5455 Commits

Author SHA1 Message Date
Lance Bragstad
9ef2156c04 Implement secure RBAC for messages
This commit updates the policies for messages to understand scope checking and
account for a read-only role. This is part of a broader series of changes
across OpenStack to provide a consistent RBAC experience and improve security.

Change-Id: I30ae2a1d34fb1dcb438880b1a5b46afea7db8d0d
2021-01-11 23:19:10 -08:00
Lance Bragstad
a43911d7de Implement secure RBAC for storage availability zones
This commit updates the policies for availability zones to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: I1bbb6dc900ef413189c20d41fe08d9263a0038c2
2021-01-11 23:18:16 -08:00
Zuul
11d3da58ea Merge "Always use new_size when extend" 2021-01-12 06:51:28 +00:00
shews
fbc4ecb640 Always use new_size when extend
Always use new_size when extend.
Closes-Bug: #1909951

Change-Id: Ic5faa887448f363bb4d91bccfe8e035a06936454
2021-01-11 06:23:16 +00:00
Victoria Martinez de la Cruz
d7d83a3f3b Uses local variable with ipv4 gateway config
We were using an env var with the IPv4 gateway config
that is not always present. This was causing devstack to fail
in developer environment. Use the local variable instead.

Closes-Bug: #1910760
Change-Id: Iede8a9e59b96d0f21c117ab1464a0a9e3477c24b
2021-01-08 14:34:57 +00:00
zhongjun
3fa5cf4ed2 [Doc] Add admin doc for share group
Partial-Bug: #1659025
Change-Id: Ia0cc534e0bfb2ca5e495e575237e9911c746691b
2021-01-06 09:20:26 -03:00
silvacarloss
256c18d6c2 Add api reference for share server migration
Add documentation to the share server migration APIs introduced
during Victoria release.

Partial-bug: #1897903

Change-Id: I13d13c38a3869929bbfdf8083529a597d7982a16
2021-01-06 09:04:23 -03:00
silvacarloss
281b7dd1cd Add developer reference to share server migration
Updates the developer reference with information regarding the
share server migration feature implemented during Victoria release.

Change-Id: Ia72cf037d2b7dc9fb9d4f19ce141cc044206d6fc
Partial-bug: #1897903
2021-01-06 08:47:25 -03:00
Zuul
249904842c Merge "Delete unavailable py2 package" 2020-12-29 01:03:36 +00:00
linpeiwen
bab899068c Delete unavailable py2 package
The openstack Ussuri and Victoria versions no longer support the
Centos7 and python2 environment packages. Correct the missing
problems in the latest document

Change-Id: If139927730071448abc04e1ea7ebb615749e7e3d
2020-12-16 01:11:41 +00:00
Zuul
99d21fa8e5 Merge "Switch from base64 encodestring to encodebytes" 2020-12-15 03:25:36 +00:00
Zuul
f55482c6b2 Merge "[glusterfs] don't reinit volume list on deletion" 2020-12-15 00:51:29 +00:00
Ghanshyam Mann
0cc7cbc36d [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:

1. Change the default value of '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also convert manila/tests/policy.json to manila/tests/policy.yaml
using oslopolicy-convert-json-to-yaml tool and replace
policy.json to policy.yaml ref from doc and tests.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I3748313912b2527c43c9b16a6ba3e3ccd4cf5221
2020-12-13 00:05:00 +00:00
Zuul
ae7a782a1f Merge "Stop manila when unstacking" 2020-12-12 04:29:49 +00:00
Tom Barron
39734a70c5 Stop manila when unstacking
When you run unstack.sh from devstack, other devstack
services are stopped and disabled to provide a clean environment
for a restack, but manila services are left running.

This doesn't matter for CI where a new VM is stood up for each
devstack but it's inconvenient for local devstack and if you
restack without restarting the services manually the results you
see may not actually match the environment you intended.

