Shared filesystem management project for OpenStack.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

616 lines
24 KiB

# Copyright 2015 Mirantis Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import copy
import ipaddress
import os
import re
import six
from oslo_log import log
from manila.common import constants as const
from manila import exception
from manila.i18n import _
from manila import utils
LOG = log.getLogger(__name__)
class NASHelperBase(object):
"""Interface to work with share."""
def __init__(self, execute, ssh_execute, config_object):
self.configuration = config_object
self._execute = execute
self._ssh_exec = ssh_execute
def init_helper(self, server):
pass
def create_exports(self, server, share_name, recreate=False):
"""Create new exports, delete old ones if exist."""
raise NotImplementedError()
def remove_exports(self, server, share_name):
"""Remove exports."""
raise NotImplementedError()
def configure_access(self, server, share_name):
"""Configure server before allowing access."""
pass
def update_access(self, server, share_name, access_rules, add_rules,
delete_rules):
"""Update access rules for given share.
This driver has two different behaviors according to parameters:
1. Recovery after error - 'access_rules' contains all access_rules,
'add_rules' and 'delete_rules' shall be empty. Previously existing
access rules are cleared and then added back according
to 'access_rules'.
2. Adding/Deleting of several access rules - 'access_rules' contains
all access_rules, 'add_rules' and 'delete_rules' contain rules which
should be added/deleted. Rules in 'access_rules' are ignored and
only rules from 'add_rules' and 'delete_rules' are applied.
:param server: None or Share server's backend details
:param share_name: Share's path according to id.
:param access_rules: All access rules for given share
:param add_rules: Empty List or List of access rules which should be
added. access_rules already contains these rules.
:param delete_rules: Empty List or List of access rules which should be
removed. access_rules doesn't contain these rules.
"""
raise NotImplementedError()
@staticmethod
def _verify_server_has_public_address(server):
if 'public_address' in server:
pass
elif 'public_addresses' in server:
if not isinstance(server['public_addresses'], list):
raise exception.ManilaException(_("public_addresses must be "
"a list"))
else:
raise exception.ManilaException(
_("Can not get public_address(es) for generation of export."))
def _get_export_location_template(self, export_location_or_path):
"""Returns template of export location.
Example for NFS:
%s:/path/to/share
Example for CIFS:
\\\\%s\\cifs_share_name
"""
raise NotImplementedError()
def get_exports_for_share(self, server, export_location_or_path):
"""Returns list of exports based on server info."""
self._verify_server_has_public_address(server)
export_location_template = self._get_export_location_template(
export_location_or_path)
export_locations = []
if 'public_addresses' in server:
pairs = list(map(lambda addr: (addr, False),
server['public_addresses']))
else:
pairs = [(server['public_address'], False)]
# NOTE(vponomaryov):
# Generic driver case: 'admin_ip' exists only in case of DHSS=True
# mode and 'ip' exists in case of DHSS=False mode.
# Use one of these for creation of export location for service needs.
service_address = server.get("admin_ip", server.get("ip"))
if service_address:
pairs.append((service_address, True))
for ip, is_admin in pairs:
export_locations.append({
"path": export_location_template % ip,
"is_admin_only": is_admin,
"metadata": {
# TODO(vponomaryov): remove this fake metadata when
# proper appears.
"export_location_metadata_example": "example",
},
})
return export_locations
def get_share_path_by_export_location(self, server, export_location):
"""Returns share path by its export location."""
raise NotImplementedError()
def disable_access_for_maintenance(self, server, share_name):
"""Disables access to share to perform maintenance operations."""
def restore_access_after_maintenance(self, server, share_name):
"""Enables access to share after maintenance operations were done."""
@staticmethod
def validate_access_rules(access_rules, allowed_types, allowed_levels):
"""Validates access rules according to access_type and access_level.
:param access_rules: List of access rules to be validated.
:param allowed_types: tuple of allowed type values.
