cephfs_native: doc fixes
Add more details about driver specific concepts and usage. Also, add known restrictions of the Mitaka version and license details. Change-Id: I03e767454a0f69fce9aebb10aa9866520acc1413
This commit is contained in:
parent
a36ff17041
commit
affc78e711
@ -1,3 +1,18 @@
|
||||
..
|
||||
Copyright 2016 Red Hat, Inc.
|
||||
All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
CephFS Native driver
|
||||
====================
|
||||
@ -6,24 +21,48 @@ The CephFS Native driver enables manila to export shared filesystems to guests
|
||||
using the Ceph network protocol. Guests require a Ceph client in order to
|
||||
mount the filesystem.
|
||||
|
||||
Access is controlled via Ceph's cephx authentication system. Each share has
|
||||
a distinct authentication key that must be passed to clients for them to use
|
||||
it.
|
||||
Access is controlled via Ceph's cephx authentication system. When a user
|
||||
requests share access for an ID, Ceph creates a corresponding Ceph auth ID
|
||||
and a secret key, if they do not already exist, and authorizes the ID to access
|
||||
the share. The client can then mount the share using the ID and the secret
|
||||
key.
|
||||
|
||||
To learn more about configuring Ceph clients to access the shares created
|
||||
using this driver, please see the Ceph documentation(
|
||||
http://docs.ceph.com/docs/master/cephfs/). If you choose to use the kernel
|
||||
client rather than the FUSE client, the share size limits set in Manila
|
||||
client rather than the FUSE client, the share size limits set in manila
|
||||
may not be obeyed.
|
||||
|
||||
Prerequisites
|
||||
--------------
|
||||
Supported Operations
|
||||
--------------------
|
||||
|
||||
The following operations are supported with CephFS backend:
|
||||
|
||||
- Create/delete CephFS share
|
||||
- Allow/deny CephFS share access
|
||||
|
||||
* Only ``cephx`` access type is supported for CephFS protocol.
|
||||
* Only Read/write access level is supported.
|
||||
|
||||
- Extend/shrink share
|
||||
- Create/delete snapshot
|
||||
- Create/delete consistency group (CG)
|
||||
- Create/delete CG snapshot
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
- Mitaka or later versions of manila.
|
||||
- Jewel or later versions of Ceph.
|
||||
- A Ceph cluster with a filesystem configured (
|
||||
http://docs.ceph.com/docs/master/cephfs/createfs/)
|
||||
- ``ceph-common`` package installed in the servers running the
|
||||
:term:`manila-share` service.
|
||||
- Ceph client installed in the guest, preferably the FUSE based client,
|
||||
``ceph-fuse``.
|
||||
- Network connectivity between your Ceph cluster's public network and the
|
||||
server running the :term:`manila-share` service.
|
||||
- Network connectivity between your Ceph cluster's public network and guests
|
||||
servers running the :term:`manila-share` service.
|
||||
- Network connectivity between your Ceph cluster's public network and guests.
|
||||
|
||||
.. important:: A manila share backed onto CephFS is only as good as the
|
||||
underlying filesystem. Take care when configuring your Ceph
|
||||
@ -34,23 +73,52 @@ Prerequisites
|
||||
Authorize the driver to communicate with Ceph
|
||||
---------------------------------------------
|
||||
|
||||
Run the following command to create a Ceph identity for manila to use:
|
||||
Run the following commands to create a Ceph identity for manila to use:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
ceph auth get-or-create client.manila mon 'allow r; allow command "auth del" with entity prefix client.manila.; allow command "auth caps" with entity prefix client.manila.; allow command "auth get" with entity prefix client.manila., allow command "auth get-or-create" with entity prefix client.manila.' mds 'allow *' osd 'allow rw' > keyring.manila
|
||||
read -d '' MON_CAPS << EOF
|
||||
allow r,
|
||||
allow command "auth del",
|
||||
allow command "auth caps",
|
||||
allow command "auth get",
|
||||
allow command "auth get-or-create"
|
||||
EOF
|
||||
|
||||
keyring.manila, along with your ceph.conf file, will then need to be placed
|
||||
on the server where the :term:`manila-share` service runs, and the paths to these
|
||||
configured in your manila.conf.
|
||||
ceph auth get-or-create client.manila -o manila.keyring \
|
||||
mds 'allow *' \
|
||||
osd 'allow rw' \
|
||||
mon "$MON_CAPS"
|
||||
|
||||
|
||||
``manila.keyring``, along with your ``ceph.conf`` file, will then need to be
|
||||
placed on the server running the :term:`manila-share` service.
