Workaround for iSCSI issues on SLES11 (SLES.ISCSIOnSLES11) — History. Show minor edits - Show changes to markup. November 13, 2009, at 04:07 PM
by -
Changed line 104 from:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*[ \t]/|/|'`; do Changed line 116 from:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*[ \t]/|/|'`; do Changed line 128 from:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*[ \t]/|/|'`; do November 10, 2009, at 01:59 PM
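Review bot: The `grep "iscsi," /etc/fstab` that feeds all three rewritten loops (page lines 104, 116 and 128) still selects any line containing the substring `iscsi,` anywhere, including commented-out entries and lines where the text appears in the options field rather than the fstype, so a disabled entry would still be mounted, unmounted or checked. Selecting on the third field and skipping comments is more precise: `for mountpoint in $(grep -v '^[[:space:]]*#' /etc/fstab | awk '$3 ~ /^iscsi,/ { print $2 }'); do`. The new `[ \t]/` anchor does fix the earlier `.*/` truncating nested mountpoints such as `/mnt/iscsi/vol` to `/vol`, and the same field-based selection keeps that behaviour.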
by -
Changed line 32 from:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 to:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail,noatime 1 2 November 10, 2009, at 01:59 PM
by -
Changed line 32 from:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail,_netdev 1 2 to:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 November 10, 2009, at 01:56 PM
by -
Changed line 18 from:
to:
November 10, 2009, at 11:50 AM
by -
Changed line 32 from:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 to:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail,_netdev 1 2 Added lines 98-102:
#Added to take care of LVM groups on iSCSI vgscan > /dev/null sleep 1 vgchange -a y > /dev/null August 14, 2009, at 01:29 PM
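Review bot: `vgchange -a y` with no volume-group argument activates every volume group on the host, not only those backed by the iSCSI LUNs, and the fixed `sleep 1` between `vgscan` and the activation is a timing guess rather than a check that the LUN devices have appeared. If the iSCSI volume groups have known names, passing them explicitly (`vgchange -a y <vg name>`, name taken from your setup) limits the activation to what this script is responsible for. Where these five lines sit inside the script is not visible here, so whether they run before the mount loop is inferred from the page line numbers (98-102) and should be confirmed.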
by -
Changed line 99 from:
for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do Changed line 111 from:
for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do Changed line 123 from:
for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do August 14, 2009, at 01:04 PM
by -
Changed lines 18-20 from:
to:
August 14, 2009, at 01:03 PM
by -
Changed line 17 from:
to:
August 14, 2009, at 01:02 PM
by -
Added line 11:
Changed lines 16-17 from:
To make this script work it is necessary to slightly modify the iSCSI entries in the to:
To make this script work it is necessary to slightly modify the iSCSI entries in the
August 14, 2009, at 12:57 PM
by -
Changed lines 15-16 from:
To make this script work it is necessary to slightly modify the iSCSI entries in the to:
To make this script work it is necessary to slightly modify the iSCSI entries in the August 14, 2009, at 12:56 PM
by -
Changed line 18 from:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:150px;":) to:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:175px;":) August 14, 2009, at 12:56 PM
by -
Changed line 18 from:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":) to:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:150px;":) August 14, 2009, at 12:54 PM
by -
Changed lines 20-28 from:
to:
/dev/system/swap swap swap defaults 0 0 /dev/system/root / ext3 acl,user_xattr 1 1 /dev/sda1 /boot ext3 acl,user_xattr 1 2 /dev/system/home /home ext3 acl,user_xattr 1 2 proc /proc proc defaults 0 0 sysfs /sys sysfs noauto 0 0 debugfs /sys/kernel/debug debugfs noauto 0 0 devpts /dev/pts devpts mode=0620,gid=5 0 0 UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 Changed lines 35-134 from:
to:
ISCSISCRIPT=/etc/init.d/open-iscsi MOUNTSCRIPT=/etc/init.d/iscsi-mount RCSCRIPT=/sbin/rciscsi-mount declare -i overallstatus=0 test -h $RCSCRIPT || ln -sf $MOUNTSCRIPT $RCSCRIPT
. /etc/rc.status
rc_reset iscsimount() { rc_reset echo -n "Mounting $1: " mount $1 rc_status -v return $? } iscsiumount() { rc_reset echo -n "Umounting $1: " umount $1 rc_status -v return $? } iscsicheck() { rc_reset echo -n "Verify if $1 is mounted: " mount | grep "on $1\b" > /dev/null rc_status -v return $? } iscsimountall() { # Find all fstab lines with iscsi as the fstype for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do # Only try to mount filesystems that are NOT currently mounted. if ! mount | grep "on $mountpoint\b" > /dev/null then iscsimount $mountpoint || overallstatus=$? fi done return $overallstatus } iscsiumountall() { # Find all fstab lines with iscsi as the fstype for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do # Only try to umount filesystems that are currently mounted. if mount | grep "on $mountpoint\b" > /dev/null then iscsiumount $mountpoint || overallstatus=$? fi done return $overallstatus } iscsicheckall() { # Find all fstab lines with iscsi as the fstype for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do iscsicheck $mountpoint || overallstatus=$? done return $overallstatus } case "$1" in start) $ISCSISCRIPT $@ && sleep 1 && iscsimountall ;;
stop) iscsiumountall && $ISCSISCRIPT $@ ; overallstatus=$? ;;
status) $ISCSISCRIPT $@ && iscsicheckall ;;
restart|reload) $0 stop && sleep 1 && $0 start ; overallstatus=$? ;;
initiator) shift ; $ISCSISCRIPT $@ ; overallstatus=$? ;;
*) echo "Usage: $0 {start|stop|status|restart|reload|initiator}"; overallstatus=1 ;;
esac rc_failed $overallstatus rc_exit August 14, 2009, at 12:52 PM
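Review bot: The mounted-state test `mount | grep "on $mountpoint\b"` used by iscsicheck, iscsimountall and iscsiumountall treats a nested mount such as `/data/sub` as a match for `/data`, because `\b` also matches the `/` that follows, so a parent that is not mounted can be reported as mounted (and skipped by the mount loop); matching the full `mount` output token, `mount | grep " on $mountpoint type " > /dev/null`, avoids that. Separately, `$ISCSISCRIPT $@` in every case branch should be `$ISCSISCRIPT "$@"` so arguments are passed through intact, and `test -h $RCSCRIPT || ln -sf $MOUNTSCRIPT $RCSCRIPT` creates a symlink under /sbin as a side effect of every invocation, including `status`; creating the rc link once at install time keeps the init script free of filesystem writes. The fstab selection via `grep "iscsi,"` also picks up commented-out entries, which is raised separately on the later revision that rewrites those loops.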
by -
Changed line 17 from:
/etc/init.d/iscsi-mount
to:
/etc/fstab (an example)
Added lines 23-29:
/etc/init.d/iscsi-mount
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":) (:divend:) August 14, 2009, at 12:52 PM
by -
Changed lines 5-12 from:
The problem is that you are unable to mount the iSCSI LUNs from within the I also had some minor problems with permissions on the cert.b64 file (make sure radiusd user and group can see the file) If you run into any problems just run the following command to see all the necessary troubleshooting output: radiusd -A -X
to:
The problem is that you are unable to mount the iSCSI LUNs from within the The issue I had was that the system would try to mount the LUNs before the network was up and therefore failed. I tried a number of possible remedies but nothing worked:
What other people have done is to create custom scripts. However my problem with these script is that they seemed sloppy. I needed a system that would handle both the iscsi initiator and the mounting of the filesystems in one go. And I also wanted a system that would work with the existing GNU utilities. What I can up with was a wrapper script for the open-scsi deamon (see below). This handles both the software initiator and mounting of the filesystems - for both starting and stopping. This way I can be sure certain that the system will neither try to mount filesystems before the an iSCSI connection is established nor kill the iSCSI connection without first umounting the filesystems. To make this script work it is necessary to slightly modify the iSCSI entries in the August 14, 2009, at 12:33 PM
by -
Changed line 13 from:
/etc/raddb/radiusd.conf
to:
/etc/init.d/iscsi-mount
August 14, 2009, at 12:26 PM
by -
Changed lines 3-11 from:
FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that is can seem to have too many options, and unless your a RADIUS expert, your screwed! What I needed for a customer was way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all! Through a great deal of research, trial and error; I can up with the following slimmed down configuration file. Simple, Secure and Functional! Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 You might also want to create a link to the init.d script. ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd
to:
I have been using iSCSI with SLES10 for a while without any problems. And even though I have been using SLES11 for months, I never ran across this problem until recently. Turns out that using iSCSI with SLES11 (or SuSE 11.1) has a bit of a problem. The problem is that you are unable to mount the iSCSI LUNs from within the August 14, 2009, at 12:16 PM
by -
Changed lines 20-163 from:
prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct
confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = after lower_pass = no nospace_user = after nospace_pass = no checkrad = ${sbindir}/checkrad
security { max_attributes = 200 reject_delay = 1 status_server = yes }
client 0.0.0.0/0 { secret = companysecret shortname = company }
thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 }
ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree" ldap_password = thisisnottherealpassword ldap_basedn = "o=tree" ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64"
modules { ldap ldap1 {
server = "ldap1.domain.name"
identity = ${ldap_identity}
password = ${ldap_password}
basedn = ${ldap_basedn}
filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=inetOrgPerson)"
start_tls = yes
tls_cacertfile = ${ldap_tls_cacertfile}
tls_require_cert = "demand"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = yes
}
ldap ldap2 {
server = "ldap2.domain.name"
identity = ${ldap_identity}
password = ${ldap_password}
basedn = ${ldap_basedn}
filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=inetOrgPerson)"
start_tls = yes
tls_cacertfile = ${ldap_tls_cacertfile}
tls_require_cert = "demand"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = yes
}
} authorize { ldap1 ldap2 } authenticate { Auth-Type LDAP {
ldap1
ldap2
}
} post-auth { Post-Auth-Type REJECT {
ldap1
ldap2
}
} to:
Deleted lines 22-29:
References:
August 14, 2009, at 12:15 PM
by -
Added lines 1-173:
(:title Workaround for iSCSI issues on SLES11:) FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that is can seem to have too many options, and unless your a RADIUS expert, your screwed! What I needed for a customer was way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all! Through a great deal of research, trial and error; I can up with the following slimmed down configuration file. Simple, Secure and Functional! Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 You might also want to create a link to the init.d script. ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd
I also had some minor problems with permissions on the cert.b64 file (make sure radiusd user and group can see the file) If you run into any problems just run the following command to see all the necessary troubleshooting output: radiusd -A -X
/etc/raddb/radiusd.conf
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":)
##############################################################################
# #
# /etc/raddb/radiusd.conf #
# #
# Author: Bob Brandt (projects@brandt.ie) #
# #
# FreeRADIUS Redundant LDAP Configuration #
# #
##############################################################################
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = after
lower_pass = no
nospace_user = after
nospace_pass = no
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# CLIENTS CONFIGURATION
client 0.0.0.0/0 {
secret = companysecret
shortname = company
}
# THREAD POOL CONFIGURATION
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# LDAP Information
ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree"
ldap_password = thisisnottherealpassword
ldap_basedn = "o=tree"
ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64"
# MODULE CONFIGURATION
modules {
ldap ldap1 {
server = "ldap1.domain.name"
identity = ${ldap_identity}
password = ${ldap_password}
basedn = ${ldap_basedn}
filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=inetOrgPerson)"
start_tls = yes
tls_cacertfile = ${ldap_tls_cacertfile}
tls_require_cert = "demand"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = yes
}
ldap ldap2 {
server = "ldap2.domain.name"
identity = ${ldap_identity}
password = ${ldap_password}
basedn = ${ldap_basedn}
filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=inetOrgPerson)"
start_tls = yes
tls_cacertfile = ${ldap_tls_cacertfile}
tls_require_cert = "demand"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = yes
}
}
authorize {
ldap1
ldap2
}
authenticate {
Auth-Type LDAP {
ldap1
ldap2
}
}
post-auth {
Post-Auth-Type REJECT {
ldap1
ldap2
}
}
(:divend:) References:
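Review bot: `log_auth_badpass = yes` and `log_auth_goodpass = yes` make radiusd write the passwords users submit into `${logdir}/radius.log` in clear text, which this slimmed-down configuration presents as "Simple, Secure and Functional"; `log_auth_badpass = no` and `log_auth_goodpass = no` keep the authentication result in the log without the credential. In the same file, `client 0.0.0.0/0 { secret = companysecret }` accepts RADIUS requests from any source address with a single shared secret, so the client block should be narrowed to the NAS addresses that actually need it, and `ldap_password` is stored in the clear, so the file's read permission should be limited to the radiusd user. This configuration was removed from the page in the later August 14, 2009, 12:16 PM revision, so the note applies to anyone reusing it from the history.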