Allow specifying custom Ceph user and secret name for mounting #2216
Conversation
galexrt
force-pushed
the
fix_2164
branch
4 times, most recently
from
cfe9d03
to
7610d5c
Compare
|
One thing to add here, this change does not only affect filesystem mounting but also block storage or to put it differently I thought why stop at filesystem. There seems to be one more quirk I have to fix in the code to get the tests green. Will look on Monday, but in general this is ready for review. |
There was a problem hiding this comment.
How much simpler would this be if it was only supported for CephFS? If there isn't a request for block to support this, seems like we should keep it simple. The doc example also only discusses how to use it for the file system, right?
Since mounting cephfs requires using flex directly instead of a storage class seems like this would simplify a number of places.
- The username and secret would be set here
- If they are not set, the
adminaccount would be used, which is the behavior today and would be the new default - No need for an env var in the operator.yaml that controls the policy
| @@ -155,14 +174,30 @@ func (vm *VolumeManager) Detach(image, pool, clusterNamespace string, force bool | |||
| return nil | |||
| } | |||
|
|
|||
| if id == "" && key == "" { | |||
| return fmt.Errorf("no id nor keyring given, can't unmount without credentials") | |||
There was a problem hiding this comment.
ummapping requires the keyring?
There was a problem hiding this comment.
I need to verify, though the unmap command has the keyring flag set on it so I just added it to make sure the credentials are set as in the map command.
| # (Optional) Specify an existing Ceph user that will be used for mounting storage with this StorageClass. | ||
| #mountUser: user1 | ||
| # (Optional) Specify an existing Kubernetes Secret name containing just one key holding the Ceph user secret. | ||
| # The secret must exist in each namespace(s) where the storage will be consumed! |
There was a problem hiding this comment.
should there also be a secret namespace?
There was a problem hiding this comment.
@bassam No, the namespace of the Pod mounting the storage will be used to get the secret. This is in "conformance" with some existing in-tree plugins looking up the secret in the namespace of the pod using storage.
There was a problem hiding this comment.
all storage classes that have a secret also specify the namespace. why this different? https://kubernetes.io/docs/concepts/storage/storage-classes/#ceph-rbd
There was a problem hiding this comment.
That seems to be new for the user provided mount secret ..
https://v1-11.docs.kubernetes.io/docs/concepts/storage/storage-classes/#ceph-rbd
Sure, I'll add that too though would default it to pod namespace.
galexrt
force-pushed
the
fix_2164
branch
3 times, most recently
from
548d0c2
to
5688c1d
Compare
|
@bassam I just realized a security problem with the
I would be for removing the |
|
@galexrt what would it take to update a filesystem integration test to generate and mount with the user creds? It seems like it wouldn't be too big a work item. |
galexrt
force-pushed
the
fix_2164
branch
5 times, most recently
from
e374797
to
76a074c
Compare
|
Came here to whine about authentication... |
galexrt
force-pushed
the
fix_2164
branch
2 times, most recently
from
52caf79
to
edd2fb2
Compare
|
@galexrt looking at the integration tests, here are a few suggestions. It's not clear yet what the underlying issue is for deleting the mds pod. I am not able to repro the issue locally, similarly to your findings. Only jenkins seems to be having the issue anytime deleting the mds pods. It doesn't seem to be inter-related between the integration tests because each test uses the labels to only look for mds pods that it created. To troubleshoot further, i would suggest printing the output of Perhaps on an unrelated note, the operator log shows we are calling an obsolete command to deactivate the mds. |
galexrt
force-pushed
the
fix_2164
branch
2 times, most recently
from
2081085
to
d2b2700
Compare
|
Any chance we will have mount security for basic multi tenancy soon ? |
galexrt
force-pushed
the
fix_2164
branch
3 times, most recently
from
7738eb7
to
b3b078c
Compare
travisn
force-pushed
the
fix_2164
branch
2 times, most recently
from
b9f1c27
to
c3ca160
Compare
|
@travisn I just had three green, restarted CI.. https://jenkins.rook.io/blue/organizations/jenkins/rook%2Frook/detail/PR-2216/60/pipeline/ If it fails another time in 1.8 and 1.9 I'll take a closer look at why it failed.
|
|
Oh well now I have 4 of 5 green.. aws 1.9 failed with |
| @@ -154,7 +154,7 @@ def RunIntegrationTest(k, v) { | |||
| export PATH="/tmp/rook-tests-scripts-helm/linux-amd64:$PATH" \ | |||
| KUBECONFIG=$HOME/admin.conf | |||
| kubectl config view | |||
| _output/tests/linux_amd64/integration -test.v -test.timeout 2400s --host_type '''+"${k}"+''' --helm /tmp/rook-tests-scripts-helm/linux-amd64/helm 2>&1 | tee _output/tests/integrationTests.log''' | |||
| _output/tests/linux_amd64/integration -test.v -test.timeout 7200s --host_type '''+"${k}"+''' --helm /tmp/rook-tests-scripts-helm/linux-amd64/helm 2>&1 | tee _output/tests/integrationTests.log''' | |||
There was a problem hiding this comment.
a timeout of 2h seems too long. how about 60 minutes for now?
There was a problem hiding this comment.
I think I had problems with a timeout of "just" 60 minutes in the CI. As written below, I just "cranked" it up.
There was a problem hiding this comment.
the typical time for the integration tests is currently 35 minutes. If it goes over 60 minutes, seems like jenkins should kill it because the tests are surely failing. The longer we wait, the jenkins backlog just has the potential to get longer. Hopefully we can fix the resource issue with jenkins soon...
| @CGO_ENABLED=0 $(GOHOST) test -v -i $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES) | ||
| @CGO_ENABLED=0 $(GOHOST) test -v $(GO_TEST_FLAGS) $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES) $(TEST_FILTER_PARAM) 2>&1 | tee $(GO_TEST_OUTPUT)/integration-tests.log | ||
| CGO_ENABLED=0 $(GOHOST) test -v -i $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES) | ||
| CGO_ENABLED=0 $(GOHOST) test -v -timeout 7200s $(GO_TEST_FLAGS) $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES) $(TEST_FILTER_PARAM) 2>&1 | tee $(GO_TEST_OUTPUT)/integration-tests.log |
There was a problem hiding this comment.
why do we need this timeout? if someone is running the integration tests locally, they could just cancel them.
There was a problem hiding this comment.
@travisn Well.. during local testing when I ran the tests I got test timeouts, so I just "cranked" it up.
Introduce mount security mode for basic multi tenancy Fixes rook#2164. This adds three new parameters/options to StorageClass/flexvolume entry: * `mountUser` * `mountSecret` * `mountSecretNamespace` Signed-off-by: Alexander Trost <galexrt@googlemail.com>
|
@travisn please merge the PR when the CI is green now, as I'm heading to bed now and want to get the PR finally merged. |
|
Crossed all the fingers I have |
|
@travisn it's green! Finally. |
|
So,If the Node reboot,Then will lost security mode env? |
|
@planeo1105 No. You are probably running a Please create a new issue with your problem next time. |
Description of your changes:
Introduce mount security mode for basic multi tenancy
This adds three new parameters/options to StorageClass/flexvolume entry:
mountUsermountSecretmountSecretNamespaceWill test in a minute or two but I'm currently "rebuilding" my vendor directory which takes quite an amount of time.
Which issue is resolved by this Pull Request:
Resolves #2164.
Checklist:
make codegen) has been run to update object specifications, if necessary./cc @dimm0 took me a bit longer than said in the community meeting but here it is