|
||||
|
||||
Enable snapshots in Ceph if you want to use them in manila:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
ceph mds set allow_new_snaps true --yes-i-really-mean-it
|
||||
|
||||
In the server running the :term:`manila-share` service, you can place the
|
||||
``ceph.conf`` and ``manila.keyring`` files in the /etc/ceph directory. Set the
|
||||
same owner for the :term:`manila-share` process and the ``manila.keyring``
|
||||
file. Add the following section to the ``ceph.conf`` file.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[client.manila]
|
||||
client mount uid = 0
|
||||
client mount gid = 0
|
||||
log file = /opt/stack/logs/ceph-client.manila.log
|
||||
admin socket = /opt/stack/status/stack/ceph-$name.$pid.asok
|
||||
keyring = /etc/ceph/manila.keyring
|
||||
|
||||
It is advisable to modify the Ceph client's admin socket file and log file
|
||||
locations so that they are co-located with manila services's pid files and
|
||||
log files respectively.
|
||||
|
||||
|
||||
Configure CephFS backend in manila.conf
|
||||
---------------------------------------
|
||||
|
||||
@ -72,11 +140,16 @@ Create a section like this to define a CephFS backend:
|
||||
share_driver = manila.share.drivers.cephfs.cephfs_native.CephFSNativeDriver
|
||||
cephfs_conf_path = /etc/ceph/ceph.conf
|
||||
cephfs_auth_id = manila
|
||||
cephfs_cluster_name = ceph
|
||||
cephfs_enable_snapshots = True
|
||||
|
||||
Set ``cephfs_enable_snapshots`` to True in the section to let the driver
|
||||
perform snapshot related operations.
|
||||
|
||||
Then edit ``enabled_share_backends`` to point to the driver's backend section
|
||||
using the section name. In this example we are also including another backend
|
||||
("generic1"), you would include whatever other backends you have configured.
|
||||
|
||||
Then edit ``enabled_share_backends`` to point to it, using the same
|
||||
name that you used for the backend section. In this example we are
|
||||
also including another backend ("generic1"), you would include
|
||||
whatever other backends you have configured.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
@ -86,7 +159,7 @@ whatever other backends you have configured.
|
||||
Creating shares
|
||||
---------------
|
||||
|
||||
The default share type may have driver_handles_share_servers set to True.
|
||||
The default share type may have ``driver_handles_share_servers`` set to True.
|
||||
Configure a share type suitable for cephfs:
|
||||
|
||||
.. code-block:: console
|
||||
@ -99,38 +172,142 @@ Then create yourself a share:
|
||||
|
||||
manila create --share-type cephfstype --name cephshare1 cephfs 1
|
||||
|
||||
Note the export location of the share:
|
||||
|
||||
Mounting a client with FUSE
|
||||
---------------------------
|
||||
.. code-block:: console
|
||||
|
||||
Using the key from your export location, and the share ID, create a keyring
|
||||
file like:
|
||||
manila share-export-location-list cephshare1
|
||||
|
||||
The export location of the share contains the Ceph monitor (mon) addresses and
|
||||
ports, and the path to be mounted. It is of the form,
|
||||
``{mon ip addr:port}[,{mon ip addr:port}]:{path to be mounted}``
|
||||
|
||||
|
||||
Allowing access to shares
|
||||
--------------------------
|
||||
|
||||
Allow Ceph auth ID ``alice`` access to the share using ``cephx`` access type.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
manila access-allow cephshare1 cephx alice
|
||||
|
||||
|
||||
Mounting shares using FUSE client
|
||||
---------------------------------
|
||||
|
||||
Using the secret key of the authorized ID ``alice`` create a keyring file,
|
||||
``alice.keyring`` like:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[client.share-4c55ad20-9c55-4a5e-9233-8ac64566b98c]
|
||||
[client.alice]
|
||||
key = AQA8+ANW/4ZWNRAAOtWJMFPEihBA1unFImJczA==
|
||||
|
||||
Using the mon IP addresses from your export location, create a ceph.conf file
|
||||
like:
|
||||
.. note::
|
||||
|
||||
In Mitaka release, the secret key is not exposed by any manila API. The
|
||||
Ceph storage admin needs to pass the secret key to the guest out of band of
|
||||
manila. You can refer to the link below to see how the storage admin
|
||||
could obtain the secret key of an ID.
|
||||
http://docs.ceph.com/docs/jewel/rados/operations/user-management/#get-a-user
|
||||
|
||||
Alternatively, the cloud admin can create Ceph auth IDs for each of the
|
||||
tenants. The users can then request manila to authorize the pre-created
|
||||
Ceph auth IDs, whose secret keys are already shared with them out of band
|
||||
of manila, to access the shares.
