What the heck are DHSS Driver Modes in OpenStack Manila?

Rodrigo Barbieri Goutham Pacha Ravi Victoria Martínez de la Cruz

Who we are

  • Victoria Martínez de la Cruz: Software Engineer, Red Hat Inc.; OpenStack Manila contributor
  • Rodrigo Barbieri: Software Developer, NetApp Inc.; OpenStack Manila core reviewer
  • Goutham Pacha Ravi: Software Developer, NetApp Inc.; OpenStack Manila core reviewer

Why we are doing this presentation

  • DHSS (driver_handles_share_servers) is THE MOST IMPORTANT config option in Manila
  • It is the first key Manila concept that deployers stumble over when deploying Manila
  • It is something deployers should know before deploying Manila, so they can set up the network correctly
  • It is documented, but even so, not very easy to understand

Agenda

  • Architecting NAS in a cloud
    ▪ Simplest NAS deployment
    ▪ Introducing multi-tenancy to our simplest NAS deployment
    ▪ Concerns
    ▪ An ideal NAS architecture
  • The OpenStack Solution
    ▪ Introduction to Manila
    ▪ Driver modes
    ▪ DHSS=False deployment
    ▪ DHSS=True deployment
  • Things to consider when deploying
  • Future enhancements
  • Questions

Simplest NAS deployment

  1) A server exports shared file systems over a network; we call it a share server
  2) The share server controls access permissions to different clients
  3) Client A is authorized and mounts a share provided by the share server
  4) Client B is not authorized and cannot mount that same share

[Diagram: Client A mounts the share; Client B is denied access]

Introducing Multi-tenancy

Security concerns arise when providing shares to multiple tenants

▪ Data isolation - the underlying filesystem should not be shared and exports should not be visible
▪ Network isolation - there should be no connectivity between tenants, to prevent spoofing and unintended access
▪ Filesystem metadata isolation - filesystems have metadata, and the universe of users is going to be different for each tenant

[Diagram labels: Client A, Client B, Client X, Client Y; Tenant One, Tenant Two; mount, access denied]

Scaling through automation

  • For single or few tenant clouds (ex: small private clouds), the desired level of isolation can be achieved by
    ▪ Network segmentation outside of OpenStack (Provider Networks)
    ▪ Isolated storage systems or share servers
  • For multi-tenant clouds (ex: large private clouds, public clouds), the number of tenants can grow over time. The tasks involved to provision secure shared file systems get harder for a cloud administrator.

An ideal NAS architecture

  • Setting up unique share servers to provide shares to different tenants
  • Provides data path and network isolation guarantees between tenants, even while using the same back end storage

[Diagram labels: Client A, Client B, Client X, Client Y; Tenant One, Tenant Two; mount, access denied]

OpenStack Manila

  • File share project in OpenStack
    ▪ Provisioning of shared filesystems to VMs
  • Manila was conceived with the ideal NAS architecture in mind
  • Several supported protocols
    ▪ NFS, CIFS, CephFS, MAPRFS, HDFS, GlusterFS
  • Feature-filled
    ▪ Quota Control
    ▪ Share Migration
    ▪ Tenant driven Share Replication
    ▪ Snapshots for Cloning, Recovery and Reverting
    ▪ Storage Service Catalog via Share Types
    ▪ Access Control, Authentication Services
    ▪ Grouping of shares, consistent snapshots

Driver modes

  • Some back ends cannot provide automated ways to scale share servers with isolation
  • A flag driver_handles_share_servers (DHSS) was created to distinguish that capability
    ▪ True: The driver creates multiple share servers to provide multi-tenancy isolation
    ▪ False: The driver has a single share server and offers no multi-tenancy or isolation guarantees
  • Share drivers operate in at least one of the two possible driver modes
  • One instance of the driver can only operate in one driver mode

DHSS = False

  • Drivers have a single share server configured for each back end storage system
  • All shares are to be provided by this share server, irrespective of the tenant consuming them
  • Configuration complexity can be fairly low, especially networking
  • Multi-tenancy, data path and network isolation could be achieved outside of Manila, but may not be guaranteed

  • Limited by scale, ideal for private clouds with a small number of tenants

DHSS = False Networking using LVM and CephFS Native drivers

[Diagram labels: Client A, Client B, Client X, Client Y; Tenant One, Tenant Two; Provider Network; Service Tenant; LVM]

Let’s achieve isolation by playing with the networking

[Diagram labels: Client A, Client B, Client X, Client Y; Tenant One, Tenant Two, Service Tenant; Provider Network]

DHSS = True

  • Drivers create share servers per share network
  • This multi-tenant focused mode guarantees isolation and provides scalability
  • Manila manages the lifecycle of the share server and the necessary associated networking. No administrator intervention is necessary
  • Supports tenant defined authentication mechanisms and ACL domains
    ▪ LDAP
    ▪ Active Directory
    ▪ Kerberos

DHSS = True Networking Highlights

[Diagram labels: Client A, Client B, Client X, Client Y; Tenant One, Tenant Two; Backend]

Demo of a driver configured in DHSS = True mode

CIFS / Active Directory in a multi-tenant cloud

Things to consider

▪ The driver_handles_share_servers configuration option MUST be specified for each back end stanza in manila.conf
▪ For any driver mode, plan your networking design carefully before deploying
▪ Share servers are abstracted away from end users; users can request shares to be exported on a “share-network” that they designate. In most cases, this would be the private Neutron network that tenants set up to host their VMs on.
▪ One or more security services can be associated with a share network.
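
The requirement that driver_handles_share_servers be specified for each back end stanza, written as a pre-deployment check (an added example, not from the original slides). It assumes the back ends are listed in Manila's enabled_share_backends option under [DEFAULT], which the slide does not name; the sample manila.conf and the audit_dhss helper are constructed for illustration.

```python
import configparser

# Constructed sample manila.conf; stanza names and values are illustrative.
SAMPLE_CONF = """
[DEFAULT]
enabled_share_backends = lvm1, generic1, lvm2

[lvm1]
share_driver = manila.share.drivers.lvm.LVMShareDriver
driver_handles_share_servers = False

[generic1]
share_driver = manila.share.drivers.generic.GenericShareDriver
driver_handles_share_servers = True

[lvm2]
share_driver = manila.share.drivers.lvm.LVMShareDriver
"""

OPTION = "driver_handles_share_servers"


def audit_dhss(conf_text):
    """Map each enabled back end to 'True', 'False', 'MISSING', 'INVALID' or 'NO STANZA'."""
    # Parse [DEFAULT] as an ordinary section so a value set there is not
    # silently inherited and counted as an explicit per-stanza setting.
    cfg = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    cfg.read_string(conf_text)
    enabled = cfg.get("DEFAULT", "enabled_share_backends", fallback="")
    report = {}
    for name in filter(None, (b.strip() for b in enabled.split(","))):
        if not cfg.has_section(name):
            report[name] = "NO STANZA"
            continue
        raw = cfg.get(name, OPTION, fallback=None)
        if raw is None:
            report[name] = "MISSING"
        elif raw.strip().lower() in ("true", "false"):
            report[name] = raw.strip().capitalize()
        else:
            report[name] = "INVALID"
    return report


if __name__ == "__main__":
    for backend, mode in audit_dhss(SAMPLE_CONF).items():
        print(f"{backend}: {OPTION} = {mode}")
```

A back end reported as MISSING or NO STANZA is one whose isolation mode was never chosen explicitly, which is the case the slide warns about.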

Roadmap

  • Share Server HA
  • Improvements to the Generic Driver
  • Support for Dual IPv6, IPv4 networking
  • Support for Replication in DHSS=True driver mode
  • Integrating Neutron L2GW

Questions?

  • Rodrigo Barbieri, IRC: ganso, email: rodrigo.barbieri2010@gmail.com
  • Victoria Martínez de la Cruz, IRC: vkmc, email: victoria@redhat.com
  • Goutham Pacha Ravi, IRC: gouthamr, email: gouthampravi@gmail.com

Thank You
