The CephFS Native driver enables manila to export shared filesystems to guests using the Ceph network protocol. Guests require a Ceph client in order to mount the filesystem.
Access is controlled via Ceph’s cephx authentication system. When a user requests share access for an ID, Ceph creates a corresponding Ceph auth ID and a secret key, if they do not already exist, and authorizes the ID to access the share. The client can then mount the share using the ID and the secret key.
To learn more about configuring Ceph clients to access the shares created using this driver, please see the Ceph documentation( http://docs.ceph.com/docs/master/cephfs/). If you choose to use the kernel client rather than the FUSE client, the share size limits set in manila may not be obeyed.
The following operations are supported with CephFS backend:
Important
A manila share backed onto CephFS is only as good as the underlying filesystem. Take care when configuring your Ceph cluster, and consult the latest guidance on the use of CephFS in the Ceph documentation ( http://docs.ceph.com/docs/master/cephfs/)
Run the following commands to create a Ceph identity for manila to use:
read -d '' MON_CAPS << EOF
allow r,
allow command "auth del",
allow command "auth caps",
allow command "auth get",
allow command "auth get-or-create"
EOF
ceph auth get-or-create client.manila -o manila.keyring \
mds 'allow *' \
osd 'allow rw' \
mon "$MON_CAPS"
manila.keyring, along with your ceph.conf file, will then need to be placed on the server running the manila-share service.
Enable snapshots in Ceph if you want to use them in manila:
ceph mds set allow_new_snaps true --yes-i-really-mean-it
In the server running the manila-share service, you can place the ceph.conf and manila.keyring files in the /etc/ceph directory. Set the same owner for the manila-share process and the manila.keyring file. Add the following section to the ceph.conf file.
[client.manila]
client mount uid = 0
client mount gid = 0
log file = /opt/stack/logs/ceph-client.manila.log
admin socket = /opt/stack/status/stack/ceph-$name.$pid.asok
keyring = /etc/ceph/manila.keyring
It is advisable to modify the Ceph client’s admin socket file and log file locations so that they are co-located with manila services’s pid files and log files respectively.
Add CephFS to enabled_share_protocols (enforced at manila api layer). In this example we leave NFS and CIFS enabled, although you can remove these if you will only use CephFS:
enabled_share_protocols = NFS,CIFS,CEPHFS
Create a section like this to define a CephFS backend:
[cephfs1]
driver_handles_share_servers = False
share_backend_name = CEPHFS1
share_driver = manila.share.drivers.cephfs.cephfs_native.CephFSNativeDriver
cephfs_conf_path = /etc/ceph/ceph.conf
cephfs_auth_id = manila
cephfs_cluster_name = ceph
cephfs_enable_snapshots = True
Set cephfs_enable_snapshots to True in the section to let the driver perform snapshot related operations.
Then edit enabled_share_backends to point to the driver’s backend section using the section name. In this example we are also including another backend (“generic1”), you would include whatever other backends you have configured.
enabled_share_backends = generic1, cephfs1
Mitaka release
Consider the driver as a building block for supporting multi-tenant workloads in the future. However, it can be used in private cloud deployments.
Mitaka release
Each share’s data is mapped to a distinct Ceph RADOS namespace. A guest is restricted to access only that particular RADOS namespace. http://docs.ceph.com/docs/master/cephfs/file-layouts/
An additional level of resource isolation can be provided by mapping a share’s contents to a separate RADOS pool. This layout would be be preferred only for cloud deployments with a limited number of shares needing strong resource separation. You can do this by setting a share type specification, cephfs:data_isolated for the share type used by the cephfs driver.
manila type-key cephfstype set cephfs:data_isolated=True
As mentioned earlier, untrusted manila guests pose security risks to the Ceph storage cluster as they would have direct access to the cluster’s public network.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.