|
||||
|
||||
Following is a command that the the cloud admin could run from the
|
||||
server running the :term:`manila-share` service to create a Ceph auth ID
|
||||
and get its keyring file.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
ceph --name=client.manila --keyring=/etc/ceph/manila.keyring auth \
|
||||
get-or-create client.alice -o alice.keyring
|
||||
|
||||
For more details, please see the Ceph documentation.
|
||||
http://docs.ceph.com/docs/jewel/rados/operations/user-management/#add-a-user
|
||||
|
||||
Using the mon IP addresses from the share's export location, create a
|
||||
configuration file, ``ceph.conf`` like:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[client]
|
||||
client quota = true
|
||||
|
||||
[mon.a]
|
||||
mon addr = 192.168.1.7:6789
|
||||
|
||||
[mon.b]
|
||||
mon addr = 192.168.1.8:6789
|
||||
|
||||
[mon.c]
|
||||
mon addr = 192.168.1.9:6789
|
||||
mon host = 192.168.1.7:6789, 192.168.1.8:6789, 192.168.1.9:6789
|
||||
|
||||
Finally, mount the filesystem, substituting the filenames of the keyring and
|
||||
configuration files you just created:
|
||||
configuration files you just created, and substituting the path to be mounted
|
||||
from the share's export location:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
ceph-fuse --id=share-4c55ad20-9c55-4a5e-9233-8ac64566b98c -c ./client.conf --keyring=./client.keyring --client-mountpoint=/volumes/share-4c55ad20-9c55-4a5e-9233-8ac64566b98c ~/mnt
|
||||
sudo ceph-fuse ~/mnt \
|
||||
--id=alice \
|
||||
--conf=./ceph.conf \
|
||||
--keyring=./alice.keyring \
|
||||
--client-mountpoint=/volumes/_nogroup/4c55ad20-9c55-4a5e-9233-8ac64566b98c
|
||||
|
||||
|
||||
Known restrictions
|
||||
------------------
|
||||
|
||||
Mitaka release
|
||||
|
||||
Consider the driver as a building block for supporting multi-tenant
|
||||
workloads in the future. However, it can be used in private cloud
|
||||
deployments.
|
||||
|
||||
- The guests have direct access to Ceph's public network.
|
||||
|
||||
- The secret-key of a Ceph auth ID required to mount a share is not exposed to
|
||||
an user by a manila API. To workaround this, the storage admin would need to
|
||||
pass the key out of band of manila, or the user would need to use the Ceph ID
|
||||
and key already created and shared with her by the cloud admin.
|
||||
|
||||
- The snapshot support of the driver is disabled by default.
|
||||
``cephfs_enable_snapshots`` configuration option needs to be set to ``True``
|
||||
to allow snapshot operations.
|
||||
|
||||
- Snapshots are read-only. A user can read a snapshot's contents from the
|
||||
``.snap/{manila-snapshot-id}_{unknown-id}`` folder within the mounted
|
||||
share.
|
||||
|
||||
- To restrict share sizes, CephFS uses quotas that are enforced in the client
|
||||
side. The CephFS clients are relied on to respect quotas.
|
||||
|
||||
|
||||
Security
|
||||
--------
|
||||
|
||||
Mitaka release
|
||||
|
||||
- Each share's data is mapped to a distinct Ceph RADOS namespace. A guest is
|
||||
restricted to access only that particular RADOS namespace.
|
||||
http://docs.ceph.com/docs/master/cephfs/file-layouts/
|
||||
|
||||
- An additional level of resource isolation can be provided by mapping a
|
||||
share's contents to a seperate RADOS pool. This layout would be be preferred
|
||||
only for cloud deployments with a limited number of shares needing strong
|
||||
resource separation. You can do this by setting a share type specification,
|
||||
``cephfs:data_isolated`` for the share type used by the cephfs driver.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
manila type-key cephfstype set cephfs:data_isolated=True
|
||||
|
||||
- As mentioned earlier, untrusted manila guests pose security risks to the
|
||||
Ceph storage cluster as they would have direct access to the cluster's
|
||||
public network.
|
||||
|
||||
|
||||
The :mod:`manila.share.drivers.cephfs.cephfs_native` Module
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
.. automodule:: manila.share.drivers.cephfs.cephfs_native
|
||||
:noindex:
|
||||
:members:
|
||||
:undoc-members:
|
||||
:show-inheritance:
|
||||
|
Loading…
x
Reference in New Issue
Block a user