Bug 1917356
| Summary: | [RHOSP 16.1] manila with cephfs using nfs doesn't honor Squash = None provided in the ganesha export template during share creation | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Punit Kundal <pkundal> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Goutham Pacha Ravi <gouthamr> |
| Status: | CLOSED ERRATA | QA Contact: | lkuchlan <lkuchlan> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 16.1 (Train) | CC: | andeshmu, gfidente, gouthamr, jelynch, joflynn, mburns, vhariria, vimartin |
| Target Milestone: | z9 | Keywords: | Triaged |
| Target Release: | 16.1 (Train on RHEL 8.2) | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-heat-templates-11.3.2-1.20220412063950.29a02c1 | Doc Type: | Enhancement |
| Doc Text: |
With this update, director supports specifying overrides for NVSv4 ID mapping when using a CephFS-NFS back end with the Shared File Systems service (manila). Ceph-NFS with the Shared File Systems service only allows client access through NFSv4.1+. With NFSv4.1, usernames and group names are sent over the wire and translated by both the server and the client. Deployers might want to customize their domain settings to better represent organization users who can access Shared File Systems service shares from multiple clients. Director supports customizing NFS ID mapping settings through these parameters:
** ManilaCephFSNFSIdmapOverrides: Allows specifying configuration objects for override with the default idmapd.conf file used by the NFS service
** ManilaCephFSNFSIdmapConf: Allows specifying a custom idmapd.conf file for the NFS service
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-07 20:29:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1925646 | ||
| Bug Blocks: | |||
Tested using:
openstack-tripleo-heat-templates-11.3.2-1.20220114223343.29a02c1.el8ost
Verification steps:
1. Create a custom template file with the following content:
parameter_defaults:
ManilaCephFSNFSIdmapOverrides:
General:
Domain: "testing.openstack.com"
2. Add this template to overcloud_deploy.sh script and run it.
3. Create a manila share.
(overcloud) [stack@undercloud-0 ~]$ manila list --all
+--------------------------------------+-----------------------------------+------+-------------+-----------+-----------+-----------------+-------------------------+-------------------+----------------------------------+
| ID | Name | Size | Share Proto | Status | Is Public | Share Type Name | Host | Availability Zone | Project ID |
+--------------------------------------+-----------------------------------+------+-------------+-----------+-----------+-----------------+-------------------------+-------------------+----------------------------------+
| bded0a1b-eaf3-466d-ba43-2eb1537119ab | tempest-manila-scenario-848109445 | 1 | NFS | available | False | default | hostgroup@cephfs#cephfs | nova | d7ebefb6a5c84b2e8fdab5363487a503 |
+--------------------------------------+-----------------------------------+------+-------------+-----------+-----------+-----------------+-------------------------+-------------------+----------------------------------+
(overcloud) [stack@undercloud-0 ~]$ manila share-export-location-list bded0a1b-eaf3-466d-ba43-2eb1537119ab
+--------------------------------------+---------------------------------------------------------------------+-----------+
| ID | Path | Preferred |
+--------------------------------------+---------------------------------------------------------------------+-----------+
| 952d6ffe-4308-4e51-9b45-5ffd6fd96618 | 172.17.5.126:/volumes/_nogroup/ae23d763-9ea2-4f69-8910-b44e4d0d931b | False |
+--------------------------------------+---------------------------------------------------------------------+-----------+
4. Launch an instance.
(overcloud) [stack@undercloud-0 ~]$ nova list --all
+--------------------------------------+------------------------------------------------+----------------------------------+--------+------------+-------------+----------------------------------------------------------------------------------+
| ID | Name | Tenant ID | Status | Task State | Power State | Networks |
+--------------------------------------+------------------------------------------------+----------------------------------+--------+------------+-------------+----------------------------------------------------------------------------------+
| aaab5d42-2be1-420c-abe1-69d4b6661d57 | tempest-TestShareBasicOpsNFS-server-1447234543 | d7ebefb6a5c84b2e8fdab5363487a503 | ACTIVE | - | Running | StorageNFS=172.17.5.156; tempest-manila-share-1287646977=10.100.0.26, 10.0.0.245 |
+--------------------------------------+------------------------------------------------+----------------------------------+--------+------------+-------------+----------------------------------------------------------------------------------+
5. Allow access to the share.
(overcloud) [stack@undercloud-0 ~]$ manila access-list bded0a1b-eaf3-466d-ba43-2eb1537119ab
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| id | access_type | access_to | access_level | state | access_key | created_at | updated_at |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| 182526b8-9e37-4e89-9eec-eb6c7a8f53c5 | ip | 172.17.5.156 | rw | active | None | 2022-02-15T10:04:34.000000 | None |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
