
Re: dropbear-initramfs possible with open-iscsi during boot, using different NICs? [SOLVED]

On 10/22/2019 12:22 PM, Christopher David Howie wrote:
>> In a way, yes, but the kernel command line is unsuitable for this.
>> What you need is an init-premount script (see initramfs-tools(7)) which
>> configures either the second or both NICs with "ip" from busybox or
>> "udhcpc".
> Thanks for this pointer. I'll set up a scratch VM to experiment with
> these tools.

Alright, I got a working config and filed a bug report.

My test VM has a local SATA disk with two partitions: /boot and an
md-raid physical device.  The iSCSI disk has one partition: an md-raid
physical device.

The raid PVs were combined to create an md-raid mirror.  The mirror
contains a LUKS volume, which (when unlocked) holds an LVM PV.  The /
volume and swap are LVs.

Here's the lsblk summary for those of us who process information
visually (sda is SATA, sdb is iSCSI):

$ lsblk /dev/sd?
sda                     8:0    0    8G  0 disk
├─sda1                  8:1    0  487M  0 part  /boot
└─sda2                  8:2    0  7.5G  0 part
  └─md0                 9:0    0  7.5G  0 raid1
    └─md0_crypt       253:0    0  7.5G  0 crypt
      ├─vgtest-lvswap 253:1    0  952M  0 lvm   [SWAP]
      └─vgtest-lvroot 253:2    0  6.6G  0 lvm   /
sdb                     8:16   0    8G  0 disk
└─sdb1                  8:17   0    8G  0 part
  └─md0                 9:0    0  7.5G  0 raid1
    └─md0_crypt       253:0    0  7.5G  0 crypt
      ├─vgtest-lvswap 253:1    0  952M  0 lvm   [SWAP]
      └─vgtest-lvroot 253:2    0  6.6G  0 lvm   /

As mentioned before, the sticking point was wanting to run iSCSI and
dropbear-initramfs on two different NICs.  The idea to use an initramfs
init-premount script was a good suggestion, and is what I ended up
doing.  However, it was much easier to use ipconfig than either ip or
udhcpc -- particularly because the other initramfs scripts use ipconfig,
and ipconfig stores configuration state in /run in the initrd
environment, meaning that multiple things trying to configure the network
won't stomp on each other.  Rather, the first thing to run ipconfig
against an interface "wins."

So, I created /etc/initramfs-tools/scripts/init-premount/network with
the following contents, chmodded it +x, and rebuilt the initramfs:

#!/bin/sh
PREREQ=""
prereqs() {
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# iSCSI interface
# Internet-facing interface
ipconfig :::::ens3:dhcp

This works like a charm.  In /etc/network/interfaces, I simply leave out
configuration for these interfaces altogether and they remain configured
after the box comes up.  (In a real environment I might still configure
the Internet-facing interface, but leave the iSCSI interface out because
we absolutely don't want that interface going away because some script
is mucking with ifupdown.)

One last caveat that I ran into is that open-iscsi shutdown scripts will
try to avoid closing the session for / by looking through several
layers, including LVM and crypto.  However, md-raid is not considered at
all.  Since the scripts didn't think that the iSCSI device was in use,
they closed the session during shutdown.  This caused the iSCSI
partition to be kicked out of the mirror during shutdown, requiring a
manual "mdadm /dev/md0 --re-add missing" on every boot to fully
reassemble the array.

This was solved by setting ISCSI_ROOT_KEEP_ALL_SESSIONS_AT_SHUTDOWN=1 in
/etc/default/open-iscsi.  I have also filed bug #943347, requesting that
open-iscsi skip stopping sessions for any devices that are in use by
md-raid during shutdown.

Chris Howie

If you correspond with me on a regular basis, please read this document:

PGP fingerprint: 2B7A B280 8B12 21CC 260A DF65 6FCE 505A CF83 38F5


This document should be read only by those persons to whom it is
addressed.  If you have received this message it was obviously addressed
to you and therefore you can read it.

Additionally, by sending an email to ANY of my addresses or to ANY
mailing lists to which I am subscribed, whether intentionally or
accidentally, you are agreeing that I am "the intended recipient," and
that I may do whatever I wish with the contents of any message received
from you, unless a pre-existing agreement prohibits me from so doing.

This overrides any disclaimer or statement of confidentiality that may
be included on your message.
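
The md-raid caveat in the message above comes down to how shutdown logic decides whether an iSCSI device is still in use. As an added example (not code from open-iscsi or from the message), the functions below follow sysfs "slaves" links from a device down to its leaves, so md-raid members are found the same way as LVM and dm-crypt layers, and then report which iSCSI sessions those leaves sit on. The function names, the SYSFS override and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not code from open-iscsi or from the original post.
SYSFS=${SYSFS:-/sys}   # overridable so the walk can run on a sample tree

# Print the bottom-most block devices below $1 (kernel name such as dm-2),
# following sysfs "slaves" links through LVM, dm-crypt and md-raid alike.
leaf_devices() {
    dev=$1
    set -- "$SYSFS/class/block/$dev/slaves"/*
    if [ ! -e "$1" ]; then          # glob matched nothing: $dev is a leaf
        echo "$dev"
        return 0
    fi
    for slave in "$@"; do
        leaf_devices "${slave##*/}"
    done
}

# Print the iSCSI session (for example session1) that device $1 sits on.
# Assumption: an iSCSI disk resolves to a sysfs path containing /sessionN/.
iscsi_session_of() {
    path=$(readlink -f "$SYSFS/class/block/$1") || return 1
    case $path in
        */session[0-9]*/*) path=${path#*/session}; echo "session${path%%/*}" ;;
        *) return 1 ;;
    esac
}

# Print every iSCSI session that device $1 ultimately depends on.
sessions_in_use_by() {
    for leaf in $(leaf_devices "$1"); do
        iscsi_session_of "$leaf" || :
    done | sort -u
}

# Constructed sample tree mirroring the lsblk output in the post:
# dm-2 (lvroot) -> dm-0 (md0_crypt) -> md0 -> sda2 (SATA) + sdb1 (iSCSI).
build_sample_tree() {
    sata="$1/devices/pci0000:00/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2"
    iscsi="$1/devices/platform/host3/session1/target3:0:0/3:0:0:0/block/sdb/sdb1"
    mkdir -p "$sata" "$iscsi" "$1/class/block/dm-2/slaves/dm-0" \
        "$1/class/block/dm-0/slaves/md0" \
        "$1/class/block/md0/slaves/sda2" "$1/class/block/md0/slaves/sdb1"
    ln -s "$sata" "$1/class/block/sda2"
    ln -s "$iscsi" "$1/class/block/sdb1"
}
```

On a live system the argument would be the kernel name of the device mounted at /, which is dm-2 in the layout shown in the lsblk output.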
