Design document for adding NFS as storage backend #1740
Conversation
design/nfs.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| Rook is an open source orchestrator for distributed storage systems running in kubernetes, currently in alpha state and has focused initially on orchestrating Ceph on top of Kubernetes. This document explores a design to add NFS to Rook. This is a part of the rook feature request [#1551](https://github.com/rook/rook/issues/1502). |
design/nfs.md
Outdated
|
|
||
| ## Design | ||
|
|
||
| Rook brings storage platforms to Kubernetes with a fully Kubernetes-native design. It integrates deeply into cloud native environments leveraging extension points and providing a seamless experience for scheduling, lifecycle management, resource management, security, monitoring, and user experience. |
There was a problem hiding this comment.
It seems you have already mentioned the overview in the Rook architecture section, so maybe you don't need this line here?
design/nfs.md
Outdated
| 3. Rook is notified of the new CRD | ||
| - Rook starts the NFS daemon on the desired nodes in the cluster | ||
| - Rook creates a storage class | ||
| 4. The pod which requires NFS storage creates a PVC to consume the volume. |
There was a problem hiding this comment.
This bullet is referring to the client consuming the storage? I would suggest either a different title for this section that indicates an end-to-end flow, or else remove this bullet and keep this as just the flow for creating the NFS share
design/nfs.md
Outdated
|
|
||
| ### Deployed service | ||
|
|
||
| When the NFS CRD instance is created, Rook responds to this request by starting the NFS daemon with the configuration and exports stated in the CRD and creates a service to expose NFS. |
There was a problem hiding this comment.
Could this section be merged with step 3 in the previous section? There is some overlap.
design/nfs.md
Outdated
| namespace: rook | ||
| spec: | ||
| replicas: 1 | ||
| serverConfig: |
There was a problem hiding this comment.
you could call this just server. All of these are implied "config" settings
design/nfs.md
Outdated
| | `volumes` | Attach a volume to NFS server Pod for sharing | <none> | | ||
| | `volumes.name` | Name of the volume that will be attached to NFS server pod. | <none> | | ||
| | `volumes.persistentVolumeClaim` | Claim to get volume(Volume could come from hostPath, cephFS, cephRBD, googlePD, EBS etc.). | <none> | | ||
| | `volumes.claimName` | Name of the PVC. | <none> | |
There was a problem hiding this comment.
should this be under volumes.persistentVolumeClaim.claimName?
design/nfs.md
Outdated
| | `replicas` | The no. of NFS daemon to start | `1` | | ||
| | `serverConfig` | NFS server configuration parameters | <none> | | ||
| | `serverConfig.validHosts` | The host or network to which export is being shared. | Current pod network | | ||
| | `serverConfig.accessMode` | Reading and Writing permissions on the share. | `RO` | |
There was a problem hiding this comment.
What values are possible? Would be nice for the CRD to accept readable values such as ReadOnly or ReadWrite.
There was a problem hiding this comment.
Squash and access modes can be a per export or a per client option. You'll need to allow such tunables as well. So A client IP can have RW and No_Squash access to an export, while an another IP can have RO and Root_Squash access to the same export.
See,
https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/config_samples/export.txt
design/nfs.md
Outdated
| | `serverConfig.accessMode` | Reading and Writing permissions on the share. | `RO` | | ||
| | `serverConfig.rootSquash` | This prevents root users connected remotely from having root privileges. | `true` | | ||
| | `serverConfig.sync` | The NFS server will not reply to requests before changes made by previous requests are written to disk. | `true` | | ||
| | `volumes` | Attach a volume to NFS server Pod for sharing | <none> | |
There was a problem hiding this comment.
you could point out that this is a list of volumes to expose
design/nfs.md
Outdated
| | Parameter | Description | Default | | ||
| |---------------------------------|--------------------------------------------------------------------------|----------------------| | ||
| | `replicas` | The no. of NFS daemon to start | `1` | | ||
| | `serverConfig` | NFS server configuration parameters | <none> | |
There was a problem hiding this comment.