6. Perform ssh to the instance.
7. Mount the share.
[manila@tempest-testsharebasicopsnfs-server-1447234543 ~]$ mount | grep 172.17.5.126
172.17.5.126:/volumes/_nogroup/ae23d763-9ea2-4f69-8910-b44e4d0d931b on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=172.17.5.156,local_lock=none,addr=172.17.5.126)
8. Set the hostname in the client VM to match the domain we set above:
[manila@tempest-testsharebasicopsnfs-server-1447234543 ~]$ sudo hostnamectl set-hostname --transient myserver.testing.openstack.com
9. Verify the files are now owned by the user that created them:
[manila@tempest-testsharebasicopsnfs-server-1447234543 ~]$ cd /mnt
[manila@tempest-testsharebasicopsnfs-server-1447234543 mnt]$ sudo touch file1
[manila@tempest-testsharebasicopsnfs-server-1447234543 mnt]$ ll
totale 0
-rw-r--r--. 1 nobody nobody 0 16 feb 09.27 file1
Tested using: openstack-tripleo-heat-templates-11.3.2-1.20221013153259.el8ost.noarch Verification results: [manila@myserver3 mnt]$ sudo hostnamectl set-hostname myserver.test.open.com [manila@myserver ~]$ cd /mnt/ [manila@myserver mnt]$ touch file1 [manila@myserver mnt]$ sudo touch file2 [manila@myserver mnt]$ ll totale 0 -rw-rw-r--. 1 manila manila 0 17 nov 05.30 file1 -rw-r--r--. 1 root root 0 17 nov 05.30 file2 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8796 |
Description of problem: while creating a share in manila; we can see that ganesha export template contains Squash = None; although after mounting the share on client; we can see that any file created by the root user on the client is owned by the nobody user: create a share in manila; allow access to an ip address: +++ (overcloud) [stack@undercloud16 ~]$ manila access-allow share2 ip 172.16.70.21 +--------------+--------------------------------------+ | Property | Value | +--------------+--------------------------------------+ | id | dbdb9211-d85e-49c7-9174-caecc95deac0 | | share_id | ae0f39b9-f1dd-425d-8239-9a727fdb01ed | | access_level | rw | | access_to | 172.16.70.21 | | access_type | ip | | state | queued_to_apply | | access_key | None | | created_at | 2021-01-14T16:03:01.000000 | | updated_at | None | | metadata | {} | +--------------+--------------------------------------+ (overcloud) [stack@undercloud16 ~]$ manila show ae0f39b9-f1dd-425d-8239-9a727fdb01ed +---------------------------------------+---------------------------------------------------------------------------+ | Property | Value | +---------------------------------------+---------------------------------------------------------------------------+ | id | ae0f39b9-f1dd-425d-8239-9a727fdb01ed | | size | 5 | | availability_zone | nova | | created_at | 2021-01-14T16:01:58.000000 | | status | available | | name | share2 | | description | None | | project_id | 66fef91762434f83ae82beaab658a219 | | snapshot_id | None | | share_network_id | None | | share_proto | NFS | | metadata | {} | | share_type | 57e6d5fb-fd86-4c38-a493-6d220d3fc579 | | is_public | False | | snapshot_support | False | | task_state | None | | share_type_name | default | | access_rules_status | active | | replication_type | None | | has_replicas | False | | user_id | b4b5f09744c84ed8a20eeacb75d702dc | | create_share_from_snapshot_support | False | | revert_to_snapshot_support | False | | share_group_id | None | | source_share_group_snapshot_member_id | None | | mount_snapshot_support | False | | share_server_id | None | | host | hostgroup@cephfs#cephfs | | export_locations | | | | id = 56167427-10ff-4f4c-a02a-d39916b4010d | | | path = 172.16.70.9:/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9 | | | preferred = False | | | share_instance_id = 452a7159-d1d7-4b19-89e8-801eb17619c9 | | | is_admin_only = False | +---------------------------------------+---------------------------------------------------------------------------+ +++ from the logs we can see that manila adds a export template: +++ 2021-01-14 16:03:03.854 43 DEBUG ceph_volume_client [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] Authorizing Ceph id 'ganesha-452a7159-d1d7-4b19-89e8-801eb17619c9' for path '/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9' _authorize_ceph /usr/lib/python3.6/site-packages/ceph_volume_client.py:1074 2021-01-14 16:03:04.332 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] Running cmd (subprocess): mktemp -p /etc/ganesha/export.d -t