vmax manila readonly access policy not working

Bug #1845147 reported by zhimou.peng
This bug affects 2 people
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Undecided
Assigned to: Helen Walsh

Bug Description

Test this with OSP14

(overcloud) ()[root@cdh3ctl0 /]# manila create --name nfs12 --share-type vmax1 --share-network 891bb30b-02cd-4476-9797-9e94f1059643 --public NFS 2

(overcloud) ()[root@cdh3ctl0 /]# manila access-allow nfs12 ip 0.0.0.0/0 --access-level ro
+--------------+--------------------------------------+
| Property | Value |
+--------------+--------------------------------------+
| access_key | None |
| share_id | 6e5e84a3-e30a-4217-b0d5-40caef252200 |
| created_at | 2019-09-19T06:27:06.000000 |
| updated_at | None |
| access_type | ip |
| access_to | 0.0.0.0/0 |
| access_level | ro |
| state | queued_to_apply |
| id | 0cc3f668-aae6-435f-a6ca-fa2b7848da2a |
| metadata | {} |
+--------------+--------------------------------------+

[root@test2 ~]# mount -t nfs 80.0.1.86:/8e02d065-9728-49e8-88a3-4c82eafc1e8a /mnt/
mount.nfs: access denied by server while mounting 80.0.1.86:/8e02d065-9728-49e8-88a3-4c82eafc1e8a

And if I open "Host Access Read-only Export" of this share in the web GUI, I can mount this share in ro mode.

[root@test2 ~]# mount -t nfs 80.0.1.86:/8e02d065-9728-49e8-88a3-4c82eafc1e8a /mnt/
[root@test2 ~]# mkdir /mnt/aaa
mkdir: cannot create directory ‘/mnt/aaa’: Read-only file system

Tom Barron (tpb) wrote :

Note that the ``manila access-allow ...`` command output that you cited shows the access rules state is ``queued_to_apply``. Please check again and see that you have the same problem after the state has transitioned to ``active``. If so, then there is likely a problem with the VMAX or its driver. If the state is ``error`` then a different sort of problem needs to be addressed.

tags: added: dell-emc driver vmax
zhimou.peng (zhimou-peng) wrote :

Hi, I've tested it again. The issue still exists:

(overcloud) ()[root@cdh3ctl0 /]# manila access-show 49316b94-6d43-402d-8d50-45f0b48e568f
+--------------+--------------------------------------+
| Property | Value |
+--------------+--------------------------------------+
| access_key | None |
| share_id | ad4b57cf-06ad-4c1a-8d7b-c952a29daa44 |
| created_at | 2019-09-25T02:35:47.000000 |
| updated_at | None |
| access_type | ip |
| access_to | 0.0.0.0/0 |
| access_level | ro |
| state | active |
| id | 49316b94-6d43-402d-8d50-45f0b48e568f |
| metadata | {} |
+--------------+--------------------------------------+

[root@test2 ~]# mount -t nfs 80.0.1.86:/ade9ebe9-28f2-43d0-afe2-8c0d8fab6873 /mnt/
mount.nfs: access denied by server while mounting 80.0.1.86:/ade9ebe9-28f2-43d0-afe2-8c0d8fab6873

Helen Walsh (walshh2)
Changed in manila:
assignee: nobody → Helen Walsh (walshh2)
Simon O'Donovan (odonos12) wrote :

Moving to confirmed. Created an NFS share named test_share with an export path of 192.168.0.118:/bef1720c-b108-4a2f-baf7-f5b7d3d7cc61; it is possible to mount the share with read-write level access but not with read-only level access.

With the default of no rules, we are denied mount access for the share on our Linux VM irco1sd9vm25:
stack@irco1sd9vm01:~/simon$ manila list
+--------------------------------------+----------------+------+-------------+-----------+-----------+-----------------+---------------------------------+-------------------+
| ID | Name | Size | Share Proto | Status | Is Public | Share Type Name | Host | Availability Zone |
+--------------------------------------+----------------+------+-------------+-----------+-----------+-----------------+---------------------------------+-------------------+
| b223511f-6c04-40bc-bbb6-c2d723f9c385 | test_share | 1 | NFS | available | False | default | irco1sd9vm01@VMAX#os-manila-sg1 | nova | |
+--------------------------------------+----------------+------+-------------+-----------+-----------+-----------------+---------------------------------+-------------------+
stack@irco1sd9vm01:~/simon$ manila access-list test_share
+----+-------------+-----------+--------------+-------+------------+------------+------------+
| id | access_type | access_to | access_level | state | access_key | created_at | updated_at |
+----+-------------+-----------+--------------+-------+------------+------------+------------+
+----+-------------+-----------+--------------+-------+------------+------------+------------+

stack@irco1sd9vm25:~$ mkdir mnt
stack@irco1sd9vm25:~$ sudo mount -t nfs 192.168.0.118:/bef1720c-b108-4a2f-baf7-f5b7d3d7cc61 mnt/
mount.nfs: access denied by server while mounting 192.168.0.118:/bef1720c-b108-4a2f-baf7-f5b7d3d7cc61

Add a read-write rule with IP 0.0.0.0/0 to the share and we are then allowed to mount the share:

stack@irco1sd9vm01:~/simon$ manila access-allow test_share ip 0.0.0.0/0 --access-level rw
+--------------+--------------------------------------+
| Property | Value |
+--------------+--------------------------------------+
| access_key | None |
| share_id | b223511f-6c04-40bc-bbb6-c2d723f9c385 |
| created_at | 2019-09-27T14:42:15.000000 |
| updated_at | None |
| access_type | ip |
| access_to | 0.0.0.0/0 |
| access_level | rw |
| state | queued_to_apply |
| id | b352be58-e13e-4e0e-9305-88ce83c84177 |
| metadata | {} |
+--------------+--------------------------------------+

stack@irco1sd9vm25:~$ sudo mount -t nfs 192.168.0.118:/bef1720c-b108-4a2f-baf7-f5b7d3d7cc61 mnt/

stack@irco1sd9vm25:~$ mount | grep mnt
192.168.0.118:/bef1720c-b108-4a2f-baf7-f5b7d3d7cc61 on /opt/stack/mnt type nfs (rw,relatime,vers=3,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=...


Changed in manila:
status: New → Confirmed
Sandeep Varma (sandeepvarma) wrote :

Hi,

In case you have access to EMC Unisphere for eNAS with this link: https://Control_Station_IP/start.html
Go to the CS0, then in the top tabs --> Storage --> Shared Folders --> NFS

Select the file system (note: identify it by the export path ID), and at the bottom left-hand side see the Properties button; click it.

In the next window/pop-up, see if you have an extra "-" in the "Access Hosts" properties. If you have an extra "-", remove it and save the changes.

Now retry the mount operation in "ro" mode.

===============================================

The same can be seen from the Control_Station CLI terminal, with the command below -->

server_export 050d36ca-34c2-4c16-8bb5-4805d967820b

Sandeep Varma (sandeepvarma) wrote :

Sample CLI output is below:

server_export 050d36ca-34c2-4c16-8bb5-4805d967820b
050d36ca-34c2-4c16-8bb5-4805d967820b :
export "/2194e724-5045-4199-8142-eeb1419d15e3" access=-0.0.0.0/0.0.0.0:192.168.0.44 root=192.168.0.44 ro=192.168.0.44
export "/f543809d-af49-4d2c-b8ca-fb3eba58f503" access=-0.0.0.0/0.0.0.0:192.168.0.44 root=192.168.0.44 ro=192.168.0.44

Sandeep Varma (sandeepvarma) wrote :

nas_server -list -vdm --> this command, when run on the Control_Station CLI terminal, will give a VDM value similar to --> "050d36ca-34c2-4c16-8bb5-4805d967820b".

On this we can run --> server_export 050d36ca-34c2-4c16-8bb5-4805d967820b

OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/687322

Changed in manila:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on manila (master)

Change abandoned by Helen Walsh (<email address hidden>) on branch: master
Review: https://review.opendev.org/687322

OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/691878

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.opendev.org/691878
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=75127d82dca9962c9c8aad90a0e0d7e030e80feb
Submitter: Zuul
Branch: master

commit 75127d82dca9962c9c8aad90a0e0d7e030e80feb
Author: Helen Walsh <email address hidden>
Date: Tue Oct 29 14:59:35 2019 +0000

    PowerMax and VNX Manila - Read only policy is not working correctly

    Fix to ensure that hosts that are given access to a share, i.e. read only,
    will always precede '-0.0.0.0/0.0.0.0' in Access host. Any host after
    this string will be denied access.

    Change-Id: I813191abc592703d6aa7ea55c5be81d1a6089f39
    Closes-Bug: #1845147

Changed in manila:
status: In Progress → Fix Released
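
The ordering rule stated in the commit message, applied to `server_export` output of the kind quoted in the comments above. This is an added example, not the Manila driver's code or the fix itself: it flags exports whose access list names hosts after the `-0.0.0.0/0.0.0.0` entry and suggests a reordered list. It assumes ':'-separated IPv4 entries as in the sample output; all function names are hypothetical.

```python
import re

DENY_ALL = "-0.0.0.0/0.0.0.0"  # deny-all entry as it appears in the sample output
EXPORT_RE = re.compile(r'^export\s+"(?P<path>[^"]+)"\s+(?P<opts>.*)$')

def parse_export(line):
    """Return (path, {option: [entries]}) for one 'export ...' line, else None."""
    m = EXPORT_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for token in m.group("opts").split():
        key, sep, value = token.partition("=")
        if sep:  # assumption: entries are ':'-separated (IPv4 only, as in the sample)
            opts[key] = value.split(":")
    return m.group("path"), opts

def shadowed_hosts(access):
    """Hosts listed after the deny-all entry; per the commit message these are denied."""
    if DENY_ALL not in access:
        return []
    return access[access.index(DENY_ALL) + 1:]

def reorder(access):
    """Same entries, with every host moved ahead of the deny-all entry."""
    hosts = [e for e in access if e != DENY_ALL]
    return hosts + [DENY_ALL] if DENY_ALL in access else hosts

def audit(output):
    """Map export path -> suggested access value, for exports with shadowed hosts."""
    findings = {}
    for line in output.splitlines():
        parsed = parse_export(line)
        access = parsed[1].get("access", []) if parsed else []
        if shadowed_hosts(access):
            findings[parsed[0]] = ":".join(reorder(access))
    return findings

# Constructed sample: line 2 is taken from the comment above, line 3 is made up.
SAMPLE = '''050d36ca-34c2-4c16-8bb5-4805d967820b :
export "/2194e724-5045-4199-8142-eeb1419d15e3" access=-0.0.0.0/0.0.0.0:192.168.0.44 root=192.168.0.44 ro=192.168.0.44
export "/example-ok" access=192.168.0.44:-0.0.0.0/0.0.0.0 ro=192.168.0.44
'''

if __name__ == "__main__":
    for path, fixed in audit(SAMPLE).items():
        print(f"{path}: hosts follow {DENY_ALL}; suggested access={fixed}")
```
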