fsgroupolicy changes for powerscale #159

Closed
wants to merge 4 commits into from
18 changes: 18 additions & 0 deletions content/docs/csidriver/features/powerscale.md
Expand Up @@ -565,3 +565,21 @@ When this feature is enabled, the existing `ReadWriteOnce(RWO)` access mode rest

To migrate existing PersistentVolumes to use `ReadWriteOncePod`, please follow the instruction from [here](https://kubernetes.io/blog/2021/09/13/read-write-once-pod-access-mode-alpha/#migrating-existing-persistentvolumes).

## FSGroupPolicy
Contributor

@nitesh3108 I don't think we need to mention this under feature since this is already available by default even in the previous release right? Also, we have not implemented anything and we just gave the option to configure with values file
I haven't mentioned this as a feature in csi-powerstore docs.


FSGroupPolicy is made configurable via CSI Driver for Dell EMC PowerScale 2.2.0 and above, supports modifying a volume's ownership or permissions when the volume is being mounted.

It supports three different modes:
- ReadWriteOnceWithFSType
- File
- None

ReadWriteOnceWithFSType: Volume ownership and permissions should be modified to match the pod's security policy only if the "fsType" is defined and the persistent volume's accessModes contains "ReadWriteOnce".
File: Volume ownership and permissions change supported via CSI Driver and kubernetes may use fsGroup to change permissions and ownership of the volume to match user requested fsGroup in the pod's SecurityPolicy regardless of the fsType or access mode.
None: CSI Driver doesn't support these operations and volume will be mounted with no modifications.

fsGroupPolicy will be default to "ReadWriteOnceWithFSType", keeping the previous behavior.

Note:
1. Volume ownership and permissions change would be taken care by kubernetes based on the FSGroupPolicy mode set in the CSI Driver. [here](https://kubernetes-csi.github.io/docs/support-fsgroup.html#csi-volume-fsgroup-policy).
2. FSGroupPolicy may not work as expected with "root_squash", to get the desired behavior "no_root_squash" has to be enabled.
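
Review bot: Note 2 at the end of this section tells readers to enable "no_root_squash" without saying where that is set or what it costs. Root squashing is what maps a client's root user to an unprivileged identity on the export, so turning it off widens what root on any client of that export can do; name the export setting and state that trade-off next to the recommendation. In note 1 the `[here](...)` link hangs after the full stop with nothing introducing it; fold it into the sentence. The three mode descriptions (ReadWriteOnceWithFSType / File / None) are on consecutive lines with no list markers, so Markdown will render them as one paragraph; merging them into the bullet list above would fix that. The section also never names the values file key that sets the policy, and "will be default to" should read "defaults to".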
39 changes: 39 additions & 0 deletions content/docs/csidriver/features/powerstore.md
Expand Up @@ -576,6 +576,32 @@ parameters:

> The 1.4 version and later of the driver also enables any container user, to have full access to provisioned NFS volume, in earlier versions only `root` user had access


## POSIX and NFSv4 ACLs

CSI PowerStore driver version 2.2.0 and later allows users to set user-defined permissions on NFS target mount directory using POSIX mode bits or NFSv4 ACLs.

NFSv4 ACLs are supported for NFSv4 shares on NFSv4 enabled NAS servers only. Please ensure the order when providing the NFSv4 ACLs.

To use this feature, provide permissions in `nfsAcls` parameter in values.yaml, secrets or NFS storage class.

For example:

1. POSIX mode bits

```yaml
nfsAcls: "0755"
```

2. NFSv4 ACLs

```yaml
nfsAcls: "A::OWNER@:rwatTnNcCy,A::GROUP@:rxtncy,A::EVERYONE@:rxtncy,A::[email protected]:rxtncy"
```

If no values are specified, default value of "0777" is set.


## Dynamic Logging Configuration

This feature is introduced in CSI Driver for PowerStore version 2.0.0.
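
Review bot: The "POSIX and NFSv4 ACLs" section added at line 576 duplicates content already in this file: the next hunk's unchanged context (old line 662) shows the same `nfsAcls: "A::OWNER@:..."` example and the same "default value of "0777"" note. Keep one copy and delete the other so the two cannot drift apart. In the text itself, "Please ensure the order when providing the NFSv4 ACLs" does not say which order is required or what happens when it is wrong. The stated default of "0777" gives every user read, write and execute on the mount directory; the doc should say so explicitly and show a tighter value as the recommended setting rather than leaving "0755" as just one example.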
Expand Down Expand Up @@ -662,3 +688,16 @@ nfsAcls: "A::OWNER@:rwatTnNcCy,A::GROUP@:rxtncy,A::EVERYONE@:rxtncy,A::user@doma
```

>Note: If no values are specified, default value of "0777" will be set.

## NVMe/TCP Support

CSI Driver for Dell Powerstore 2.2.0 and above supports NVMe/TCP provisioning. To enable NVMe/TCP provisioning, blockProtocol on secret should be specified as `NVMeTCP`. In case blockProtocol is specified as `auto`, the driver will be able to find the initiators on the host and choose the protocol accordingly. If the host has multiple protocols enabled, then FC gets the highest priority followed by iSCSI and then NVMeTCP.

Prerequisites

1. The driver requires NVMe management command-line interface (nvme-cli) to use configure, edit, view or start the NVMe client and target. The nvme-cli utility provides a command-line and interactive shell option. The NVMe CLI tool is installed in the host using the below command.
`sudo apt install nvme-cli`

2. Modules including the nvme, nvme_core, nvme_fabrics, and nvme_tcp are required for using NVMe over Fabrics using TCP. Load the NVMe and NVMe-OF Modules using the below commands.
```modprobe nvme
modprobe nvme-tcp```
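
Review bot: The code fence around the two modprobe commands in prerequisite 2 is malformed: the opening ``` shares a line with `modprobe nvme` and the closing ``` shares a line with `modprobe nvme-tcp`, so the first command is parsed as the fence's info string and the block is never closed. Put each fence on its own line and indent the block under the list item. The sentence above lists four modules (nvme, nvme_core, nvme_fabrics, nvme_tcp) but the commands load only two; either say the others are pulled in as dependencies or list all of them, and mention how to make the load persistent across reboots. `sudo apt install nvme-cli` only applies to apt-based hosts, so name the distribution or give the equivalent for the other supported ones. Minor: "to use configure, edit, view" has a stray "use", and "Powerstore" should be "PowerStore".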
6 changes: 3 additions & 3 deletions content/docs/csidriver/installation/helm/powerstore.md
Expand Up @@ -139,10 +139,10 @@ CRDs should be configured during replication prepare stage with repctl as descri
- *username*, *password*: defines credentials for connecting to array.
- *skipCertificateValidation*: defines if we should use insecure connection or not.
- *isDefault*: defines if we should treat the current array as a default.
- *blockProtocol*: defines what SCSI transport protocol we should use (FC, ISCSI, None, or auto).
- *blockProtocol*: defines what SCSI transport protocol we should use (FC, ISCSI, NVMeTCP, None, or auto).
- *nasName*: defines what NAS should be used for NFS volumes.
- *nfsAcls* (Optional): defines permissions - POSIX or NFSv4 ACLs, to be set on NFS target mount directory.
NFSv4 ACls are supported for NFSv4 shares on NFSv4 enabled NAS servers only.
- *nfsAcls* (Optional): defines permissions - POSIX or NFSv4 ACLs, to be set on NFS target mount directory.
NFSv4 ACls are supported for NFSv4 shares on NFSv4 enabled NAS servers only .

Add more blocks similar to above for each PowerStore array if necessary.
5. Create storage classes using ones from `samples/storageclass` folder as an example and apply them to the Kubernetes cluster by running `kubectl create -f <path_to_storageclass_file>`
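
Review bot: The updated *blockProtocol* line still describes the value as a "SCSI transport protocol" while adding NVMeTCP to the list; NVMe/TCP is not a SCSI transport, so change the wording to something like "block transport protocol". The *nfsAcls* lines appear to differ only in whitespace, and the new version introduces a stray space before the full stop ("servers only .") while keeping the "ACls" typo; either drop these two lines from the change or fix both to "NFSv4 ACLs ... servers only."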
2 changes: 1 addition & 1 deletion content/docs/csidriver/installation/operator/powerstore.md
Expand Up @@ -30,7 +30,7 @@ Kubernetes Operators make it easy to deploy and manage the entire lifecycle of c
password: "password" # password for connecting to API
skipCertificateValidation: true # indicates if client side validation of (management)server's certificate can be skipped
isDefault: true # treat current array as a default (would be used by storage classes without arrayID parameter)
blockProtocol: "auto" # what SCSI transport protocol use on node side (FC, ISCSI, None, or auto)
blockProtocol: "auto" # what SCSI transport protocol use on node side (FC, ISCSI, NVMeTCP, None, or auto)
nasName: "nas-server" # what NAS should be used for NFS volumes
```
Change the parameters with relevant values for your PowerStore array.
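
Review bot: The changed `blockProtocol` comment has the same wording problem as the Helm page: it lists NVMeTCP under "what SCSI transport protocol use on node side", and NVMe/TCP is not SCSI; suggest "what block transport protocol to use on node side (FC, ISCSI, NVMeTCP, None, or auto)", which also fixes the missing "to". Since this sample is likely to be copied as-is, it is worth noting while touching it that the surrounding context ships `skipCertificateValidation: true` and `password: "password"`; a comment marking both as placeholders to change, or a sample that defaults to validating the certificate, would be safer.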