mount information such as 'nfsd'
that if copied to /etc/fstab will cause the share server to
hang when rebooted.
Update /etc/fstab with exactly the newly mounted or unmounted
shares rather than simply overwriting /etc/fstab with /etc/mtab.
Change-Id: I67602bae1f928769d768008deca7bd0f2fef1ac2
Close-Bug: #1639662
This patch adds policy in code support for availability_zone,
scheduler_stats and message resources.
Change-Id: I9a79b5ececc583e85149cc920321e461e832b245
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for share instance,
share export location and share type extra specs resources.
Change-Id: I9a89b4ececc583e85249cc925950e462e805b215
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for replica, network
and security service resources.
Change-Id: I9a79b5ececc583e85149cc920950e462e805b245
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for group
resources.
Change-Id: I9a79b5ececc583e80149cc920950e462e805b142
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for service and quota
resources.
Change-Id: I9a79b5ececc583e80149cc980930e162e805b143
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for snapshot
resources.
Change-Id: I8a29b5ececc583e80129cc981930e162e805b246
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for share
resources.
Change-Id: I9a79b5ececc583e80129cc980930e162e805b246
Partial-Implements: blueprint policy-in-code
This patch adds policy in code support for share type
resources and depends on the basic patch [1].
[1]: https://review.openstack.org/#/c/507054/
Change-Id: I9a79b5ececc587e80129cc980930e168e805b246
Partial-Implements: blueprint policy-in-code
This is the basic patch which consits of the framework
code for default policy in code feature as well as
share instance export location resource.
Partial-Implements: blueprint policy-in-code
Change-Id: Iedde7a4a674a60e760b47d5eb2973f42d79226d8
Reverts with the LVM driver were happening asynchronously
which resulted in unreliable behavior. This change makes
the reverts synchronous.
Also, the driver now unexports and unmounts both the share and
the snapshot during the revert (required to make the operation
synchronous) which requires changing the driver interface to
include the snapshot access rules in addition to the share access
rules.
Closes-bug: #1707943
Change-Id: Ifea1799e1d2e3963fec7e90ce3f9cb47b9f02f4f
For quite some time, OpenStack services have wanted to be able to send
messages to API end users (by user I do not mean the operator, but the
user that is interacting with the client).
This patch implements basic user messages with the following APIs.
GET /messages
GET /messages/<message_id>
DELETE /messages/<message_id>
Implements the basic /messages resource and tempest tests
The patch is aligned with related cinder patch where possible:
I8a635a07ed6ff93ccb71df8c404c927d1ecef005
DocImpact
APIImpact
Needed-By: I5ffb840a271c518f62ee1accfd8e20a97f45594d
Needed-By: I9ce096eebda3249687268e361b7141dea4032b57
Needed-By: Ic7d25a144905a39c56ababe8bd666b01bc0d0aef
Partially-implements: blueprint user-messages
Co-Authored-By: Jan Provaznik <jprovazn@redhat.com>
Change-Id: Ia0cc524e0bfb2ca5e495e575e17e9911c746690b
You can dynamically update access lists of exports with Ganesha
version >= 2.4. Make ganesha library use this feature in a new helper
class, GaneshaNASHelper2, to cleanly implement share access rules
changes without undesired interruptions.
When updating a share's access rules, the new helper class differs
from the older GaneshaNASHelper class as follows:
* Looks for an existing export and edits its client access list;
creates a new export if it can't find one; and removes an export if
the access list ends up empty. Rather than awkwardly create or
remove an export per addition or removal of an access rule.
* Issues DBUS UpdateAccess command to dynamically update an export.
Implements: bp ganesha-dynamic-update-export
Co-Authored-By: Csaba Henk <chenk@redhat.com>
Change-Id: I01ec100c0afe28a84e9afa8e0660d299e4b3d160
This feature was disabled by default in Ocata.
Now, enable it back to ease further work and updates of this feaure.
Change-Id: Ib57b55ce77df1b8e6481057014f2e9f6d743e34d
Snapshot policy is named inconsistently. Fixing this in the code
would cause a migration conflict since both "share:create_snapshot"
and "share_snapshot:create_snapshot" need to be supported. Instead
this fixes only policy.json
Change-Id: I5869f53ac5086d7411dc3553b4cf88423b7524f5
Closes-bug: #1666498
Also, allow filtering by host based on policy 'list_by_host' that
defaults to 'admin only'.
