Saturday, November 20, 2021

iSCSI

Just some experiments I made with iSCSI. If you want to use iSCSI in a production environment, make sure to set up a dedicated network for your iSCSI traffic. And maybe don't use your wireless network for iSCSI. This article covers the following topics:

  • Basic Setup
  • Reduce access to a specific IP
  • Incoming user from Initiator to Target
  • Add initiator name for access control
  • Automatic lun import on startup

Let's get started with my general setup:

  • Target (Server): ct01 192.168.4.1
  • Initiator (Client): ws02 192.168.4.2

Basic Setup

Start with a very basic configuration to provide one lun from the target to the network:

# vi /etc/tgt/conf.d/ws02.conf
<target iqn.ct01.karellen.local:lun0>
  backing-store /dev/mapper/ct01--local-iscsi0
</target>

# systemctl restart tgt
# tgt-admin -s
Target 1: iqn.ct01.karellen.local:lun0
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
            SCSI ID: IET     00010000
            SCSI SN: beaf10
            Size: 0 MB, Block size: 1
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: No
            SWP: No
            Thin-provisioning: No
            Backing store type: null
            Backing store path: None
            Backing store flags:
        LUN: 1
            Type: disk
            SCSI ID: IET     00010001
            SCSI SN: beaf11
            Size: 10737 MB, Block size: 512
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: No
            SWP: No
            Thin-provisioning: No
            Backing store type: rdwr
            Backing store path: /dev/mapper/ct01--local-iscsi0
            Backing store flags:
    Account information:
    ACL information:
        ALL


On the initiator, import the lun:

# iscsiadm -m discovery -t st -p 192.168.4.1
192.168.4.1:3260,1 iqn.ct01.karellen.local:lun0

# iscsiadm -m node --targetname "iqn.ct01.karellen.local:lun0" --portal "192.168.4.1:3260" --login
Logging in to [iface: default, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260] (multiple)
Login to [iface: default, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260] successful.

# lsblk
NAME         MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda            8:0    0   10G  0 disk
+-sda1         8:1    0   10G  0 part

...


Back on the target, show the current state of the lun and check the I_T nexus information section:

# tgt-admin -s
Target 1: iqn.ct01.karellen.local:lun0
...
    I_T nexus information:
        I_T nexus: 2
            Initiator: iqn.1993-08.org.debian:01:b8ae24706873 alias: ws02
            Connection: 0
                IP Address: 192.168.4.2
...


On the initiator again, do your operations (mount, copy, umount), then remove the lun again:

# iscsiadm -m node --targetname "iqn.ct01.karellen.local:lun0" --portal "192.168.4.1:3260" --logout
Logging out of session [sid: 1, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260]
Logout of [sid: 1, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260] successful.

Reduce access to a specific IP

On the target, add a wrong IP for the initiator (wrong IP for testing):

# vi /etc/tgt/conf.d/ws02.conf
<target iqn.ct01.karellen.local:lun0>
  backing-store /dev/mapper/ct01--local-iscsi0
  initiator-address 192.168.4.10
</target>

# systemctl restart tgt


On the initiator, import the lun and note the error message:

# iscsiadm -m discovery -t st -p 192.168.4.1
iscsiadm: No portals found
# iscsiadm -m node --targetname "iqn.ct01.karellen.local:lun0" --portal "192.168.4.1:3260" --login
iscsiadm: default: 1 session requested, but 1 already present.
iscsiadm: Could not log into all portals


On the target, correct the IP for the initiator:

# vi /etc/tgt/conf.d/ws02.conf
<target iqn.ct01.karellen.local:lun0>
  backing-store /dev/mapper/ct01--local-iscsi0
  initiator-address 192.168.4.2
</target>

# systemctl restart tgt


Run a discovery on the initiator again:

# iscsiadm -m discovery -t st -p 192.168.4.1
192.168.4.1:3260,1 iqn.ct01.karellen.local:lun0

Incoming user from Initiator to Target

Add a user to your configuration:

# vi ct01-iscsi0.conf
<target iqn.ct01.karellen.local:lun0>
  backing-store /dev/mapper/ct01--local-iscsi0
  initiator-address 192.168.4.2
  incominguser iscsi-user password
</target>

# iscsiadm -m discovery -t st -p 192.168.4.1
192.168.4.1:3260,1 iqn.ct01.karellen.local:lun0
# iscsiadm -m node --targetname "iqn.ct01.karellen.local:lun0" --portal "192.168.4.1:3260" --login
Logging in to [iface: default, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals


Enter the following commands to add username and password:

# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n node.session.auth.authmethod -v CHAP
# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n node.session.auth.username -v iscsi-user
# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n node.session.auth.password -v password


Or edit the config file directly:

# vi /etc/iscsi/nodes/iqn.ct01.karellen.local\:lun0/192.168.4.1\,3260\,1/default
...
node.session.auth.authmethod = CHAP
node.session.auth.username = iscsi-user
node.session.auth.password = password
...

# iscsiadm -m node --targetname "iqn.ct01.karellen.local:lun0" --portal "192.168.4.1:3260" --login
Logging in to [iface: default, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260] (multiple)
Login to [iface: default, target: iqn.ct01.karellen.local:lun0, portal: 192.168.4.1,3260] successful.


After a new discovery, authmethod, username and password are reset to default:

# iscsiadm -m discovery -t st -p 192.168.4.1
192.168.4.1:3260,1 iqn.ct01.karellen.local:lun0


Add initiator name for access control

First the initiator name on the initiator has to be set:

# echo "InitiatorName=`/sbin/iscsi-iname`" > /etc/iscsi/initiatorname.iscsi
# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2005-03.org.open-iscsi:28ec27b9454c


Add initiator name on target:

# cat ct01-iscsi0.conf
<target iqn.ct01.karellen.local:lun0>
  backing-store /dev/mapper/ct01--local-iscsi0
  initiator-address 192.168.4.2
  initiator-name iqn.2005-03.org.open-iscsi:28ec27b9454c
  incominguser iscsi-user password
</target>
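
A quick way to check target definitions for the controls added step by step above (added example, not part of the original post; `audit_tgt_conf`, `sample_conf`, the `lun1` target and the 12-character minimum are assumptions made for illustration):

```shell
# Added example: audit tgt <target> blocks for the access controls shown on this page.
MIN_SECRET_LEN=12   # assumed policy threshold, not a tgt setting

# Reads tgt config from stdin (or from files given as arguments) and prints
# one "<iqn> <finding>" line per missing or weak control.
audit_tgt_conf() {
    awk -v min="$MIN_SECRET_LEN" '
        /^[ \t]*#/ { next }                       # ignore comment lines
        /^[ \t]*<target[ \t]/ {                   # start of a target block
            iqn = $2; sub(/>$/, "", iqn)
            addr = 0; name = 0; user = 0; weak = ""
            next
        }
        /^[ \t]*<\/target>/ {                     # end of block: report gaps
            if (!addr) print iqn, "no-initiator-address"
            if (!name) print iqn, "no-initiator-name"
            if (!user) print iqn, "no-incominguser"
            if (weak != "") print iqn, "short-chap-secret:" weak
            iqn = ""
            next
        }
        iqn == "" { next }                        # outside any target block
        $1 == "initiator-address" && $2 != "ALL" { addr = 1 }
        $1 == "initiator-name"                   { name = 1 }
        $1 == "incominguser" {
            user = 1
            if (length($3) < min) weak = $2       # report the user, never the secret
        }
    ' "$@"
}

# Constructed sample: lun0 is the final block from this page; lun1 is a
# hypothetical second target that repeats the "Basic Setup" block.
sample_conf() {
cat <<'EOF'
<target iqn.ct01.karellen.local:lun0>
  backing-store /dev/mapper/ct01--local-iscsi0
  initiator-address 192.168.4.2
  initiator-name iqn.2005-03.org.open-iscsi:28ec27b9454c
  incominguser iscsi-user password
</target>
<target iqn.ct01.karellen.local:lun1>
  backing-store /dev/mapper/ct01--local-iscsi1
</target>
EOF
}

sample_conf | audit_tgt_conf
```

Run it against real files with `audit_tgt_conf /etc/tgt/conf.d/*.conf`. The final block from this page is still flagged, because `password` is shorter than the assumed minimum.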
 

Automatic lun import on startup

From what I have figured out, one of the following commands is enough to import your lun automatically during startup. But since I saw both all the time, I also added both:

# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n node.startup -v automatic
# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n 'node.conn[0].startup' -v automatic


Then restart the iscsi service:

# systemctl restart iscsi.service

To disable:

# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n node.startup -v manual
# iscsiadm --mode node -T iqn.ct01.karellen.local:lun0 -p 192.168.4.1:3260 -o update -n 'node.conn[0].startup' -v manual

That's it for what I have tested with iSCSI. I am not using iSCSI at all (I just have no use for it), but I wanted to know what is required to get a small configuration up and running.
