On Wed, Feb 8, 2023 at 11:17 AM The Lee-Man <[email protected]> wrote:

> I wanted to mention some issues I've discovered as part of testing this:
>
>    - Currently, only some sysfs entries are going to be different per
>    namespace
>
>
Anything that's directly related to the iSCSI host, session, connection,
etc. should be filtered, I think.  SCSI mid-layer objects and block devices
are not.  That seemed the cleanest break for being able to isolate the
control plane to a network namespace, which is the isolation that I've seen
asked for.


>
>    - This means that the Configuration and Initiator Name are going to be
>    common to all running daemons (this is /etc/iscsi)
>    - This also means that the Node database (and discovery DB, and
>    interface DB) are common to all running daemons
>

These changes were about making the kernel to iscsid interfaces namespace
aware, so that iscsid could be containerized.  If you were to do that,
wouldn't you give iscsid a separate filesystem view with different
configuration and record database space?  I think you're right that there
are other resources that shouldn't be shared between multiple instances of
iscsid, and maybe protecting against some of that misconfiguration needs to
happen in Open-iSCSI.

- Chris


> I'm really not sure all running daemons should have the same initiator
> name. If we think of them as separate initiators, then this seems wrong.
>
> Sharing the Node database may not be a good idea, either. This assumes
> that nodes discovered (and saved) from one namespace can actually be
> reached from other namespaces, but this may not be true. Having the Node DB
> and initiatorname shared means the different iscsid instances must
> cooperate with each other, else their requests can collide. Also, I can
> imagine situations where different daemons may want to set different
> configuration values. Currently they cannot.
>
> On Wednesday, February 8, 2023 at 9:41:02 AM UTC-8 The Lee-Man wrote:
>
>> From: Lee Duncan <[email protected]>
>>
>> This is a request for comment on a set of patches that
>> modify the kernel iSCSI initiator communications so that
>> they are namespace-aware. The goal is to allow multiple
>> iSCSI daemons (iscsid) to run at once as long as they
>> are in separate namespaces, and so that iscsid can
>> run in containers.
>>
>> Comments and suggestions are more than welcome. I do not
>> expect that this code is production-ready yet, and
>> networking isn't my strongest suit (yet).
>>
>> These patches were originally posted in 2015 by Chris
>> Leech. There were some issues at the time about how
>> to handle namespaces going away. I hope to address
>> any issues raised with this patchset and then
>> to merge these changes upstream to address working
>> in containers.
>>
>> My contribution thus far has been to update these patches
>> to work with the current upstream kernel.
>>
>> Chris Leech/Lee Duncan (9):
>> iscsi: create per-net iscsi netlink kernel sockets
>> iscsi: associate endpoints with a host
>> iscsi: sysfs filtering by network namespace
>> iscsi: make all iSCSI netlink multicast namespace aware
>> iscsi: set netns for iscsi_tcp hosts
>> iscsi: check net namespace for all iscsi lookup
>> iscsi: convert flashnode devices from bus to class
>> iscsi: rename iscsi_bus_flash_* to iscsi_flash_*
>> iscsi: filter flashnode sysfs by net namespace
>>
>> drivers/infiniband/ulp/iser/iscsi_iser.c | 7 +-
>> drivers/scsi/be2iscsi/be_iscsi.c | 6 +-
>> drivers/scsi/bnx2i/bnx2i_iscsi.c | 6 +-
>> drivers/scsi/cxgbi/libcxgbi.c | 6 +-
>> drivers/scsi/iscsi_tcp.c | 7 +
>> drivers/scsi/qedi/qedi_iscsi.c | 6 +-
>> drivers/scsi/qla4xxx/ql4_os.c | 64 +--
>> drivers/scsi/scsi_transport_iscsi.c | 625 ++++++++++++++++-------
>> include/scsi/scsi_transport_iscsi.h | 63 ++-
>> 9 files changed, 537 insertions(+), 253 deletions(-)
>>
>> --
>> 2.39.1
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/open-iscsi/9ff09a3d-1a75-436a-bbc3-0f154285cfa3n%40googlegroups.com
>