:param allowed_levels: tuple of allowed level values.
"""
for access in (access_rules or []):
access_type = access['access_type']
access_level = access['access_level']
if access_type not in allowed_types:
reason = _("Only %s access type allowed.") % (
', '.join(tuple(["'%s'" % x for x in allowed_types])))
raise exception.InvalidShareAccess(reason=reason)
if access_level not in allowed_levels:
raise exception.InvalidShareAccessLevel(level=access_level)
def _get_maintenance_file_path(self, share_name):
return os.path.join(self.configuration.share_mount_path,
"%s.maintenance" % share_name)
def nfs_synchronized(f):
def wrapped_func(self, *args, **kwargs):
key = "nfs-%s" % args[0].get("lock_name", args[0]["instance_id"])
# NOTE(vponomaryov): 'external' lock is required for DHSS=False
# mode of LVM and Generic drivers, that may have lots of
# driver instances on single host.
@utils.synchronized(key, external=True)
def source_func(self, *args, **kwargs):
return f(self, *args, **kwargs)
return source_func(self, *args, **kwargs)
return wrapped_func
class NFSHelper(NASHelperBase):
"""Interface to work with share."""
def create_exports(self, server, share_name, recreate=False):
path = os.path.join(self.configuration.share_mount_path, share_name)
server_copy = copy.copy(server)
public_addresses = []
if 'public_addresses' in server_copy:
for address in server_copy['public_addresses']:
public_addresses.append(
self._escaped_address(address))
server_copy['public_addresses'] = public_addresses
for t in ['public_address', 'admin_ip', 'ip']:
address = server_copy.get(t)
if address is not None:
server_copy[t] = self._escaped_address(address)
return self.get_exports_for_share(server_copy, path)
@staticmethod
def _escaped_address(address):
addr = ipaddress.ip_address(six.text_type(address))
if addr.version == 4:
return six.text_type(addr)
else:
return '[%s]' % six.text_type(addr)
def init_helper(self, server):
try:
self._ssh_exec(server, ['sudo', 'exportfs'])
except exception.ProcessExecutionError as e:
if 'command not found' in e.stderr:
raise exception.ManilaException(
_('NFS server is not installed on %s')
% server['instance_id'])
LOG.error(e.stderr)
def remove_exports(self, server, share_name):
"""Remove exports."""
@nfs_synchronized
def update_access(self, server, share_name, access_rules, add_rules,
delete_rules):
"""Update access rules for given share.
Please refer to base class for a more in-depth description.
"""
local_path = os.path.join(self.configuration.share_mount_path,
share_name)
out, err = self._ssh_exec(server, ['sudo', 'exportfs'])
# Recovery mode
if not (add_rules or delete_rules):
self.validate_access_rules(
access_rules, ('ip',),
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
hosts = self.get_host_list(out, local_path)
for host in hosts:
parsed_host = self._get_parsed_address_or_cidr(host)
self._ssh_exec(server, ['sudo', 'exportfs', '-u',
':'.join((parsed_host, local_path))])
self._sync_nfs_temp_and_perm_files(server)
for access in access_rules:
rules_options = '%s,no_subtree_check,no_root_squash'
access_to = self._get_parsed_address_or_cidr(
access['access_to'])
self._ssh_exec(
server,
['sudo', 'exportfs', '-o',
rules_options % access['access_level'],
':'.join((access_to, local_path))])
self._sync_nfs_temp_and_perm_files(server)
# Adding/Deleting specific rules
else:
self.validate_access_rules(
add_rules, ('ip',),
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
for access in delete_rules:
try:
self.validate_access_rules(
[access], ('ip',),
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
except (exception.InvalidShareAccess,
exception.InvalidShareAccessLevel):
LOG.warning(
"Unsupported access level %(level)s or access type "
"%(type)s, skipping removal of access rule to "
"%(to)s.", {'level': access['access_level'],
'type': access['access_type'],
'to': access['access_to']})
continue
access_to = self._get_parsed_address_or_cidr(
access['access_to'])
