So I decided it was finally time to set up a little ESX cluster with OpenFiler. Everything was going smoothly until it came time to configure OpenFiler… being that I’m not a storage guy. Then the OpenFiler people seem to want to make money off selling the admin guide. *sigh*. Fortunately, there is a *great* little howto here. Thank you Lee Wynne.
Then I got the first ESX host connected no problem, but the second wasn’t connecting despite every bit of troubleshooting I tried. Fortunately, it seems that other people have not only done this before me, but they’re smarter than me. Crumpuppet figured it out here. (scoll down into the thread.) Basically, it looks like a bug – either with ESX or with OpenFiler.Â The fix is in the /etc/initiators-allow and /etc/initiators-deny files, a TCPwrappers sorta way of controlling access by iSCSI initiators. It basically only lets the first one in and rejects everything else. Nice. I wasted 2 hours of my life on this one. The fix, in a nutshell:
I was scratching through the openfiler settings on the console, and found two files – initiators.allow, and initiators.deny. I did a couple of tests on OF in adding initiators to the local network. When adding one, it added an entry for it in the “allow” file, as you would expect.
But – the deny file had one single entry that looks like this:
I figured, the allow one gets processed after this one, so my “allowed” initiators will be given access anyway. This was not the case. Every time I made a change to the list of initiators on the OF web interface, this line was added to initiators.deny. I put a comment in front of it and restarted the iscsi-target service. I finally managed to discover my iSCSI target on my esx hosts.
So remember to check these files! If you also have the “ALL” line in initiators.deny, just put a # in front of it, and run:
service iscsi-target restart
This will probably have to be done every time you add a host. I’m not prepared to write-protect the initiators.deny file for in case OF cries about it, but can anyone think of a fix for this?
I recommend you read the entire thread and consider the security implications of this hack. For now at least, I’m up and running.