Managing masked namespaces

In some cases, namespaces must be isolated on a per-volume basis, for example for multi-tenancy or for other security purposes. By default, all hosts with access to a subsystem can see all namespaces within the subsystem. Use this information to change the visibility of a specific namespace, and to add hosts to and remove hosts from a masked namespace, that is, a namespace that is not automatically visible.

Before you begin

Get the namespace ID. You can retrieve the namespace ID by using the namespace list command. For more information, see Listing namespaces for a specific NVMe-oF subsystem or Listing namespaces for all NVMe-oF subsystems.

About this task

  • To create a masked namespace, use the --no-auto-visible parameter in the namespace add command.
  • To change an existing namespace from unrestricted visibility to restrictive visibility, use the --auto-visible no option in the namespace change_visibility command.
After a namespace is masked, only hosts that are added to the namespace can connect to it. A host that has not been added to the masked namespace sees no output for that namespace when it connects to the relevant subsystem.

Creating a namespace with restrictive visibility

Create a namespace with restrictive visibility by using the --no-auto-visible parameter with the namespace add command.
ceph nvmeof namespace add --nqn NQN [--rbd_image_name IMAGE_NAME] [--rbd_pool POOL_NAME] [--create-image] [--size POOL_SIZE] [--rbd_image_size IMAGE_SIZE] --no-auto-visible
For example,
[root@host01 ~]# ceph nvmeof namespace add --nqn nqn.2016-06.io.spdk:cnode1.group1 --rbd_image_name image1 --rbd_pool pool1 --no-auto-visible
Success
The following parameters can optionally be added to the command:
  • --uuid
  • --nsid
  • --block_size<int>
  • --size
  • --create-image
  • --force

    Use the --force parameter to create a namespace even if its image is already used by another namespace.

  • --rbd-trash-image-on-delete

    Instructs the gateway to automatically delete the Ceph Block Device (RBD) image that is created for the namespace when the namespace is deleted.

    This parameter only applies to Ceph Block Device images created when adding a namespace. If the namespace was added by using an existing Ceph Block Device image, this image will not be deleted with the namespace.
    Note: The --rbd-trash-image-on-delete parameter can only be used together with the --create-image parameter.
  • --read-only
    Use to create a namespace that cannot be modified. Use read-only namespaces to prevent namespace changes during operations such as disaster recovery tests. The Read-Only or Read-Write status can be seen in the namespace list output.
    Important: Once a namespace is flagged as read-only, it cannot be modified to read-write.

Changing namespace visibility

Automatic visibility allows all hosts to view the namespace. To make a namespace visible to all hosts, use the --auto-visible yes option. To mask a namespace so that it is visible only to specific hosts, use the --auto-visible no option.
Important: When you enable namespace masking by changing a namespace from --auto-visible yes to --auto-visible no, the command fails if hosts were previously connected to the namespace, unless the --force parameter is used.
Use the namespace change_visibility command to enable or disable namespace masking on a namespace.
ceph nvmeof namespace change_visibility --nqn NQN --nsid NSID --auto-visible <yes|no> [--force] [gw_group GW_GROUP] [--server-address SERVER_ADDRESS]

Use no to enable namespace masking and yes to remove namespace masking.

Example for enabling namespace masking
[root@host01 ~]# ceph nvmeof namespace change_visibility --nqn nqn.2016-06.io.spdk:cnode1.group1 --nsid 3 --auto-visible no
Success
Example for removing namespace masking
[root@host01 ~]# ceph nvmeof namespace change_visibility --nqn nqn.2016-06.io.spdk:cnode1.group1 --nsid 3 --auto-visible yes --force
Success

Adding a host to a masked namespace

Use the namespace add_host command to add a host to a masked namespace.
ceph nvmeof namespace add_host --nqn NQN --nsid NSID [--host_nqn HOST_NQN] [--force] [gw_group GW_GROUP] [--server-address SERVER_ADDRESS]
Multiple host NQNs can be added to the namespace.
Note: Do not use commas between host NQNs or quotes (") around the multiple host NQNs. Use the following example format:

--host-nqn HOST01_NQN HOST02_NQN

For example,
[root@host01 ~]# ceph nvmeof namespace add_host --nqn nqn.2016-06.io.spdk:cnode2.group3 --nsid 3 --host-nqn nqn.2014-08.org.nvmexpress:uuid:950ddadf-f995-47b7-9416-b9bb233f66e3
Success
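
The masking and host-add steps above, as an added example that is not part of the product documentation: a POSIX shell helper that checks every host NQN against the formatting note and then prints the two commands for review before anything is run. The function names and the NQN shape check are assumptions; the host option is spelled --host-nqn as in this page's worked examples.

```shell
#!/bin/sh
# Added example (not product code). Source this file, then run for instance:
#   plan_mask SUBSYSTEM_NQN NSID HOST01_NQN HOST02_NQN
# Review the printed commands and run them on the gateway host.

# valid_host_nqn NQN: succeed only if NQN is one well-formed host NQN.
# Commas and quotes are rejected because the note above forbids them in
# the host list; whitespace would silently split one entry into two.
valid_host_nqn() {
    case "$1" in
        ''|*,*|*\"*|*\'*|*[[:space:]]*) return 1 ;;
    esac
    # Assumed shape check: nqn.YYYY-MM.<reverse-domain>:<identifier>
    printf '%s\n' "$1" | grep -Eq '^nqn\.[0-9]{4}-[0-9]{2}\.[A-Za-z0-9.-]+:.+$'
}

# plan_mask SUBSYSTEM_NQN NSID HOST_NQN...
# Prints one command per line. On any bad input it prints no command and
# returns 1, so a partially validated host list is never emitted.
plan_mask() {
    [ "$#" -ge 3 ] || { echo "usage: plan_mask NQN NSID HOST_NQN..." >&2; return 1; }
    subsys=$1
    nsid=$2
    shift 2
    case "$nsid" in
        ''|*[!0-9]*) echo "NSID must be numeric: $nsid" >&2; return 1 ;;
    esac
    for h in "$@"; do
        valid_host_nqn "$h" || { echo "rejected host NQN: $h" >&2; return 1; }
    done
    # --force is deliberately left out: if hosts are already connected, the
    # change fails and the operator can review those hosts before overriding.
    echo "ceph nvmeof namespace change_visibility --nqn $subsys --nsid $nsid --auto-visible no"
    # All host NQNs follow a single --host-nqn, separated by spaces only.
    echo "ceph nvmeof namespace add_host --nqn $subsys --nsid $nsid --host-nqn $*"
}
```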

Removing a host from a masked namespace

Use the namespace del_host command to remove a host from a masked namespace.
ceph nvmeof namespace del_host --nqn NQN --nsid NSID [--host_nqn HOST_NQN] [gw_group GW_GROUP] [--server-address SERVER_ADDRESS]
Multiple host NQNs can be removed from the namespace.
Note: Do not use commas between host NQNs or quotes (") around the multiple host NQNs. Use the following example format:

--host-nqn HOST01_NQN HOST02_NQN

For example,
[root@host01 ~]# ceph nvmeof namespace del_host --nqn nqn.2016-06.io.spdk:cnode2.group3 --nsid 3 --host-nqn nqn.2014-08.org.nvmexpress:uuid:950ddadf-f995-47b7-9416-b9bb233f66e3
Success