Chapter 3. Post-deployment configuration
You must complete some post-deployment configuration tasks before you create NFS shares, grant user access, and mount NFS shares.
- Map the Networking service (neutron) storage network to the isolated data center storage network.
- Make the storage provider network available to trusted tenants only through custom role based access control (RBAC). Do not share the storage provider network globally.
- Create a private share type.
- Grant access to specific trusted tenants.
After you complete these steps, the tenant compute instances can create, allow access to, and mount native CephFS shares.
3.1. Creating the storage provider network
You must map the new isolated storage network to a Networking (neutron) provider network. The Compute VMs attach to the network to access native CephFS share export locations.
For information about network security with the Shared File Systems service, see Hardening the Shared File Systems Service in the Security and Hardening Guide.
Procedure
The openstack network create
command defines the configuration for the storage neutron network.
From an undercloud node, enter the following command:
[stack@undercloud ~]$ source ~/overcloudrc
On an undercloud node, create the storage network:
(overcloud) [stack@undercloud-0 ~]$ openstack network create Storage --provider-network-type vlan --provider-physical-network datacentre --provider-segment 30
You can enter this command with the following options:
-
For the
--provider-physical-network
option, use the default valuedatacentre
, unless you set another tag for the br-isolated bridge through NeutronBridgeMappings in your tripleo-heat-templates. -
For the
--provider-segment
option, use the value set for the Storage isolated network in your network environment file. If this was not customized, the default environment file is/usr/share/openstack-tripleo-heat-templates/network_data.yaml
. The VLAN associated with the Storage network value is30
unless you modified the isolated network definitions. -
For the
--provider-network-type
option, use the valuevlan
.
-
For the
3.2. Configuring the storage provider network
Create a corresponding StorageSubnet
on the neutron provider network. Ensure that the subnet is the same for the storage_subnet
in the undercloud, and that the allocation range for the storage subnet and the corresponding undercloud subnet do not overlap.
Requirements
- The starting and ending IP range for the allocation pool
- The subnet IP range
Procedure
From an undercloud node, enter the following command:
[stack@undercloud ~]$ source ~/overcloudrc
Use the sample command to provision the network. Update the values to suit your environment.
(overcloud) [stack@undercloud-0 ~]$ openstack subnet create \ --allocation-pool start=172.17.3.10,end=172.17.3.149 \ --dhcp \ --network Storage \ --subnet-range 172.17.3.0/24 \ --gateway none StorageSubnet
-
For the
--allocation-pool
option, replace thestart=172.17.3.10,end=172.17.3.149
IP values with the IP values for your network. -
For the
--subnet-range
option, replace the172.17.3.0/24
subnet range with the subnet range for your network.
-
For the
3.3. Configuring role-based access control for the storage provider network
After you identify the trusted tenants or projects that can use the storage network, configure role-based access control (RBAC) rules for them through the Networking service (neutron).
Requirements
Names of the projects that need access to the storage network
Procedure
From an undercloud node, enter the following command:
[stack@undercloud ~]$ source ~/overcloudrc
Identify the projects that require access:
(overcloud) [stack@undercloud-0 ~]$ openstack project list +----------------------------------+---------+ | ID | Name | +----------------------------------+---------+ | 06f1068f79d2400b88d1c2c33eacea87 | demo | | 5038dde12dfb44fdaa0b3ee4bfe487ce | service | | 820e2d9c956644c2b1530b514127fd0d | admin | +----------------------------------+---------+
Create network RBAC rules with the desired projects:
(overcloud) [stack@undercloud-0 ~]$ openstack network rbac create \ --action access_as_shared Storage \ --type network \ --target-project demo
Repeat this step for all of the projects that require access to the storage network.
3.4. Configuring a default share type
You can use the Shared File Systems service (manila) to define share types that you can use to create shares with specific settings. Share types work like Block Storage volume types. Each type has associated settings, for example, extra specifications. When you invoke the type during share creation the settings apply to the shared file system.
To secure the native CephFS back end against untrusted users, Red Hat recommends that you do not create a default share type. When a default share type does not exist, users are forced to specify a share type, and trusted users can use a custom private share type to which they have exclusive access rights.
If you must create a default share type for untrusted tenants, you can steer provisioning away from the native CephFS back end.
Procedure
From an undercloud node, enter the following command:
[stack@undercloud ~]$ source ~/overcloudrc
Set an extra specification on the share type:
(overcloud) [stack@undercloud-0 ~] manila type-create default False (overcloud) [stack@undercloud-0 ~] manila type-key default set share_backend_name='s!= cephfs'
Create a private share type and provide trusted tenants with access to this share type:
(overcloud) [stack@undercloud-0 ~]$ manila type-create --is-public false nativecephfstype false (overcloud) [stack@undercloud-0 ~]$ manila type-key nativecephfstype set share_backend_name='cephfs' (overcloud) [stack@undercloud-0 ~]$ manila type-access-add nativecephfstype <trusted_tenant_project_id>
For more information about share types, see Creating a share type in the Storage Guide.