If multiple volumes are defined in the CRD, they will all have these same server config options, right?
design/nfs.md
Outdated
|
|
||
| ### Examples: | ||
|
|
||
| 1. For sharing a volume(could be hostPath, cephFS, cephRBD, googlePD, EBS etc.) using NFS, which will be shared as /myshare by the NFS server whose Nfs-Ganesha export entry looks like: |
There was a problem hiding this comment.
This example just uses EBS. I'd suggest you mention all the other types (hostPath, cephFS, cephRBD, etc) as part of the table above, perhaps under the claimName property.
There was a problem hiding this comment.
claimName is to provide name for PCV from where to attach volume to NFS for sharing, so it can be any name, will it be good to mention type of volume being attached to NFS server pod eg., volumes.persistentVolumeClaim.volumeType ? But i don't think this option will be useful.
design/nfs.md
Outdated
| | `serverConfig` | NFS server configuration parameters | <none> | | ||
| | `serverConfig.validHosts` | The host or network to which export is being shared. | Current pod network | | ||
| | `serverConfig.accessMode` | Reading and Writing permissions on the share. | `RO` | | ||
| | `serverConfig.rootSquash` | This prevents root users connected remotely from having root privileges. | `true` | |
There was a problem hiding this comment.
Better to rename this as 'squash' option that is not boolean. There are more squash options available than Root_Squash, and No_Root_Squash. See,
nfs-ganesha/nfs-ganesha@9aa84e6e03#diff-c5e45dc21935650ee04682077e967e39R32
design/nfs.md
Outdated
| | `replicas` | The no. of NFS daemon to start | `1` | | ||
| | `serverConfig` | NFS server configuration parameters | <none> | | ||
| | `serverConfig.validHosts` | The host or network to which export is being shared. | Current pod network | | ||
| | `serverConfig.accessMode` | Reading and Writing permissions on the share. | `RO` | |
There was a problem hiding this comment.
Squash and access modes can be a per export or a per client option. You'll need to allow such tunables as well. So A client IP can have RW and No_Squash access to an export, while an another IP can have RO and Root_Squash access to the same export.
See,
https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/config_samples/export.txt
design/nfs.md
Outdated
|
|
||
| When the NFS CRD instance is created, Rook responds to this request by starting the NFS daemon with the configuration and exports stated in the CRD and creates a service to expose NFS. | ||
|
|
||
| ### NFS CRD |
There was a problem hiding this comment.
How would one add, remove or update an export of a NFS ganesha server using the CRD? would it be a `kubectl edit/replace nfs-ganesha-1.yaml' ?
There was a problem hiding this comment.
Yes it will be kubectl edit/replace nfs-ganesha-1.yaml, I have also mentioned this in the updated design.
rohan47
force-pushed
the
nfs-design-doc
branch
2 times, most recently
from
cedd36b
to
ac40dc0
Compare
design/nfs.md
Outdated
| 1. NFS server storage backend configuration. E.g., configuration for various storage backends(ceph, ebs, azure disk etc) that will be shared using NFS. | ||
| 2. NFS server configuration | ||
| - export (The volume being exported) | ||
| - client (The host or network to which the export is being shared) |
There was a problem hiding this comment.
In a dynamic environment like kubernetes, specifying the client here doesn't seem to fit the expected pattern. We don't know what host or IP address the client is going to have. If the client isn't specified, will all clients be allowed? Then we could allow any pod to create a PVC that has access to the storage class.
design/nfs.md
Outdated
| 3. When the NFS CRD instance is created, Rook responds to this request by starting the NFS daemon with the configuration and exports stated in the CRD and creates a service to expose NFS. | ||
| - Rook starts the NFS daemon on the desired nodes in the cluster | ||
| - NFS service is created | ||
| - Rook creates a storage class |
There was a problem hiding this comment.