Change-Id: I6761619042e4bc36ec2f1cab4be33cb1b39d00d7
2020-12-11 09:52:30 -05:00
Goutham Pacha Ravi
c0ee884861 Update requirements
pip 20.3 brings in a strict dependency resolver which
is enabled by default. This causes our lower-constraints
tests to fail, because the requirement files were out
of date from reality - they had conflicting requirements
which previous versions of pip were ignoring. Let's catch
up package versions to newer ones that are supported in
the python runtimes that the Wallaby release will be
deployed to.

[1] http://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html
[2] https://pip.pypa.io/en/stable/user_guide/#changes-to-the-pip-dependency-resolver-in-20-3-2020

Change-Id: I5a31b561654aa368bb85a56f4dd38276cfdbb91a
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2020-12-10 19:48:15 -08:00
Zuul
10b3dc744f Merge "Updates to support in Ceph local.conf sample" 2020-12-10 21:30:07 +00:00
Tom Barron
8d1dcb1e0c Updates to support in Ceph local.conf sample
to make user devstack deployment a bit easier.

Since snapshot_support is now on by default for Ceph
backends, enable it in the default share type extra
specs.

Also specify the SHARE_DRIVER so the manila devstack
plugin doesn't think we're running the generic driver
and try to install kernel NFS and samba servers.

Change-Id: I636a047cacba7c5960df15a99fc79a35a818f45d
2020-12-10 15:44:08 -05:00
Zuul
473e1cd43b Merge "Docs: NFS-Ganesha and dbus" 2020-12-10 07:10:48 +00:00
Corey Bryant
8bef5e25b7 Switch from base64 encodestring to encodebytes
encodestring is deprecated since python 3.1 and
removed in python 3.9.

https://docs.python.org/3.8/library/base64.html
Closes-Bug: #1907494
Change-Id: I56d7622207165b6d875559597c62c31a637b3f26
2020-12-09 15:11:38 -05:00
Goutham Pacha Ravi
914d873774 [glusterfs] don't reinit volume list on deletion
We don't need to re-initialize the volumes list
on deletion, it still makes sense to add a missing
volume to the list, going by the reasoning defined
in I14835f6c54376737b41cbf78c94908ea1befde15

Related-Bug: #1894362
Change-Id: I96d49f84122a34701328909c929ede4d66746911
2020-11-30 19:47:43 -08:00
Zuul
d8dab2d077 Merge "Fix logic that determines a share exists before manage" 2020-11-24 05:30:20 +00:00
Lance Bragstad
2a8aaf43ad Introduce base personas for secure RBAC
This commit adds some really basic check strings that we can re-use in
the existing policies. These checks strings implement a few of the most
common and useful personas. We're also trying to implement them across
OpenStack consistently, which will improve user experience and security.

Change-Id: Ib46402414e8ed9b63f024313500aef85f0c47a41
2020-11-19 21:41:35 +00:00
Lance Bragstad
a10927c6be Bump oslo.log version to 4.3.0
This allows us to use the WALLABY marker in oslo.log's versionutils for
deprecated notices.

Change-Id: I2e6c482989095ea8e102e5afe2e2f57214fe6f06
2020-11-18 22:17:11 +00:00
Zuul
d7a647e164 Merge "[NetApp] Fix hard-coded CA cert path for SSL" 2020-11-18 01:42:08 +00:00
Tom Barron
c8087fa0a4 Docs: NFS-Ganesha and dbus
Added paragraph to the NFS-Ganesha docs with a brief
explanation of the role of ``dbus`` messaging when doing
dynamic updates of exports.  Key point is that ``dbus-send``
and NFS-Ganesha must be in the same namespace even if NFS-ganesha
runs in a container.