self._ssh_exec(server, ['sudo', 'exportfs', '-u',
':'.join((access_to, local_path))])
if delete_rules:
self._sync_nfs_temp_and_perm_files(server)
for access in add_rules:
access_to = self._get_parsed_address_or_cidr(
access['access_to'])
found_item = re.search(
re.escape(local_path) + '[\s\n]*' + re.escape(access_to),
out)
if found_item is not None:
LOG.warning("Access rule %(type)s:%(to)s already "
"exists for share %(name)s", {
'to': access['access_to'],
'type': access['access_type'],
'name': share_name
})
else:
rules_options = '%s,no_subtree_check,no_root_squash'
self._ssh_exec(
server,
['sudo', 'exportfs', '-o',
rules_options % access['access_level'],
':'.join((access_to, local_path))])
if add_rules:
self._sync_nfs_temp_and_perm_files(server)
@staticmethod
def _get_parsed_address_or_cidr(access_to):
network = ipaddress.ip_network(six.text_type(access_to))
mask_length = network.prefixlen
address = six.text_type(network.network_address)
if mask_length == 0:
# Special case because Linux exports don't support /0 netmasks
return '*'
if network.version == 4:
if mask_length == 32:
return address
return '%s/%s' % (address, mask_length)
if mask_length == 128:
return "[%s]" % address
return "[%s]/%s" % (address, mask_length)
@staticmethod
def get_host_list(output, local_path):
entries = []
output = output.replace('\n\t\t', ' ')
lines = output.split('\n')
for line in lines:
items = line.split(' ')
if local_path == items[0]:
entries.append(items[1])
return entries
def _sync_nfs_temp_and_perm_files(self, server):
"""Sync changes of exports with permanent NFS config file.
This is required to ensure, that after share server reboot, exports
still exist.
"""
sync_cmd = [
'sudo', 'cp', const.NFS_EXPORTS_FILE_TEMP, const.NFS_EXPORTS_FILE
]
self._ssh_exec(server, sync_cmd)
self._ssh_exec(server, ['sudo', 'exportfs', '-a'])
out, _ = self._ssh_exec(
server, ['sudo', 'service', 'nfs-kernel-server', 'status'],
check_exit_code=False)
if "not" in out:
self._ssh_exec(
server, ['sudo', 'service', 'nfs-kernel-server', 'restart'])
def _get_export_location_template(self, export_location_or_path):
path = export_location_or_path.split(':')[-1]
return '%s:' + path
def get_share_path_by_export_location(self, server, export_location):
return export_location.split(':')[-1]
@nfs_synchronized
def disable_access_for_maintenance(self, server, share_name):
maintenance_file = self._get_maintenance_file_path(share_name)
backup_exports = [
'cat', const.NFS_EXPORTS_FILE,
'|', 'grep', share_name,
'|', 'sudo', 'tee', maintenance_file
]
self._ssh_exec(server, backup_exports)
local_path = os.path.join(self.configuration.share_mount_path,
share_name)
out, err = self._ssh_exec(server, ['sudo', 'exportfs'])
hosts = self.get_host_list(out, local_path)
for host in hosts:
self._ssh_exec(server, ['sudo', 'exportfs', '-u',
':'.join((host, local_path))])
self._sync_nfs_temp_and_perm_files(server)
@nfs_synchronized
def restore_access_after_maintenance(self, server, share_name):
maintenance_file = self._get_maintenance_file_path(share_name)
restore_exports = [
'cat', maintenance_file,
'|', 'sudo', 'tee', '-a', const.NFS_EXPORTS_FILE,
'&&', 'sudo', 'exportfs', '-r',
'&&', 'sudo', 'rm', '-f', maintenance_file
]
self._ssh_exec(server, restore_exports)
class CIFSHelperBase(NASHelperBase):
@staticmethod
def _get_share_group_name_from_export_location(export_location):
if '/' in export_location and '\\' in export_location:
pass
elif export_location.startswith('\\\\'):
return export_location.split('\\')[-1]
elif export_location.startswith('//'):
return export_location.split('/')[-1]
msg = _("Got incorrect CIFS export location '%s'.") % export_location
raise exception.InvalidShare(reason=msg)
def _get_export_location_template(self, export_location_or_path):
group_name = self._get_share_group_name_from_export_location(
export_location_or_path)
return ('\\\\%s' + ('\\%s' % group_name))
class CIFSHelperIPAccess(CIFSHelperBase):
"""Manage shares in samba server by net conf tool.
Class provides functionality to operate with CIFS shares.
Samba server should be configured to use registry as configuration
backend to allow dynamically share managements. This class allows
to define access to shares by IPs with RW access level.
"""
def __init__(self, *args):
super(CIFSHelperIPAccess, self).__init__(*args)
self.parameters = {
'browseable': 'yes',
'create mask': '0755',
'hosts deny': '0.0.0.0/0', # deny all by default
'hosts allow': '127.0.0.1',
'read only': 'no',
}
def init_helper(self, server):
# This is smoke check that we have required dependency
self._ssh_exec(server, ['sudo', 'net', 'conf', 'list'])
def create_exports(self, server, share_name, recreate=False):
"""Create share at samba server."""
share_path = os.path.join(self.configuration.share_mount_path,
share_name)
create_cmd = [
'sudo', 'net', 'conf', 'addshare', share_name, share_path,
'writeable=y', 'guest_ok=y',
]
try:
self._ssh_exec(
server, ['sudo', 'net', 'conf', 'showshare', share_name, ])
except exception.ProcessExecutionError:
# Share does not exist, create it
try:
self._ssh_exec(server, create_cmd)
except Exception:
msg = _("Could not create CIFS export %s.") % share_name
LOG.exception(msg)
raise exception.ManilaException(reason=msg)
else:
# Share exists
if recreate:
self._ssh_exec(
server, ['sudo', 'net', 'conf', 'delshare', share_name, ])
try:
self._ssh_exec(server, create_cmd)
except Exception:
msg = _("Could not create CIFS export %s.") % share_name
LOG.exception(msg)
raise exception.ManilaException(reason=msg)
else:
msg = _('Share section %s already defined.') % share_name
raise exception.ShareBackendException(msg=msg)
for param, value in self.parameters.items():
self._ssh_exec(server, ['sudo', 'net', 'conf', 'setparm',
share_name, param, value])
return self.get_exports_for_share(server, '\\\\%s\\' + share_name)
def remove_exports(self, server, share_name):
"""Remove share definition from samba server."""
try:
self._ssh_exec(
server, ['sudo', 'net', 'conf', 'delshare', share_name])
except exception.ProcessExecutionError as e:
LOG.warning("Caught error trying delete share: %(error)s, try"
"ing delete it forcibly.", {'error': e.stderr})
self._ssh_exec(server, ['sudo', 'smbcontrol', 'all', 'close-share',
share_name])
def update_access(self, server, share_name, access_rules, add_rules,
delete_rules):
"""Update access rules for given share.
Please refer to base class for a more in-depth description. For this
specific implementation, add_rules and delete_rules parameters are not
used.
