Bug 1917356 - [RHOSP 16.1] manila with cephfs using nfs doesn't honor Squash = None provided in the ganesha export template during share creation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z9
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Goutham Pacha Ravi
QA Contact: lkuchlan
URL:
Whiteboard:
Depends On: 1925646
Blocks:
 
Reported: 2021-01-18 10:54 UTC by Punit Kundal
Modified: 2024-03-25 17:52 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20220412063950.29a02c1
Doc Type: Enhancement
Doc Text:
With this update, director supports specifying overrides for NFSv4 ID mapping when using a CephFS-NFS back end with the Shared File Systems service (manila). Ceph-NFS with the Shared File Systems service only allows client access through NFSv4.1+. With NFSv4.1, usernames and group names are sent over the wire and translated by both the server and the client. Deployers might want to customize their domain settings to better represent organization users who can access Shared File Systems service shares from multiple clients. Director supports customizing NFS ID mapping settings through these parameters:
** ManilaCephFSNFSIdmapOverrides: Allows specifying configuration objects that override the default idmapd.conf file used by the NFS service
** ManilaCephFSNFSIdmapConf: Allows specifying a custom idmapd.conf file for the NFS service
Clone Of:
Environment:
Last Closed: 2022-12-07 20:29:17 UTC
Target Upstream Version:
Embargoed:




Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | ceph ceph-ansible pull 6338/ | 0 | None | None | None | 2021-10-05 15:59:09 UTC |
| OpenStack gerrit | 796076 | 0 | None | MERGED | set ganesha idmap.conf file path and overrides | 2021-06-15 00:57:19 UTC |
| OpenStack gerrit | 831410 | 0 | None | MERGED | Fix attr corresponding to ManilaCephFSNFSIdmapOverrides | 2022-05-11 18:12:21 UTC |
| Red Hat Issue Tracker | OSP-3336 | 0 | None | None | None | 2021-11-18 14:24:31 UTC |
| Red Hat Product Errata | RHSA-2022:8796 | 0 | None | None | None | 2022-12-07 20:29:37 UTC |

Description Punit Kundal 2021-01-18 10:54:31 UTC
Description of problem:

While creating a share in manila, we can see that the ganesha export template contains Squash = None; however, after mounting the share on the client, we can see that any file created by the root user on the client is owned by the nobody user:

Create a share in manila; allow access to an IP address:

+++
(overcloud) [stack@undercloud16 ~]$ manila access-allow share2 ip 172.16.70.21
    +--------------+--------------------------------------+
    | Property     | Value                                |
    +--------------+--------------------------------------+
    | id           | dbdb9211-d85e-49c7-9174-caecc95deac0 |
    | share_id     | ae0f39b9-f1dd-425d-8239-9a727fdb01ed |
    | access_level | rw                                   |
    | access_to    | 172.16.70.21                         |
    | access_type  | ip                                   |
    | state        | queued_to_apply                      |
    | access_key   | None                                 |
    | created_at   | 2021-01-14T16:03:01.000000           |
    | updated_at   | None                                 |
    | metadata     | {}                                   |
    +--------------+--------------------------------------+
 
    (overcloud) [stack@undercloud16 ~]$ manila show ae0f39b9-f1dd-425d-8239-9a727fdb01ed
    +---------------------------------------+---------------------------------------------------------------------------+
    | Property                              | Value                                                                     |
    +---------------------------------------+---------------------------------------------------------------------------+
    | id                                    | ae0f39b9-f1dd-425d-8239-9a727fdb01ed                                      |
    | size                                  | 5                                                                         |
    | availability_zone                     | nova                                                                      |
    | created_at                            | 2021-01-14T16:01:58.000000                                                |
    | status                                | available                                                                 |
    | name                                  | share2                                                                    |
    | description                           | None                                                                      |
    | project_id                            | 66fef91762434f83ae82beaab658a219                                          |
    | snapshot_id                           | None                                                                      |
    | share_network_id                      | None                                                                      |
    | share_proto                           | NFS                                                                       |
    | metadata                              | {}                                                                        |
    | share_type                            | 57e6d5fb-fd86-4c38-a493-6d220d3fc579                                      |
    | is_public                             | False                                                                     |
    | snapshot_support                      | False                                                                     |
    | task_state                            | None                                                                      |
    | share_type_name                       | default                                                                   |
    | access_rules_status                   | active                                                                    |
    | replication_type                      | None                                                                      |
    | has_replicas                          | False                                                                     |
    | user_id                               | b4b5f09744c84ed8a20eeacb75d702dc                                          |
    | create_share_from_snapshot_support    | False                                                                     |
    | revert_to_snapshot_support            | False                                                                     |
    | share_group_id                        | None                                                                      |
    | source_share_group_snapshot_member_id | None                                                                      |
    | mount_snapshot_support                | False                                                                     |
    | share_server_id                       | None                                                                      |
    | host                                  | hostgroup@cephfs#cephfs                                                   |
    | export_locations                      |                                                                           |
    |                                       | id = 56167427-10ff-4f4c-a02a-d39916b4010d                                 |
    |                                       | path = 172.16.70.9:/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9 |
    |                                       | preferred = False                                                         |
    |                                       | share_instance_id = 452a7159-d1d7-4b19-89e8-801eb17619c9                  |
    |                                       | is_admin_only = False                                                     |
    +---------------------------------------+---------------------------------------------------------------------------+
+++

From the logs we can see that manila adds an export template:

+++
    2021-01-14 16:03:03.854 43 DEBUG ceph_volume_client [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] Authorizing Ceph id 'ganesha-452a7159-d1d7-4b19-89e8-801eb17619c9' for path '/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9' _authorize_ceph /usr/lib/python3.6/site-packages/ceph_volume_client.py:1074
    2021-01-14 16:03:04.332 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] Running cmd (subprocess): mktemp -p /etc/ganesha/export.d -t share-452a7159-d1d7-4b19-89e8-801eb17619c9.conf.XXXXXX execute /usr/lib/python3.6/site-packages/oslo_concurrency/processutils.py:372
    2021-01-14 16:03:04.371 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] CMD "mktemp -p /etc/ganesha/export.d -t share-452a7159-d1d7-4b19-89e8-801eb17619c9.conf.XXXXXX" returned: 0 in 0.039s execute /usr/lib/python3.6/site-packages/oslo_concurrency/processutils.py:409
    2021-01-14 16:03:04.377 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] Running cmd (subprocess): sh -c echo 'EXPORT {
        Export_Id = 1003;
        Path = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9";
        FSAL {
            Name = "Ceph";
            User_Id = "ganesha-452a7159-d1d7-4b19-89e8-801eb17619c9";
            Secret_Access_Key = "AQA3awBgBY1zMxAAkXeV3zDcsZyoy+AfFuzXjw==";
        }
        Pseudo = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9";
        SecType = "sys";
        Tag = "share-452a7159-d1d7-4b19-89e8-801eb17619c9";
        CLIENT {
            Access_Type = "rw";
            Clients = 172.16.70.21;
        }
     
        Squash = "None";
    }
    ' > /etc/ganesha/export.d/share-452a7159-d1d7-4b19-89e8-801eb17619c9.conf.gkHhtg execute /usr/lib/python3.6/site-packages/oslo_concurrency/processutils.py:372
    2021-01-14 16:03:04.402 43 DEBUG oslo_concurrency.processutils [req-878e689c-1a45-4774-877b-6b9fd4377ba8 b4b5f09744c84ed8a20eeacb75d702dc 66fef91762434f83ae82beaab658a219 - - -] CMD "sh -c echo 'EXPORT {
        Export_Id = 1003;
        Path = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9";
        FSAL {
            Name = "Ceph";
            User_Id = "ganesha-452a7159-d1d7-4b19-89e8-801eb17619c9";
            Secret_Access_Key = "AQA3awBgBY1zMxAAkXeV3zDcsZyoy+AfFuzXjw==";
        }
        Pseudo = "/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9";
        SecType = "sys";
        Tag = "share-452a7159-d1d7-4b19-89e8-801eb17619c9";
        CLIENT {
            Access_Type = "rw";
            Clients = 172.16.70.21;
        }
     
        Squash = "None";
    }
+++

We can see that it shouldn't set root user to nobody on the client because the parameter is passed in the ganesha config


+++
 [root@localhost ~]# mount -v 172.16.70.9:/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9 /mnt/
    mount.nfs: timeout set for Thu Jan 14 11:08:17 2021
    mount.nfs: trying text-based options 'vers=4.1,addr=172.16.70.9,clientaddr=172.16.70.21'
    [root@localhost ~]# df -h
    Filesystem                                                          Size  Used Avail Use% Mounted on
    /dev/vda1                                                           7.9G  945M  6.9G  12% /
    devtmpfs                                                            897M     0  897M   0% /dev
    tmpfs                                                               919M     0  919M   0% /dev/shm
    tmpfs                                                               919M   17M  903M   2% /run
    tmpfs                                                               919M     0  919M   0% /sys/fs/cgroup
    tmpfs                                                               184M     0  184M   0% /run/user/0
    172.16.70.9:/volumes/_nogroup/452a7159-d1d7-4b19-89e8-801eb17619c9  5.0G     0  5.0G   0% /mnt
    [root@localhost ~]# cd /mnt/
    [root@localhost mnt]# ls -la
    total 1
    drwxr-xr-x.  2 nobody nobody   0 Jan 14 11:01 .
    dr-xr-xr-x. 17 root   root   224 Oct 10  2018 ..
    [root@localhost mnt]# touch test1
    [root@localhost mnt]# ls -la
    total 1
    drwxr-xr-x.  2 nobody nobody   0 Jan 14 11:06 .
    dr-xr-xr-x. 17 root   root   224 Oct 10  2018 ..
    -rw-r--r--.  1 nobody nobody   0 Jan 14 11:06 test1
    [root@localhost mnt]#
+++

even if we try starting up the nfs-idmap service on the client and remount the share; it still has the same



Version-Release number of selected component (if applicable):

+++
[root@overcloud-controller-0 ~]# podman ps | grep -i manila
b04b24c0ee4c  undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-share:16.1            /bin/bash /usr/lo...  3 days ago  Up 3 days ago         openstack-manila-share-podman-0
f739fd54b19f  undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-scheduler:16.1        kolla_start           5 days ago  Up 5 days ago         manila_scheduler
d3bf4052367d  undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-api:16.1              kolla_start           5 days ago  Up 5 days ago         manila_api
[root@overcloud-controller-0 ~]# podman images | grep -i manila
undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-api               16.1         6dc72f5e58bf   4 weeks ago   853 MB
undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-share             16.1         83db86aa3a30   4 weeks ago   1.05 GB
cluster.common.tag/openstack-manila-share                                               pcmklatest   83db86aa3a30   4 weeks ago   1.05 GB
undercloud16.ctlplane.rhlab2961.com:8787/rhosp-rhel8/openstack-manila-scheduler         16.1         431ea55ceaa1   4 weeks ago   801 MB
[root@overcloud-controller-0 ~]# podman image inspect 83db86aa3a30 | grep -e version -e tag
            "cluster.common.tag/openstack-manila-share:pcmklatest"
            "cluster.common.tag/openstack-manila-share@sha256:50efd71a9e26dbe4aa6a7ba421ef47147babc8e79a696239855ed808fe4a042d",
                "io.openshift.tags": "rhosp osp openstack osp-16.1",
                "version": "16.1.3"
            "io.openshift.tags": "rhosp osp openstack osp-16.1",
            "version": "16.1.3"
+++

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 27 lkuchlan 2022-02-16 14:29:09 UTC
Tested using:
openstack-tripleo-heat-templates-11.3.2-1.20220114223343.29a02c1.el8ost

Verification steps:

1. Create a custom template file with the following content:
parameter_defaults:
  ManilaCephFSNFSIdmapOverrides:
    General:
      Domain: "testing.openstack.com"

2. Add this template to overcloud_deploy.sh script and run it.

3. Create a manila share.
(overcloud) [stack@undercloud-0 ~]$ manila list --all
+--------------------------------------+-----------------------------------+------+-------------+-----------+-----------+-----------------+-------------------------+-------------------+----------------------------------+
| ID                                   | Name                              | Size | Share Proto | Status    | Is Public | Share Type Name | Host                    | Availability Zone | Project ID                       |
+--------------------------------------+-----------------------------------+------+-------------+-----------+-----------+-----------------+-------------------------+-------------------+----------------------------------+
| bded0a1b-eaf3-466d-ba43-2eb1537119ab | tempest-manila-scenario-848109445 | 1    | NFS         | available | False     | default         | hostgroup@cephfs#cephfs | nova              | d7ebefb6a5c84b2e8fdab5363487a503 |
+--------------------------------------+-----------------------------------+------+-------------+-----------+-----------+-----------------+-------------------------+-------------------+----------------------------------+

(overcloud) [stack@undercloud-0 ~]$ manila share-export-location-list bded0a1b-eaf3-466d-ba43-2eb1537119ab
+--------------------------------------+---------------------------------------------------------------------+-----------+
| ID                                   | Path                                                                | Preferred |
+--------------------------------------+---------------------------------------------------------------------+-----------+
| 952d6ffe-4308-4e51-9b45-5ffd6fd96618 | 172.17.5.126:/volumes/_nogroup/ae23d763-9ea2-4f69-8910-b44e4d0d931b | False     |
+--------------------------------------+---------------------------------------------------------------------+-----------+

4. Launch an instance.
(overcloud) [stack@undercloud-0 ~]$ nova list --all
+--------------------------------------+------------------------------------------------+----------------------------------+--------+------------+-------------+----------------------------------------------------------------------------------+
| ID                                   | Name                                           | Tenant ID                        | Status | Task State | Power State | Networks                                                                         |
+--------------------------------------+------------------------------------------------+----------------------------------+--------+------------+-------------+----------------------------------------------------------------------------------+
| aaab5d42-2be1-420c-abe1-69d4b6661d57 | tempest-TestShareBasicOpsNFS-server-1447234543 | d7ebefb6a5c84b2e8fdab5363487a503 | ACTIVE | -          | Running     | StorageNFS=172.17.5.156; tempest-manila-share-1287646977=10.100.0.26, 10.0.0.245 |
+--------------------------------------+------------------------------------------------+----------------------------------+--------+------------+-------------+----------------------------------------------------------------------------------+

5. Allow access to the share.
(overcloud) [stack@undercloud-0 ~]$ manila access-list bded0a1b-eaf3-466d-ba43-2eb1537119ab
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| id                                   | access_type | access_to    | access_level | state  | access_key | created_at                 | updated_at |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| 182526b8-9e37-4e89-9eec-eb6c7a8f53c5 | ip          | 172.17.5.156 | rw           | active | None       | 2022-02-15T10:04:34.000000 | None       |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+

6. Perform ssh to the instance.

7. Mount the share.
[manila@tempest-testsharebasicopsnfs-server-1447234543 ~]$ mount | grep 172.17.5.126
172.17.5.126:/volumes/_nogroup/ae23d763-9ea2-4f69-8910-b44e4d0d931b on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=172.17.5.156,local_lock=none,addr=172.17.5.126)

8. Set the hostname in the client VM to match the domain we set above:
[manila@tempest-testsharebasicopsnfs-server-1447234543 ~]$ sudo hostnamectl set-hostname --transient myserver.testing.openstack.com

9. Verify the files are now owned by the user that created them:
[manila@tempest-testsharebasicopsnfs-server-1447234543 ~]$ cd /mnt
[manila@tempest-testsharebasicopsnfs-server-1447234543 mnt]$ sudo touch file1
[manila@tempest-testsharebasicopsnfs-server-1447234543 mnt]$ ll
totale 0
-rw-r--r--. 1 nobody nobody 0 16 feb 09.27 file1

Comment 42 lkuchlan 2022-11-22 08:36:10 UTC
Tested using:
openstack-tripleo-heat-templates-11.3.2-1.20221013153259.el8ost.noarch

Verification results:
[manila@myserver3 mnt]$ sudo hostnamectl set-hostname  myserver.test.open.com

[manila@myserver ~]$ cd /mnt/
[manila@myserver mnt]$ touch file1
[manila@myserver mnt]$ sudo touch file2
[manila@myserver mnt]$ ll
totale 0
-rw-rw-r--. 1 manila manila 0 17 nov 05.30 file1
-rw-r--r--. 1 root   root   0 17 nov 05.30 file2
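
The name-based ID mapping that the Doc Text describes, and that the hostname step in comments 27 and 42 exercises, modelled as an added example (not part of the original comments and not code from manila, NFS-Ganesha or libnfsidmap). The function names, the `localdomain` fallback, the sample idmapd.conf texts and every host name other than `myserver.testing.openstack.com` are assumptions of this example.

```python
import configparser

NOBODY = "nobody"                # idmapd.conf default for [Mapping] Nobody-User
FALLBACK_DOMAIN = "localdomain"  # assumed fallback when no domain can be derived


def effective_domain(idmapd_conf: str, fqdn: str) -> str:
    """[General] Domain if set, else the host's DNS domain (FQDN minus first label)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(idmapd_conf)
    domain = cp.get("General", "Domain", fallback="").strip().strip('"')
    if not domain:
        _, _, domain = fqdn.partition(".")
    return (domain or FALLBACK_DOMAIN).lower()


def owner_on_wire(user: str, domain: str) -> str:
    """With name-based mapping, NFSv4 carries owners as 'name@domain' strings."""
    return f"{user}@{domain}"


def owner_to_local(owner: str, local_domain: str, local_users: set) -> str:
    """Translate a wire owner to a local name; anything unmappable becomes nobody."""
    name, sep, domain = owner.rpartition("@")
    if not sep or domain.lower() != local_domain or name not in local_users:
        return NOBODY
    return name


def owner_seen_by_client(user, server_conf, server_fqdn, client_conf, client_fqdn,
                         client_users):
    """Owner that `ls -l` on the client shows for a file the server says `user` owns."""
    wire = owner_on_wire(user, effective_domain(server_conf, server_fqdn))
    return owner_to_local(wire, effective_domain(client_conf, client_fqdn), client_users)


# Constructed sample input. The Domain value is the one from the override in
# comment 27; the server host name and the non-matching client names are made up.
SERVER_CONF = """
[General]
Domain = testing.openstack.com
"""
CLIENT_CONF = """
[General]
#Domain = local.domain.edu
"""
CLIENT_USERS = {"root", "manila"}

if __name__ == "__main__":
    for fqdn in ("myserver", "myserver.example.org", "myserver.testing.openstack.com"):
        shown = owner_seen_by_client("root", SERVER_CONF, "ganesha.example.net",
                                     CLIENT_CONF, fqdn, CLIENT_USERS)
        print(f"{fqdn:35} -> root shown as {shown}")
```

Only the client whose effective domain equals the server's `Domain` maps `root` back to `root`; the other two fall through to the nobody user regardless of the export's `Squash` setting.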

Comment 47 errata-xmlrpc 2022-12-07 20:29:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8796

