Bug 1351170 - Fix CephFS client eviction
Summary: Fix CephFS client eviction
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-manila
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ga
: 9.0 (Mitaka)
Assignee: Tom Barron
QA Contact: Dustin Schoenbrun
Don Domingo
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-29 11:53 UTC by Tom Barron
Modified: 2016-08-24 12:55 UTC (History)
4 users (show)

Fixed In Version: openstack-manila-2.0.0-4.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, when the CephFS native driver was configured for OpenStack File Share service (manila), denying access of a Ceph auth ID to a share was supposed to evict the client based on the auth ID and the share accessed. However, the driver invoked the 'ceph_volume_client' library evict function method incorrectly and the clients using the ID continued to have access to the share. With this update, the calling signature for the 'ceph_volume_client' library evict method in the OpenStack File Share service CephFS native driver has been corrected. As a result, when access to a share is denied for a Ceph auth ID, clients using that ID are no longer able to access that share.
Clone Of:
Environment:
Last Closed: 2016-08-24 12:55:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1567298 0 None None None 2016-06-29 11:53:02 UTC
OpenStack gerrit 304766 0 None MERGED cephfs_native: Fix client eviction 2021-02-04 16:30:45 UTC
OpenStack gerrit 327951 0 None MERGED cephfs_native: Fix client eviction 2021-02-04 16:30:44 UTC
Red Hat Product Errata RHEA-2016:1761 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 9 General Availability Advisory 2016-08-24 16:49:52 UTC

Description Tom Barron 2016-06-29 11:53:03 UTC 
When the CephFS native driver is configured for manila,
denying access of a ceph auth ID to a share is supposed to evict
the client based on the auth ID and the share accessed. Currently,
the driver tries to do this by incorrectly [1] using CephFSVolumeClient.evict() (part of of a Ceph library module), which
itself does not yet evict clients based on auth ID and
path accessed [2].

Fix: Wait for the relevant ceph_volume_client library change, and based
     on the change evict clients correctly when denying access.

[1] https://github.com/openstack/manila/commit/cbb316babf1648f46c7e31e6415470df29dd5377#diff-4256e8eb2400d0325fe689bc36010201R230

[2] http://tracker.ceph.com/issues/15045
Comment 6 Dustin Schoenbrun 2016-08-11 20:16:57 UTC 
I was able to test this against the following packages:

-- OpenStack Server --
openstack-manila-2.0.0-4.el7ost.noarch
python-manilaclient-1.8.1-1.el7ost.noarch
python-manila-2.0.0-4.el7ost.noarch
openstack-manila-share-2.0.0-4.el7ost.noarch

-- Fedora 24 Ceph Client --
ceph-fuse-10.2.2-2.fc24.x86_64

-- Ceph Cluster --
ceph-selinux-10.2.2-32.el7cp.x86_64
ceph-ansible-1.0.5-31.el7scon.noarch
libcephfs1-10.2.2-32.el7cp.x86_64
ceph-common-10.2.2-32.el7cp.x86_64
ceph-base-10.2.2-32.el7cp.x86_64
ceph-mon-10.2.2-32.el7cp.x86_64
ceph-release-1-1.el7.noarch
python-cephfs-10.2.2-32.el7cp.x86_64
ceph-mds-10.2.2-32.el7cp.x86_64
ceph-osd-10.2.2-32.el7cp.x86_64

I was able to create a Manila share, allow access to a Cephx identity, and then delete the share without any issue. I was also able to create a Manila share, allow access to a Cephx identity, mount the share on the Fedora host, and then delete the share without it becoming stuck in "deleting" status. The mount point will remain on the Fedora host and queries to the mount point will hang, but the mount point can be forcibly removed with "umount -f <mount_point>" without issue.
Comment 8 errata-xmlrpc 2016-08-24 12:55:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1761.html
Note You need to log in before you can comment on or make changes to this bug.