"""
hosts = []
self.validate_access_rules(
access_rules, ('ip',), (const.ACCESS_LEVEL_RW,))
for access in access_rules:
hosts.append(access['access_to'])
self._set_allow_hosts(server, hosts, share_name)
def _get_allow_hosts(self, server, share_name):
(out, _) = self._ssh_exec(server, ['sudo', 'net', 'conf', 'getparm',
share_name, 'hosts allow'])
return out.split()
def _set_allow_hosts(self, server, hosts, share_name):
value = ' '.join(hosts) or ' '
self._ssh_exec(server, ['sudo', 'net', 'conf', 'setparm', share_name,
'hosts allow', value])
def get_share_path_by_export_location(self, server, export_location):
# Get name of group that contains share data on CIFS server
group_name = self._get_share_group_name_from_export_location(
export_location)
# Get parameter 'path' from group that belongs to current share
(out, __) = self._ssh_exec(
server, ['sudo', 'net', 'conf', 'getparm', group_name, 'path'])
# Remove special symbols from response and return path
return out.strip()
def disable_access_for_maintenance(self, server, share_name):
maintenance_file = self._get_maintenance_file_path(share_name)
allowed_hosts = " ".join(self._get_allow_hosts(server, share_name))
backup_exports = [
'echo', "'%s'" % allowed_hosts, '|', 'sudo', 'tee',
maintenance_file
]
self._ssh_exec(server, backup_exports)
self._set_allow_hosts(server, [], share_name)
self._kick_out_users(server, share_name)
def _kick_out_users(self, server, share_name):
"""Kick out all users of share"""
(out, _) = self._ssh_exec(server, ['sudo', 'smbstatus', '-S'])
shares = []
header = True
regexp = r"^(?P<share>[^ ]+)\s+(?P<pid>[0-9]+)\s+(?P<machine>[^ ]+).*"
for line in out.splitlines():
line = line.strip()
if not header and line:
match = re.match(regexp, line)
if match:
shares.append(match.groupdict())
else:
raise exception.ShareBackendException(
msg="Failed to obtain smbstatus for %s!" % share_name)
elif line.startswith('----'):
header = False
to_kill = [s['pid'] for s in shares if
share_name == s['share'] or share_name is None]
if to_kill:
self._ssh_exec(server, ['sudo', 'kill', '-15'] + to_kill)
def restore_access_after_maintenance(self, server, share_name):
maintenance_file = self._get_maintenance_file_path(share_name)
(exports, __) = self._ssh_exec(server, ['cat', maintenance_file])
self._set_allow_hosts(server, exports.split(), share_name)
self._ssh_exec(server, ['sudo', 'rm', '-f', maintenance_file])
class CIFSHelperUserAccess(CIFSHelperIPAccess):
"""Manage shares in samba server by net conf tool.
Class provides functionality to operate with CIFS shares.
Samba server should be configured to use registry as configuration
backend to allow dynamically share managements. This class allows
to define access to shares by usernames with either RW or RO access levels.
"""
def __init__(self, *args):
super(CIFSHelperUserAccess, self).__init__(*args)
self.parameters = {
'browseable': 'yes',
'create mask': '0755',
'hosts allow': '0.0.0.0/0',
'read only': 'no',
}
def update_access(self, server, share_name, access_rules, add_rules,
delete_rules):
"""Update access rules for given share.
Please refer to base class for a more in-depth description. For this
specific implementation, add_rules and delete_rules parameters are not
used.
"""
all_users_rw = []
all_users_ro = []
self.validate_access_rules(
access_rules, ('user',),
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
for access in access_rules:
if access['access_level'] == const.ACCESS_LEVEL_RW:
all_users_rw.append(access['access_to'])
else:
all_users_ro.append(access['access_to'])
self._set_valid_users(
server, all_users_rw, share_name, const.ACCESS_LEVEL_RW)
self._set_valid_users(
server, all_users_ro, share_name, const.ACCESS_LEVEL_RO)
def _get_conf_param(self, access_level):
if access_level == const.ACCESS_LEVEL_RW:
return 'valid users'
else:
return 'read list'
def _set_valid_users(self, server, users, share_name, access_level):
value = ' '.join(users)
param = self._get_conf_param(access_level)
self._ssh_exec(server, ['sudo', 'net', 'conf', 'setparm', share_name,
param, value])