【Problem description】
The Cinder backend is set to NFS, and creating a disk snapshot fails.
The following error was found in the log:
VolumeDriverException: Volume driver reported an error: NFS driver snapshot support is disabled in cinder.conf.
【Fix】
Modify or add the following parameters in cinder.conf:
    [nfs]
    ……
    nfs_snapshot_support = True
    nas_secure_file_operations = False
Restart the cinder-volume service.
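【Cause】
I Googled it and found that when the Cinder backend is set to NFS, the snapshot feature is not supported by default.
The official explanation follows,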
from https://docs.openstack.org/ocata/config-reference/block-storage/drivers/nfs-volume-driver.html
| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| nfs_mount_attempts = 3 | (Integer) The number of attempts to mount NFS shares before raising an error. At least one attempt will be made to mount an NFS share, regardless of the value specified. |
| nfs_mount_options = None | (String) Mount options passed to the NFS client. See section of the NFS man page for details. |
| nfs_mount_point_base = $state_path/mnt | (String) Base dir containing mount points for NFS shares. |
| nfs_qcow2_volumes = False | (Boolean) Create volumes as QCOW2 files rather than raw files. |
| nfs_shares_config = /etc/cinder/nfs_shares | (String) File with the list of available NFS shares. |
| nfs_snapshot_support = False | (Boolean) Enable support for snapshots on the NFS driver. Platforms using libvirt <1.2.7 will encounter issues with this feature. |
| nfs_sparsed_volumes = True | (Boolean) Create volumes as sparsed files which take no space. If set to False volume is created as regular file. In such case volume creation takes a lot of time. |
After setting nfs_snapshot_support = True, a new error appeared:
VolumeDriverException: Volume driver reported an error: Snapshots are not supported with nas_secure_file_operations enabled ('true' or 'auto'). Please set it to 'false' if you intend to have it enabled.
The official explanation follows,
from https://docs.openstack.org/security-guide/block-storage/checklist.html
Check-Block-07: Is NAS operating in a secure environment?
Cinder supports an NFS driver which works differently than a traditional block storage driver. The NFS driver does not actually allow an instance to access a storage device at the block level. Instead, files are created on an NFS share and mapped to instances, which emulates a block device. Cinder supports secure configuration for such files by controlling the file permissions when cinder volumes are created. Cinder configuration can also control whether file operations are run as the root user or the current OpenStack process user.
Pass: If value of parameter nas_secure_file_permissions under [DEFAULT] section in /etc/cinder/cinder.conf is set to auto. When set to auto, a check is done during cinder startup to determine if there are existing cinder volumes, no volumes will set the option to True, and use secure file permissions. The detection of existing volumes will set the option to False, and use the current insecure method of handling file permissions. If value of parameter nas_secure_file_operations under [DEFAULT] section in /etc/cinder/cinder.conf is set to auto. When set to "auto", a check is done during cinder startup to determine if there are existing cinder volumes, no volumes will set the option to True, be secure and do NOT run as the root user. The detection of existing volumes will set the option to False, and use the current method of running operations as the root user. For new installations, a "marker file" is written so that subsequent restarts of cinder will know what the original determination had been.
Fail: If value of parameter nas_secure_file_permissions under [DEFAULT] section in /etc/cinder/cinder.conf is set to False and if value of parameter nas_secure_file_operations under [DEFAULT] section in /etc/cinder/cinder.conf is set to False.
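The reason is that some NFS operations are incompatible with certain NAS security features.
So nas_secure_file_operations = False has to be set in the configuration file.
【Code location】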
    def _check_snapshot_support(self, setup_checking=False):
        """Ensure snapshot support is enabled in config."""

        if (not self.configuration.nfs_snapshot_support and
                not setup_checking):
            msg = _("NFS driver snapshot support is disabled in cinder.conf.")
            raise exception.VolumeDriverException(message=msg)

        if (self.configuration.nas_secure_file_operations == 'true' and
                self.configuration.nfs_snapshot_support):
            msg = _("Snapshots are not supported with "
                    "nas_secure_file_operations enabled ('true' or 'auto'). "
                    "Please set it to 'false' if you intend to have "
                    "it enabled.")
            LOG.error(msg)
            raise exception.VolumeDriverException(message=msg)
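An added example (not from the original post and not Cinder's own code): a small audit that reads a cinder.conf and reports whether snapshots are usable on the NFS backend and how the two nas_secure_* options fare against Check-Block-07 as quoted above. The section name `nfs`, the helper `audit_nfs_backend`, the "auto" defaults for the nas_secure_* options and the sample configuration are assumptions of this example.

```python
import configparser

# Constructed sample: the fix from this post applied to a backend section [nfs].
SAMPLE_CONF = """
[nfs]
nfs_snapshot_support = True
nas_secure_file_operations = False
"""

# nfs_snapshot_support default is from the table quoted above; "auto" for the
# two nas_secure_* options is an assumption about upstream Cinder defaults.
DEFAULTS = {
    "nfs_snapshot_support": "false",
    "nas_secure_file_operations": "auto",
    "nas_secure_file_permissions": "auto",
}

def audit_nfs_backend(conf_text, section="nfs"):
    """Classify snapshot usability and Check-Block-07 status for one backend."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section(section):
        section = "DEFAULT"
    # configparser lets a section inherit [DEFAULT] values; this approximates
    # how the service resolves options and is an assumption of the example.
    opts = {k: cp.get(section, k, fallback=d).strip().lower()
            for k, d in DEFAULTS.items()}
    ops = opts["nas_secure_file_operations"]
    perms = opts["nas_secure_file_permissions"]
    if opts["nfs_snapshot_support"] != "true":
        snapshots = "disabled"                       # first error in the post
    elif ops == "true":
        snapshots = "blocked"                        # second error in the post
    elif ops == "auto":
        snapshots = "blocked_if_auto_resolves_true"  # decided at cinder startup
    else:
        snapshots = "enabled"
    if ops == "auto" and perms == "auto":
        check = "pass"
    elif ops == "false" and perms == "false":
        check = "fail"
    else:
        check = "review"                             # not covered by the guide text
    # Per the guide, False means file operations run as the root user.
    as_root = {"true": False, "false": True}.get(ops)
    return {"snapshots": snapshots, "check_block_07": check,
            "file_ops_as_root": as_root}
```

With the post's fix applied, the audit reports snapshots as enabled but file operations running as root, which is the trade-off the next section describes.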
【Hidden risk】
Making this change may leave the NAS security features unavailable.
The NFS backend driver for Cinder implements enhanced NAS security features that default to being enabled.
However, the features require non-standard configuration changes in Nova's libvirt, and without those changes some cinder volume operations fail.
Fix: Add TripleO settings to control the NFS driver's NAS secure features, and disable the features by default.
Also these features enabled actually disable possibility to use snapshots.
Suggestion 1:
as of Queens cinder volume refuses to work with both snapshots/backups and secure nas feature:
VolumeDriverException: Volume driver reported an error: Snapshots are not supported with nas_secure_file_operations enabled ('true' or 'auto'). Please set it to 'false' if you intend to have it enabled.
Choose the former (true/auto) until the NAS security features work in all OpenStack environments.
Choosing the former until secure nas feature works in all environments
Suggestion 2:
Cinder fails to run because snapshots are not compatible with secure NAS.
Cinder cannot run with both snapshots or backups of volumes and secure NAS feature. Choosing the former as the latter does not function well everywhere.
Choose the former; the latter will not take effect.