[devstack][ci] Modify firewall in ds-plugin

To set up some first party backends such as
ZFSOnLinux, CephFS via NFS gateway, Container
(where the NAS server is containerized) and LVM,
manila's devstack plugin creates a NAS server
on the devstack host.

On test machines, access to this NAS server is
firewalled from networks outside of the host's
internal network namespace (including from private
project networks that are in different network
namespaces, on the same devstack host).

We currently use a legacy devstack-gate script
to disable firewall on NFS ports; however,
anyone that installs devstack with LVM, Container,
ZFSOnLinux, CephFS-NFS drivers will need these
firewall ports to be opened to be able to mount
shares exported off their devstack host machines.

Move these firewall commands to the devstack plugin.
These commands can be invoked by setting the localrc
variable MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST to True.
The value of this variable is False by default,
to preserve existing behavior.

Change-Id: Ic9cad47662f1edf2e5c710dbe64d580bc5f01d44

contrib/ci/post_test_hook.sh

@@ -345,21 +345,6 @@ export OS_USER_DOMAIN_NAME=$ADMIN_DOMAIN_NAME
 source $BASE/new/manila/contrib/ci/common.sh
 manila_wait_for_drivers_init $MANILA_CONF
 
-
-TCP_PORTS=(2049 111 32803 892 875 662)
-UDP_PORTS=(111 32769 892 875 662)
-for ipcmd in iptables ip6tables; do
-    # (aovchinnikov): extra rules are needed to allow instances talk to host.
-    sudo $ipcmd -N manila-nfs
-    sudo $ipcmd -I INPUT 1 -j manila-nfs
-    for port in ${TCP_PORTS[*]}; do
-        sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
-    done
-    for port in ${UDP_PORTS[*]}; do
-        sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
-    done
-done
-
 source $BASE/new/devstack/openrc admin admin
 public_net_id=$(openstack network list --name $PUBLIC_NETWORK_NAME -f value -c ID )
 iniset $TEMPEST_CONFIG network public_network_id $public_net_id

contrib/ci/pre_test_hook.sh

@@ -47,6 +47,8 @@ echo "MANILA_SHARE_BACKEND2_NAME=PARIS" >> $localconf
 
 echo "MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=${MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE:=True}" >> $localconf
 
+echo "MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:=False}" >> $localconf
+
 # === Handle script arguments ===
 # First argument is expected to be a boolean-like value for DHSS.
 DHSS=$1

devstack/plugin.sh

@@ -1010,6 +1010,24 @@ function install_libraries {
     fi
 }
 
+function allow_host_ports_for_share_mounting {
+
+    TCP_PORTS=(2049 111 32803 892 875 662)
+    UDP_PORTS=(111 32769 892 875 662)
+    for ipcmd in iptables ip6tables; do
+        # (aovchinnikov): extra rules are needed to allow instances talk to
+        # host.
+        sudo $ipcmd -N manila-nfs
+        sudo $ipcmd -I INPUT 1 -j manila-nfs
+        for port in ${TCP_PORTS[*]}; do
+            sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
+        done
+        for port in ${UDP_PORTS[*]}; do
+            sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
+        done
+    done
+}
+
 function setup_ipv6 {
 
     # This will fail with multiple default routes and is not needed in CI
@@ -1264,6 +1282,13 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 
     echo_summary "Update Tempest config"
     update_tempest
+
+
+    if [[ "$(trueorfalse False MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST)" == "True" ]]; then
+        echo_summary "Allowing IPv4 and IPv6 access to NAS ports on the host"
+        allow_host_ports_for_share_mounting
+    fi
+
 fi
 
 if [[ "$1" == "unstack" ]]; then

devstack/settings

@@ -158,6 +158,11 @@ MANILA_SHARE_BACKEND1_NAME=${MANILA_SHARE_BACKEND1_NAME:-GENERIC1}  # deprecated
 MANILA_BACKEND2_CONFIG_GROUP_NAME=${MANILA_BACKEND2_CONFIG_GROUP_NAME:-generic2}  # deprecated
 MANILA_SHARE_BACKEND2_NAME=${MANILA_SHARE_BACKEND2_NAME:-GENERIC2}  # deprecated
 
