Creating an iSCSI target and initiator with CentOS 7
First, you will probably need to install the necessary packages, as they are not installed by default. For the iSCSI server (the target portal), install the scsi-target-utils and targetcli packages; on the client, install the iscsi-initiator-utils package. For testing, or if you are just trying out iSCSI on a single system for practice, it may be useful to have all three installed on the server. The following command will install all three packages:
yum -y install scsi-target-utils targetcli iscsi-initiator-utils
iSCSI Qualified Name (IQN)
You will need to assign a unique iSCSI Qualified Name (IQN) for your server, client, and each target. The IQN starts with "iqn." followed by the year-month that the target will be available after, like "2015-11". After that comes the domain name in reverse, like "com.example", and finally a colon followed by the name of the specific entity, like ":lun0" or ":centos7". Put all together, the IQN looks like this: "iqn.2015-11.com.example:lun0" or "iqn.2015-11.com.example:centos7".
If, instead of setting your own, you want an IQN generated for your system that should be universally unique and that you can place into /etc/iscsi/initiatorname.iscsi, you can execute:
iscsi-iname
which should output something like:
iqn.1994-05.com.redhat:34d4db0d675
iSCSI Target Portal (Server) Configuration
Your system is already identified with an IQN in the file /etc/iscsi/initiatorname.iscsi. You can modify this to something unique for your network (or the world), such as: iqn.2015-11.com.example:centos7. You will need all the IQNs for the clients that will connect to your iSCSI portal. After updating the previous file, the iscsid service should be restarted with:
systemctl restart iscsid
Rather than having to edit configuration files by hand, the targetcli command provides an interface for managing the targets of your portal which uses a directory metaphor for organization and navigation. Start the interface by executing:
targetcli
First navigate to the appropriate backstore directory, and then create a backing store. If you have a block device, like /dev/sdd, then you could create a backing store named back1 by executing:
cd /backstores/block
create back1 /dev/sdd
To use a file image backing store with a size of 100Mb, you could execute:
cd /backstores/fileio
create back1 /var/lib/iscsi-lun0.img 100M
Next, to create target IQNs, you can create entries under /iscsi. For example, to create a target of iqn.2015-11.com.example:lun0, you would execute:
cd /iscsi
create iqn.2015-11.com.example:lun0
The backing store created earlier must be associated with the target IQN. You do this by navigating under the IQN, the target portal group, and the luns directory like /iscsi/iqn.2015-11.com.example:lun0/tpg1/luns.
Pay attention to which /backstore file you used previously. If you created the block device /backstores/block/back1 earlier then you would execute:
cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/luns
create /backstores/block/back1
If you created the fileio backstore earlier, then you would execute:
cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/luns
create /backstores/fileio/back1
Then, for each client, an acl must be added. Begin by changing to the acls under your IQN/tpg1:
cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/acls
For each client, add the acl by creating an IQN entry:
create iqn.2015-11.com.example:centos7
Optionally, add authentication information (this matches the initiator configuration below):
cd iqn.2015-11.com.example:centos7
set auth userid=student
set auth password=password
If you return to the targetcli interface later, you can navigate to this "directory" and use the following command to view the authentication information for this client (this command is useful in user "directories" within targetcli, too):
cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/acls/iqn.2015-11.com.example:centos7
info
which outputs:
chap_password: password
chap_userid: student
wwns:
iqn.2015-11.com.example:centos7
When you are done, you can leave the program.
exit
Hot Tip! Each time you exit targetcli, it informs you that it has updated the /etc/target/saveconfig.json file, which could be edited. Also, targetcli keeps a copy of the last ten configurations you have used in /etc/target/backup. So it is easy to edit the current configuration or restore one of these configuration files by copying the /etc/target/backup/saveconfig-[TIMESTAMP].json file over the /etc/target/saveconfig.json, and then restart the iscsid service.
After you have finished providing each client acl, you should review the configuration using the following suggestions. You can navigate the configuration like a normal filesystem with cd and ls, and use info and help to get information specific to each directory of the configuration:
cd /
ls
cd /backstores/fileio
ls
help
cd /iscsi
ls
If you are satisfied, then exit the interface by executing:
exit
Finally, enable and start the iscsid service:
systemctl enable iscsid
systemctl start iscsid
If this is working correctly, then the port 3260/tcp should be listening and shown by the following command:
ss -tln | grep 3260
which should show:
LISTEN 0 5 *:3260 *:*
You may need to enable the port through the firewalld configuration, which is used for the firewall by default. You have several ways that you could achieve this with greater security, but this example assumes that you want to make the port open for all addresses:
firewall-cmd --zone public --add-port 3260/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
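Added example, not part of the original post: one of the more restrictive alternatives mentioned above, which accepts 3260/tcp only from listed initiator addresses by using firewalld rich rules and then closes the open-to-all port. The initiator address 10.0.2.6 and the FIREWALL_CMD dry-run variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: limit 3260/tcp to named initiators instead of all addresses.

# Print a firewalld rich rule accepting 3260/tcp from IPv4 source $1
# (address or CIDR). Returns 1 and prints nothing if $1 is not valid.
iscsi_rich_rule() {
    src=$1
    printf '%s\n' "$src" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${src%/*}" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    printf 'rule family="ipv4" source address="%s" port port="3260" protocol="tcp" accept\n' "$src"
}

# Usage: restrict_iscsi_port ZONE SOURCE...
# Validates every source first, then adds one rich rule per source and closes
# the open-to-all port. FIREWALL_CMD=echo gives a dry run (hypothetical knob).
restrict_iscsi_port() {
    fw=${FIREWALL_CMD:-firewall-cmd}
    zone=$1
    shift
    for s in "$@"; do
        iscsi_rich_rule "$s" >/dev/null || { echo "invalid source: $s" >&2; return 1; }
    done
    for s in "$@"; do
        "$fw" --permanent --zone="$zone" --add-rich-rule="$(iscsi_rich_rule "$s")"
    done
    "$fw" --permanent --zone="$zone" --remove-port=3260/tcp
    "$fw" --reload
}

# Dry run: 10.0.2.6 is a constructed initiator address, not one from the post.
FIREWALL_CMD=echo
restrict_iscsi_port public 10.0.2.6
```

To apply it, run the function as root on the target with the real initiator addresses and FIREWALL_CMD unset, then confirm the result with firewall-cmd --list-all.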
iSCSI Initiator (Client) Configuration
Just as was done on the server, the client should be identified by an IQN in the /etc/iscsi/initiatorname.iscsi file. Make sure that you use the same IQN for each client that you used to create the acl entries on the server. Don't forget to update the /etc/iscsi/initiatorname.iscsi file and restart the iscsid service:
systemctl restart iscsid
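Added example, not part of the original post: a shell check that the initiator's IQN follows the format described under "iSCSI Qualified Name (IQN)" and that the target holds an acl for exactly that name. The node_wwn key and the one-key-per-line layout of saveconfig.json are assumptions about targetcli's saved configuration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: check that the initiator's IQN is well formed and has a
# matching acl on the target.

# Return 0 if $1 has the form iqn.YYYY-MM.reversed.domain[:name].
valid_iqn() {
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:[^[:space:]]+)?$'
}

# Print the IQN from the InitiatorName= line of an initiatorname.iscsi file.
initiator_iqn() {
    sed -n 's/^[[:space:]]*InitiatorName=//p' "$1" | sed -n '1p'
}

# Print every acl IQN in a saveconfig.json, one per line.
# Assumption: acls are stored under the key "node_wwn", one key per line.
acl_iqns() {
    sed -n 's/.*"node_wwn": *"\([^"]*\)".*/\1/p' "$1"
}

# $1 = initiatorname.iscsi, $2 = saveconfig.json.
# Returns 0 if the IQN has an acl, 1 if it has none, 2 if it is malformed.
check_initiator_acl() {
    iqn=$(initiator_iqn "$1")
    if ! valid_iqn "$iqn"; then
        echo "malformed IQN: $iqn"
        return 2
    fi
    if acl_iqns "$2" | grep -Fxq -- "$iqn"; then
        echo "ACL present for $iqn"
    else
        echo "no ACL for $iqn"
        return 1
    fi
}

# Write constructed sample files into directory $1; $2 is the acl IQN to store.
make_sample() {
    printf 'InitiatorName=iqn.2015-11.com.example:centos7\n' > "$1/initiatorname.iscsi"
    printf '{ "targets": [ { "tpgs": [ { "node_acls": [ {\n  "node_wwn": "%s"\n} ] } ] } ] }\n' \
        "$2" > "$1/saveconfig.json"
}

# Demo: an acl created with a stray ".com" does not cover the initiator.
d=$(mktemp -d)
make_sample "$d" 'iqn.2015-11.com.example.com:centos7'
check_initiator_acl "$d/initiatorname.iscsi" "$d/saveconfig.json" || true
make_sample "$d" 'iqn.2015-11.com.example:centos7'
check_initiator_acl "$d/initiatorname.iscsi" "$d/saveconfig.json"
rm -rf "$d"
```

On real systems, point it at /etc/iscsi/initiatorname.iscsi from the client and a copy of /etc/target/saveconfig.json from the server.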
If you set a userid and password in the acl you created on the server, then in /etc/iscsi/iscsid.conf on the client, uncomment and modify the userid and password to match the one that you used:
node.session.auth.authmethod = CHAP
node.session.auth.username = student
node.session.auth.password = password
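Added example, not part of the original post: a shell audit that reads an iscsid.conf-style file and reports CHAP settings worth changing before the setup leaves the lab, plus a generator for a replacement secret. The 12-character floor follows RFC 3720's 96-bit minimum for CHAP secrets when IPsec is not in use; the short word list and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the CHAP settings of an iscsid.conf-style file.

# Print the value of key $2 in file $1; commented lines are ignored,
# and the last uncommented setting wins.
conf_get() {
    awk -v k="$2" '
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
        key == k { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# Record one finding (used by audit_chap).
finding() {
    echo "$1"
    findings=$((findings + 1))
}

# Audit file $1: prints one finding per line, returns 0 only if there are none.
audit_chap() {
    findings=0
    method=$(conf_get "$1" node.session.auth.authmethod)
    user=$(conf_get "$1" node.session.auth.username)
    secret=$(conf_get "$1" node.session.auth.password)
    user_in=$(conf_get "$1" node.session.auth.username_in)
    [ "$method" = CHAP ] || finding "authmethod is '${method:-unset}', not CHAP"
    [ "${#secret}" -ge 12 ] || finding "secret is shorter than 12 characters (96 bits)"
    [ -z "$secret" ] || [ "$secret" != "$user" ] || finding "secret is the same as the username"
    case $secret in
        password|secret|changeme) finding "secret is a dictionary word" ;;
    esac
    [ -n "$user_in" ] || finding "username_in unset: one-way CHAP, target is not authenticated"
    [ "$findings" -eq 0 ]
}

# Generate a 16-character secret from 12 random bytes (96 bits).
new_chap_secret() {
    head -c 12 /dev/urandom | base64
}

# Demo on a constructed file holding the values used in this walkthrough.
d=$(mktemp -d)
printf '%s\n' '#node.session.auth.authmethod = None' \
    'node.session.auth.authmethod = CHAP' \
    'node.session.auth.username = student' \
    'node.session.auth.password = password' > "$d/iscsid.conf"
audit_chap "$d/iscsid.conf" || true
rm -rf "$d"
```

A secret from new_chap_secret has to be set on both sides: in the acl on the target (set auth password=...) and in node.session.auth.password on the client.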
First, you need to discover the target at the portal by executing:
iscsiadm -m discovery -t sendtargets -p 10.0.2.5 # where the IP is the target portal server above
The above command should show the IQNs available at the target portal server. You can attempt to log in to check for errors, especially if you are using authentication:
iscsiadm -m node --login
For information about the session which is hopefully created, you can use iscsiadm in the session mode. In the session mode, you can print session information in increasing verbosity by setting the -P option from 0 for the lowest verbosity to 3 for the highest verbosity. For example, here's the iscsiadm command run in session mode to print out medium-high verbosity:
iscsiadm -P 2 -m session
which had the output of:
Target: iqn.2015-11.com.example:lun0 (non-flash)
Current Portal: 10.0.2.5:3260,1
Persistent Portal: 10.0.2.5:3260,1
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.2015-11.com.example:centos7
Iface IPaddress: 10.0.2.5
Iface HWaddress:
Iface Netdev:
SID: 1
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE
*********
Timeouts:
*********
Recovery Timeout: 120
Target Reset Timeout: 30
LUN Reset Timeout: 30
Abort Timeout: 15
*****
CHAP:
*****
username: student
password: ********
username_in:
password_in: ********
************************
Negotiated iSCSI params:
************************
HeaderDigest: None
DataDigest: None
MaxRecvDataSegmentLength: 262144
MaxXmitDataSegmentLength: 262144
FirstBurstLength: 65536
MaxBurstLength: 262144
ImmediateData: Yes
InitialR2T: Yes
MaxOutstandingR2T: 1
Once you have resolved any issues with making a connection, you should enable and start the iscsi service:
systemctl enable iscsi
systemctl start iscsi
If everything has gone successfully, then a new SCSI disk device should appear with a name found by listing /dev/sd*. In this example, the new disk appears as /dev/sdb.
ls /dev/sd*
Shows the output:
/dev/sda /dev/sda1 /dev/sda2 /dev/sdb
Most likely, the new device will be the last one shown like /dev/sdb above. To get it ready for a filesystem, you can use fdisk and the new device name to create a partition. In the following example, one new partition is created that uses all the space on the device:
fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
First sector (8192-204799, default 8192):
Using default value 8192
Last sector, +sectors or +size{K,M,G} (8192-204799, default 204799):
Using default value 204799
Partition 1 of type Linux and of size 96 MiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
Now executing the following command should show the new partition, /dev/sdb1:
ls /dev/sd*
Shows the output:
/dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1
To prepare the partition for mounting, create a filesystem on it. In this case, an ext4 filesystem will be created:
mkfs -t ext4 /dev/sdb1
Create the directory where you want to mount the new filesystem, such as /mnt/lun0:
mkdir /mnt/lun0
Verify that the filesystem can be successfully mounted:
mount /dev/sdb1 /mnt/lun0
mount | grep lun0
If successful, this should output something like:
/dev/sdb1 on /mnt/lun0 type ext4 (rw,relatime,seclabel,stripe=4096,data=ordered)
When you want to make this mount permanent, you have to be careful to add the "_netdev" mount option in your /etc/fstab entry. It is also a good idea to use UUID identifiers instead of device names as device names may change depending on the order in which devices are detected. To discover the UUID for the new device execute:
blkid
or for this specific example
blkid /dev/sdb1
which had the output of:
/dev/sdb1: UUID="3735827d-b4f4-48ed-aca1-a264a3ec956e" TYPE="ext4"
The entry in this example would look similar to the following, but your UUID will be different.
CHECK THE OUTPUT OF blkid FOR YOUR CORRECT UUID:
UUID=3735827d-b4f4-48ed-aca1-a264a3ec956e /mnt/lun0 ext4 _netdev 0 0
After adding the entry, unmount your new device, and then mount all /etc/fstab entries to verify that your new entry is correct.
umount /dev/sdb1
mount -a
mount | grep lun0
should output:
/dev/sdb1 on /mnt/lun0 type ext4 (rw,relatime,seclabel,stripe=4096,data=ordered,_netdev)
If that works, and you won't disturb anyone else on the system, you might reboot the system(s) starting with the server first, and then the client, to verify that everything has been enabled correctly for automatic mounting of the iSCSI device. After the systems have rebooted, check that the client is still mounting the lun0 target with:
mount | grep lun0
If you made it this far, then congratulations! You have a persistent iSCSI target portal server and an iSCSI initiator client able to perform CHAP authentication.
Wrap-up and Troubleshooting
If you are still having issues, then review the files that were updated, and the firewall settings. For example, the wrong IQN for a client will mean failure to authorize; the wrong userid or password, a failure to authenticate. Also, revisit the targetcli interface and review the configuration information. Here's a quick tour of some troubleshooting with commands in bold, the output of the command in italics, and the relevant information highlighted.
cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2015-11.com.example:centos7
fdisk -l
Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000d9dbb
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 39938047 19968000 83 Linux
/dev/sda2 39938048 41943039 1002496 82 Linux swap / Solaris
Disk /dev/sdb: 104 MB, 104857600 bytes, 204800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x761d8fba
Device Boot Start End Blocks Id System
/dev/sdb1 8192 204799 98304 83 Linux
blkid
/dev/sda1: UUID="cfc6be43-cf4b-4cb5-9bf3-67f24d1d5205" TYPE="ext4"
/dev/sda2: UUID="d5c08700-0ff1-4062-a13b-f3782b80c66b" TYPE="swap"
/dev/sdb1: UUID="3735827d-b4f4-48ed-aca1-a264a3ec956e" TYPE="ext4"
cat /etc/fstab
# /etc/fstab
# Created by anaconda on Fri Nov 6 16:02:18 2015
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=cfc6be43-cf4b-4cb5-9bf3-67f24d1d5205 / ext4 defaults 1 1
UUID=d5c08700-0ff1-4062-a13b-f3782b80c66b swap swap defaults 0 0
UUID=3735827d-b4f4-48ed-aca1-a264a3ec956e /mnt/lun0 ext4 _netdev 0 0
grep -Ev '^#|^$' /etc/iscsi/iscsid.conf # exclude comments and blank lines
iscsid.startup = /bin/systemctl start iscsid.socket iscsiuio.socket
node.startup = automatic
node.leading_login = No
node.session.auth.authmethod = CHAP
node.session.auth.username = student
node.session.auth.password = password
node.session.timeo.replacement_timeout = 120
node.conn[0].timeo.login_timeout = 15
# remaining output omitted
firewall-cmd --list-all
public (default, active)
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 23/tcp 3260/tcp 23/udp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
targetcli
/iscsi> cd /
/> ls
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- block .............................................. [Storage Objects: 0]
  | o- fileio ............................................. [Storage Objects: 1]
  | | o- back1 ....... [/var/lib/iscsi-lun0.img (100.0MiB) write-back activated]
  | o- pscsi .............................................. [Storage Objects: 0]
  | o- ramdisk ............................................ [Storage Objects: 0]
  o- iscsi ........................................................ [Targets: 1]
  | o- iqn.2015-11.com.example:lun0 .................................. [TPGs: 1]
  |   o- tpg1 ........................................... [no-gen-acls, no-auth]
  |     o- acls ...................................................... [ACLs: 1]
  |     | o- iqn.2015-11.com.example:centos7 .................. [Mapped LUNs: 1]
  |     |   o- mapped_lun0 ............................ [lun0 fileio/back1 (rw)]
  |     o- luns ...................................................... [LUNs: 1]
  |     | o- lun0 ..................... [fileio/back1 (/var/lib/iscsi-lun0.img)]
  |     o- portals ................................................ [Portals: 1]
  |       o- 0.0.0.0:3260 ................................................. [OK]
  o- loopback ..................................................... [Targets: 0]
/> cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/acls/iqn.2015-11.com.example:centos7/
/iscsi/iqn.20...ample:centos7> info
chap_password: password
chap_userid: student
wwns:
iqn.2015-11.com.example:centos7
exit
iscsiadm -m discovery -t sendtargets -p 10.0.2.5 # the -p must be the correct IP for the portal
10.0.2.5:3260,1 iqn.2015-11.com.example:lun0
iscsiadm -m node -v --login
10.0.2.5:3260,1 iqn.2015-11.com.example:lun0
iscsiadm -P3 -m session
iSCSI Transport Class version 2.0-870
version 6.2.0.873-28
Target: iqn.2015-11.com.example:lun0 (non-flash)
Current Portal: 10.0.2.5:3260,1
Persistent Portal: 10.0.2.5:3260,1
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.2015-11.com.example:centos7
Iface IPaddress: 10.0.2.5
Iface HWaddress:
Iface Netdev:
SID: 1
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE
*********
Timeouts:
*********
Recovery Timeout: 120
Target Reset Timeout: 30
LUN Reset Timeout: 30
Abort Timeout: 15
*****
CHAP:
*****
username: student
password: ********
username_in:
password_in: ********
************************
Negotiated iSCSI params:
************************
HeaderDigest: None
DataDigest: None
MaxRecvDataSegmentLength: 262144
MaxXmitDataSegmentLength: 262144
FirstBurstLength: 65536
MaxBurstLength: 262144
ImmediateData: Yes
InitialR2T: Yes
MaxOutstandingR2T: 1
************************
Attached SCSI devices:
************************
Host Number: 3 State: running
scsi3 Channel 00 Id 0 Lun: 0
Attached scsi disk sdb State: running
Good Luck!