cephfs: Fix Removal of IPs from blocklist

[black-dragon74]

While dealing with CephFS fencing we evict the
clients and block the IPs from the CIDR range
that do not have any active clients individually.

While Unfencing, the IP is removed via the
CIDR range which fails to remove the individual
IPs from Ceph's blacklist.

This PR fetches the blocklist from ceph and
removes the IPs in blocklist that lie inside
the CIDR range along with their unique nonces.

[black-dragon74]

❯ oc apply -f /tmp/a.yml
networkfence.csiaddons.openshift.io/fence-test-1 created

❯ oc exec -it rook-ceph-tools-67bf494bc8-tq69s -- ceph osd blocklist ls
100.64.0.3:0/0 2024-09-02T16:39:14.528296+0000
100.64.0.2:0/0 2024-09-02T16:39:09.325046+0000
100.64.0.0:0/0 2024-09-02T16:39:04.855016+0000
cidr:100.64.0.0:0/30 2029-09-02T20:44:33.360855+0000
listed 4 entries

❯ nvim /tmp/a.yml
❯ oc apply -f /tmp/a.yml
networkfence.csiaddons.openshift.io/fence-test-1 configured

❯ oc exec -it rook-ceph-tools-67bf494bc8-tq69s -- ceph osd blocklist ls
listed 0 entries

Logs:

I0902 15:38:32.883931       1 utils.go:240] ID: 25 GRPC call: /fence.FenceController/FenceClusterNetwork
I0902 15:38:32.884117       1 utils.go:241] ID: 25 GRPC request: {"cidrs":[{"cidr":"100.64.0.0/30"}],"parameters":{"clusterID":"openshift-storage"},"secrets":"***stripped***"}
I0902 15:38:33.040084       1 cephcmds.go:159] ID: 25 command succeeded: ceph [tell mds.0 client ls --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:38:33.767875       1 cephcmds.go:105] ID: 25 command succeeded: ceph [osd blocklist range add 100.64.0.0/30 157784760 --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:38:33.767916       1 fencing.go:115] ID: 25 blocklisted IP "100.64.0.0/30" successfully
I0902 15:38:33.768008       1 utils.go:247] ID: 25 GRPC response: {}


I0902 15:40:44.821312       1 utils.go:240] ID: 26 GRPC call: /fence.FenceController/UnfenceClusterNetwork
I0902 15:40:44.821407       1 utils.go:241] ID: 26 GRPC request: {"cidrs":[{"cidr":"100.64.0.0/30"}],"parameters":{"clusterID":"openshift-storage"},"secrets":"***stripped***"}
I0902 15:40:46.014550       1 cephcmds.go:105] ID: 26 command succeeded: ceph [osd blocklist range rm 100.64.0.0/30 --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:40:46.014589       1 fencing.go:376] ID: 26 unblocked IP "100.64.0.0/30" successfully
I0902 15:40:46.336832       1 cephcmds.go:159] ID: 26 command succeeded: ceph [osd blocklist ls --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:40:46.336872       1 fencing.go:432] ID: 26 fetched blocklist: 100.64.0.3:0/0 2024-09-02T16:39:14.528296+0000 100.64.0.2:0/0 2024-09-02T16:39:09.325046+0000 100.64.0.0:0/0 2024-09-02T16:39:04.855016+0000
I0902 15:40:46.336904       1 fencing.go:441] ID: 26 parsed blocklist for CIDR 100.64.0.0/30: [{IP:100.64.0.3 Nonce:0} {IP:100.64.0.2 Nonce:0} {IP:100.64.0.0 Nonce:0}]
I0902 15:40:47.043587       1 cephcmds.go:105] ID: 26 command succeeded: ceph [osd blocklist rm 100.64.0.3:0/0 --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:40:47.043617       1 fencing.go:376] ID: 26 unblocked IP "100.64.0.3" successfully
I0902 15:40:48.065347       1 cephcmds.go:105] ID: 26 command succeeded: ceph [osd blocklist rm 100.64.0.2:0/0 --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:40:48.065383       1 fencing.go:376] ID: 26 unblocked IP "100.64.0.2" successfully
I0902 15:40:49.094710       1 cephcmds.go:105] ID: 26 command succeeded: ceph [osd blocklist rm 100.64.0.0:0/0 --id csi-cephfs-provisioner --keyfile=***stripped*** -m 172.30.248.221:3300,172.30.217.51:3300,172.30.161.182:3300]
I0902 15:40:49.094739       1 fencing.go:376] ID: 26 unblocked IP "100.64.0.0" successfully
I0902 15:40:49.094820       1 utils.go:247] ID: 26 GRPC response: {}

[Madhu-1]

@black-dragon74 can you please also make sure you have cephfs PVC mounted on the node which you are blocklisting and restart the csi-addons manager pod multiple times (to check cephcsi cephfs fencing is idempotent or not) and provide the logs here?

[Madhu-1]

can you please test the csi-addons restart case and paste the logs here?

[Rakshith-R]

@black-dragon74 Why is "0" used as nonce here ?

[black-dragon74]

This is to remove just the blacklist entry without specifying any extra details such as port and nonce. If you do not specify the port and nonce explicitly, ceph uses the default of 0/0 for port and nonce respectively.

Ex: ceph osd blocklist rm x.x.x.x, IP = x.x.x.x:0/0

[Rakshith-R]

This is to remove just the blacklist entry without specifying any extra details such as port and nonce. If you do not specify the port and nonce explicitly, ceph uses the default of 0/0 for port and nonce respectively.

Ex: ceph osd blocklist rm x.x.x.x, IP = x.x.x.x:0/0

Can you add it as comment just above this line ?
its a bit confusing why "0" pops as nonce all of a sudden.

Pull request has been modified.

[Rakshith-R]

Thanks

[Madhu-1]

@Mergifyio queue

[mergify]

queue

✅ The pull request has been merged automatically

The pull request has been merged automatically at 6c704bc

[ceph-csi-bot]

/test ci/centos/upgrade-tests-cephfs

[ceph-csi-bot]

/test ci/centos/upgrade-tests-rbd

[ceph-csi-bot]

/test ci/centos/k8s-e2e-external-storage/1.30

[ceph-csi-bot]

/test ci/centos/mini-e2e-helm/k8s-1.30

[ceph-csi-bot]

/test ci/centos/k8s-e2e-external-storage/1.29

[ceph-csi-bot]

/test ci/centos/mini-e2e/k8s-1.30

[ceph-csi-bot]

/test ci/centos/k8s-e2e-external-storage/1.31

[ceph-csi-bot]

/test ci/centos/mini-e2e-helm/k8s-1.29

[ceph-csi-bot]

/test ci/centos/mini-e2e-helm/k8s-1.31

[ceph-csi-bot]

/test ci/centos/mini-e2e/k8s-1.29

[ceph-csi-bot]

/test ci/centos/mini-e2e/k8s-1.31