cinder支持nfs快照

【问题描述】

cinder后端设置为NFS，磁盘创建快照失败。

日志里面发现了这个错误：

VolumeDriverException: Volume driver reported an error: NFS driver snapshot support is disabled in cinder.conf.

【修改方法】

在cinder.conf修改或者添加以下参数：

[nfs]

……

nfs_snapshot_support = True

nas_secure_file_operations = False

重启cinder-volume服务

【原因】

Google了一下，发现cinder后端设置为NFS，默认是不支持快照功能的。

以下为官方解释

from https://docs.openstack.org/ocata/config-reference/block-storage/drivers/nfs-volume-driver.html

Configuration option = Default value	Description
[DEFAULT]
nfs_mount_attempts = 3	(Integer) The number of attempts to mount NFS shares before raising an error. At least one attempt will be made to mount an NFS share, regardless of the value specified.
nfs_mount_options = None	(String) Mount options passed to the NFS client. See section of the NFS man page for details.
nfs_mount_point_base = $state_path/mnt	(String) Base dir containing mount points for NFS shares.
nfs_qcow2_volumes = False	(Boolean) Create volumes as QCOW2 files rather than raw files.
nfs_shares_config = /etc/cinder/nfs_shares	(String) File with the list of available NFS shares.
nfs_snapshot_support = False	(Boolean) Enable support for snapshots on the NFS driver. Platforms using libvirt <1.2.7 will encounter issues with this feature.
nfs_sparsed_volumes = True	(Boolean) Create volumes as sparsed files which take no space. If set to False volume is created as regular file. In such case volume creation takes a lot of time.

修改nfs_snapshot_support = True之后，又发现了新的错误：

VolumeDriverException: Volume driver reported an error: Snapshots are not supported with nas_secure_file_operations enabled ('true' or 'auto'). Please set it to 'false' if you intend to have it enabled.

以下为官方解释

from https://docs.openstack.org/security-guide/block-storage/checklist.html

Check-Block-07: Is NAS operating in a secure environment?

Cinder supports an NFS driver which works differently than a traditional block storage driver. The NFS driver does not actually allow an instance to access a storage device at the block level. Instead, files are created on an NFS share and mapped to instances, which emulates a block device. Cinder supports secure configuration for such files by controlling the file permissions when cinder volumes are created. Cinder configuration can also control whether file operations are run as the root user or the current OpenStack process user.

Pass: If value of parameter nas_secure_file_permissions under [DEFAULT] section in /etc/cinder/cinder.conf is set to auto. When set to auto, a check is done during cinder startup to determine if there are existing cinder volumes, no volumes will set the option to True, and use secure file permissions. The detection of existing volumes will set the option to False, and use the current insecure method of handling file permissions. If value of parameter nas_secure_file_operations under [DEFAULT] section in /etc/cinder/cinder.conf is set to auto. When set to "auto", a check is done during cinder startup to determine if there are existing cinder volumes, no volumes will set the option to True, be secure and do NOT run as the root user. The detection of existing volumes will set the option to False, and use the current method of running operations as the root user. For new installations, a "marker file" is written so that subsequent restarts of cinder will know what the original determination had been.

Fail: If value of parameter nas_secure_file_permissions under [DEFAULT] section in /etc/cinder/cinder.conf is set to False and if value of parameter nas_secure_file_operations under [DEFAULT] section in /etc/cinder/cinder.conf is set to False.

原因是因为NFS有些操作不兼容NAS的某些安全特性。

所以需要在配置文件里面修改nas_secure_file_operations = False

【代码位置】

 def _check_snapshot_support(self, setup_checking=False):
     """Ensure snapshot support is enabled in config."""

     if (not self.configuration.nfs_snapshot_support and
             not setup_checking):
         msg = _("NFS driver snapshot support is disabled in cinder.conf.")
         raise exception.VolumeDriverException(message=msg)

     if (self.configuration.nas_secure_file_operations == 'true' and
             self.configuration.nfs_snapshot_support):
         msg = _("Snapshots are not supported with "
                 "nas_secure_file_operations enabled ('true' or 'auto'). "
                 "Please set it to 'false' if you intend to  have "
                 "it enabled.")
         LOG.error(msg)
         raise exception.VolumeDriverException(message=msg)

【隐患】

这样修改可能会导致NAS的安全特性不可用。

from http://fanyi.baidu.com/transpage?query=https%3A%2F%2Fbugs.launchpad.net%2Fkolla-ansible%2F%2Bbug%2F1726836&from=en&to=zh&source=url&render=1

The NFS backend driver for Cinder implements enhanced NAS security features that default to being enabled.

NFS后端驱动程序实现了增强的NAS安全特性，默认为启用。

However, the features require non-standard configuration changes in Nova's libvirt, and without those changes some cinder volume operations fail.

然而，这些特性要求nova的libvirt一些非标准配置的变动，如果不去手动修改这些配置，某些cinder volume的操作将会失败。

Fix: Add TripleO settings to control the NFS driver's NAS secure features, and disable the features by default.

修复：添加TripleO 配置来控制NFS驱动程序的NAS安全特性，并默认禁止这些功能。

Also these features enabled actually disable possibility to use snapshots.

此外，这些特性实际上禁用了使用快照的可能性。

建议一：

as of Queens cinder volume refuses to work with both snapshots/backups and secure nas feature:

截至Q版本，cinder服务拒绝与安全NAS特性共存：

VolumeDriverException: Volume driver reported an error: Snapshots are not supported with nas_secure_file_operations enabled ('true' or 'auto'). Please set it to 'false' if you intend to have it enabled.

选择前者（true/auto），直到NAS安全特性可在所有的openstack环境中工作

Choosing the former until secure nas feature works in all environments

建议二：

Cinder fails to run because snapshots are not compatible with secure NAS。

cinder无法运行，因为快照与NAS安全特性不兼容。

Cinder cannot run with both snapshots or backups of volumes and secure NAS feature. Choosing the former as the latter does not function well everywhere.

cinder不能同时使用快照和备份，和安全的NAS特性。

选择前者，后者将不起作用。