NetApp Container Volume Worker – Backend Options Guide
Audience: Cloud operators who will deploy the containerised NetApp Cinder volume worker (NFS‑only).
Why a separate guide? The container image does not support iSCSI; if you need iSCSI, follow the NetApp Volume Worker – Operator Guide instead.
1 Understand the BACKENDS Variable
The container expects a single environment variable – BACKENDS
– that embeds one or more backend definitions. Each backend is a comma‑separated
list of 10 fields; multiple backends are separated by semicolons.
1.1 Field Reference
Index | Field Name | Purpose / Example | Type |
---|---|---|---|
0 | backend_name |
Logical name → becomes volume_backend_name (nfs-prod-a ) |
String |
1 | netapp_login |
API username | String |
2 | netapp_password |
API password (store secret!) | String |
3 | netapp_server_hostname |
FQDN or IP of ONTAP cluster | String |
4 | netapp_server_port |
80 / 443 | Integer |
5 | netapp_vserver |
SVM that exports the NFS volumes | String |
6 | netapp_dedup |
True or False |
Boolean |
7 | netapp_compression |
True or False |
Boolean |
8 | netapp_thick_provisioned |
True (guaranteed) or False (thin) |
Boolean |
9 | netapp_lun_space_reservation |
enabled / disabled |
String |
Dedup + compression combo
ONTAP generally requires both dedup=True
and compression=True
for best space savings on hybrid‐disk aggregates.
2 Operator Workflow
- ✅ Draft backend string
- 🔐 Create Kubernetes secret
- 🚀 Deploy Kustomize manifest
- 🔍 Validate Cinder services & exports
2.1 Draft the BACKENDS String
Fill in real values; keep the order exactly as in § 1.1.
export BACKENDS="nfs-prod-a,netappuser,supersecret,ontap‑01.example.com,443,SVM01,none,True,True,False,disabled"
For multiple backends:
export BACKENDS="nfs-prod-a,netappuser,supersecret,ontap‑01.example.com,443,SVM01,none,True,True,False,disabled; \
nfs-dr-b,netappuser,supersecret,ontap‑02.example.com,443,SVM02,none,True,True,False,disabled"
2.2 Create the Secret
kubectl -n openstack create secret generic cinder-netapp \
--type Opaque \
--from-literal=BACKENDS="${BACKENDS}"
Store passwords securely
Prefer --from-file
with an encrypted backends.env
manifest in GitOps pipelines instead of inline literals.
2.3 Deploy the Worker
The Kustomize overlay mounts the secret as an env‑file and launches the container.
3 Post‑Deployment Checks
3.1 Volume Type Mapping
Create a volume type per backend and attach extra_specs
:
Expected Output
Refer to:
Backend without policies = sad tenants
Skipping this step may leave tenants with a backend they cannot consume or that violates performance guarantees.
3.2 Service Health
You should see entries like:
Expected Output
+------------------+--------------------------------------------------------------------+------+---------+-------+----------------------------+
| Binary | Host | Zone | Status | State | Updated At |
+------------------+--------------------------------------------------------------------+------+---------+-------+----------------------------+
| cinder-scheduler | cinder-volume-worker | az1 | enabled | up | 2023-12-26T17:43:07.000000 |
| cinder-volume | cinder-volume-netapp-worker@nfs-prod-a | az1 | enabled | up | 2023-12-26T17:43:04.000000 |
+------------------+--------------------------------------------------------------------+------+---------+-------+----------------------------+
Appendix
Example Secret Manifest (GitOps‑friendly)
Genestack
Inject secrets manager values (e.g., sealed-secrets
, external-secrets
) in place of ${…}
placeholders.
apiVersion: v1
kind: Secret
metadata:
name: cinder-netapp
namespace: openstack
stringData:
BACKENDS: >
nfs-prod-a,${ONTAP_USER},${ONTAP_PASS},ontap-01.example.com,443,SVM01,none,True,True,False,disabled;
nfs-dr-b,${ONTAP_USER},${ONTAP_PASS},ontap-02.example.com,443,SVM02,none,True,True,False,disabled
Common Issues
Symptom | Likely Cause | Resolution |
---|---|---|
No valid host was found |
Type not mapped to backend | Check volume_backend_name extra‑spec |
HTTP 403 from ONTAP API in logs |
Wrong creds or insufficient role | Verify netapp_login permissions |
Pod crash‑loop with BACKENDS parse |
Missing or extra field | Ensure 11 fields per backend, no trailing ; |
NFS export accessible but perms issue | SVM export‑policy mismatch | Update ONTAP export policy to allow compute CIDRs |