Do not bump API, because it is not considered as expected behavior,
hence should not be kept for old microversions.
Co-Authored-By: Valeriy Ponomaryov <vponomaryov@mirantis.com>
APIImpact
Change-Id: I799bb7378927b6c3ee0f9fe88fd9876a03dd85b5
Closes bug: 1664370
as of Ocata because feature has not been completed.
Revert this change back in Pike.
Change-Id: Ibe2f7fba436e298b720a492594579d64b2e81a47
Closes-Bug: #1661639
This new feature gives the user the ability to allow and
deny access to the snapshots, so that they could be mounted in
read-only mode to retrieve files.
APIImpact
DocImpact
Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@fit-tecnologia.org.br>
Co-Authored-By: Alyson Rosa <alyson.rosa@fit-tecnologia.org.br>
Co-Authored-By: Miriam Yumi <miriam.peixoto@fit-tecnologia.org.br>
Partially-implements: blueprint manila-mountable-snapshots
Change-Id: I65f398a05f82eef31ec317d70dfa101483b44b30
Remove the experimental consistency group APIs and
replace them with the experimental Share Group APIs.
DocImpact
APIImpact
Partially-implements-blueprint: manila-share-groups
Change-Id: I79a80a62ae4e0015d6161edc2b93fd1f9ba69537
This commit adds the ability for Manila to revert a
share to the latest available snapshot.
The feature is implemented in the LVM driver, for
testing purposes.
APIImpact
DocImpact
Co-Authored-By: Ben Swartzlander <ben@swartzlander.org>
Co-Authored-By: Andrew Kerr <andrew.kerr@netapp.com>
Implements: blueprint manila-share-revert-to-snapshot
Change-Id: Id497e13070e0003db2db951526a52de6c2182cca
Added support for manage/unmanage in GPFS NFS driver.
This patch added functions that allow share on Spectrum Scale
node to be managed by OpenStack if existing fileset is an
independent fileset and doesn't have any NFS export
over the fileset path. Also, share can be unmanaged from
OpenStack but still left in Spectrum Scale cluster.
Implements: blueprint gpfs-manage-support
Change-Id: I9134408b59c30ac4bc593f287294741f6e996136
Reportedly [1], the kernel-nfs-server has a bug where we have overlap of
filesystem identifiers using LVM volumes and their snapshots.
We face this bug in manila LVM driver and Generic driver when we use
cinder LVM driver. So, fix it generating unique UUID for all
snapshots (only for LVM, because we cannot do it in Generic driver
while we do not have "mount-snapshot" feature support there) and
child volumes that will be exported as child shares.
[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1071733
Change-Id: Ib93bfb0d4184da1e70ecece6fde6931e44d05a30
Closes-Bug: #1645751
Add support of share migration feature to ZFsonLinux driver.
Implements BP zfsonlinux-share-migration
Change-Id: If9e1fec9a6d4f96d2bb5c176c6249fafc7e3e891
At Austin 2016 summit there were several improvements to
Share migration feature discussed. This patch implements
these changes.
Changes are:
- Added 'Writable' API parameter: user chooses whether share must
remain writable during migration.
- Added 'Preserve Metadata' API parameter: user chooses whether
share must preserve all file metadata on migration.
- Added 'Non-disruptive' API parameter: user chooses whether
migration of share must be performed non-disruptively.
- Removed existing 'Notify', thus removing 1-phase migration
possibility.
- Renamed existing 'Force Host Copy' parameter to 'Force
Host-assisted Migration'.
- Renamed all 'migration_info' and 'migration_get_info' entries to
'connection_info' and 'connection_get_info'.
- Updated driver interfaces with the new API parameters, drivers
must respect them.
- Changed share/api => scheduler RPCAPI back to asynchronous.
- Added optional SHA-256 validation to perform additional check if
bytes were corrupted during copying.
- Added mount options configuration to Data Service so CIFS shares
can be mounted.
- Driver may override _get_access_mapping if supports a different
access_type/protocol combination than what is defined by default.
- Added CIFS share protocol support and 'user' access type
support to Data Service.
- Reset Task State API now allows task_state to be unset using
'None' value.