share-452a7159-d1d7-4b19-89e8-801eb17619c9.conf.XXXXXX execute /usr/lib/python3.6/site-packages/oslo_concurrency/processutils.py:372 2021-01-14 16:03:04.371 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] CMD "mktemp -p /etc/ganesha/export.d -t share-452a7159-d1d7-4b19-89e8-801eb17619c9.conf.XXXXXX" returned: 0 in 0.039s execute /usr/lib/python3.6/site-packages/oslo_concurrency/processutils.py:409 2021-01-14 16:03:04.377 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] Running cmd (subprocess): sh -c echo 'EXPORT { Export_Id = 1003; Path = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9"; FSAL { Name = "Ceph"; User_Id = "ganesha-452a7159-d1d7-4b19-89e8-801eb17619c9"; Secret_Access_Key = "AQA3awBgBY1zMxAAkXeV3zDcsZyoy+AfFuzXjw=="; } Pseudo = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9"; SecType = "sys"; Tag = "share-452a7159-d1d7-4b19-89e8-801eb17619c9"; CLIENT { Access_Type = "rw"; Clients = 172.16.70.21; } Squash = "None"; } ' > /etc/ganesha/export.d/share-452a7159-d1d7-4b19-89e8-801eb17619c9.conf.gkHhtg execute /usr/lib/python3.6/site-packages/oslo_concurrency/processutils.py:372 2021-01-14 16:03:04.402 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] CMD "sh -c echo 'EXPORT { Export_Id = 1003; Path = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9"; FSAL { Name = "Ceph"; User_Id = "ganesha-452a7159-d1d7-4b19-89e8-801eb17619c9"; Secret_Access_Key = "AQA3awBgBY1zMxAAkXeV3zDcsZyoy+AfFuzXjw=="; } Pseudo = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9"; SecType = "sys"; Tag = "share-452a7159-d1d7-4b19-89e8-801eb17619c9"; CLIENT { Access_Type = "rw"; Clients = 172.16.70.21; } Squash = "None"; } +++ We can see that it shoudn't set root user to nobody on the client because the parameter is passed in the ganesha config +++ [root@localhost ~]# mount -v 172.16.70.9:/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9 /mnt/ mount.nfs: timeout set for Thu Jan 14 11:08:17 2021 mount.nfs: trying text-based options 'vers=4.1,addr=172.16.70.9,clientaddr=172.16.70.21' [root@localhost ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/vda1 7.9G 945M 6.9G 12% / devtmpfs 897M 0 897M 0% /dev tmpfs 919M 0 919M 0% /dev/shm tmpfs 919M 17M 903M 2% /run tmpfs 919M 0 919M 0% /sys/fs/cgroup tmpfs 184M 0 184M 0% /run/user/0 172.16.70.9:/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9 5.0G 0 5.0G 0% /mnt [root@localhost ~]# cd /mnt/ [root@localhost mnt]# ls -la total 1 drwxr-xr-x. 2 nobody nobody 0 Jan 14 11:01 . dr-xr-xr-x. 17 root root 224 Oct 10 2018 .. [root@localhost mnt]# touch test1 [root@localhost mnt]# ls -la total 1 drwxr-xr-x. 2 nobody nobody 0 Jan 14 11:06 . dr-xr-xr-x. 17 root root 224 Oct 10 2018 .. -rw-r--r--. 1 nobody nobody 0 Jan 14 11:06 test1 [root@localhost mnt]# +++ even if we try starting up the nfs-idmap service on the client and remount the share; it still has the same Version-Release number of selected component (if applicable): +++ [root@overcloud-controller-0 ~]# podman ps | grep -i manila b04b24c0ee4c undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-share:16.1 /bin/bash /usr/lo... 3 days ago Up 3 days ago openstack-manila-share-podman-0 f739fd54b19f undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-scheduler:16.1 kolla_start 5 days ago Up 5 days ago manila_scheduler d3bf4052367d undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-api:16.1 kolla_start 5 days ago Up 5 days ago manila_api [root@overcloud-controller-0 ~]# podman images | grep -i manila undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-api 16.1 6dc72f5e58bf 4 weeks ago 853 MB undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-share 16.1 83db86aa3a30 4 weeks ago 1.05 GB cluster.common.tag/openstack-manila-share pcmklatest 83db86aa3a30 4 weeks ago 1.05 GB undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-scheduler 16.1 431ea55ceaa1 4 weeks ago 801 MB [root@overcloud-controller-0 ~]# podman image inspect 83db86aa3a30 | grep -e version -e tag "cluster.common.tag/openstack-manila-share:pcmklatest" "cluster.common.tag/openstack-manila-share@sha256:50efd71a9e26dbe4aa6a7ba421ef47147babc8e79a696239855ed808fe4a042d", "io.openshift.tags": "rhosp osp openstack osp-16.1", "version": "16.1.3" "io.openshift.tags": "rhosp osp openstack osp-16.1", "version": "16.1.3" +++ How reproducible: Always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: