JT's Blog

JT's little piece of the internet.

Jul-9-2009

OpenFiler and ESX

So I decided it was finally time to set up a little ESX cluster with OpenFiler. Everything was going smoothly until it came time to configure OpenFiler… being that I’m not a storage guy. Then the OpenFiler people seem to want to make money off selling the admin guide. *sigh*. Fortunately, there is a *great* little howto here. Thank you Lee Wynne.

Then I got the first ESX host connected no problem, but the second wasn’t connecting despite every bit of troubleshooting I tried. Fortunately, it seems that other people have not only done this before me, but they’re smarter than me. Crumpuppet figured it out here. (scoll down into the thread.) Basically, it looks like a bug – either with ESX or with OpenFiler.  The fix is in the /etc/initiators-allow and /etc/initiators-deny files, a TCPwrappers sorta way of controlling access by iSCSI initiators. It basically only lets the first one in and rejects everything else. Nice. I wasted 2 hours of my life on this one. The fix, in a nutshell:

I was scratching through the openfiler settings on the console, and found two files – initiators.allow, and initiators.deny. I did a couple of tests on OF in adding initiators to the local network. When adding one, it added an entry for it in the “allow” file, as you would expect.

But – the deny file had one single entry that looks like this:

iqn.2006-01.com.openfiler:tsn.6ef258ca57df ALL

I figured, the allow one gets processed after this one, so my “allowed” initiators will be given access anyway. This was not the case. Every time I made a change to the list of initiators on the OF web interface, this line was added to initiators.deny. I put a comment in front of it and restarted the iscsi-target service. I finally managed to discover my iSCSI target on my esx hosts.

So remember to check these files! If you also have the “ALL” line in initiators.deny, just put a # in front of it, and run:

service iscsi-target restart

This will probably have to be done every time you add a host. I’m not prepared to write-protect the initiators.deny file for in case OF cries about it, but can anyone think of a fix for this?

I recommend you read the entire thread and consider the security implications of this hack. For now at least, I’m up and running.

Posted under IT
  1. Hossain Said,

    Thanks. It worked for me.

  2. JT Said,

    Hmmmm… maybe they’ve upgraded / fixed the bug since I did this experiment, 4 years ago 🙂

  3. Ian Said,

    I was running into this problem as well, but I think I have solved it.
    The issue (I had) is not the .deny, but the .allowed file.

    My .allowed file had an IP say 10.10.10.10/24 , but this is not correct.
    It’s either 10.10.10.0/24 or 10.10.10.10.

    So when your ACL and Network Access Configuration has an ‘single’ IP, not a range in there, use 255.255.255.255 subnet! Now the .deny can be filled with the ‘ALL’ entry.

  4. JT Said,

    This is interesting… thank you Ian for discovering this. So if I want to allow an individual IP address, I would have to allow 10.10.10.10/255.255.255.255, and could presumably have multiple entries. But how could I allow an entire subnet? For example 10.10.10.0/255.255.255.0, or for that matter: 10.10.10.16/255.255.255.248. My annoyance with Open Filer is that such a simple syntax doesn’t work, yet it has always worked with *ix TCP wrappers. Disclaimer: this may have been fixed in the many months since I last played with the product. Thank you for reading my blog! Regards, JT