charm-manila-netapp/README.md
Ionut Balutoiu ca2032ba00 Update README.md
Clarify the Active Directory requirement for the `CIFS` shares, when
DHSS is enabled.

Also, add a warning about the AD user credentials being stored in plain
text in the Manila database.
2021-03-11 11:58:15 +02:00

Manila NetApp Backend Source Charm

Overview

This charm provides NetApp Clustered Data ONTAP as a storage backend for Manila, OpenStack's shared filesystem service. It is written using the Juju operator framework.

Usage

The charm relies on the principal Manila charm, and is a subordinate to it. It provides configuration data to the manila-share service (which is provided by the Manila charm with a role that includes 'share').

Prior to deploying this charm, a NetApp Data ONTAP cluster must be configured, and there must be L3 connectivity between the storage cluster and the Manila services. See the OpenStack driver documentation for details about the NetApp Clustered Data ONTAP driver and its known restrictions.

If multiple different NetApp backend configurations are required, use the share-backend-name config option to differentiate between the configuration sections.

Note: This subordinate charm requests that the Manila principal charm configure the Neutron conf file section, which the NetApp driver needs in order to allocate ports for the storage VMs when the driver-handles-share-servers config is enabled. The principal charm provides the main Manila service username/password to this charm so that it can provide this section.

When driver-handles-share-servers is enabled, the driver will launch storage VMs (SVMs) within the NetApp Data ONTAP cluster. With this mode enabled, Manila requires a share network to be defined.

A Manila share network is bound to a Neutron network and subnet. During share creation, the NetApp driver allocates a port in the Neutron subnet attached to the share network and uses it as the static IP for the SVM spawned in the NetApp Data ONTAP cluster. The only limitation of this mode is that, when using the NetApp driver, the Neutron network bound to the share network must be flat or vlan.

With DHSS (driver handles share servers) enabled, the CIFS share servers must be configured with an external Active Directory (AD) for authentication. The AD config info is provided to the Manila NetApp share servers via an active_directory security service associated with the share network.

Also, the NetApp driver requires credentials from an AD user with enough privileges to register the new CIFS share servers as computers in the AD domain. These credentials are provided as part of the Manila security service configuration.

WARNING: The credentials for the required AD user are stored in plain text, in the Manila database, as part of the associated security service. Tenant users are able to see these when fetching information about the active_directory security service. This is a potential security risk!
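An added example, not part of the charm or its README: an operator-side audit over exported security-service records that reports which AD join credentials are exposed to tenants, without echoing the passwords. The record field names (type, domain, user, password, project_id), the sample records and the PRIVILEGED_NAMES list are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: security-service records as an operator might export them.
# Field names (type, domain, user, password, project_id) are assumptions.
SAMPLE = json.loads("""
[
 {"id": "ss-1", "name": "ad-prod", "type": "active_directory", "domain": "corp.example",
  "user": "svc-manila-join", "password": "constructed-secret-1", "project_id": "proj-a"},
 {"id": "ss-2", "name": "ad-prod-b", "type": "active_directory", "domain": "corp.example",
  "user": "svc-manila-join", "password": "constructed-secret-1", "project_id": "proj-b"},
 {"id": "ss-3", "name": "ad-admin", "type": "active_directory", "domain": "corp.example",
  "user": "Administrator", "password": "constructed-secret-2", "project_id": "proj-c"},
 {"id": "ss-4", "name": "ldap-dev", "type": "ldap", "domain": "dev.example",
  "user": "binder", "password": "constructed-secret-3", "project_id": "proj-a"}
]
""")

# Hypothetical list of account names that should not be used for domain joins.
PRIVILEGED_NAMES = {"administrator", "admin"}

def audit_security_services(records):
    """Return one finding per (domain, user) AD credential; passwords are never copied."""
    groups = defaultdict(lambda: {"services": [], "projects": set(), "has_password": False})
    for rec in records:
        if rec.get("type") != "active_directory":
            continue  # the README warning concerns active_directory services only
        key = (rec.get("domain", "").lower(), rec.get("user", "").lower())
        group = groups[key]
        group["services"].append(rec["id"])
        group["projects"].add(rec.get("project_id"))
        group["has_password"] |= bool(rec.get("password"))
    findings = []
    for (domain, user), group in sorted(groups.items()):
        issues = []
        if group["has_password"]:
            issues.append("password readable by tenant users")
        if len(group["projects"]) > 1:
            issues.append("credential shared across %d projects" % len(group["projects"]))
        if user in PRIVILEGED_NAMES:
            issues.append("privileged account used for domain join")
        findings.append({"domain": domain, "user": user,
                         "services": sorted(group["services"]), "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit_security_services(SAMPLE):
        print(finding["domain"], finding["user"], finding["services"],
              "; ".join(finding["issues"]))
```

Each finding names an AD account to review: a dedicated account limited to registering computers in the domain keeps the impact of this exposure small.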

When driver-handles-share-servers is disabled, an existing NetApp ONTAP SVM must be pre-configured, and its name must be given as vserver-name in the charm config.

Building the charm

To build the charm run the following command in the root of the repository:

$ tox -e build

The resultant built charm will be manila-netapp.charm.

Deployment

One way to deploy Manila NetApp is to use a bundle overlay when deploying OpenStack via a bundle:

juju deploy ./base.yaml --overlay ./manila-netapp-overlay.yaml

The Manila NetApp bundle overlay might look like:

applications:
  manila-netapp:
    options:
      driver-handles-share-servers: False
      vserver-name: svm0
      management-address: 10.1.1.10
      admin-name: admin
      admin-password: my-secret-admin-password

Bugs

Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.