CephFS driver
The CephFS driver enables manila to export shared filesystems backed by Ceph’s File System (CephFS) using either the Ceph network protocol or NFS protocol. Guests require a native Ceph client or an NFS client in order to mount the filesystem.
When guests access CephFS using the native Ceph protocol, access is controlled via Ceph’s cephx authentication system. If a user requests share access for an ID, Ceph creates a corresponding Ceph auth ID and a secret key, if they do not already exist, and authorizes the ID to access the share. The client can then mount the share using the ID and the secret key. To learn more about configuring Ceph clients to access the shares created using this driver, please see the Ceph documentation (http://docs.ceph.com/docs/master/cephfs/). If you choose to use the kernel client rather than the FUSE client, the share size limits set in manila may not be obeyed.
When guests access CephFS through NFS, an NFS-Ganesha server mediates access to CephFS. The driver enables access control by managing the NFS-Ganesha server’s exports.
Supported Operations
The following operations are supported with CephFS backend:
Create/delete share
Allow/deny CephFS native protocol access to share
    Only cephx access type is supported for CephFS native protocol.
    read-only access level is supported in Newton or later versions of manila.
    read-write access level is supported in Mitaka or later versions of manila.
(or)
Allow/deny NFS access to share
    Only ip access type is supported for NFS protocol.
    read-only and read-write access levels are supported in Pike or later versions of manila.
Extend/shrink share
Create/delete snapshot
Create/delete consistency group (CG)
Create/delete CG snapshot
Warning
CephFS currently supports snapshots as an experimental feature, therefore the snapshot support with the CephFS Native driver is also experimental and should not be used in production environments. For more information, see (http://docs.ceph.com/docs/master/cephfs/experimental-features/#snapshots).
Prerequisites
Important
A manila share backed by CephFS is only as good as the underlying filesystem. Take care when configuring your Ceph cluster, and consult the latest guidance on the use of CephFS in the Ceph documentation (http://docs.ceph.com/docs/master/cephfs/).
Authorizing the driver to communicate with Ceph
Run the following commands to create a Ceph identity for a driver instance to use:
read -d '' MON_CAPS << EOF
allow r,
allow command "auth del",
allow command "auth caps",
allow command "auth get",
allow command "auth get-or-create"
EOF
ceph auth get-or-create client.manila -o manila.keyring \
mds 'allow *' \
osd 'allow rw' \
mon "$MON_CAPS"
manila.keyring, along with your ceph.conf file, will then need to be placed on the server running the manila-share service.
Important
To communicate with the Ceph backend, a CephFS driver instance (represented as a backend driver section in manila.conf) requires its own Ceph auth ID that is not used by other CephFS driver instances running in the same controller node.
In the server running the manila-share service, you can place the ceph.conf and manila.keyring files in the /etc/ceph directory. Set the same owner for the manila-share process and the manila.keyring file. Add the following section to the ceph.conf file.
[client.manila]
client mount uid = 0
client mount gid = 0
log file = /opt/stack/logs/ceph-client.manila.log
admin socket = /opt/stack/status/stack/ceph-$name.$pid.asok
keyring = /etc/ceph/manila.keyring
It is advisable to modify the Ceph client’s admin socket file and log file locations so that they are co-located with manila services’ pid files and log files respectively.
Enabling snapshot support in Ceph backend
Enable snapshots in Ceph if you want to use them in manila:
ceph mds set allow_new_snaps true --yes-i-really-mean-it
Warning
Note that the snapshot support for the CephFS driver is experimental and is known to have several caveats for use. Only enable this and the equivalent manila.conf option if you understand these risks. See http://docs.ceph.com/docs/master/cephfs/experimental-features/#snapshots for more details.
Configuring CephFS backend in manila.conf
Known restrictions
A CephFS driver instance, represented as a backend driver section in manila.conf, requires a Ceph auth ID unique to the backend Ceph Filesystem. Using a non-unique Ceph auth ID will result in the driver unintentionally evicting other CephFS clients using the same Ceph auth ID to connect to the backend.
The snapshot support of the driver is disabled by default. The cephfs_enable_snapshots configuration option needs to be set to True to allow snapshot operations. Snapshot support will also need to be enabled on the backend CephFS storage.
Snapshots are read-only. A user can read a snapshot’s contents from the .snap/{manila-snapshot-id}_{unknown-id} folder within the mounted share.
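The first restriction above (a Ceph auth ID unique to each CephFS driver instance) can be checked before the service starts. The following is an added example, not part of the manila documentation or code base: it scans a manila.conf for CephFS backend sections that share a Ceph auth ID. It assumes the driver's cephfs_auth_id option defaults to manila when unset and treats any section whose share_driver value contains "cephfs" as a CephFS backend; the sample configuration and its section names are constructed.

```bash
# Constructed sample manila.conf; the section names are hypothetical.
sample_manila_conf() {
cat <<'EOF'
[cephfs1]
share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
cephfs_auth_id = manila
[cephfs2]
share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
# cephfs_auth_id unset: the driver default "manila" applies
[cephfsnfs1]
share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
cephfs_auth_id = manila-nfs
EOF
}

# Print "<auth id>: <sections>" for every Ceph auth ID used by more than one
# CephFS backend section; exit status 1 if any ID is shared, 0 otherwise.
dup_cephfs_auth_ids() {
    awk '
    function end_section() {
        if (is_cephfs) {
            id = (auth == "") ? "manila" : auth   # assumed default value
            if (!(id in count)) order[++n] = id
            count[id]++
            users[id] = users[id] " " section
        }
        is_cephfs = 0; auth = ""
    }
    /^[ \t]*[#;]/ { next }                         # skip comment lines
    /^[ \t]*\[.*\][ \t]*$/ {                       # section header
        end_section()
        section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "share_driver" && tolower(val) ~ /cephfs/) is_cephfs = 1
        if (key == "cephfs_auth_id") auth = val
    }
    END {
        end_section()
        for (i = 1; i <= n; i++)
            if (count[order[i]] > 1) { print order[i] ":" users[order[i]]; bad = 1 }
        exit bad + 0
    }' "$@"
}

sample_manila_conf | dup_cephfs_auth_ids || echo "shared Ceph auth ID found" >&2
```

Pass the path to a real manila.conf as the argument to check a deployed configuration; with no argument the function reads standard input.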
Security
Each share’s data is mapped to a distinct Ceph RADOS namespace. A guest is restricted to access only that particular RADOS namespace (see http://docs.ceph.com/docs/master/cephfs/file-layouts/).
An additional level of resource isolation can be provided by mapping a share’s contents to a separate RADOS pool. This layout would be preferred only for cloud deployments with a limited number of shares needing strong resource separation. You can do this by setting a share type specification, cephfs:data_isolated, for the share type used by the cephfs driver.
manila type-key cephfstype set cephfs:data_isolated=True