From 699bc9ce333c9be5b6dc030e1dad6c959841ba9e Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Thu, 4 May 2017 12:09:14 -0400
Subject: [PATCH] Add support for Cinder "NAS secure" driver params
Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values.
Partial-Bug: #1688332
Change-Id: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
(cherry picked from commit 02e29ba67dbeceac3d9027686e86fbf9aa3ac51b)
---
 manifests/backend/netapp.pp | 21 ++++++
 manifests/backend/nfs.pp | 67 +++++++++++++------
 ...as_secure_parameters-780423667cda878a.yaml | 5 ++
 spec/defines/cinder_backend_netapp_spec.rb | 2 +
 spec/defines/cinder_backend_nfs_spec.rb | 24 ++++---
 5 files changed, 88 insertions(+), 31 deletions(-)
 create mode 100644 releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
diff --git a/manifests/backend/netapp.pp b/manifests/backend/netapp.pp
index 9f13a5ad..c63a9578 100644
--- a/manifests/backend/netapp.pp
+++ b/manifests/backend/netapp.pp
@@ -147,6 +147,23 @@
 # application.
 # Defaults to '/devmgr/v2'
 #
+# [*nas_secure_file_operations*]
+# (Optional) Allow network-attached storage systems to operate in a secure
+# environment where root level access is not permitted. If set to False,
+# access is as the root user and insecure. If set to True, access is not as
+# root. If set to auto, a check is done to determine if this is a new
+# installation: True is used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
+# [*nas_secure_file_permissions*]
+# (Optional) Set more secure file permissions on network-attached storage
+# volume files to restrict broad other/world access. If set to False,
+# volumes are created with open permissions. If set to True, volumes are
+# created with permissions for the cinder user and group (660). If set to
+# auto, a check is done to determine if this is a new installation: True is
+# used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
 # [*manage_volume_type*]
 # (Optional) Whether or not manage Cinder Volume type.
 # If set to true, a Cinde Volume type will be created
@@ -228,6 +245,8 @@ define cinder::backend::netapp (
 $manage_volume_type = false,
 $extra_options = {},
 $netapp_pool_name_search_pattern = '(.+)',
+ $nas_secure_file_operations = $::os_service_default,
+ $nas_secure_file_permissions = $::os_service_default,
 # DEPRECATED PARAMETERS
 $netapp_eseries_host_type = undef,
 $netapp_storage_pools = undef,
@@ -290,6 +309,8 @@ define cinder::backend::netapp (
 "${name}/netapp_pool_name_search_pattern": value => $netapp_pool_name_search_pattern_real;
 "${name}/netapp_host_type": value => $netapp_host_type_real;
 "${name}/netapp_webservice_path": value => $netapp_webservice_path;
+ "${name}/nas_secure_file_operations": value => $nas_secure_file_operations;
+ "${name}/nas_secure_file_permissions": value => $nas_secure_file_permissions;
 }

 if $manage_volume_type {
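Review bot: The parameter docs added here (and identically in the nfs.pp hunk that follows) describe `auto` as choosing False on anything that is not a fresh installation, yet the module default of `$::os_service_default` leaves exactly that driver-side detection in charge, so an upgraded deployment silently keeps root-level file operations and open volume-file permissions. I would add to both `[*nas_secure_file_operations*]` and `[*nas_secure_file_permissions*]` a sentence such as `# Note: with auto an existing deployment keeps the insecure (False) behaviour; hardened deployments should set this explicitly to True.` Separately, the second hunk appends the two parameters after `$netapp_pool_name_search_pattern` while their docs are placed before `[*manage_volume_type*]`; nfs.pp keeps doc and signature order in agreement, and moving them before `$manage_volume_type` here would do the same.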
diff --git a/manifests/backend/nfs.pp b/manifests/backend/nfs.pp
index ceb92da9..5587d687 100644
--- a/manifests/backend/nfs.pp
+++ b/manifests/backend/nfs.pp
@@ -49,6 +49,23 @@
 # longer be valid.
 # Defaults to $::os_service_default
 #
+# [*nas_secure_file_operations*]
+# (Optional) Allow network-attached storage systems to operate in a secure
+# environment where root level access is not permitted. If set to False,
+# access is as the root user and insecure. If set to True, access is not as
+# root. If set to auto, a check is done to determine if this is a new
+# installation: True is used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
+# [*nas_secure_file_permissions*]
+# (Optional) Set more secure file permissions on network-attached storage
+# volume files to restrict broad other/world access. If set to False,
+# volumes are created with open permissions. If set to True, volumes are
+# created with permissions for the cinder user and group (660). If set to
+# auto, a check is done to determine if this is a new installation: True is
+# used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
 # [*manage_volume_type*]
 # (Optional) Whether or not manage Cinder Volume type.
 # If set to true, a Cinde Volume type will be created
@@ -62,18 +79,20 @@
 # { 'nfs_backend/param1' => { 'value' => value1 } }
 #
 define cinder::backend::nfs (
- $volume_backend_name = $name,
- $nfs_servers = [],
- $nfs_mount_attempts = $::os_service_default,
- $nfs_mount_options = $::os_service_default,
- $nfs_disk_util = $::os_service_default,
- $nfs_sparsed_volumes = $::os_service_default,
- $nfs_mount_point_base = $::os_service_default,
- $nfs_shares_config = '/etc/cinder/shares.conf',
- $nfs_used_ratio = $::os_service_default,
- $nfs_oversub_ratio = $::os_service_default,
- $manage_volume_type = false,
- $extra_options = {},
+ $volume_backend_name = $name,
+ $nfs_servers = [],
+ $nfs_mount_attempts = $::os_service_default,
+ $nfs_mount_options = $::os_service_default,
+ $nfs_disk_util = $::os_service_default,
+ $nfs_sparsed_volumes = $::os_service_default,
+ $nfs_mount_point_base = $::os_service_default,
+ $nfs_shares_config = '/etc/cinder/shares.conf',
+ $nfs_used_ratio = $::os_service_default,
+ $nfs_oversub_ratio = $::os_service_default,
+ $nas_secure_file_operations = $::os_service_default,
+ $nas_secure_file_permissions = $::os_service_default,
+ $manage_volume_type = false,
+ $extra_options = {},
 ) {

 include ::cinder::deps
@@ -85,17 +104,21 @@ define cinder::backend::nfs (
 }

 cinder_config {
- "${name}/volume_backend_name": value => $volume_backend_name;
- "${name}/volume_driver": value =>
+ "${name}/volume_backend_name": value => $volume_backend_name;
+ "${name}/volume_driver": value =>
 'cinder.volume.drivers.nfs.NfsDriver';
- "${name}/nfs_shares_config": value => $nfs_shares_config;
- "${name}/nfs_mount_attempts": value => $nfs_mount_attempts;
- "${name}/nfs_mount_options": value => $nfs_mount_options;
- "${name}/nfs_disk_util": value => $nfs_disk_util;
- "${name}/nfs_sparsed_volumes": value => $nfs_sparsed_volumes;
- "${name}/nfs_mount_point_base": value => $nfs_mount_point_base;
- "${name}/nfs_used_ratio": value => $nfs_used_ratio;
- "${name}/nfs_oversub_ratio": value => $nfs_oversub_ratio;
+ "${name}/nfs_shares_config": value => $nfs_shares_config;
+ "${name}/nfs_mount_attempts": value => $nfs_mount_attempts;
+ "${name}/nfs_mount_options": value => $nfs_mount_options;
+ "${name}/nfs_disk_util": value => $nfs_disk_util;
+ "${name}/nfs_sparsed_volumes": value => $nfs_sparsed_volumes;
+ "${name}/nfs_mount_point_base": value => $nfs_mount_point_base;
+ "${name}/nfs_used_ratio": value => $nfs_used_ratio;
+ "${name}/nfs_oversub_ratio": value => $nfs_oversub_ratio;
+ "${name}/nas_secure_file_operations": value =>
+ $nas_secure_file_operations;
+ "${name}/nas_secure_file_permissions": value =>
+ $nas_secure_file_permissions;
 }

 if $manage_volume_type {
diff --git a/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml b/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
new file mode 100644
index 00000000..1be3f97b
--- /dev/null
+++ b/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Add new "nas_secure_file_operations" and "nas_secure_file_permissions"
+ parameters for controlling the similarly named settings in the NFS and
+ NetApp driver back ends.
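Review bot: The two new `cinder_config` entries (and the matching pair in the netapp.pp hunk) write whatever string the caller passes, with no catalog-time check that it is one of the three values the docs describe (auto, True, False) or the service-default sentinel. A misspelled value such as `'ture'` (constructed example) is therefore accepted by Puppet and lands in cinder.conf, and how the driver then interprets an unrecognised value is outside what this patch shows, so a typo in a security-sensitive setting can go unnoticed. I would reject unrecognised values before the `cinder_config` block, for instance a case-insensitive comparison of each parameter against `['auto', 'true', 'false']` that is skipped when the value is `$::os_service_default`, and `fail()` otherwise. The body of `cinder::backend::nfs` begins outside this hunk.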
diff --git a/spec/defines/cinder_backend_netapp_spec.rb b/spec/defines/cinder_backend_netapp_spec.rb
index 670ac3e8..ef895995 100644
--- a/spec/defines/cinder_backend_netapp_spec.rb
+++ b/spec/defines/cinder_backend_netapp_spec.rb
@@ -36,6 +36,8 @@ describe 'cinder::backend::netapp' do
 :nfs_shares_config => '/etc/cinder/shares.conf',
 :nfs_mount_options => '',
 :netapp_webservice_path => '/devmgr/v2',
+ :nas_secure_file_operations => '',
+ :nas_secure_file_permissions => '',
 }
 end

diff --git a/spec/defines/cinder_backend_nfs_spec.rb b/spec/defines/cinder_backend_nfs_spec.rb
index 5ee02174..f0aa8e13 100644
--- a/spec/defines/cinder_backend_nfs_spec.rb
+++ b/spec/defines/cinder_backend_nfs_spec.rb
@@ -6,15 +6,17 @@ describe 'cinder::backend::nfs' do

 let :params do
 {
- :nfs_servers => ['10.10.10.10:/shares', '10.10.10.10:/shares2'],
- :nfs_mount_attempts => '4',
- :nfs_mount_options => 'vers=3',
- :nfs_shares_config => '/etc/cinder/other_shares.conf',
- :nfs_disk_util => 'du',
- :nfs_sparsed_volumes => true,
- :nfs_mount_point_base => '/cinder_mount_point',
- :nfs_used_ratio => '0.7',
- :nfs_oversub_ratio => '0.9'
+ :nfs_servers => ['10.10.10.10:/shares', '10.10.10.10:/shares2'],
+ :nfs_mount_attempts => '4',
+ :nfs_mount_options => 'vers=3',
+ :nfs_shares_config => '/etc/cinder/other_shares.conf',
+ :nfs_disk_util => 'du',
+ :nfs_sparsed_volumes => true,
+ :nfs_mount_point_base => '/cinder_mount_point',
+ :nfs_used_ratio => '0.7',
+ :nfs_oversub_ratio => '0.9',
+ :nas_secure_file_operations => 'auto',
+ :nas_secure_file_permissions => 'false',
 }
 end

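Review bot: The netapp spec hunk adds the two new keys with empty-string values, whereas the nfs spec hunk at the same position uses `'auto'`/`'false'`; if this hash is compared against the generated `cinder_config` resources (the expectations are outside the hunk), the netapp case only asserts that an empty `nas_secure_file_operations=` line is written rather than a meaningful setting. Neither spec exercises the `$::os_service_default` default that both defines use, so a regression in the default handling of these security-relevant options would go uncaught. I would use real values here as in the nfs spec, `:nas_secure_file_operations => 'auto',` and `:nas_secure_file_permissions => 'false',`, and add one example per define that omits both parameters and asserts the value written for `$::os_service_default`.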
@@ -41,6 +43,10 @@ describe 'cinder::backend::nfs' do
 '0.7')
 is_expected.to contain_cinder_config('hippo/nfs_oversub_ratio').with_value(
 '0.9')
+ is_expected.to contain_cinder_config('hippo/nas_secure_file_operations').with_value(
+ 'auto')
+ is_expected.to contain_cinder_config('hippo/nas_secure_file_permissions').with_value(
+ 'false')
 is_expected.to contain_file('/etc/cinder/other_shares.conf').with(
 :content => "10.10.10.10:/shares\n10.10.10.10:/shares2",
 :require => 'Anchor[cinder::install::end]',