+# Enable this option when using a storage backend that is on the same host
+# as the devstack host, these iptable rules are necessary to allow mounting
+# shares from the host
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=${MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST:-False}
+
 # Options for configuration of LVM share driver
 SHARE_BACKING_FILE_SIZE=${SHARE_BACKING_FILE_SIZE:-8400M}
 SHARE_GROUP=${SHARE_GROUP:-lvm-shares}

doc/source/contributor/samples/cephfs_local.conf

@@ -36,4 +36,7 @@ MANILA_CEPH_DRIVER=cephfsnfs
 # CEPHFS backend options
 MANILA_SERVICE_IMAGE_ENABLED=False
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=False'
-MANILA_CONFIGURE_DEFAULT_TYPES=True
+MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

doc/source/contributor/samples/container_local.conf

@@ -33,3 +33,6 @@ MANILA_OPTGROUP_vienna_driver_handles_share_servers=True
 MANILA_OPTGROUP_prague_driver_handles_share_servers=True
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=false'
 MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

doc/source/contributor/samples/lvm_local.conf

@@ -34,3 +34,6 @@ MANILA_OPTGROUP_denver_driver_handles_share_servers=False
 SHARE_BACKING_FILE_SIZE=32000M
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True revert_to_snapshot_support=True mount_snapshot_support=True'
 MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

doc/source/contributor/samples/zfsonlinux_local.conf

@@ -34,3 +34,6 @@ MANILA_OPTGROUP_mumbai_driver_handles_share_servers=False
 MANILA_REPLICA_STATE_UPDATE_INTERVAL=60
 MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS='snapshot_support=True create_share_from_snapshot_support=True replication_type=readable'
 MANILA_CONFIGURE_DEFAULT_TYPES=True
+
+# Required for mounting shares
+MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True

playbooks/legacy/manila-tempest-dsvm-container-scenario-custom-image/run.yaml

@@ -52,6 +52,7 @@
 
           export ENABLED_SERVICES=tempest
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           # Keep localrc to be able to set some vars in pre_test_hook
           export KEEP_LOCALRC=1

playbooks/legacy/manila-tempest-dsvm-postgres-container/run.yaml

@@ -51,6 +51,7 @@
           export KEEP_LOCALRC=1
           export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           export DEVSTACK_GATE_USE_PYTHON3=True
 

playbooks/legacy/manila-tempest-dsvm-postgres-zfsonlinux/run.yaml

@@ -51,6 +51,7 @@
           export KEEP_LOCALRC=1
           export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           export DEVSTACK_GATE_USE_PYTHON3=True
 

playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs-centos-7/run.yaml

@@ -103,6 +103,7 @@
           export KEEP_LOCALRC=1
           export PROJECTS="openstack/manila-tempest-plugin $PROJECTS"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
           OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
           export OVERRIDE_ENABLED_SERVICES
 

playbooks/legacy/manila-tempest-minimal-dsvm-cephfs-nfs/run.yaml

@@ -65,6 +65,7 @@
           export DEVSTACK_GATE_NEUTRON=1
           export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           export MANILA_SETUP_IPV6=True
           export RUN_MANILA_IPV6_TESTS=True

playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run-ipv6.yaml

@@ -51,6 +51,7 @@
           export MANILA_SETUP_IPV6=True
           export RUN_MANILA_IPV6_TESTS=True
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           # Basic services needed for minimal job
           OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest

playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml

@@ -49,6 +49,7 @@
           export MANILA_SETUP_IPV6=True
           export RUN_MANILA_IPV6_TESTS=True
           export MANILA_INSTALL_TEMPEST_PLUGIN_SYSTEMWIDE=False
+          export MANILA_ALLOW_NAS_SERVER_PORTS_ON_HOST=True
 
           # Basic services needed for minimal job
           OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest