Workaround for iSCSI issues on SLES11 (SLES.ISCSIOnSLES11) - page history
November 13, 2009, at 04:07 PM
by -
Changed line 104 from:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*[ \t]/|/|'`; do Changed line 116 from:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*[ \t]/|/|'`; do Changed line 128 from:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*[ \t]/|/|'`; do November 10, 2009, at 01:59 PM
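Review bot: `grep "iscsi," /etc/fstab` in all three loops (lines 104, 116 and 128) still selects commented-out entries, so an fstab line disabled with a leading `#` is mounted, unmounted and checked like a live one; filter comments out first, e.g. `grep -v '^[[:space:]]*#' /etc/fstab | grep "iscsi,"`. The move to `[ \t]/` is otherwise sound: anchoring on the whitespace before the mount point field is what keeps a nested path such as `/srv/data` intact.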
by -
Changed line 32 from:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 to:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail,noatime 1 2 November 10, 2009, at 01:59 PM
by -
Changed line 32 from:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail,_netdev 1 2 to:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 November 10, 2009, at 01:56 PM
by -
Changed line 18 from:
*Since the filesystem will not be available when the system first mounts the filesystems, it will fail when if reaches the iSCSI line, so you need to add the '''''nofail''''' option to the end of the option line. to:
*Since the filesystem will not be available when the system first mounts the filesystems, it will fail when if reaches the iSCSI line, so you need to add the '''''nofail''''' option to the end of the option line. (Note: on eariler systems nofail is not a vaild option so use '''''_netdev''''') November 10, 2009, at 11:50 AM
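Review bot: the added note presents `nofail` and `_netdev` as alternatives, but mount(8) gives them different jobs: `_netdev` marks the filesystem as needing the network so boot-time mounting defers it, while `nofail` only stops a missing device from being reported as an error; the 01:59 revision above then drops `_netdev` from the example line, leaving `nofail` as the only guard, so either keep both (`nofail,_netdev`) or say why `_netdev` is being left out. Spelling in the new text: 'eariler', 'vaild', and 'when if reaches' should be 'when it reaches'.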
by -
Changed line 32 from:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 to:
UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail,_netdev 1 2 Added lines 98-102:
#Added to take care of LVM groups on iSCSI vgscan > /dev/null sleep 1 vgchange -a y > /dev/null August 14, 2009, at 01:29 PM
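Review bot: the added `vgchange -a y` activates every volume group the host can see, not only those on the iSCSI LUN, and the stop path (`iscsiumountall && $ISCSISCRIPT $@`) never deactivates them, so an LVM volume group on the LUN is still active when the initiator logs out; add a matching `vgchange -a n <vg>` for the iSCSI groups before the initiator is stopped, and prefer looping on `vgs <vg>` until it succeeds over a fixed `sleep 1`, which is a race against a slow target.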
by -
Changed line 99 from:
for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do Changed line 111 from:
for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do Changed line 123 from:
for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do to:
for mountpoint in `grep "iscsi," /etc/fstab | sed -e 's|\s*iscsi,.*||' -e 's|.*/|/|'`; do August 14, 2009, at 01:04 PM
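Review bot: `s|.*/|/|` is greedy, so a mount point with more than one path component (`/srv/data`, say) comes out of this sed as `/data` and the loop then mounts the wrong path; anchor on the whitespace that precedes the field rather than on the last `/` (the 13 November revision above does this with `[ \t]/`). Dropping `cut -f 2` is right, though, since `cut` only handled tab-separated fstab entries.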
by -
Changed lines 18-20 from:
*Since the filesystem will not be available when the system first mounts the filesystems, it will fail when if reaches the iSCSI line, so you need to add the nofail option to the end of the option line. *Since the filesystem is not physically attached, it is probably best to make sure that all writes are synchronus, so add the sync and dirsync options as well. to:
*Since the filesystem will not be available when the system first mounts the filesystems, it will fail when if reaches the iSCSI line, so you need to add the '''''nofail''''' option to the end of the option line. *Since the filesystem is not physically attached, it is probably best to make sure that all writes are synchronous, so add the '''''sync''''' and '''''dirsync''''' options as well. August 14, 2009, at 01:03 PM
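Review bot: 'when if reaches the iSCSI line' should read 'when it reaches the iSCSI line'; the edit fixes 'synchronus' but leaves that one. On the `sync`/`dirsync` advice it is worth stating the trade-off: `sync` forces every data write on the LUN to complete synchronously, which costs throughput heavily on a network block device, and it cannot complete an in-flight write if the session drops, so readers should weigh it per workload rather than adopt it by default.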
by -
Changed line 17 from:
*As you can see in the example below, the filesystem type is '''scsi,''something'''''. Since there is not iscsi filesystem type it will mount the filesystem as '''''something''''' in this case '''''ext3'''''. to:
*As you can see in the example below, the filesystem type is '''scsi,''something'' '''. Since there is not a iscsi filesystem type it will mount the filesystem as '''''something''''' in this case '''''ext3'''''. August 14, 2009, at 01:02 PM
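Review bot: the prose says the type field is `scsi,something`, but the fstab example and the loops' `grep "iscsi,"` use `iscsi,`, so the leading `i` is missing here; also 'there is not a iscsi filesystem type' should be 'there is no iscsi filesystem type'.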
by -
Added line 11:
*Using the _netdev and auto options in the [@/etc/fstab@] file. Changed lines 16-17 from:
To make this script work it is necessary to slightly modify the iSCSI entries in the [@/etc/fstab@] file. As you can see in the example below, the filesystem type is '''scsi,''something''''' to:
To make this script work it is necessary to slightly modify the iSCSI entries in the [@/etc/fstab@] file: *As you can see in the example below, the filesystem type is '''scsi,''something'''''. Since there is not iscsi filesystem type it will mount the filesystem as '''''something''''' in this case '''''ext3'''''. *Since the filesystem will not be available when the system first mounts the filesystems, it will fail when if reaches the iSCSI line, so you need to add the nofail option to the end of the option line. *Since the filesystem is not physically attached, it is probably best to make sure that all writes are synchronus, so add the sync and dirsync options as well. August 14, 2009, at 12:57 PM
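Review bot: 'Since there is not iscsi filesystem type it will mount the filesystem as something' relies on documented mount(8) behaviour, namely that the type field may be a comma-separated list of filesystem types tried in order, and that is worth saying outright so readers do not take `iscsi,` for a keyword mount understands; it also means each mount first attempts a type `iscsi` that does not exist before falling through to `ext3`.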
by -
Changed lines 15-16 from:
To make this script work it is necessary to slightly modify the iSCSI entries in the [@/etc/fstab@] file to:
To make this script work it is necessary to slightly modify the iSCSI entries in the [@/etc/fstab@] file. As you can see in the example below, the filesystem type is '''scsi,''something''''' August 14, 2009, at 12:56 PM
by -
Changed line 18 from:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:150px;":) to:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:175px;":) August 14, 2009, at 12:56 PM
by -
Changed line 18 from:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":) to:
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:150px;":) August 14, 2009, at 12:54 PM
by -
Changed lines 20-28 from:
to:
/dev/system/swap swap swap defaults 0 0 /dev/system/root / ext3 acl,user_xattr 1 1 /dev/sda1 /boot ext3 acl,user_xattr 1 2 /dev/system/home /home ext3 acl,user_xattr 1 2 proc /proc proc defaults 0 0 sysfs /sys sysfs noauto 0 0 debugfs /sys/kernel/debug debugfs noauto 0 0 devpts /dev/pts devpts mode=0620,gid=5 0 0 UUID=81ff75b2-c311-46ea-b1b9-bade8b597624 /data iscsi,ext3 acl,user_xattr,sync,dirsync,nofail 1 2 Changed lines 35-134 from:
to:
#!/bin/bash # # /etc/init.d/open-iscsi # ### BEGIN INIT INFO # Provides: iscsi-mount # Required-Start: $network # Should-Start: iscsitarget # Required-Stop: $network # Should-Stop: iscsitarget # Default-Start: 3 5 # Default-Stop: # Short-Description: iSCSI initiator daemon wrapper # Description: The iSCSI initator is used to create and # manage iSCSI connections to a iSCSI Target. # This wrapper also takes care of iSCSI # fstab entries. # Created by Bob Brandt <projects@brandt.ie> # ### END INIT INFO ISCSISCRIPT=/etc/init.d/open-iscsi MOUNTSCRIPT=/etc/init.d/iscsi-mount RCSCRIPT=/sbin/rciscsi-mount declare -i overallstatus=0 test -h $RCSCRIPT || ln -sf $MOUNTSCRIPT $RCSCRIPT # Source LSB init functions . /etc/rc.status # Reset status of this service rc_reset iscsimount() { rc_reset echo -n "Mounting $1: " mount $1 rc_status -v return $? } iscsiumount() { rc_reset echo -n "Umounting $1: " umount $1 rc_status -v return $? } iscsicheck() { rc_reset echo -n "Verify if $1 is mounted: " mount | grep "on $1\b" > /dev/null rc_status -v return $? } iscsimountall() { # Find all fstab lines with iscsi as the fstype for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do # Only try to mount filesystems that are NOT currently mounted. if ! mount | grep "on $mountpoint\b" > /dev/null then iscsimount $mountpoint || overallstatus=$? fi done return $overallstatus } iscsiumountall() { # Find all fstab lines with iscsi as the fstype for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do # Only try to umount filesystems that are currently mounted. if mount | grep "on $mountpoint\b" > /dev/null then iscsiumount $mountpoint || overallstatus=$? fi done return $overallstatus } iscsicheckall() { # Find all fstab lines with iscsi as the fstype for mountpoint in `grep "iscsi," /etc/fstab | cut -f 2`; do iscsicheck $mountpoint || overallstatus=$? 
done return $overallstatus } case "$1" in start) $ISCSISCRIPT $@ && sleep 1 && iscsimountall ;; stop) iscsiumountall && $ISCSISCRIPT $@ ; overallstatus=$? ;; status) $ISCSISCRIPT $@ && iscsicheckall ;; restart|reload) $0 stop && sleep 1 && $0 start ; overallstatus=$? ;; initiator) shift ; $ISCSISCRIPT $@ ; overallstatus=$? ;; *) echo "Usage: $0 {start|stop|status|restart|reload|initiator}"; overallstatus=1 ;; esac rc_failed $overallstatus rc_exit August 14, 2009, at 12:52 PM
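Review bot: the wrapper drives `/etc/init.d/open-iscsi` itself, but its INIT INFO block (`Required-Start: $network`, `Should-Start: iscsitarget`) never mentions open-iscsi, so if that service stays enabled insserv can still stop it on its own at shutdown before `iscsi-mount stop` has unmounted anything, which is the ordering this wrapper exists to prevent; disable the original (`chkconfig open-iscsi off`) or list it under `Required-Start`/`Required-Stop` so the order is pinned. Two smaller points: `mount | grep "on $mountpoint\b"` treats `/data` as mounted when only `/data/archive` or `/data-old` is, because `\b` matches before `/` and `-`, so match `" on $mountpoint type "` instead; and the header comment names the file `/etc/init.d/open-iscsi` where it should say `/etc/init.d/iscsi-mount`.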
by -
Changed line 17 from:
->[+/etc/init.d/iscsi-mount+] to:
->[+/etc/fstab+] ''(an example)'' Added lines 23-29:
->[+/etc/init.d/iscsi-mount+] (:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":) [@ @] (:divend:) August 14, 2009, at 12:52 PM
by -
Changed lines 5-12 from:
The problem is that you are unable to mount the iSCSI LUNs from within the [@/etc/fstab@] file. Now I am fully willing to admit that this "problem" is just due to my own stupidity, but from the research I have done online, I am not the only one to notice this problem. I also had some minor problems with permissions on the cert.b64 file (make sure radiusd user and group can see the file) If you run into any problems just run the following command to see all the necessary troubleshooting output: ->[@radiusd -A -X@] to:
The problem is that you are unable to mount the iSCSI LUNs from within the [@/etc/fstab@] file when using the open-scsi software initiator. Now I am fully willing to admit that this "problem" is just due to my own stupidity, but from the research I have done online, I am not the only one to notice this problem. The issue I had was that the system would try to mount the LUNs before the network was up and therefore failed. I tried a number of possible remedies but nothing worked: *Figuring out what remote_fs is and how to use it. *Moving the network_remote deamon script till after the iSCSI initiator was up. *Creating my own [@/etc/fstab.iscsi@] file. What other people have done is to create custom scripts. However my problem with these script is that they seemed sloppy. I needed a system that would handle both the iscsi initiator and the mounting of the filesystems in one go. And I also wanted a system that would work with the existing GNU utilities. What I can up with was a wrapper script for the open-scsi deamon (see below). This handles both the software initiator and mounting of the filesystems - for both starting and stopping. This way I can be sure certain that the system will neither try to mount filesystems before the an iSCSI connection is established nor kill the iSCSI connection without first umounting the filesystems. To make this script work it is necessary to slightly modify the iSCSI entries in the [@/etc/fstab@] file August 14, 2009, at 12:33 PM
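Review bot: 'open-scsi' (twice) should be 'open-iscsi', the name the script itself uses for `/etc/init.d/open-iscsi`; a few other slips in the new paragraphs: 'deamon' for 'daemon', 'What I can up with' for 'What I came up with', 'I can be sure certain' and 'before the an iSCSI connection'.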
by -
Changed line 13 from:
->[+/etc/raddb/radiusd.conf+] to:
->[+/etc/init.d/iscsi-mount+] August 14, 2009, at 12:26 PM
by -
Changed lines 3-11 from:
FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that is can seem to have too many options, and unless your a RADIUS expert, your screwed! What I needed for a customer was way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all! Through a great deal of research, trial and error; I can up with the following slimmed down configuration file. Simple, Secure and Functional! Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 You might also want to create a link to the init.d script. ->[@ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd@] to:
I have been using iSCSI with SLES10 for a while without any problems. And even though I have been using SLES11 for months, I never ran across this problem until recently. Turns out that using iSCSI with SLES11 (or SuSE 11.1) has a bit of a problem. The problem is that you are unable to mount the iSCSI LUNs from within the [@/etc/fstab@] file. Now I am fully willing to admit that this "problem" is just due to my own stupidity, but from the research I have done online, I am not the only one to notice this problem. August 14, 2009, at 12:16 PM
by -
Changed lines 20-163 from:
############################################################################## # # # /etc/raddb/radiusd.conf # # # # Author: Bob Brandt (projects@brandt.ie) # # # # FreeRADIUS Redundant LDAP Configuration # # # ############################################################################## prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = after lower_pass = no nospace_user = after nospace_pass = no checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION security { max_attributes = 200 reject_delay = 1 status_server = yes } # CLIENTS CONFIGURATION client 0.0.0.0/0 { secret = companysecret shortname = company } # THREAD POOL CONFIGURATION thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } # LDAP Information ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree" ldap_password = thisisnottherealpassword ldap_basedn = "o=tree" ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64" # MODULE CONFIGURATION modules { ldap ldap1 { server = "ldap1.domain.name" identity = ${ldap_identity} password = ${ldap_password} basedn = ${ldap_basedn} filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" base_filter = "(objectclass=inetOrgPerson)" start_tls = yes tls_cacertfile = ${ldap_tls_cacertfile} 
tls_require_cert = "demand" access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword timeout = 4 timelimit = 3 net_timeout = 1 edir_account_policy_check = yes } ldap ldap2 { server = "ldap2.domain.name" identity = ${ldap_identity} password = ${ldap_password} basedn = ${ldap_basedn} filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" base_filter = "(objectclass=inetOrgPerson)" start_tls = yes tls_cacertfile = ${ldap_tls_cacertfile} tls_require_cert = "demand" access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword timeout = 4 timelimit = 3 net_timeout = 1 edir_account_policy_check = yes } } authorize { ldap1 ldap2 } authenticate { Auth-Type LDAP { ldap1 ldap2 } } post-auth { Post-Auth-Type REJECT { ldap1 ldap2 } } to:
Deleted lines 22-29:
References: * %newwin% http://www.novell.com/coolsolutions/tip/15922.html * %newwin% http://www.novell.com/documentation/edir_radius/index.html * %newwin% http://en.opensuse.org/RadiusServerHOWTO August 14, 2009, at 12:15 PM
by -
Added lines 1-173:
(:title Workaround for iSCSI issues on SLES11:) FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that is can seem to have too many options, and unless your a RADIUS expert, your screwed! What I needed for a customer was way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all! Through a great deal of research, trial and error; I can up with the following slimmed down configuration file. Simple, Secure and Functional! Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 You might also want to create a link to the init.d script. ->[@ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd@] I also had some minor problems with permissions on the cert.b64 file (make sure radiusd user and group can see the file) If you run into any problems just run the following command to see all the necessary troubleshooting output: ->[@radiusd -A -X@] ->[+/etc/raddb/radiusd.conf+] (:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":) [@ ############################################################################## # # # /etc/raddb/radiusd.conf # # # # Author: Bob Brandt (projects@brandt.ie) # # # # FreeRADIUS Redundant LDAP Configuration # # # ############################################################################## prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. 
confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = after lower_pass = no nospace_user = after nospace_pass = no checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION security { max_attributes = 200 reject_delay = 1 status_server = yes } # CLIENTS CONFIGURATION client 0.0.0.0/0 { secret = companysecret shortname = company } # THREAD POOL CONFIGURATION thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } # LDAP Information ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree" ldap_password = thisisnottherealpassword ldap_basedn = "o=tree" ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64" # MODULE CONFIGURATION modules { ldap ldap1 { server = "ldap1.domain.name" identity = ${ldap_identity} password = ${ldap_password} basedn = ${ldap_basedn} filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" base_filter = "(objectclass=inetOrgPerson)" start_tls = yes tls_cacertfile = ${ldap_tls_cacertfile} tls_require_cert = "demand" access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword timeout = 4 timelimit = 3 net_timeout = 1 edir_account_policy_check = yes } ldap ldap2 { server = "ldap2.domain.name" identity = ${ldap_identity} password = ${ldap_password} basedn = ${ldap_basedn} filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" base_filter = "(objectclass=inetOrgPerson)" start_tls = yes tls_cacertfile = 
${ldap_tls_cacertfile} tls_require_cert = "demand" access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword timeout = 4 timelimit = 3 net_timeout = 1 edir_account_policy_check = yes } } authorize { ldap1 ldap2 } authenticate { Auth-Type LDAP { ldap1 ldap2 } } post-auth { Post-Auth-Type REJECT { ldap1 ldap2 } } @] (:divend:) References: * %newwin% http://www.novell.com/coolsolutions/tip/15922.html * %newwin% http://www.novell.com/documentation/edir_radius/index.html * %newwin% http://en.opensuse.org/RadiusServerHOWTO
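Review bot: this first revision is the FreeRADIUS article's body under the iSCSI title (replaced in the revisions above), so nothing in it is iSCSI-specific; one thing worth carrying back to the source page is `client 0.0.0.0/0 { secret = companysecret }`, which accepts RADIUS requests from any address with a single shared secret and should be narrowed to the NAS addresses that actually need it.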