[openstack][manila][cephfs] About access rule

Hello.

I set up Manila with CephFS driver - CephFS NFS shares and I use NFS-Ganesha based “ceph nfs” service.

I can create a share and can mount after creating access rule:

openstack share access create cephnfsshare ip 10.10.11.76

But I can mount my share from any IP.

Is it a bug, or do I understand it wrong?

My env:

OpenStack 2024 with Kolla-Ansible deployment
Ceph Quincy

Thank you. Regards

Nguyen Huu Khoi

Hello! Can you please share what the access rule looks like for the share access list command?

On Mon, Jan 27, 2025 at 06:06, Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> Hello.
>
> I set up Manila with CephFS driver - CephFS NFS shares and I use NFS-Ganesha based “ceph nfs” service.
>
> I can create a share and can mount after creating access rule:
>
> openstack share access create cephnfsshare ip 10.10.11.76
>
> But I can mount my share from any IP.
>
> Is it a bug, or do I understand it wrong?
>
> My env:
>
> OpenStack 2024 with Kolla-Ansible deployment
> Ceph Quincy
>
> Thank you. Regards
>
> Nguyen Huu Khoi

Hello, here it is

+--------------------------------------+-------------+-------------+--------------+--------+------------+----------------------------+----------------------------+
| id                                   | access_type | access_to   | access_level | state  | access_key | created_at                 | updated_at                 |
+--------------------------------------+-------------+-------------+--------------+--------+------------+----------------------------+----------------------------+
| 4f31edd7-4726-4ad0-9f10-95d6126a5233 | ip          | 10.10.11.75 | rw           | active | None       | 2025-01-26T07:42:44.499015 | 2025-01-26T07:42:44.985683 |
+--------------------------------------+-------------+-------------+--------------+--------+------------+----------------------------+----------------------------+

Nguyen Huu Khoi

On Tue, Jan 28, 2025 at 12:32 AM Carlos Silva <ces.eduardo98@gmail.com> wrote:
> Hello! Can you please share what the access rule looks like for the share access list command?

Hello, thank you for sharing the output of the access list command.

The access should be limited. I just ran a few tests and access is being denied properly on my env. I have noticed that the IP you mentioned in the first email doesn't match what is in the access rule.

Are you attempting to mount this share on a VM that doesn't have access allowed yet? Do you have any other access rules in place?

I'd suggest, as a test, to create two VMs, allow access to only one of them and attempt to mount the share in the VM that doesn't have access allowed. Please let me know how that goes if possible.

Thank you,
carloss

On Mon, Jan 27, 2025 at 20:36, Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> Hello, here it is
>
> +--------------------------------------+-------------+-------------+--------------+--------+------------+----------------------------+----------------------------+
> | id                                   | access_type | access_to   | access_level | state  | access_key | created_at                 | updated_at                 |
> +--------------------------------------+-------------+-------------+--------------+--------+------------+----------------------------+----------------------------+
> | 4f31edd7-4726-4ad0-9f10-95d6126a5233 | ip          | 10.10.11.75 | rw           | active | None       | 2025-01-26T07:42:44.499015 | 2025-01-26T07:42:44.985683 |
> +--------------------------------------+-------------+-------------+--------------+--------+------------+----------------------------+----------------------------+
>
> Nguyen Huu Khoi

Hello. This is because if I test with different IPs then I can access it with any IP. However, I cannot mount if I don't have any rule in this share. I test with vxlan and vlan IP too.

Nguyen Huu Khoi

On Wed, Jan 29, 2025 at 12:25 AM Carlos Silva <ces.eduardo98@gmail.com> wrote:
> Hello, thank you for sharing the output of the access list command.
>
> The access should be limited. I just ran a few tests and access is being denied properly on my env. I have noticed that the IP you mentioned in the first email doesn't match what is in the access rule.
>
> Are you attempting to mount this share on a VM that doesn't have access allowed yet? Do you have any other access rules in place?
>
> I'd suggest, as a test, to create two VMs, allow access to only one of them and attempt to mount the share in the VM that doesn't have access allowed. Please let me know how that goes if possible.
>
> Thank you,
> carloss

This is my manila.conf

[cephfsnfs1]
driver_handles_share_servers = False
share_backend_name = CEPHFSNFS1
share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
cephfs_protocol_helper_type = NFS
cephfs_conf_path = /etc/ceph/ceph.conf
cephfs_auth_id = manila
cephfs_cluster_name = az1
cephfs_filesystem_name = cephfs
cephfs_nfs_cluster_id = foo

Nguyen Huu Khoi

On Wed, Jan 29, 2025 at 10:27 AM Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> Hello. This is because if I test with different IPs then I can access it with any IP. However, I cannot mount if I don't have any rule in this share. I test with vxlan and vlan IP too.
>
> Nguyen Huu Khoi

I see that my share is created with RO as default, it should be NONE.

Does access rule work only with provider network? I test with vxlan and it won't work though I add router's External Gateway IP.

Nguyen Huu Khoi

On Wed, Jan 29, 2025 at 12:17 PM Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> This is my manila.conf
>
> [cephfsnfs1]
> driver_handles_share_servers = False
> share_backend_name = CEPHFSNFS1
> share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
> cephfs_protocol_helper_type = NFS
> cephfs_conf_path = /etc/ceph/ceph.conf
> cephfs_auth_id = manila
> cephfs_cluster_name = az1
> cephfs_filesystem_name = cephfs
> cephfs_nfs_cluster_id = foo
>
> Nguyen Huu Khoi

Please correct me if I am wrong.

If I create a share and add any access rule, including RO and RW, then the NFS volume on Ceph shows RO

[image: image.png]

Should it be configured as NONE by default? Because if RO then it can map from any IP.

Note: I use NFSClusterProtocolHelper.

Nguyen Huu Khoi

On Thu, Jan 30, 2025 at 7:46 PM Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> I see that my share is created with RO as default, it should be NONE.
>
> Does access rule work only with provider network? I test with vxlan and it won't work though I add router's External Gateway IP.
>
> Nguyen Huu Khoi

On Fri, Jan 31, 2025 at 04:20, Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> Please correct me if I am wrong.
>
> If I create a share and add any access rule, including RO and RW, then the NFS volume on Ceph shows RO
>
> [image: image.png]
>
> Should it be configured as NONE by default? Because if RO then it can map from any IP.

Manila shares will be represented as subvolumes, not volumes. If possible, please check the current list of exports in the cluster using these instructions [1] - this will display the list of current authorizations. Manila doesn't allow access (RO or RW) to shares by default, instead, this action should be triggered by someone.

> Note: I use NFSClusterProtocolHelper.
>
> Nguyen Huu Khoi
>
> On Thu, Jan 30, 2025 at 7:46 PM Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
>> I see that my share is created with RO as default, it should be NONE.
>>
>> Does access rule work only with provider network? I test with vxlan and it won't work though I add router's External Gateway IP.

IP based access rules in Manila will take a single IP or a subnet [2]. Not sure if I got the question though :)

[1] https://docs.ceph.com/en/quincy/mgr/nfs/#rgw-user-export
[2] https://docs.openstack.org/manila/latest/admin/shared-file-systems-crud-shar...

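
Added example (not part of the thread, and not Manila or Ceph code): a check of one export record, of the kind the export listing referenced in [1] displays, against the Manila rule shown earlier in the thread. The export JSON is constructed to mirror the reported symptom; its field names (`access_type`, `clients`, `addresses`) and the placeholder path are assumptions modelled on the Ceph mgr NFS export format, and the fallback logic models NFS-Ganesha applying the export-level access type to any client that matches no client block.

```python
import ipaddress
import json

# Constructed sample export record (assumed field names, placeholder path).
# cluster_id comes from the manila.conf in the thread; the client IP comes
# from the access rule in the thread. Everything else is illustrative.
EXPORT_JSON = """
{
  "export_id": 1,
  "path": "/volumes/_nogroup/SHARE-PLACEHOLDER",
  "cluster_id": "foo",
  "pseudo": "/volumes/_nogroup/SHARE-PLACEHOLDER",
  "access_type": "RO",
  "squash": "none",
  "protocols": [4],
  "clients": [
    {"addresses": ["10.10.11.75"], "access_type": "rw", "squash": "none"}
  ]
}
"""

# Constructed from the `share access list` output posted in the thread.
MANILA_RULES = [
    {"access_type": "ip", "access_to": "10.10.11.75", "access_level": "rw"},
]


def _norm(level):
    """Normalise an access level; missing or empty means no access."""
    return (level or "none").strip().lower()


def _matches(spec, ip):
    """True if a client address spec (single IP or CIDR) covers `ip`."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Hostnames, netgroups and wildcards are out of scope for this check.
        return False


def effective_access(export, ip):
    """Access a client at `ip` ends up with: the first matching client block
    wins, otherwise the export-level access_type applies."""
    for client in export.get("clients", []):
        if any(_matches(spec, ip) for spec in client.get("addresses", [])):
            return _norm(client.get("access_type"))
    return _norm(export.get("access_type"))


def audit(export, rules):
    """List every way the export grants more or less than the Manila rules."""
    findings = []
    fallback = _norm(export.get("access_type"))
    if fallback != "none":
        findings.append(
            f"export-level access_type is '{fallback}': clients outside every "
            f"client block still get {fallback} access"
        )
    allowed = {r["access_to"]: _norm(r["access_level"])
               for r in rules if r["access_type"] == "ip"}
    exported = {spec: _norm(c.get("access_type"))
                for c in export.get("clients", [])
                for spec in c.get("addresses", [])}
    for spec, level in allowed.items():
        if exported.get(spec) != level:
            findings.append(f"rule {spec} ({level}) is not exported as such")
    for spec, level in exported.items():
        if spec not in allowed:
            findings.append(f"export grants {level} to {spec} with no Manila rule")
    return findings


if __name__ == "__main__":
    export = json.loads(EXPORT_JSON)
    for ip in ("10.10.11.75", "10.10.11.76"):
        print(ip, "->", effective_access(export, ip))
    for finding in audit(export, MANILA_RULES):
        print("FINDING:", finding)
```

With the sample record, the address that has a rule gets `rw` and the address without one still gets `ro`, which is the behaviour reported in the thread; setting the export-level value to `none` makes the audit come back empty.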
Hello.

"Manila doesn't allow access (RO or RW) to shares by default, instead, this action should be triggered by someone".

You're right but when I add first access rule then it will trigger RO on this share on Ceph side. I tried to change RO to NONE on Ceph then add or remove access rules and it still reset to RO looks like my picture.

> IP based access rules in Manila will take a single IP or a subnet [2]. Not sure if I got the question though :)

I can make it work. This is my fault.

Nguyen Huu Khoi

On Fri, Jan 31, 2025 at 4:47 PM Carlos Silva <ces.eduardo98@gmail.com> wrote:
> Manila shares will be represented as subvolumes, not volumes. If possible, please check the current list of exports in the cluster using these instructions [1] - this will display the list of current authorizations. Manila doesn't allow access (RO or RW) to shares by default, instead, this action should be triggered by someone.
>
> IP based access rules in Manila will take a single IP or a subnet [2]. Not sure if I got the question though :)
>
> [1] https://docs.ceph.com/en/quincy/mgr/nfs/#rgw-user-export
> [2] https://docs.openstack.org/manila/latest/admin/shared-file-systems-crud-shar...

Right, so when you create the access rule, we are expected to update the authorized access in the storage, and we will create a new rule. If you don't specify the access level, Manila will assume an access level and create the rule. We can not have access rules that do not specify either RO or RW and set it to None.

In the access rule creation, did you specify read only, read write or none of them? If none, then manila will pick one and create the access for you, because an access rule *must* have the access type.

After this rule was applied, have you managed to mount the share only in the correct place and only read or read and write accordingly?

On Fri, Jan 31, 2025 at 07:38, Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
> Hello.
>
> "Manila doesn't allow access (RO or RW) to shares by default, instead, this action should be triggered by someone".
>
> You're right but when I add first access rule then it will trigger RO on this share on Ceph side. I tried to change RO to NONE on Ceph then add or remove access rules and it still reset to RO looks like my picture.
>
>> IP based access rules in Manila will take a single IP or a subnet [2]. Not sure if I got the question though :)
>
> I can make it work. This is my fault.
>
> Nguyen Huu Khoi

When I create a share with any access rule then I can mount it from any IP with RO, I worry about this.

Nguyen Huu Khoi

On Sat, Feb 1, 2025 at 3:37 AM Carlos Silva <ces.eduardo98@gmail.com> wrote:
> Right, so when you create the access rule, we are expected to update the authorized access in the storage, and we will create a new rule. If you don't specify the access level, Manila will assume an access level and create the rule. We can not have access rules that do not specify either RO or RW and set it to None.
>
> In the access rule creation, did you specify read only, read write or none of them? If none, then manila will pick one and create the access for you, because an access rule *must* have the access type.
>
> After this rule was applied, have you managed to mount the share only in the correct place and only read or read and write accordingly?
On Fri, Jan 31, 2025 at 07:38, Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
Hello. "Manila doesn't allow access (RO or RW) to shares by default, instead, this action should be triggered by someone".
You're right, but when I add the first access rule it will trigger RO on this share on the Ceph side. I tried to change RO to NONE on Ceph, then add or remove access rules, and it still resets to RO, as in my picture.
IP based access rules in Manila will take a single IP or a subnet [2]. Not sure if I got the question though :)
I can make it work. This is my fault.
Nguyen Huu Khoi
On Fri, Jan 31, 2025 at 4:47 PM Carlos Silva <ces.eduardo98@gmail.com> wrote:
On Fri, Jan 31, 2025 at 04:20, Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
Please correct me if I am wrong.
If I create a share and add any access rule, including RO and RW, then the NFS volume on Ceph shows RO.
Should it be configured as NONE by default? Because if it is RO then it can map from any IP.
Manila shares will be represented as subvolumes, not volumes. If possible, please check the current list of exports in the cluster using these instructions [1] - this will display the list of current authorizations. Manila doesn't allow access (RO or RW) to shares by default, instead, this action should be triggered by someone.
Note: I use NFSClusterProtocolHelper.
Nguyen Huu Khoi
On Thu, Jan 30, 2025 at 7:46 PM Nguyễn Hữu Khôi < nguyenhuukhoinw@gmail.com> wrote:
I see that my share is created with RO as default, it should be NONE.
Does the access rule work only with a provider network? I tested with vxlan and it won't work even though I added the router's External Gateway IP.
IP based access rules in Manila will take a single IP or a subnet [2].
Not sure if I got the question though :)
[1] https://docs.ceph.com/en/quincy/mgr/nfs/#rgw-user-export
[2] https://docs.openstack.org/manila/latest/admin/shared-file-systems-crud-shar...
Nguyen Huu Khoi
On Wed, Jan 29, 2025 at 12:17 PM Nguyễn Hữu Khôi < nguyenhuukhoinw@gmail.com> wrote:
This is my manila.conf
[cephfsnfs1]
driver_handles_share_servers = False
share_backend_name = CEPHFSNFS1
share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
cephfs_protocol_helper_type = NFS
cephfs_conf_path = /etc/ceph/ceph.conf
cephfs_auth_id = manila
cephfs_cluster_name = az1
cephfs_filesystem_name = cephfs
cephfs_nfs_cluster_id = foo
Nguyen Huu Khoi
On Wed, Jan 29, 2025 at 10:27 AM Nguyễn Hữu Khôi < nguyenhuukhoinw@gmail.com> wrote:
> Hello.
> This is because if I test with different IPs then I can access it
> with any IP. However, I cannot mount if I don't have any rule in this
> share. I test with vxlan and vlan IP too.
> Nguyen Huu Khoi
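The export check suggested in the thread, as an added example that is not part of any message and is not Manila or Ceph code: it reads one export in the JSON layout printed by `ceph nfs export info` and reports whether the export-level access type would serve clients that have no Manila rule. The field names (`access_type`, `clients`, `addresses`) are assumed from that layout, the sample export is constructed, and `client_access` and `audit_export` are hypothetical helper names.

```python
import ipaddress
import json

# Constructed sample; assumed layout of `ceph nfs export info` output:
# an export-level "access_type" plus a "clients" list of address entries.
SAMPLE_EXPORT = json.loads("""
{
  "export_id": 1,
  "pseudo": "/volumes/_nogroup/example-share",
  "access_type": "RO",
  "clients": [
    {"addresses": ["10.10.11.75"], "access_type": "rw", "squash": "none"}
  ]
}
""")

def _net(value):
    # Manila ip rules are a single IP or a subnet; both parse as networks.
    return ipaddress.ip_network(value, strict=False)

def client_access(export, ip):
    """Access level this export gives one client IP ('none' = refused)."""
    addr = ipaddress.ip_address(ip)
    for client in export.get("clients", []):
        if any(addr in _net(a) for a in client.get("addresses", [])):
            return (client.get("access_type") or export.get("access_type") or "none").lower()
    # No client entry matched: the export-level access type decides.
    return (export.get("access_type") or "none").lower()

def audit_export(export, manila_rules):
    """Compare one export with Manila ip rules given as {address: level}."""
    findings = []
    default = (export.get("access_type") or "none").lower()
    if default != "none":
        findings.append(f"export-level access_type={default} also serves unlisted clients")
    granted = {_net(a): (c.get("access_type") or default).lower()
               for c in export.get("clients", []) for a in c.get("addresses", [])}
    wanted = {_net(a): lvl.lower() for a, lvl in manila_rules.items()}
    for net, lvl in granted.items():
        if net not in wanted:
            findings.append(f"{net} is exported ({lvl}) but has no Manila rule")
        elif wanted[net] != lvl:
            findings.append(f"{net}: export grants {lvl}, Manila rule says {wanted[net]}")
    for net in sorted(wanted.keys() - granted.keys(), key=str):
        findings.append(f"{net} has a Manila rule but no client entry")
    return findings

if __name__ == "__main__":
    for line in audit_export(SAMPLE_EXPORT, {"10.10.11.75": "rw"}):
        print(line)
```

Feed it the saved JSON of a real export and the `access_to`/`access_level` pairs from `openstack share access list`; an empty result means the export and the Manila rules agree and unlisted clients are refused.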
participants (2)
- Carlos Silva
- Nguyễn Hữu Khôi