mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-24 15:20:19 +00:00
b4592a55eb
The address we get from ceph contains the ip in the format of 10.244.0.1:0/2686266785 we need to extract the client IP from this address, we already have a helper to extract it, This makes the helper more generic can be reused by multiple packages in the fence controller. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
183 lines
5.5 KiB
Go
183 lines
5.5 KiB
Go
/*
|
|
Copyright 2022 The Ceph-CSI Authors.
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package rbd
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
nf "github.com/ceph/ceph-csi/internal/csi-addons/networkfence"
|
|
"github.com/ceph/ceph-csi/internal/util"
|
|
|
|
"github.com/csi-addons/spec/lib/go/fence"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
// FenceControllerServer struct of rbd CSI driver with supported methods
|
|
// of CSI-addons networkfence controller service spec.
|
|
type FenceControllerServer struct {
|
|
*fence.UnimplementedFenceControllerServer
|
|
}
|
|
|
|
// NewFenceControllerServer creates a new FenceControllerServer which handles
|
|
// the FenceController Service requests from the CSI-Addons specification.
|
|
func NewFenceControllerServer() *FenceControllerServer {
|
|
return &FenceControllerServer{}
|
|
}
|
|
|
|
func (fcs *FenceControllerServer) RegisterService(server grpc.ServiceRegistrar) {
|
|
fence.RegisterFenceControllerServer(server, fcs)
|
|
}
|
|
|
|
// validateFenceClusterNetworkReq checks the sanity of FenceClusterNetworkRequest.
|
|
func validateNetworkFenceReq(fenceClients []*fence.CIDR, options map[string]string) error {
|
|
if len(fenceClients) == 0 {
|
|
return errors.New("CIDR block cannot be empty")
|
|
}
|
|
|
|
if value, ok := options["clusterID"]; !ok || value == "" {
|
|
return errors.New("missing or empty clusterID")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// FenceClusterNetwork blocks access to a CIDR block by creating a network fence.
|
|
// It adds the range of IPs to the osd blocklist, which helps ceph in denying access
|
|
// to the malicious clients to prevent data corruption.
|
|
func (fcs *FenceControllerServer) FenceClusterNetwork(
|
|
ctx context.Context,
|
|
req *fence.FenceClusterNetworkRequest,
|
|
) (*fence.FenceClusterNetworkResponse, error) {
|
|
err := validateNetworkFenceReq(req.GetCidrs(), req.GetParameters())
|
|
if err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
|
}
|
|
|
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
defer cr.DeleteCredentials()
|
|
|
|
nwFence, err := nf.NewNetworkFence(ctx, cr, req.GetCidrs(), req.GetParameters())
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
|
|
err = nwFence.AddNetworkFence(ctx)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed to fence CIDR block %q: %s", nwFence.Cidr, err.Error())
|
|
}
|
|
|
|
return &fence.FenceClusterNetworkResponse{}, nil
|
|
}
|
|
|
|
// UnfenceClusterNetwork unblocks the access to a CIDR block by removing the network fence.
|
|
func (fcs *FenceControllerServer) UnfenceClusterNetwork(
|
|
ctx context.Context,
|
|
req *fence.UnfenceClusterNetworkRequest,
|
|
) (*fence.UnfenceClusterNetworkResponse, error) {
|
|
err := validateNetworkFenceReq(req.GetCidrs(), req.GetParameters())
|
|
if err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
|
}
|
|
|
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
|
if err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
|
}
|
|
defer cr.DeleteCredentials()
|
|
|
|
nwFence, err := nf.NewNetworkFence(ctx, cr, req.GetCidrs(), req.GetParameters())
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
|
|
err = nwFence.RemoveNetworkFence(ctx)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed to unfence CIDR block %q: %s", nwFence.Cidr, err.Error())
|
|
}
|
|
|
|
return &fence.UnfenceClusterNetworkResponse{}, nil
|
|
}
|
|
|
|
// GetFenceClients fetches the ceph cluster ID and the client address that need to be fenced.
|
|
func (fcs *FenceControllerServer) GetFenceClients(
|
|
ctx context.Context,
|
|
req *fence.GetFenceClientsRequest,
|
|
) (*fence.GetFenceClientsResponse, error) {
|
|
options := req.GetParameters()
|
|
clusterID, err := util.GetClusterID(options)
|
|
if err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
|
}
|
|
|
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
|
if err != nil {
|
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
|
}
|
|
defer cr.DeleteCredentials()
|
|
|
|
monitors, _ /* clusterID*/, err := util.GetMonsAndClusterID(ctx, clusterID, false)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
}
|
|
|
|
// Get the cluster ID of the ceph cluster.
|
|
conn := &util.ClusterConnection{}
|
|
err = conn.Connect(monitors, cr)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed to connect to MONs %q: %s", monitors, err)
|
|
}
|
|
defer conn.Destroy()
|
|
|
|
fsID, err := conn.GetFSID()
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed to get cephfs id: %s", err)
|
|
}
|
|
|
|
address, err := conn.GetAddrs()
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed to get client address: %s", err)
|
|
}
|
|
|
|
// The example address we get is 10.244.0.1:0/2686266785 from
|
|
// which we need to extract the IP address.
|
|
addr, err := nf.ParseClientIP(address)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed to parse client address: %s", err)
|
|
}
|
|
|
|
// adding /32 to the IP address to make it a CIDR block.
|
|
addr += "/32"
|
|
|
|
resp := &fence.GetFenceClientsResponse{
|
|
Clients: []*fence.ClientDetails{
|
|
{
|
|
Id: fsID,
|
|
Addresses: []*fence.CIDR{
|
|
{
|
|
Cidr: addr,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
return resp, nil
|
|
}
|