Close-bug: #1883961
Change-Id: I57b916b16d07a8373143f396b42ea34bf80330a6
2020-11-17 20:15:44 -05:00
Zuul
d36b5df6a2 Merge "[NetApp] Support NFS shares on windows" 2020-11-17 13:37:26 +00:00
Zuul
fb86233489 Merge "Retry unmount operation on the LVM driver" 2020-11-17 12:22:33 +00:00
Zuul
7b15796aa5 Merge "Retry unmount operation on the ZFSOnLinux driver" 2020-11-17 01:56:34 +00:00
Chuan Miao
5e01d9e292 [NetApp] Support NFS shares on windows
Set following 4 attributes when creating nfs shares:
    showmount:          enabled
    v3-ms-dos-client:   support
    v3-connection-drop: disable
    ejukebox-errors:    disable

Change-Id: I86c3de32d36940e85545fcb337723e4b3edce216
Closes-bug: 1901937
Co-authored-by: Maurice Escher <maurice.escher@sap.com>
2020-11-16 21:04:09 +01:00
Felipe Rodrigues
70f7859f98 [NetApp] Fix hard-coded CA cert path for SSL
NetApp driver is hard-coding the location of CA certificates for SSL
verification during HTTPS requests. This location may change depending
on the environment or/and backend.

This patch adds the `netapp_ssl_cert_path` configuration, enabling
each backend to choose the directory with certificates of trusted CA
or the CA bundle. If set to a directory, it must have been processed
using the c_rehash utility supplied with OpenSSL. If not informed,
it will use the Mozilla's carefully curated collection of Root
Certificates for validating the trustworthiness of SSL certificates.

Closes-Bug: #1900191
Change-Id: Idbed4745104de26af99bb16e07c6890637dfcfd1
2020-11-16 16:04:26 -03:00
Goutham Pacha Ravi
8a691d8631 Retry unmount operation on the LVM driver
When a share is mounted on the same host as the manila-share
process, the kernel prevents us from destroying the
mount directory until the share has been cleanly unmounted
from the host. Kernel mounts can take a few seconds to get
unmounted fully especially when there are a lot of
linux namespaces that the mountpoint has been shared to.

Add a retry on these operations to harden the deletion
process and prevent spurious failures.

Change-Id: I3c1a2ec19d6bc18638db0875519ce60f2c89f33a
Closes-Bug: #1903773
Related-Bug: #1896672
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2020-11-11 23:27:16 -08:00
Zuul
2d29368bd0 Merge "Replace deprecated UPPER_CONSTRAINTS_FILE variable" 2020-11-12 02:33:56 +00:00
wu.shiming
5e8b2a475d Replace deprecated UPPER_CONSTRAINTS_FILE variable
Change-Id: I1237998bfaf258cf645d34ad8b8609aa5f03381c
2020-11-12 09:35:10 +08:00
Goutham Pacha Ravi
e3fea14788 Retry unmount operation on the ZFSOnLinux driver
When a share is mounted on the same host as the manila-share
process, zfs prevents us from destroying the underlying
dataset until the share has been cleanly unmounted from
the host. Kernel mounts can take a few seconds to get
unmounted fully especially when there are a lot of
linux namespaces that the mountpoint has been shared to.

Add a retry on these operations to harden the deletion
process and prevent spurious failures.

Change-Id: I4aba76b72df274d0a8cb90fe0ab8799523c260ef
Closes-Bug: #1903773
Related-Bug: #1896672
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2020-11-10 13:35:21 -08:00
silvacarloss
136a89937c Update share replicas export location API ref
Moves the share replica export location API reference out of the
experimental features documentation.

Change-Id: I16cbad169d0c4f89428f17a317840750966d240f
2020-11-06 09:05:36 -03:00
Zuul
abfbfd5781 Merge "Remove the unused coding style modules" 2020-11-04 00:17:30 +00:00
Maurice Escher
074b083597 fix reno file location and indention
Change-Id: Ibdb7f5fb04c9f53cd8c156e87a1bd95376d80839
2020-11-03 09:17:28 +01:00
wu.shiming
55ef4999f9 Remove the unused coding style modules
Python modules related to coding style checks (listed in blacklist.txt
in openstack/requirements repo) are dropped from lower-constraints.txt
as they are not actually used in tests

Change-Id: Ia64180303af54c512610add2f55987efea97017a
2020-10-30 11:43:07 +08:00
Zuul
e5c165dc4f Merge "disable M325" 2020-10-29 20:36:18 +00:00
silvacarloss
21c731e733 Move shares filtering to database layer
Moves the manila shares filtering to the database in order to have
the queries performance improved.

