SOLVED iSCSI initiator from a jail

xilouris

Cadet
Joined
Feb 20, 2021
Messages
2
Hello all!

I am trying to configure an iSCSI initiator in one of the jails I have created. I am trying to mount a drive on another host. However, there seems to be some issue, as when I try to start the iscsid or the iscsi_initiator I get an error that /dev/iscsi does not exist.

Is there anything I am missing? Of course there is no issue when I use the initiator from the host itself.

Thanks
George.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
By default, the jail's devfs_ruleset setting limits the devices under /dev that are visible inside the jail. To make all the host's devices visible to the jail, you'll need to change some of the jail's settings:
  • devfs_ruleset=0
  • securelevel=0
  • allow_mount=1
  • allow_mount_devfs=1
  • allow_mount_procfs=1
You'll also need to adjust the host's security policy via System->Tunables, and add the following sysctl tunables:
  • security.jail.enforce_statfs: 0
  • security.jail.mount_allowed: 1
  • security.jail.mount_devfs_allowed: 1
  • security.jail.mount_procfs_allowed: 1
After these changes, /dev/iscsi should be visible inside the jail.
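
Added example, not part of the thread: a small `sh` check that reports which of the settings listed in the post above are currently at their relaxed values, so a jail that can see every host device shows up in an inventory. The function and variable names and the sample snapshot are constructed for illustration; input is assumed to be one setting per line, in either of the two notations the post uses.

```sh
#!/bin/sh
# Relaxed values taken from the post above (jail properties, then host sysctls).
RELAXED='devfs_ruleset=0
securelevel=0
allow_mount=1
allow_mount_devfs=1
allow_mount_procfs=1
security.jail.enforce_statfs=0
security.jail.mount_allowed=1
security.jail.mount_devfs_allowed=1
security.jail.mount_procfs_allowed=1'

# Read settings on stdin, as "key=value" or sysctl-style "name: value", and
# print (normalized to key=value) every one that sits at a relaxed value.
relaxed_settings() {
    while IFS= read -r line; do
        case $line in
            *=*) key=${line%%=*}; val=${line#*=} ;;
            *:*) key=${line%%:*}; val=${line#*:} ;;
            *)   continue ;;   # not a setting line
        esac
        # Strip blanks around the separator ("name: value" carries one).
        key=$(printf '%s' "$key" | tr -d ' \t')
        val=$(printf '%s' "$val" | tr -d ' \t')
        if printf '%s\n' "$RELAXED" | grep -Fxq -- "$key=$val"; then
            printf '%s\n' "$key=$val"
        fi
    done
}

# Constructed snapshot: a jail and host that are only partly relaxed.
sample_snapshot() {
    cat <<'EOF'
devfs_ruleset=0
securelevel=2
allow_mount=1
allow_mount_devfs=1
allow_mount_procfs=0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_procfs_allowed: 0
EOF
}

sample_snapshot | relaxed_settings
```

On a live host the sysctl half can be fed with `sysctl security.jail | relaxed_settings`; an empty result means none of the listed settings is at its relaxed value.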
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Alternatively, if this is too much trouble, you could always mount the remote volume on the host, and make it available to the jail via the jail fstab mechanism.
 

xilouris

Cadet
Joined
Feb 20, 2021
Messages
2
Thanks! This worked. I wonder where I could have picked up this information without asking :smile: I mean, I have searched all over the place.

Cheers

G
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Sometimes if you're doing strange things, you simply need to know all the parts of a system to know if something is even possible. Part of the power of UNIX is that you can do random and obscure things that aren't commonly done. Many people doing unusual things just go about their business and don't bother writing long blog posts about some incredibly arcane thing that will only get two views in the next ten years from people trying to figure out how to do a similar thing.

I write jails from scratch, that is, I don't install a full FreeBSD environment inside a jail, or even FreeBSD ports. I build something like Apache within the jail with the bare minimum set of files needed to make it work, from original source. This is far too much work for most Linux or FreeBSD users these days. However, it's worth it, because it means that my servers are far safer exposed to the Internet because common stack-smash exploits don't get to a /bin/sh. I don't bother documenting this for the random public because either you're a UNIX hacker of sufficient expertise where that concept might cause your eyebrows to raise, a light bulb goes on, and you intuitively come to a theory about how to do this, at which point you probably don't actually need much guidance, or it is beyond your pay grade/skill level and therefore it'd be simpler just to give you a tarball package that builds the thing.

All sorts of systems engineering stuff is like that. In some ways it is a little bit unfortunate.
 