| 2024-02-20 13:33:59 |
Bartosz Woronicz |
description |
We are looking for solution with for Manila that support share-networks (DHSS=True, Driver Handles Share Servers) concept and multi-tenancy
More details :
https://docs.openstack.org/manila/yoga/admin/shared-file-systems-share-networks.html
https://docs.openstack.org/manila/yoga/admin/share_back_ends_feature_support_mapping.html#mapping-of-share-drivers-and-common-capabilities
The problem with Ganesha backend does not allow tenant isolation, which would be requirement here.
I see there's manila-generic, but it is more like testing, PoC solution utilizing cinder, nova, neutron all together to create such tenant scoped shares.
https://charmhub.io/manila-generic
https://docs.openstack.org/charm-guide/yoga/project/openstack-charms.html#alpha-charms-edge
Is there any other driver, that could be supported on production level, which does not require external hardware or commercial software like NetApp to fully support share in DHSS=True mode?
What are the options here ?
Is there any possibility that Ganesha can achieve such funtionality ?
Our customer is concerned around security of Ganesha created share.
The security of the shares is least 2-fold:
- the user has to know the unique share path in Ganesha unit like
10.0.0.10:/volumes/_nogroup/d6550e86-5b6c-4d26-a9ea-ce6664a3c82b/00fdd2d9-b1d1-4cfe-bfb3-7d7ad7d25fd9
- the IP needs to be allowed list
The additional option would be to add access_key but this one is optional when creating a share.
The customer is afraid that let us say we have the Ganesha L2 vlan attached directly to instances (cidr:10.0.0.0/24) then have multiple tenant, all have the same 2nd network port to Ganesha, if the other unit have the same IP can potentially mount that share.
The same would be if the Ganesha is available over routing, then the same goes for floating IP pool. We would need to have different provider networks for every tenant, but we lose flexibility. Because in the future there will be more and more tenants.
The would like to have similar experience to public clouds like AWS where shares are tenant scoped. |
We are looking for solution with for Manila that support share-networks (DHSS=True, Driver Handles Share Servers) concept and multi-tenancy
More details :
https://docs.openstack.org/manila/yoga/admin/shared-file-systems-share-networks.html
https://docs.openstack.org/manila/yoga/admin/share_back_ends_feature_support_mapping.html#mapping-of-share-drivers-and-common-capabilities
The problem with Ganesha backend is that it does not allow tenant isolation, which would be the requirement here.
I see there's manila-generic, but it is more like testing, PoC solution utilizing cinder, nova, neutron all together to create such tenant scoped shares.
https://charmhub.io/manila-generic
https://docs.openstack.org/charm-guide/yoga/project/openstack-charms.html#alpha-charms-edge
Is there any other driver, that could be supported on production level, which does not require external hardware or commercial software like NetApp to fully support share in DHSS=True mode?
What are the options here ?
Is there any possibility that Ganesha can achieve such funtionality ?
Our customer is concerned around security of Ganesha created share.
The security of the shares is least 2-fold:
- the user has to know the unique share path in Ganesha unit like
10.0.0.10:/volumes/_nogroup/d6550e86-5b6c-4d26-a9ea-ce6664a3c82b/00fdd2d9-b1d1-4cfe-bfb3-7d7ad7d25fd9
- the IP needs to be allowed list
The additional option would be to add access_key but this one is optional when creating a share.
The customer is afraid that let us say we have the Ganesha L2 vlan attached directly to instances (cidr:10.0.0.0/24) then have multiple tenant, all have the same 2nd network port to Ganesha, if the other unit have the same IP can potentially mount that share.
The same would be if the Ganesha is available over routing, then the same goes for floating IP pool. We would need to have different provider networks for every tenant, but we lose flexibility. Because in the future there will be more and more tenants.
The would like to have similar experience to public clouds like AWS where shares are tenant scoped. |
|
