Wallaby Series Release Notes

12.1.2-29

Security Issues

  • The SSH utility module no longer logs usernames and passwords as debug information.

Bug Fixes

  • The GET /shares/{share_id} API now responds with HTTP 404 (Not Found) for inaccessible resources. See bug 1901210 for further information.

  • NetApp OnTap driver Bug #1915237: Fixed encryption compatibility check on manila share migrate.

  • Adds a check when associating a security service to a share network, so that both resources must have the same project_id. If not, HTTP Bad Request is raised.

  • Fixed an issue that caused Manila to return all projects’ share replicas even when the user was not an administrator. Now, when the user is not an administrator, only the replicas belonging to the user’s own project are displayed. For more details, please refer to Launchpad Bug #1922243.

  • Changed the error message and HTTP status code raised when share types are not handled in the shares API.

  • The CephFS driver no longer fails to delete access rules that were never applied or were missing from the back end storage. See LP #1971530 for more details.

  • During the share network create API, if either the share network or the share network subnet database creation fails, manila raises an exception. However, the quota reservation was not rolled back and became usable again only after the reservation expired (after conf.reservation_expire seconds). Fixed by rolling back the quota immediately if any database create call fails.

  • The goodness_function evaluator expected an integer or float and otherwise raised a ParseException. This caused expressions such as “(share.share_proto == ‘CIFS’) ? 100 : 50” to fail during evaluation. Fixed by adding support for evaluating strings.

  • Infinidat Driver bug #1986653: Fixed Infinidat driver to use TLS/SSL communication between the Manila share service and the storage backend. Admin can set True or False for the infinidat_use_ssl and infinidat_suppress_ssl_warnings options in the driver section of manila.conf to enable or disable these features.

  • Deployers can now specify the [glance]endpoint_type configuration option (defaults to publicURL for backward compatibility) so that Manila uses a Glance endpoint other than the public one (see bug 1991396).

  • Share replicas in state error_deleting are now skipped during periodic updates. For more details, please refer to launchpad bug #2024556.

  • The share server backend details set function added database records without checking for existing entries, which resulted in duplicate records for a given share server id and key combination. Fixed by updating the record if it already exists and creating a new one otherwise. See launchpad bug 2024658 for more details.

  • The “manage” API for snapshots now validates the format of “provider_location” and “share_id” fields and handles errors appropriately. These fields are expected to contain string values.

  • The updated_at field is correctly set on share and snapshot access rules when an update has been made on the database.

  • The CephFS driver uses a RemoveExport DBUS API call to the NFS/Ganesha service when a user deletes an access rule, or when deleting the share. If this call fails, the driver now provides a log of the failure, and continues cleaning up. Prior to this change, share deletion could fail if the service failed the DBUS command to drop the export. This would leave the share with an “error_deleting” status, needing administrator intervention. See bug #2035572 for more information.

12.1.2

Bug Fixes

  • Fixed an issue with ONTAP AFF platforms where, while creating shares, volumes were forced to have efficiency data savings enabled even when the opposite was specified. For more details, please refer to launchpad bug #1929421.

12.1.1

Bug Fixes

  • Fixed an issue during snapshot creation where a database error was being mishandled with dead code. See Launchpad bug 1475351 for more details.

  • Fixed periodic_share_replica_update() to skip active replicas similarly to periodic_share_replica_snapshot_update(). The intention is to check on non-active replicas, that can be ‘in_sync’, ‘out_of_sync’ or in ‘error’ state.

  • When cephfs_ganesha_server_ip is not set, the current hostname is used as the default for that config option. The driver was treating this value as an IP address and trying to perform validations on it. The CEPH NFS driver will no longer treat hostnames as IP addresses and try to validate them as such.

12.1.0

Upgrade Notes

  • MON write caps are no longer needed to interact with the backend on the Ceph drivers. The capabilities of the driver user (configured with cephfs_auth_id) can hence be reduced. See the administrator docs for the capabilities required.

Bug Fixes

  • An issue with RPC handling on service restart was addressed by ensuring proper initialization before creating the RPC consumer. See bug 1271568 for more details.

  • Authentication errors when loading service clients of OpenStack Compute (nova), OpenStack Image (glance), OpenStack Volume (cinder) and OpenStack Networking (neutron) services are now handled in a better manner.

  • Fixed bug #1922075: the command “gluster volume set nfs.rpc-auth-reject ‘*’” failed when the glusterfs driver created an instance from a snapshot.

  • mgr-commands are now directed to the mgr-daemon instead of the mon-daemon in the CephFS drivers.

  • Fixed NotFound error in share replica periodic tasks. It could happen that the parent share of the replica that was being worked on had already been deleted.

  • Corrected an error message for attempts to create snapshots from shares that do not support this operation. The message said that the share backend has no such support but that is not always true. The original share for the snapshot does not support snapshots because it was created with a share type without the snapshot_support extra-spec set, irrespective of whether the back end used can itself support snapshots or not.

  • Fixed an issue that left migrated shares with replication support without a share instance whose replica_state was set to active. Now, when the share supports replication, the destination share instance has its replica state set to active right after the migration completes. For more details, please refer to bug 1927060.

  • Filtering shares by share-type “extra_specs” as key=value now returns the expected output.

  • A Ceph version check has been added as part of this change to address the absence of the mon-mgr target in Ceph Nautilus. With this change, Ceph Nautilus users can leverage their storage backend with the OpenStack manila Wallaby release.

  • The Infinidat driver has been fixed to process single IP addresses (/32) correctly. See bug 1934345 for more details.

  • NetApp driver: fixed an issue with ONTAP 9.8 and older, for scoped account users, where the operation of deleting a replica was not performed but still returned a success message. For more details, please refer to launchpad bug #1934889.

  • New user message now alerts users when attempting to create a new share without identifying a share type, either through request body or by setting a default share type. See bug #1870280 for more details.

12.0.0

Prelude

Manila v2 API URLs no longer require a project_id to be specified.

The default check strings of all manila API RBAC policies have been updated to support default roles and system-scope from the OpenStack Identity Service (Keystone). This includes support for project member, project reader, project administrator user roles as well as system member, system reader and system administrator roles. A manila “admin” persona is eventually expected to transition to the system scoped “admin” persona and some isolated project administrator privileges (like force-deleting a resource, resyncing a share replica or resetting state of a resource) are retained for an admin user operating within the scope of a project. Read about the further impact in the upgrade section of these notes.

New Features

  • The Container Driver is now able to handle LDAP security services configuration while setting up share servers. Also, the Container Driver allows adding or updating LDAP security services on in-use share networks.

  • Microversion 2.59 adds optional driver details to the response of migration get progress.

  • The oslo.middleware /healthcheck is now activated by default in the Manila api-paste.ini. Operators can use it to configure HAproxy or the monitoring of Manila APIs. Edit the api-paste.ini file and remove any healthcheck entries to disable this functionality.

  • The ‘quota_per_share_gigabytes’ config option allows an admin to set a per-share size limit for a project. The default value is -1 (“No Limit”) unless changed in manila.conf by the admin.

  • Two new backend capabilities were added to Manila in order to help administrators control and balance their cloud resources. The capability called max_shares_per_share_server allows administrators to define the maximum number of shares that a share server can have. The capability called max_share_server_size allows the administrator to set the maximum number of gigabytes a share server can grow to, considering its instances, replicas and snapshots. Both capabilities accept only integer values. If at least one of these limits is reached, Manila won’t consider reusing the referred share server. If there are no share servers available to reuse, Manila will create another one to place the incoming request. If none of these limits are specified in the backend stanza, Manila will consider them unlimited and allow share servers to be reused regardless of the number of shares or the size they have.

  • Added the possibility to add and update an entire security service when a share network is already being used. A new field called status was added to the share network model and its default value is active. Some operations might be blocked depending on the share network status. A boolean field called security_service_update_support was added to the share server’s model. This field defaults to False, and all of the already deployed share servers are going to get the default value even if their backend supports it. Administrators will be able to update the field value using manila-manage commands. The scheduler will filter out backends that do not handle this request during some operations.

  • Create share from snapshot is now available in CephFS Native and CephFS NFS drivers. This feature is available in Ceph since the Ceph Nautilus release, so a deployment with Ceph Nautilus (v14.2.18 or higher) or Ceph Octopus (v15.2.10 or higher) is required.

  • OSprofiler support was introduced. To allow its usage the api-paste.ini file needs to be modified to contain osprofiler middleware. Also [profiler] section needs to be added to the manila.conf file with enabled, hmac_keys and trace_sqlalchemy flags defined.

  • It is now possible to omit the %{project_id}s from the API endpoints for the v2 API. While the behavior of the APIs has not been altered, the service recognizes URLs with and without project ids in the path. It is recommended that you adjust the service catalog in your cloud to remove the project_id substitution, especially if you would like to enable users operating at system scope.

  • A new “noauth” auth strategy is available, and is named “noauthv2”. It can be enabled by setting the configuration option [DEFAULT]/auth_strategy to noauthv2. This auth strategy can be used when project_id substitution is removed from the manila endpoint URL.

  • The Ceph backend can now work with multiple filesystem clusters. The filesystem to be used by manila can be specified by the driver option ‘cephfs_filesystem_name’. If this option is not specified, the driver will assume that a single filesystem is present in the Ceph cluster and will attempt to use it.

  • Deletion of shares offered by the CephFS driver (CephFS and NFS) is now faster. The Ceph manager now moves the deleted share’s content to a trash folder and purges the contents asynchronously rather than handling this as part of the synchronous delete operation. The purge can take considerable time if a share contains a significant amount of data.

  • Ability to add minimum and maximum share size restrictions which can be set on a per share-type granularity. Added new extra specs ‘provisioning:max_share_size’ and ‘provisioning:min_share_size’.

  • Added support for FPolicy on NetApp ONTAP driver. FPolicy allows creation of file policies that specify file operation permissions according to file type. This feature can be enabled using the following extra-specs:

    • netapp:fpolicy_extensions_to_include: specifies file extensions to be included for screening. Values should be provided as a comma-separated list.

    • netapp:fpolicy_extensions_to_exclude: specifies file extensions to be excluded from screening. Values should be provided as a comma-separated list.

    • netapp:fpolicy_file_operations: specifies all file operations to be monitored. Values should be provided as a comma-separated list.

    FPolicy works for backends with and without share server management. When using NetApp backends with SVM administrator accounts, make sure that the assigned access-control role has access set to “all” for “vserver fpolicy” directory.

    This feature does not work with share replicas to avoid failures on replica promotion, due to lack of FPolicy resources in the destination SVM.

  • The NetApp ONTAP driver now supports adding and updating security services when they are associated with in-use share networks. Both add and update operations are supported by all three security service types: active_directory, kerberos and ldap. In order to update their parameters in a non-disruptive way, active_directory and kerberos don’t support domain updates.

  • Added Manila driver for Zadara VPSA Storage Array/Flash-Array.

Upgrade Notes

  • Added a new config option netapp_ssl_cert_path for the NetApp driver. This option enables the user to choose the directory with certificates of trusted CAs or the CA bundle. If set to a directory, it must have been processed using the c_rehash utility supplied with OpenSSL. If not set, Mozilla’s carefully curated collection of Root Certificates is used for validating the trustworthiness of SSL certificates.

  • manila-manage now supports share server commands, which allow administrators to modify the field value of some share server’s capabilities.

  • In order to make project_id optional in urls, the possible values of project_id had to be constrained. A new configuration option called project_id_regex has been added in the [DEFAULT] section. The default value for this option is [0-9a-f\-]+ and it matches hex UUIDs with and without dashes, therefore covering the formats supported by the OpenStack Identity service. If your cloud uses other formats, set this configuration option accordingly, or remove project_id from the manila endpoint URL in your service catalog.

  • Manila’s CephFS drivers now require the “python3-ceph-argparse” and “python3-rados” packages. Do not upgrade without adding these packages to the environment where the manila-share service runs since without them the driver will refuse to start up. This breaking change is necessary because the old ceph_volume_client has been deprecated by the Ceph community.

  • This fix introduces a new configuration option named “share_service_inithost_offload”, with a default value of False. If set to True, the ensure_share operation is run in a thread pool to speed up the startup of the manila share service.

  • The default value of the [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default) should generate new policy files or convert them to YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON policy file to YAML format in a backward-compatible way.

  • During the Wallaby release, API RBAC policies have new defaults, however, all old behavior is preserved as is, and the new defaults are not enabled. We encourage operators to generate the default policies via oslopolicy-sample-generator --namespace manila and compare them with any overrides you may currently have. These new default rules may enable you to remove matching overrides and reduce your policy maintenance burden. Refer to the document on Service API protection from the OpenStack Identity Service to understand roles, scopes, user personas and the motivation behind these changes. To be able to use system-scoped personas, you will need to enable the enforce_scope configuration option in the [oslo_policy] section of manila.conf. To enforce the new defaults, the configuration option enforce_new_defaults must be enabled in the [oslo_policy] section of manila.conf. We do not advise enabling the new defaults in production deployments yet. The manila developer community is actively adding test coverage and we aim to backport fixes to the Wallaby release and update code when we find any deficiencies. Refer to the future service release notes and the administrator documentation to keep abreast of the changes and the progress with these new defaults.

  • The ability to create a public share (RBAC: “share:create_public_share”) and to update a share to become publicly visible (RBAC: “share:set_public_share”) are now restricted to administrator users operating at system scope. Adjust your policy file overrides if you would like to retain the older behavior of allowing all users to create public shares or to update private ones to public. If you do that, be sure that your users are aware of the security implications of publicly accessible shares.
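To illustrate the project_id_regex upgrade note above, here is an added example (not Manila’s own routing code) showing why the option had to be constrained: a path segment is accepted as a project_id only when it fully matches the configured regex, so that /v2/shares and /v2/<project_id>/shares can coexist. The split_project_id and classify helpers are assumptions for this illustration; the default pattern [0-9a-f\-]+ is the one the note states.

```python
import re

# Default of [DEFAULT]project_id_regex as stated in the upgrade note:
# lowercase hex UUIDs with or without dashes.
DEFAULT_PROJECT_ID_REGEX = r"[0-9a-f\-]+"


def split_project_id(path, project_id_regex=DEFAULT_PROJECT_ID_REGEX):
    """Return (project_id or None, remainder) for a v2 API path.

    Hypothetical router helper written for this note, not Manila's code.
    Both "/v2/<project_id>/shares" and "/v2/shares" are accepted: the
    first segment after /v2 is taken as a project_id only when it fully
    matches project_id_regex; otherwise it stays in the remainder.
    """
    # Named groups so that groups inside the operator-supplied regex do
    # not shift the numbering of our own groups.
    pattern = re.compile(
        r"/v2(?:/(?P<pid>" + project_id_regex + r"))?(?P<rest>/.*)?"
    )
    match = pattern.fullmatch(path)
    if match is None:
        raise ValueError("not a v2 API path: %r" % path)
    return match.group("pid"), match.group("rest") or "/"


def classify(paths, project_id_regex=DEFAULT_PROJECT_ID_REGEX):
    """Map each path to its (project_id, remainder) split, or None for
    paths that are not v2 API paths; useful for checking the URL shapes
    a service catalog hands out."""
    result = {}
    for path in paths:
        try:
            result[path] = split_project_id(path, project_id_regex)
        except ValueError:
            result[path] = None
    return result


if __name__ == "__main__":
    # Constructed sample paths (not taken from any real deployment).
    samples = [
        "/v2/0123456789abcdef0123456789abcdef/shares",
        "/v2/01234567-89ab-cdef-0123-456789abcdef/shares/detail",
        "/v2/shares",
        "/v2/ABCDEF/shares",  # uppercase: not matched by the default
    ]
    for path, split in classify(samples).items():
        print(path, "->", split)
    # With an unconstrained regex, "shares" is swallowed as a project_id,
    # which is why the default pattern is restricted to UUID characters.
    print(split_project_id("/v2/shares", project_id_regex=r"[^/]+"))
```

The uppercase sample shows the note’s caveat in action: a cloud whose project ids are not lowercase hex must adjust project_id_regex or drop project_id from the endpoint URL, or such paths are routed as if no project id were present.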

Deprecation Notes

  • The CephFS driver cephfs_enable_snapshots configuration option has been removed. It was deprecated for removal in the Victoria release. Snapshot support is always enabled now.

  • As of the Wallaby release the CephFS driver no longer recognizes the scoped extra-spec cephfs:data_isolated because it is no longer supported by the Ceph community. This style of data isolation required dedicating a Ceph pool for each share and scaled and performed poorly.

  • The ceph_volume_client is deprecated by the CephFS driver in favor of a python rados client that connects to the Ceph manager daemon to interact with the Ceph cluster. This new connection method will enable functionality not available with the older client, which has been deprecated by the Ceph community and will be removed in the Quincy release.

  • Use of JSON policy files was deprecated by the oslo.policy library during the Victoria development cycle. As a result, this deprecation is being noted in the Wallaby cycle with an anticipated future removal of support by oslo.policy. As such operators will need to convert to YAML policy files. Please see the upgrade notes for details on migration of any custom policy files.

Security Issues

  • OSprofiler support requires passing trace information between various OpenStack services. This information is signed with one of the HMAC keys defined in the manila.conf configuration file. To allow cross-project tracing, users should use a key that is common among all the OpenStack services they want to trace.

  • An RBAC policy check has been enforced against the GET /share-access-rules API to ensure that users are permitted to access the share that the access rule belongs to. See bug 1917417 for more details.

Bug Fixes

  • Fixed an issue on ONTAP NetApp driver that caused access rules not to be applied to a promoted replica using CIFS protocol. Please refer to the Launchpad bug #1896949 for more details.

  • Fixed an issue on the ONTAP NetApp driver that was forcing the location of CA certificates for SSL verification during HTTPS requests. It adds the netapp_ssl_cert_path configuration option, enabling the user to choose the directory with certificates of trusted CAs or the CA bundle. If set to a directory, it must have been processed using the c_rehash utility supplied with OpenSSL. If not set, Mozilla’s carefully curated collection of Root Certificates is used for validating the trustworthiness of SSL certificates. Please refer to the Launchpad bug #1900191 for more details.

  • In order to optimize the NetApp ONTAP driver, this patch caches the status of the driver pools and reuses it for each share server, given that pools are not separated by share server. It adds the option netapp_cached_aggregates_status_lifetime for controlling how long the cached values are considered valid. Please refer to the Launchpad bug #1900469 for more details.

  • NetApp ONTAP driver is now fixed to properly configure and clean up share servers with Kerberos security service, for clustered ONTAP 8.3 or higher. Access rules are now configured with the correct NFS authentication methods based on the security service configured in the share server. Please refer to Launchpad Bug #1901189, Launchpad Bug #1904746, and Launchpad Bug #1907669 for more details.

  • Bug #1900755: Added a driver-agnostic exception to handle insufficient privileges on a security service when trying to create a share. Added a user message to provide useful information to end users. Note that vendors will need to implement the exception provided in this patch in their drivers to take advantage of the more convenient user message.

  • A bug with storage protocol filtering in the scheduler has been fixed. See bug for more details.

  • The API to import shares into manila could sometimes allow a share to be “managed” into manila multiple times via different export paths. This API could also incorrectly disallow a manage operation citing a new share in question was already managed. Both issues have now been fixed. See bug #1848608 and bug #1893718 for more details.

  • Fixed the issue that caused pagination queries to return erroneous results when the limit argument was specified. Also improved query performance by moving some filtering operations to the database.

  • Fixed bug #1883506 that caused a quota error when deleting or unmanaging a share that failed to manage.

  • Fixed an issue that could cause a share replica to fail during the status update operation, due to concurrent share replica create and share replica update operations. Refer to Launchpad Bug #1898924 for more details.

  • The NetApp cDOT driver now sets the required NFS options for clients running Windows operating systems with NFSv3 support.

  • Share cleanup for the LVM driver has been enhanced to retry on known errors that could occur due to mount propagation. See bug 1903773 for more details.

  • Share cleanup for the ZFSOnLinux driver has been enhanced to retry on known errors that could occur due to mount propagation. See bug 1903773 for more details.

  • New user messages now alert users of possible remediations during access rule creation errors with CephFS shares. This includes hints to users to not use cephx client users that are prohibited by CephFS or the share driver. See CVE-2020-27781 and bug #1904015 (https://launchpad.net/bugs/1904015) for more details.

  • The share scheduler now ignores service capability reports whose timestamp is earlier than the ones it already holds. See bug 1908963 for more details.

  • The manila share service can now put the ensure_share operation into a thread pool during the service startup process. See Launchpad bug #1890833 for more details.

  • The manila share service now honors the configuration option “share_service_inithost_offload”, which can be used to reduce the time required for the manila share service to start up.

  • Fixed a bug where extending a volume after shrinking it under the generic driver could leave it with a wrong real size. Please see the Launchpad bug for more details.

  • Resizing 0.0.0.0/24 accessible NFS shares with generic driver

  • The NetApp ONTAP driver is now fixed to properly configure the SVM LDAP client when the configuration is provided through an ldap security service. Now, the driver chooses the correct LDAP schema based on the given security service parameters. The RFC-2307 schema will be set for Linux/Unix LDAP servers and RFC-2307bis for Active Directory servers. When using a Linux/Unix LDAP server, the security service should be configured by setting the server parameter with the server IPs or host names. For an Active Directory LDAP server, the domain information must be configured using the domain parameter. Users should provide at least one DNS server when configuring servers by their host or domain names. The base search distinguished name used for LDAP queries can now be configured using the security service ou parameter. Please refer to Launchpad Bug #1916534 for more details.

  • The scheduler stats resource APIs (/scheduler-stats/pools and /scheduler-stats/pools/detail) have been fixed to not return an arbitrary traceback in the error message body to the caller when access to the resource has been denied.

  • Fixed an issue in the Zadara driver to support host-assisted migration. The existing access rules that need to be updated during share migration are deleted and re-added.

  • Dell EMC Manila Driver: fixed wrong capacity values in pool_stat. Bug 1890372: PowerMax manila returned sizes in MB; bug 1890375: VNX manila returned sizes in MB; bug 1890376: Unity manila returned sizes in bytes.