OpenFiler and ESX

Posted by Admin on July 09, 2009

So I decided it was finally time to set up a little ESX cluster with OpenFiler. Everything was going smoothly until it came time to configure OpenFiler… being that I’m not a storage guy. Then the OpenFiler people seem to want to make money off selling the admin guide. *sigh*. Fortunately, there is a *great* little howto here. Thank you Lee Wynne.

Then I got the first ESX host connected no problem, but the second wasn’t connecting despite every bit of troubleshooting I tried. Fortunately, it seems that other people have not only done this before me, but they’re smarter than me. Crumpuppet figured it out here. (scoll down into the thread.) Basically, it looks like a bug – either with ESX or with OpenFiler.  The fix is in the /etc/initiators-allow and /etc/initiators-deny files, a TCPwrappers sorta way of controlling access by iSCSI initiators. It basically only lets the first one in and rejects everything else. Nice. I wasted 2 hours of my life on this one. The fix, in a nutshell:

I was scratching through the openfiler settings on the console, and found two files – initiators.allow, and initiators.deny. I did a couple of tests on OF in adding initiators to the local network. When adding one, it added an entry for it in the “allow” file, as you would expect.

But – the deny file had one single entry that looks like this: ALL

I figured, the allow one gets processed after this one, so my “allowed” initiators will be given access anyway. This was not the case. Every time I made a change to the list of initiators on the OF web interface, this line was added to initiators.deny. I put a comment in front of it and restarted the iscsi-target service. I finally managed to discover my iSCSI target on my esx hosts.

So remember to check these files! If you also have the “ALL” line in initiators.deny, just put a # in front of it, and run:

service iscsi-target restart

This will probably have to be done every time you add a host. I’m not prepared to write-protect the initiators.deny file for in case OF cries about it, but can anyone think of a fix for this?

I recommend you read the entire thread and consider the security implications of this hack. For now at least, I’m up and running.

4 Comments to OpenFiler and ESX

  • I was running into this problem as well, but I think I have solved it.
    The issue (I had) is not the .deny, but the .allowed file.

    My .allowed file had an IP say , but this is not correct.
    It’s either or

    So when your ACL and Network Access Configuration has an ‘single’ IP, not a range in there, use subnet! Now the .deny can be filled with the ‘ALL’ entry.

  • This is interesting… thank you Ian for discovering this. So if I want to allow an individual IP address, I would have to allow, and could presumably have multiple entries. But how could I allow an entire subnet? For example, or for that matter: My annoyance with Open Filer is that such a simple syntax doesn’t work, yet it has always worked with *ix TCP wrappers. Disclaimer: this may have been fixed in the many months since I last played with the product. Thank you for reading my blog! Regards, JT