Re: [ClusterLabs] chap lio-t / iscsitarget disabled - why?
On Tue, Apr 03, 2018 at 04:48:00PM +0200, Stefan Friedel wrote: > we've a running drbd - iscsi cluster (two nodes Debian stretch, pacemaker / > corosync, res group w/ ip + iscsitarget/lio-t + iscsiluns + lvm etc. on top of > drbd etc.). Everything is running fine - but we didn't manage to get CHAP to > work. targetcli / lio-t always switches the authentication off after a > migration > or restart. > > I found the following lines in the iSCSITarget resource file (Debian stretch > /usr/lib/ocf/resource.d/heartbeat/iSCSITarget, also in > https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/iSCSITarget.in): > >[...] ># TODO: add CHAP authentication support when it gets added back into LIO >ocf_run targetcli /iscsi/${OCF_RESKEY_iqn}/tpg1/ set attribute > authentication=0 || exit $OCF_ERR_GENERIC >[...] Yes, another comment in that file suggests that CHAP support was not available at that time (2009) in lio and/or lio-t: lio|lio-t) # TODO: Remove incoming_username and incoming_password # from this check when LIO 3.0 gets CHAP authentication unsupported_params="tid incoming_username incoming_password" ;; If you get it working with the current version of targetcli-fb, you can create a pull request in the ClusterLabs repo :) -- Valentin ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org
[ClusterLabs] chap lio-t / iscsitarget disabled - why?
Hi all, we've a running drbd - iscsi cluster (two nodes Debian stretch, pacemaker / corosync, res group w/ ip + iscsitarget/lio-t + iscsiluns + lvm etc. on top of drbd etc.). Everything is running fine - but we didn't manage to get CHAP to work. targetcli / lio-t always switches the authentication off after a migration or restart. I found the following lines in the iSCSITarget resource file (Debian stretch /usr/lib/ocf/resource.d/heartbeat/iSCSITarget, also in https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/iSCSITarget.in): [...] # TODO: add CHAP authentication support when it gets added back into LIO ocf_run targetcli /iscsi/${OCF_RESKEY_iqn}/tpg1/ set attribute authentication=0 || exit $OCF_ERR_GENERIC [...] (l384ff on github). This targetcli command actually disables authentication...but why? Is the assumption "LIO does not offer CHAP support" still true? Anybody out there who is successfully using lio-t + iSCSITarget + CHAP? Any hint is welcome! MfG/Sincerely Stefan Friedel -- IWR * 4.317 * INF205 * 69120 Heidelberg T +49 6221 5414404 * F +49 6221 5414427 stefan.frie...@iwr.uni-heidelberg.de signature.asc Description: signature ___ Users mailing list: Users@clusterlabs.org https://lists.clusterlabs.org/mailman/listinfo/users Project Home: http://www.clusterlabs.org Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf Bugs: http://bugs.clusterlabs.org