Change-Id: I031a3b9775c50e78b6b86752ff8d1a4871a91c0c
Co-Authored-By: MaAoyu <maaoyu@inspur.com>
2020-10-23 20:37:58 +00:00
haixin
1b5771ef15 Fix logic that determines a share exists before manage
The share "manage" API checks whether
an existing/known share is being imported by
matching the export path provided to existing
shares.

This lookup does not consider the
fact that shares may have multiple export
locations, because it relies on an old/deprecated
"export_location" property on shares which
was added to provide backwards compatibility
to the API that presented only one export
location per share.

Further, it's possible to get a
"ERROR: Invalid share: Share already exists"
exception even when no such share exists in the
database.

Fix the lookup by using the "export_location_path"
based lookup which is faster, since it performs
a meaningful join on the export locations table;
and remove the parameters "protocol"
and "share_type_id" - these things make no
difference when there's a duplicated export
location. We'll consider "host" as a lookup
parameter since we can't be sure that export
locations are unique in a deployment - but they
ought to be unique for a given host.

Closes-Bug: #1848608
Closes-Bug: #1893718
Change-Id: I1d1aef0c2b48764789b43b91b258def6464b389f
Co-Authored-By: Goutham Pacha Ravi <gouthampravi@gmail.com>
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2020-10-19 15:25:07 +08:00
Zuul
179b26f5dc Merge "Add share server migration admin documentation" 2020-10-14 12:04:56 +00:00
haixin
cc33a4b23e disable M325
Since we don't support python2.x anymore, we don't
need to use six.text_type.

Change-Id: Id1647b55af476ab4559759a27498ede353dd10ba
2020-10-14 14:05:30 +08:00
Zuul
05a6c74800 Merge "Set Victoria max version in the api doc" 2020-10-13 19:27:23 +00:00
Zuul
e6de3ff813 Merge "[NetApp] Fix access rules for CIFS promoted replica" 2020-10-13 19:27:21 +00:00
Goutham Pacha Ravi
6d8c99a7fb Set Victoria max version in the api doc
Change-Id: I02c1062e543986a6d6eaa3187dbd90797899021e
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2020-10-09 11:41:58 -07:00
Douglas Viroel
2e27c71877 Fix 'update_share_replica' doesn't provide share server model to drivers
This patch fixes the 'update_share_replica' operation in the share manager
that wasn't getting the share-server model from the share replica model.
When the operation is executed, the current share replica object may
not have the 'share-server-id' information and need to be updated before
anything else.

Closes-Bug: #1898924
Change-Id: I1d9d69bbdaa27a68a425d959fa8c5da83a157548
Signed-off-by: Douglas Viroel <viroel@gmail.com>
2020-10-08 20:31:55 -03:00
Douglas Viroel
3ca9c7678e Add share server migration admin documentation
Partial-Bug: #1897903
Change-Id: Ia6dd260e6d2f9e2a7d9d381d345d952a3069f8c5
Signed-off-by: Douglas Viroel <viroel@gmail.com>
2020-10-08 09:43:09 -03:00
Felipe Rodrigues
0c4d1e3398 [NetApp] Fix access rules for CIFS promoted replica
This patch fixes the access rules for NetApp promote replica when
using CIFS protocol. When promoting a replica, the NetApp ONTAP
driver updates the access rules for the promoted CIFS share entity
before actually creating it, failing on having those rules
applied.

The bug is fixed by switching the order of updating the access
and creating the promoted CIFS share entity.

Change-Id: I60e4057dc962d96cff57dea88587a28c2043b499
Closes-Bug: #1896949
2020-10-03 12:32:43 -03:00