- Added possibility to change share-network when migrating a share.
- Bumped microversion to 2.22.
- Removed support of all previous versions of Share Migration APIs.
APIImpact
DocImpact
Implements: blueprint newton-migration-improvements
Change-Id: Ief49a46c86ed3c22d3b31021aff86a9ce0ecbe3b
This driver exploits a Docker container as a share server instead
of a virtual machine. The container acts as a CIFS server
and shares logical volume attached to it. The volume gets created
simultaneously to the container on a host in a volume group
specified by the user.
DocImpact
Change-Id: I711813a2022d765ab7a70ed670e34f68f9cf1399
Implements: blueprint manila-container-driver
Spectrum Scale supports NFS ganesha through CES protocol services. This
change replaces the current NFS ganesha support with the Spectrum Scale
CES infrastructure.
Implements: blueprint gpfs-ces-support
Change-Id: I8eb307c19761788ea71c15c889794f8b5f110253
The ssl middleware from oslo.middleware is deprecated in favor of
http_proxy_to_wsgi, which is used by nova, cinder, glance and several
other services.
Change-Id: Id33a0f7eeb8ced77d09f9edd6b1d65697d8bcfe7
Rather complex logic was added to ZFS driver to cope with
mount-namespace-related problems caused by neutron. A better
solution is to ensure mounts (and unmount) propagate to
namespaces.
Closes-Bug: 1552552
Change-Id: Id952cb110c0187021a46ed5de02308b10ddf1239
Nova [1], Neutron [2,3] and Cinder's [4] rootwrap exec dirs include
/usr/local/{sbin,bin} which are a standardised locations for admins to
install non-distro executables, and these executables are no less
"trustworthy" than /usr/bin and friends. See Neutron and Cinder's
rootwrap.conf (and probably others), and typical distro default values
for sudoers/secure_path for extremely similar precedents that all
include /usr/local/*bin.
Brief discussion of doing this via devstack available at [5].
Also, remove absolute paths from existing filters
to make this fix useful.
[1] I6a0a4b7f952193ce0f4ed2594613188854d36bf1
[2] Ib3646933744ca6b20ecd5ad0cedcedb4f1fa5f12
[3] Id7aebb50e60b1cc64c113be63c599387be5f1765
[4] I577e10df25181c7d4ca8189b10640a8e6e39b047
[5] I710cf142b834381c00e651cfc062299ae755c33f
Change-Id: Ie7177778a247a687ced846bb11030cb72344c93f
Closes-Bug: #1551956
The default values needed for manila's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to the default initialization procedure. This ensures
that if a value remains unset in the configuration file, it will
fallback to using sane defaults. It also ensures that an operator
modifying the configuration will be presented with that same
set of defaults.
Change-Id: Ie4adc39866a4ee6132eab6a111660218b3e6e5bd
Closes-Bug: #1551836
Removed functionality of Share Migration relying on Manila Share
Service node, moved code to Data Service node for copy phase.
Added parameter 'notify' and share/api methods for future
implementation (see dependent patches).
Added new copy operation statuses, in order to implement future
API calls to obtain progress and cancel migration.
Added possibility of 2-phase migration for driver migration and
generic (fallback) migration.
Added admin export location support and removed approach of
replacing IP with config parameter.
Added Admin-only API entry points to:
- Migration Cancel (only during copying)
- Reset Task State field
- Migration Get Progress (only during copying)
- Migration Complete (2nd phase migration)
- Notify parameter on Migrate Share
APIImpact
DocImpact
Implements: blueprint data-service-migration
Change-Id: I1d65aac2f36942cd70eb214be561d59a15a4ba26
This driver exploits a container as a share server instead
of a virtual machine. The container acts as a NFS/CIFS server
and shares logical volume attached to it. The volume gets created
simultaneously to the container on a host in a volume group
specified by the user. Currently NFS is limited to v3 since the
only userspace NFS server that works in a container out of the box
seems to be unfs3. Later it will be replaced with nfs-ganesha.
Co-Authored-By: Alexey Ovchinnikov <aovchinnikov@mirantis.com>
Implements: blueprint lxc-driver
Depends-On: Ib1896997f2e7a505b5bf8ec0c9e5ee35942f79a6
Change-Id: Iea73bd34b94919d77ebe17cf054dde1f580384be