Zed Series Release Notes

15.4.1-4

Bug Fixes

  • NetApp driver bug #2069125: Fixed an issue in the ZAPI workflow of the NetApp ONTAP driver, where certain vserver accounts failed to add access rules for a share when the vserver network interface was not configured with Kerberos.

  • When using Neutron networks tagged as external (unmanaged provider networks) as share networks, Manila now creates ports with admin_state_up=False (disabled). This change addresses ARP failures that can occur when using OVN as the Neutron ML2 plugin. For more information, refer to bug 2074504.

15.4.1

Bug Fixes

  • Manila will retry Neutron API calls, e.g. create_port() and show_port(), in case of a keystoneauth1 connection error. For more details, please refer to launchpad bug #2049507.

15.4.0

New Features

  • Added a new config option 'service_network_host' for service instances with 'dhss'=True. This lets us define the network host for ports and separate it from the manila host.

Bug Fixes

  • Changed the error and status code that was raised when share types are not handled in the shares API.

  • Made snapshot names in the CephFS drivers shorter to avoid a limitation in Ceph clusters that truncates the subvolume name and makes the snapshots inaccessible.

  • Metadata APIs have been fixed to respond with HTTP 404 / Not Found when the requester does not have access to a resource that the metadata pertains to.

  • The CephFS driver uses a RemoveExport DBUS API call to the NFS/Ganesha service when a user deletes an access rule, or when deleting the share. If this call fails, the driver now provides a log of the failure, and continues cleaning up. Prior to this change, share deletion could fail if the service failed the DBUS command to drop the export. This would leave the share with an "error_deleting" status, needing administrator intervention. See bug #2035572 for more information.

15.3.0

Bug Fixes

  • Role based access control is enforced on the POST /shares/{share_id}/action API to reset status, task state, replica state and similar fields. This prevents the situation where deployments allow some users access to these APIs, but they don’t belong to projects where the resources exist. See bug 1955627 for more context.

  • NetApp driver: Fixed the issue with replica promotion where the autosize attributes were not being updated on ONTAP. Now, the autosize attributes are updated after promoting the replica. For more details, please refer to launchpad bug #1957075

  • NetApp driver bug #1982808: Fixed an issue preventing the storage system from properly cleaning up unused SnapMirror snapshots after a replica promote, significantly increasing the amount of space consumed in ONTAP volumes by snapshots.

  • Fixed the contents of several Manila API error messages. For more details, please refer to launchpad bug #2007060.

  • Share replicas in state error_deleting are now skipped during periodic updates. For more details, please refer to launchpad bug #2024556

  • The share server backend details set function added db records without checking existing entries. This resulted in duplicate records for the combination of a given share server id and key. Fixed by updating records if they already exist, and creating new ones otherwise. See the launchpad bug 2024658 for more details.

  • The "manage" API for snapshots now validates the format of "provider_location" and "share_id" fields and handles errors appropriately. These fields are expected to contain string values.

  • The updated_at field is correctly set on share and snapshot access rules when an update has been made on the database.

15.2.0

New Features

  • The special .snapshot directories for shares created by the Infinidat driver can now be controlled through configuration options: infinidat_snapdir_accessible and infinidat_snapdir_visible. By default, each share allows access to its own .snapshot directory, which contains files and directories of each snapshot taken. To restrict access to the .snapshot directory, the infinidat_snapdir_accessible should be set to False. The infinidat_snapdir_visible option controls visibility of the .snapshot directory. By default, the .snapshot directory is hidden. To make the .snapshot directory visible on the client side, this option should be set to True.

Bug Fixes

  • Launchpad bug 1968891 has been fixed. The scheduler will use the size increase rather than the share size to calculate provisioned_ratio when extending a share.

  • When deploying Manila CephFS NFS with cephadm, the manila share service fails to start with the error "Backend cephfsnfs supports neither IPv4 nor IPv6". This happens because the NFS Ganesha daemon fails to start for some reason, and therefore the driver never gets the location of the NFS Ganesha service that will be used as the backend. We rely on the operator to make sure the CephFS NFS cluster is available when initializing the driver. With this fix in place, we raise an exception to explicitly notify the operator and allow them to take further action.

  • Add the filesystem info in the exports created by the CephFS NFS driver. This fixes inconsistencies when deploying Manila with CephFS NFS with multiple filesystems.

  • Infinidat Driver bug #1992443: Fixed an issue in Infinidat driver to support host assisted migration. The snapdir_visible filesystem property must be disabled to hide .snapshot directory on the client side. However, this behavior can be changed using the infinidat_snapdir_visible configuration option.

  • NetApp driver: Added a guard on getting share server backend detail vserver name when trying to reuse share server. Please refer to Launchpad Bug #1993829.

  • Fixed an issue that caused the CephFS driver to override the permissions in a share. After a bugfix, Ceph’s idempotent creation of shares changed its behavior. If a share mode was modified outside of Manila, or the configuration value for cephfs_volume_mode was changed in Manila when shares had already been created, these shares would have their mode changed while Manila attempted to ensure that such a share exists using the idempotent creation, potentially breaking clients. The CephFS driver will no longer send create calls to the backend when ensuring a share exists. For more details, please refer to Bug #2002394.

15.1.0

Bug Fixes

  • The GET /shares/{share_id} API now responds with HTTP 404 (Not Found) for inaccessible resources. See bug 1901210 for further information.

  • The CephFS NFS driver, specifically the NFSProtocolHelper implementation, was passing a wrong param to the Ceph backend, and this was preventing users from adding and denying access to the created shares. With this fix, users of the CephFS NFS NFSProtocolHelper can normally create and remove access to their shares.

  • Deployers now can specify [glance]endpoint_type configuration option (defaults to publicURL for backward compatibility) so that Manila uses Glance endpoint other than the public one (see bug 1991396).

  • Bug 1991776 was fixed within the CephFS driver. The driver no longer emits repeated warnings concerning supported IP versions when using the NFS protocol.

  • Some neutron integrations might not have the network type, so the neutron network plugin is fixed to take that scenario into consideration. See Launchpad bug #1987315 for more details.

15.0.0

Prelude

RBAC defaults of all Shared File System service (manila) APIs have been updated to remove "system" scope personas. This is being done in concert with other OpenStack services, and in reaction to operator feedback that the use of system "scope" introduces backwards incompatibility in existing workflows. The new defaults support the use of "scope", however, no RBAC rule by default includes "system" scope. At this time, we do not recommend the use of system scoped personas to interact with the Shared File Systems service (manila) APIs since it is largely untested. The "reader" role from the OpenStack Identity service (keystone) is fully supported with this release. Currently, these new "defaults" are available as "opt-in" only to prevent breaking existing deployments. To enforce default RBAC rules, set [oslo_policy]/enforce_new_defaults to True in your deployment. This option will be set to True by default in a future release. See the OpenStack TC Secure RBAC goal for more information regarding these changes.

New Features

  • Adds snapshot metadata capabilities including create, update all, update single, show, and delete metadata. Snapshots may be filtered using metadata keys. Snapshot metadata is available to admin and nonadmin users.

  • The 'reserved_share_extend_percentage' backend config option allows Manila to consider a different reservation percentage for the share extend operation. This distinct option is useful if operators want to prevent provisioning of new shares but allow extensions of existing shares on storage pools beyond their reserved space.

  • Added Manila driver for Macrosan storage system.

  • NetApp driver now considers last-transfer-size and last-transfer-error fields of the snapmirror in addition to existing last-transfer-end-timestamp to decide whether replica is in_sync or out_of_sync. Added new config option netapp_snapmirror_last_transfer_size_limit (default 1MB). If value of last-transfer-size field is greater than config value or if last-transfer-error field is present, then replica is out_of_sync.

  • If a user is configuring 'Servers' in the AD Server in the security service, then, for NetApp ONTAP, the discovery mode should be changed to 'none'. A value of 'none' indicates that domain controller discovery will not be done, and it will depend only on the preferred DCs configured.

  • NFSClusterProtocolHelper has been added to allow users to export CephFS shares over a clustered NFS gateway. This presents many advantages, since the operator no longer needs to maintain their own instances of NFS Ganesha apart from the Ceph cluster. For this, we now communicate with ceph mgr using the nfs plugin. Read more about this plugin in https://docs.ceph.com/en/latest/cephfs/nfs/

Upgrade Notes

  • When using scheduler filters during share extend, only a few filters are necessary. To provide a configurable list of filters for share extend, a new option scheduler_default_extend_filters has been added.

  • Python 3.6 & 3.7 support has been dropped. The minimum version of Python now supported is Python 3.8.

  • The CephFS driver now supports a new configuration option, cephfs_nfs_cluster_id (string option): name of the nfs cluster to use. This option can be used to specify which NFS cluster to use.

Deprecation Notes

  • The [DEFAULT] use_forwarded_for parameter has been deprecated. Instead of using this parameter, add the HTTPProxyToWSGI middleware to api pipelines, and [oslo_middleware] enable_proxy_headers_parsing = True to manila.conf.

Security Issues

  • The SSH utility module no longer logs usernames and passwords as debug information.

Bug Fixes

  • In order to let the user know when a share instance was last updated, a field updated_at is added in the response of the share instance show API.

  • Decoupled the RBAC share:get_all_security_services from context_is_admin, potentially allowing the use of the all_tenants query by non-administrators.

  • Adds a check when associating a security service to a share network, so that both resources must have the same project_id. If not, HTTP Bad Request is raised.

  • Fixed an issue that caused Manila to return all projects' share replicas even when the user was not an administrator. Now, when the user is not an administrator, only the replicas in the project perspective are going to be displayed. For more details, please refer to Launchpad Bug #1922243.

  • Bug #1925486: The share replica create API did not support the share network option and used the parent share’s share network. Fixed it to allow any share network by providing the option share-network. Added in API microversion starting with '2.72'.

  • Fix the bug of TypeError with JsonFilter. If the scheduler_hints value is None, the TypeError exception may occur when creating a share with JsonFilter. The TypeError exception is added to solve this problem.

  • Bug #1964696: Fix calling the GaneshaNASHelper update_access method from the gluster GaneshaNFSHelper with the wrong signature.

  • Fixes regression for show_metadata and the response dictionary. The correct response is: {meta: {'key': 'value'}}.

  • The CephFS driver no longer fails to delete access rules that were never applied or were missing from the back end storage. See LP #1971530 for more details.

  • During the share network create API, if either the share network or the share network subnet db creation fails, manila raises an exception. However, the quota is not rolled back and it is usable only after the quota reservations have timed out (waiting conf.reservation_expire seconds). Fixed by introducing immediate quota rollback in case any db create api fails.

  • Goodness_function expects an integer or float, else it raises a parseException. This causes an example such as "(share.share_proto == 'CIFS') ? 100 : 50" to fail during evaluation. Fixed by adding support for string evaluation.

  • Drivers using DHSS True mode have a server creation phase. This phase tries to reuse one of the available share servers; however, the Manila code was considering all share server states as available, rather than considering only the active or creating ones. Now, only the correct share servers are passed to drivers as available to be reused.

  • Bug #1983125: Fixed the remaining reference to a deprecated quota option in code, which was causing a warning message.

  • Infinidat Driver bug #1986653: Fixed Infinidat driver to use TLS/SSL communication between the Manila share service and the storage backend. Admin can set True or False for the infinidat_use_ssl and infinidat_suppress_ssl_warnings options in the driver section of manila.conf to enable or disable these features.

  • The default route for the service subnet wouldn’t be created if connect_share_server_to_tenant_network is on.

  • Fix the create from snapshot operation with server limits. If the new share and parent are on the same host, the share server must be reused, so the limits must be ignored. For more details, please refer to launchpad bug #1918845.

  • Sometimes a NetApp API call fails due to a name resolution (DNS) issue. In such a case, a client will now make 5 retries on connect and 2 on read calls. Also, the connection retry will be visible in the log. For more details, please refer to launchpad bug #1971542.

Other Notes

  • Pure Storage FlashBlade driver - Version number incremented for tracking purposes.

  • Since the CephFS driver is now capable of using ceph manager commands to manage NFS exports, we would like to deprecate and remove support for managing exports with the help of DBUS in a future release. Please use cephadm deployed NFS ganesha clusters in greenfield deployments with OpenStack Manila and refrain from using a standalone non-clustered nfs-ganesha service with this driver. As this solution is hardened for HA within Ceph, we expect to provide code to help migrate existing nfs-ganesha exports to the nfs-ganesha clusters in a future release.
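
The following audit is an added example, not part of these release notes or of Manila's code. It checks a manila.conf for the security-relevant options named in the notes above (use_forwarded_for with enable_proxy_headers_parsing, enforce_new_defaults, infinidat_use_ssl and infinidat_suppress_ssl_warnings); the sample configuration and the backend section name infinidat1 are constructed for illustration.

```python
import configparser

# Constructed sample manila.conf; the backend section name "infinidat1" is hypothetical.
SAMPLE_CONF = """
[DEFAULT]
use_forwarded_for = True

[oslo_policy]
enforce_new_defaults = False

[infinidat1]
infinidat_use_ssl = False
infinidat_suppress_ssl_warnings = True
"""

def _true(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")

def audit_manila_conf(text):
    """Return sorted (section, option, finding) tuples for options these notes name."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    out = []
    # Deprecated in 15.0.0; the notes name proxy header parsing as the replacement.
    if "use_forwarded_for" in cfg.defaults():
        parsing = cfg.get("oslo_middleware", "enable_proxy_headers_parsing", fallback="false")
        msg = "deprecated option set"
        if not _true(parsing):
            msg += "; enable_proxy_headers_parsing is not True"
        out.append(("DEFAULT", "use_forwarded_for", msg))
    # The new RBAC defaults are opt-in in this release, so a missing option means "off".
    if not _true(cfg.get("oslo_policy", "enforce_new_defaults", fallback="false")):
        out.append(("oslo_policy", "enforce_new_defaults", "new RBAC defaults not enforced"))
    # Infinidat backends: only explicit settings are judged, because the notes
    # do not state the defaults of these two options.
    for section in cfg.sections():
        if cfg.has_option(section, "infinidat_use_ssl") and not _true(cfg.get(section, "infinidat_use_ssl")):
            out.append((section, "infinidat_use_ssl", "TLS to storage backend disabled"))
        if _true(cfg.get(section, "infinidat_suppress_ssl_warnings", fallback="false")):
            out.append((section, "infinidat_suppress_ssl_warnings", "SSL warnings suppressed"))
    return sorted(out)

if __name__ == "__main__":
    for section, option, finding in audit_manila_conf(SAMPLE_CONF):
        print(f"[{section}] {option}: {finding}")
```
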