While it would be convenient to generate the storage class, the admin may want to have more control about the storage classes. We might want to start with examples for how the admin can create the storage classes and then automate it later after we understand better if the flow really requires that simplification. It's a security tradeoff for simplification. Note that the operator actually doesn't currently have RBAC privileges to create storage classes, so we would have to add the create access.
rohan47
force-pushed
the
nfs-design-doc
branch
3 times, most recently
from
f9fb46c
to
ab3ba38
Compare
design/nfs.md
Outdated
|
|
||
| The parameters to configure NFS CRD are: | ||
|
|
||
| | Parameter | Description | Default | |
There was a problem hiding this comment.
Before this table I think it would be helpful to show an example yaml that uses all the properties. Then the reader can visualize the hierarchy
There was a problem hiding this comment.
will it be fine if this table is after the example 1?
There was a problem hiding this comment.
i was suggesting a pattern of a simple example, followed by the detailed table, followed by more advanced examples. That's fine as well if the table is after all of the examples.
There was a problem hiding this comment.
something like this?
apiVersion: rook.io/v1alpha1
kind: NetworkFileSystem
metadata:
name: nfs-vol
namespace: rook
spec:
replicas: 1
exports:
- name: nfs-share
server:
accessMode: ReadOnly
squash: root
allowedClients:
- name: host1
clients: 172.17.0.5
accessMode: ReadOnly
squash: root
persistentVolumeClaim:
claimName: ebs-claimThere was a problem hiding this comment.
Yes, looks good. We might consider not including the allowedClients in the first example though. It could be in a more advanced example later.
design/nfs.md
Outdated
|
|
||
| | Parameter | Description | Default | | ||
| |-------------------------------------------|--------------------------------------------------------------------------|----------------------| | ||
| | `replicas` | The no. of NFS daemon to start | `1` | | ||
| | `volumes` | These are the volumes to be exposed by NFS server | <none> | | ||
| | `server` | NFS server configuration | <none> | | ||
| | `server.volumeMount.name` | `volume.name` of the attached volume for sharing via NFS server | <none> | |
There was a problem hiding this comment.
For each volume in the volumes element, there is a corresponding volumeMount in the server section, right? What if we combine these into a single list? For example:
volumes:
- name: nfs-share
mount:
accessMode: ReadWrite
squash: root
persistentVolumeClaim:
claimName: googlePD-claimThere was a problem hiding this comment.
Okay, and instead of mount we can name it options or server
exports:
- name: nfs-share
server:
accessMode: ReadWrite
squash: root
persistantVolumeClaim:
claimName: googlePD-claimand for client specific example it can be
exports:
- name: nfs-share
server:
allowedClients:
- name: host1
clients: 172.17.0.5
accessMode: ReadOnly
squash: root
- name: host2
clients:
- 172.17.0.0/16
- serverX
accessMode: ReadWrire
squash: none
persistantVolumeClaim:
claimName: googlePD-claim
Signed-off-by: rohan47 <rohanrgupta1996@gmail.com>
rohan47
force-pushed
the
nfs-design-doc
branch
2 times, most recently
from
982c1b8
to
1a613f6
Compare
design/nfs.md
Outdated
| | `exports.persistentVolumeClaim` | Claim to get volume(Volume could come from hostPath, cephFS, cephRBD, googlePD, EBS etc. and these volumes will be exposed by NFS server ). | <none> | | ||
| | `exports.persistentVolumeClaim.claimName` | Name of the PVC | <none> | | ||
|
|
||
| *note: if `server.volumeMount.accessMode` and `server.volumeMount.squash` options are mentioned, `server.volumeMount.allowedClients.accessMode` and `server.volumeMount.allowedClients.squash` are overridden respectively. |
There was a problem hiding this comment.
looks like you need to update these paths
rohan47
force-pushed
the
nfs-design-doc
branch
3 times, most recently
from
d3a4f3c
to
e21cded
Compare
Signed-off-by: rohan47 rohanrgupta1996@gmail.com
Design documentation for the feature request #1551
[skip ci]