[FEATURE REQUEST] NFS Storage for Epiphany

[baurbaniak]

Is your feature request related to a problem? Please describe.
We need to check if feature/nfs-storage branch if it is implementing complete solution for NFS storage.

Describe the solution you'd like
We need to verify implementation in if feature/nfs-storage branch for different environments:

• AWS: EFS
• Azure: NFS server
• On-premise: Linux VM with NFS server

Describe alternatives you've considered
No alternatives.

Additional context
None

---

DoD checklist

• Changelog
  • updated
  • not needed
• COMPONENTS.md
  • updated
  • not needed
• Schema
  • updated
  • not needed
• Backport tasks
  • created
  • not needed
• Documentation
  • added
  • updated
  • not needed
• Feature has automated tests
• Automated tests passed (QA pipelines)
  • apply
  • upgrade
  • backup/restore
• Idempotency tested
• All conversations in PR resolved
• Solution meets requirements and is done according to design doc
• Usage compliant with license

[to-bar]

We also need a shared file system to make backup of clustered ES:
https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshots-register-repository.html#snapshots-filesystem-repository
https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshot-restore.html
elastic/elasticsearch#6638

[to-bar]

Tasks left to do:

1. Files created by any user on NFS client are saved on NFS server as owned by the anonymous user (nfsnobody on RHEL) when NFS share is kerberized (i.e. sec=krb5p). The behavior is the same as using all_squash option. For sec=sys this issue is not present. It's similar to the one described here but not limited to root.

2. Test scenario when domain is undefined (on-premise it's possible). In such case ansible_domain may contain empty string. Depending on the test result we may need to add a pre-flight check to fail if domain is undefined.

3. Ensure time synchronization (NTP). Kerberos permits only small differences in the system times of the server and its clients. There is separate issue #1298 for that.

4. Review and refactor Kerberos config files (Jinja templates) - the default configuration (provided with packages) differs between RHEL and Ubuntu. Nice to have the same settings for both distros for easier maintenance (where it makes sense).

5. Update list of ports (used by NFS and Kerberos) in SECURITY.md.

6. Verify rules of Security Groups, they were added but access from Kerberos server to NFS clients was not tested (see point "Source port 88 UDP inbound from Kerberos KDCs" at https://uit.stanford.edu/service/kerberos/firewalls)

7. Add nfs OS group and use it when creating non-existing directories to be exported. See section "Create NFS Group and Configure NFS Share Directory" at https://www.tecmint.com/setting-up-nfs-server-with-kerberos-based-authentication/

8. Verify configuration of logging (locations, verbosity, rotation).

9. Add information about NFS to Epiphany docs.

[mkyc]

@to-bar @rafzei @toszo I just added it to Cloud Native Storage epic, but I would like to know from you if that should even be left here. Are we going to use NFS? That is not what current approach with Rook Operator defined but I might not be aware of something.

[to-bar]

The solution with Kerberos has failed due to permissions issue (manual ownership mapping or LDAP required).
The new approach is to use NFS over stunnel. PoC succeded.

[seriva]

Not going todo anymore feature requests for Epiphany.