How does the iSCSI target server make storage available to iSCSI initiators?
One of the primary tasks of a computer center, or any site that supports servers, is to provide adequate disk capacity. Fibre Channel is often used for this purpose. iSCSI (Internet SCSI) solutions provide a lower-cost alternative to Fibre Channel that can leverage commodity servers and Ethernet networking equipment. Linux iSCSI provides iSCSI initiator and iSCSI LIO target software for connecting Linux servers to central storage systems.
Figure 14.1: iSCSI SAN with an iSNS Server
Note: LIO
LIO (http://linux-iscsi.org) is the standard open source multiprotocol SCSI target for Linux. LIO replaced the STGT (SCSI Target) framework as the standard unified storage target in Linux with Linux kernel version 2.6.38 and later. In SUSE Linux Enterprise Server 12 the iSCSI LIO Target Server replaces the iSCSI Target Server from previous versions.
iSCSI is a storage networking protocol that simplifies data transfers of SCSI packets over TCP/IP networks between block storage devices and servers. iSCSI target software runs on the target server and defines the logical units as iSCSI target devices. iSCSI initiator software runs on different servers and connects to the target devices to make the storage devices available on that server.
The iSCSI LIO target server and iSCSI initiator servers communicate by sending SCSI packets at the IP level in your LAN. When an application running on the initiator server starts an inquiry for an iSCSI LIO target device, the operating system produces the necessary SCSI commands. The SCSI commands are then embedded in IP packets and encrypted as necessary by software that is commonly known as the iSCSI initiator. The packets are transferred across the internal IP network to the corresponding iSCSI remote station, called the iSCSI LIO target server, or simply the iSCSI target.
Many storage solutions provide access over iSCSI, but it is also possible to run a Linux server that provides an iSCSI target. In this case, it is important to set up a Linux server that is optimized for file system services. The iSCSI target accesses block devices in Linux. Therefore, it is possible to use RAID solutions to increase disk space and a lot of memory to improve data caching. For more information about RAID, also see Chapter 7, Software RAID Configuration.
14.1 Installing the iSCSI LIO Target Server and iSCSI Initiator
While the iSCSI initiator is installed by default (packages iqn.yyyy-mm.com.mycompany:n1:n26 and iqn.yyyy-mm.com.mycompany:n1:n27), the iSCSI LIO target packages need to be installed manually.
Important: Initiator and Target may not Run on the Same Server
It is not supported to run iSCSI target software and iSCSI initiator software on the same server in a production environment.
To install the iSCSI LIO Target Server, run the following command in a terminal:
sudo zypper in yast2-iscsi-lio-server
In case you need to install the iSCSI initiator or any of its dependencies, run the command iqn.yyyy-mm.com.mycompany:n1:n28.
Alternatively, use the YaST Software Management module for installation.
Any packages required in addition to the ones mentioned above will either be automatically pulled in by the installer, or be installed when you first run the respective YaST module.
14.2 Setting Up an iSCSI LIO Target Server
This section describes how to use YaST to configure an iSCSI LIO Target Server and set up iSCSI LIO target devices. You can use any iSCSI initiator software to access the target devices.
14.2.1 iSCSI LIO Target Service Start-up and Firewall Settings
The iSCSI LIO Target service is by default configured to be started manually. You can configure the service to start automatically at boot time. If you use a firewall on the server and you want the iSCSI LIO targets to be available to other computers, you must open a port in the firewall for each adapter that you want to use for target access. TCP port 3260 is the port number for the iSCSI protocol, as defined by IANA (Internet Assigned Numbers Authority).
14.2.2 Configuring Authentication for Discovery of iSCSI LIO Targets and Initiators
The iSCSI LIO Target Server software supports the PPP-CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), a three-way authentication method defined in the Internet Engineering Task Force (IETF) RFC 1994 (https://datatracker.ietf.org/doc/html/rfc1994). The server uses this authentication method for the discovery of iSCSI LIO targets and initiators, not for accessing files on the targets. If you do not want to restrict the access to the discovery, use No Authentication. The No Discovery Authentication option is enabled by default. Without requiring authentication all iSCSI LIO targets on this server can be discovered by any iSCSI initiator on the same network.
If authentication is needed for a more secure configuration, you can use incoming authentication, outgoing authentication, or both. Authentication by Initiators requires an iSCSI initiator to prove that it has the permissions to run a discovery on the iSCSI LIO target. The initiator must provide the incoming user name and password. Authentication by Targets requires the iSCSI LIO target to prove to the initiator that it is the expected target. The iSCSI LIO target must provide the outgoing user name and password to the iSCSI initiator. The password needs to be different for incoming and outgoing discovery. If authentication for discovery is enabled, its settings apply to all iSCSI LIO target groups.
Important: Security
We recommend that you use authentication for target and initiator discovery in production environments for security reasons.
To configure authentication preferences for iSCSI LIO targets:
14.2.3 Preparing the Storage Space
Before you configure LUNs for your iSCSI Target servers, you must prepare the storage you want to use. You can use the entire unformatted block device as a single LUN, or you can subdivide a device into unformatted partitions and use each partition as a separate LUN. The iSCSI target configuration exports the LUNs to iSCSI initiators.
You can use the Partitioner in YaST or the command line to set up the partitions. Refer to for details. iSCSI LIO targets can use unformatted partitions with Linux, Linux LVM, or Linux RAID file system IDs.
Important: Do Not Mount iSCSI Target Devices
After you set up a device or partition for use as an iSCSI target, you never access it directly via its local path. Do not mount the partitions on the target server.
14.2.3.1 Partitioning Devices in a Virtual Environment
You can use a virtual machine guest server as an iSCSI LIO Target Server. This section describes how to assign partitions to a Xen virtual machine. You can also use other virtual environments that are supported by SUSE Linux Enterprise Server.
In a Xen virtual environment, you must assign the storage space you want to use for the iSCSI LIO target devices to the guest virtual machine, then access the space as virtual disks within the guest environment. Each virtual disk can be a physical block device, such as an entire disk, partition, or volume, or it can be a file-backed disk image where the virtual disk is a single image file on a larger physical disk on the Xen host server. For the best performance, create each virtual disk from a physical disk or a partition. After you set up the virtual disks for the guest virtual machine, start the guest server, then configure the new blank virtual disks as iSCSI target devices by following the same process as for a physical server.
File-backed disk images are created on the Xen host server, then assigned to the Xen guest server. By default, Xen stores file-backed disk images in the iqn.1996-04.de.suse:01:a5dfcea717a0 directory, where iqn.1996-04.de.suse:01:a5dfcea717a1 is the name of the virtual machine.
14.2.4 Setting Up an iSCSI LIO Target Group
You can use YaST to configure iSCSI LIO target devices. YaST uses APIs provided by the iqn.1996-04.de.suse:01:a5dfcea717a2 software. iSCSI LIO targets can use unformatted partitions with Linux, Linux LVM, or Linux RAID file system IDs.
Important: Partitions
Before you begin, create the unformatted partitions that you want to use as iSCSI LIO targets as described in .
14.2.5 Modifying an iSCSI LIO Target Group
You can modify an existing iSCSI LIO target group as follows:
To view or modify the settings for an iSCSI LIO target group:
14.2.6 Deleting an iSCSI LIO Target Group
Deleting an iSCSI LIO target group removes the definition of the group, and the related setup for initiators, including LUN mappings and authentication credentials. It does not destroy the data on the partitions. To give initiators access again, you can allocate the target LUNs to a different or new target group, and configure the initiator access for them.
14.3 Configuring iSCSI Initiator
The iSCSI initiator can be used to connect to any iSCSI target. This is not restricted to the iSCSI target solution explained in . The configuration of iSCSI initiator involves two major steps: the discovery of available iSCSI targets and the setup of an iSCSI session. Both can be done with YaST.
14.3.1 Using YaST for the iSCSI Initiator Configuration
The iSCSI Initiator Overview in YaST is divided into three tabs:
Service: The Service tab can be used to enable the iSCSI initiator at boot time. It also offers to set a unique Initiator Name and an iSNS server to use for the discovery.
Connected Targets: The Connected Targets tab gives an overview of the currently connected iSCSI targets. Like the Discovered Targets tab, it also gives the option to add new targets to the system.
Discovered Targets: The Discovered Targets tab provides the possibility of manually discovering iSCSI targets in the network.
14.3.1.1 Configuring the iSCSI Initiator
14.3.1.2 Discovering iSCSI Targets by Using iSNS
Before you can use this option, you must have already installed and configured an iSNS server in your environment. For information, see Chapter 13, iSNS for Linux.
14.3.1.3 Discovering iSCSI Targets Manually
Repeat the following process for each of the iSCSI target servers that you want to access from the server where you are setting up the iSCSI initiator.
14.3.1.4 Setting the Start-up Preference for iSCSI Target Devices
14.3.2 Setting Up the iSCSI Initiator Manually
Both the discovery and the configuration of iSCSI connections require a running iscsid. When running the discovery the first time, the internal database of the iSCSI initiator is created in the directory iqn.1996-04.de.suse:01:a5dfcea717a7.
If your discovery is password protected, provide the authentication information to iscsid. Because the internal database does not exist when doing the first discovery, it cannot be used now. Instead, the configuration file iqn.1996-04.de.suse:01:a5dfcea717a8 must be edited to provide the information. To add your password information for the discovery, add the following lines to the end of iqn.1996-04.de.suse:01:a5dfcea717a8:
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = USERNAME
discovery.sendtargets.auth.password = PASSWORD
The discovery stores all received values in an internal persistent database. In addition, it displays all detected targets. Run this discovery with the following command:
sudo iscsiadm
The output should look like the following:
10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems
To discover the available targets on an discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD0 server, use the following command:
sudo iscsiadm --mode discovery --type isns --portal TARGET_IP
For each target defined on the iSCSI target, one line appears. For more information about the stored data, see .
The special discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD1 option of discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD2 creates all needed devices:
sudo iscsiadm -m node -n iqn.2006-02.com.example.iserv:systems --login
The newly generated devices show up in the output of iqn.1996-04.de.suse:01:a5dfcea717a5 and can now be mounted.
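The CHAP exchange that the discovery settings above enable, and that Section 14.2.2 describes for incoming and outgoing authentication, is shown below as an added Python example; it is not code from this documentation, open-iscsi, or LIO. The class and function names are hypothetical, the secrets are constructed sample values, and the two directions run one after the other for clarity.

```python
"""CHAP (RFC 1994) applied to mutual iSCSI discovery authentication.
Constructed illustration: class and function names are hypothetical."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that sends the challenge and checks the hashed response."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def new_challenge(self):
        # Fresh random identifier and challenge for every attempt.
        self._pending = (os.urandom(1)[0], os.urandom(16))
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False              # no outstanding challenge
        identifier, challenge = self._pending
        self._pending = None          # a challenge is accepted once only
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def check_discovery_secrets(incoming: bytes, outgoing: bytes) -> None:
    """Enforce the rule that incoming and outgoing passwords differ.

    Nothing in the hash binds a response to a direction, so distinct
    secrets are what keep the two proofs independent of each other.
    """
    if hmac.compare_digest(incoming, outgoing):
        raise ValueError("incoming and outgoing discovery passwords must differ")


def mutual_discovery_auth(target: dict, initiator: dict):
    """Run both directions; each dict holds 'incoming' and 'outgoing' secrets.

    Returns (initiator_accepted, target_accepted).
    """
    check_discovery_secrets(target["incoming"], target["outgoing"])

    # Authentication by Initiators: the target challenges, the initiator answers.
    target_side = Authenticator(target["incoming"])
    ident, chal = target_side.new_challenge()
    if not target_side.verify(chap_response(ident, initiator["incoming"], chal)):
        return (False, False)         # target ends the attempt here

    # Authentication by Targets: the initiator challenges, the target answers.
    initiator_side = Authenticator(initiator["outgoing"])
    ident, chal = initiator_side.new_challenge()
    ok = initiator_side.verify(chap_response(ident, target["outgoing"], chal))
    return (True, ok)


if __name__ == "__main__":
    # Constructed sample secrets, not taken from any real system.
    cfg = {"incoming": b"in-secret-0001", "outgoing": b"out-secret-0002"}
    print(mutual_discovery_auth(cfg, dict(cfg)))
```

The secret never crosses the network; only the identifier, the challenge, and the 16-byte hash do, which is why both ends must be configured with the same user name and password pair for each direction.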
14.3.3 The iSCSI Initiator Databases
All information that was discovered by the iSCSI initiator is stored in two database files that reside in discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD4. There is one database for the discovery of targets and one for the discovered nodes. When accessing a database, you first must select if you want to get your data from the discovery or from the node database. Do this with the discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD5 and discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD6 parameters of discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD2. Using discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD2 with one of these parameters gives an overview of the stored records:
The target name in this example is discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD9. This name is needed for all actions that relate to this special data set. To examine the content of the data record with the ID discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD9, use the following command:
To edit the value of one of these variables, use the command discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD2 with the sudo iscsiadm 2 operation. For example, if you want iscsid to log in to the iSCSI target when it initializes, set the variable sudo iscsiadm 3 to the value sudo iscsiadm 4:iqn.yyyy-mm.com.mycompany:n1:n20
Remove obsolete data sets with the sudo iscsiadm 5 operation. If the target discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = USERNAME discovery.sendtargets.auth.password = PASSWORD9 is no longer a valid record, delete this record with the following command: iqn.yyyy-mm.com.mycompany:n1:n21
Important: No Confirmation
Use this option with caution because it deletes the record without any additional confirmation prompt.
To get a list of all discovered targets, run the sudo iscsiadm 7 command.
14.4 Using iSCSI Disks when Installing
Booting from an iSCSI disk on AMD64/Intel 64 and IBM POWER architectures is supported when iSCSI-enabled firmware is used.
To use iSCSI disks during installation, it is necessary to add the following parameter to the boot option line: iqn.yyyy-mm.com.mycompany:n1:n22
During installation, an additional screen appears that provides the option to attach iSCSI disks to the system and use them in the installation process.
Note: Mount Point Support
iSCSI devices will appear asynchronously during the boot process. While the initrd guarantees that those devices are set up correctly for the root file system, there are no such guarantees for any other file systems or mount points like sudo iscsiadm 8. Hence any system mount points like sudo iscsiadm 8 or 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems0 are not supported. To use those devices, ensure correct synchronization of the respective services and devices.
14.5 Troubleshooting iSCSI
This section describes some known issues and possible solutions for iSCSI target and iSCSI initiator issues.
14.5.1 Portal Error When Setting Up Target LUNs on an iSCSI LIO Target Server
When adding or editing an iSCSI LIO target group, you get an error: iqn.yyyy-mm.com.mycompany:n1:n23
The 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems1 log file contains the following error: iqn.yyyy-mm.com.mycompany:n1:n24
This problem occurs if the iSCSI LIO Target Server software is not currently running. To resolve this issue, exit YaST, manually start iSCSI LIO at the command line with 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems2, then try again.
You can also enter the following to check if 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems3, 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems4, and 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems5 are loaded. A sample response is shown. iqn.yyyy-mm.com.mycompany:n1:n25
14.5.2 iSCSI LIO Targets Are Not Visible from Other Computers
If you use a firewall on the target server, you must open the iSCSI port that you are using to allow other computers to see the iSCSI LIO targets. For information, see .
14.5.3 Data Packets Dropped for iSCSI Traffic
A firewall might drop packets if it gets too busy. The default for the SUSE Firewall is to drop packets after three minutes. If you find that iSCSI traffic packets are being dropped, you can consider configuring the SUSE Firewall to queue packets instead of dropping them when it gets too busy.
14.5.4 Using iSCSI Volumes with LVM
Use the troubleshooting tips in this section when using LVM on iSCSI targets.
14.5.4.1 Check if the iSCSI Initiator Discovery Occurs at Boot
When you set up the iSCSI Initiator, ensure that you enable discovery at boot time so that udev can discover the iSCSI devices at boot time and set up the devices to be used by LVM.
14.5.4.2 Check that iSCSI Target Discovery Occurs at Boot
Remember that 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems6 provides the default setup for devices. Ensure that all of the applications that create devices are started at boot time so that 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems6 can recognize and assign devices for them at system start-up. If the application or service is not started until later, 10.44.171.99:3260,1 iqn.2006-02.com.example.iserv:systems6 does not create the device automatically as it would at boot time.
14.5.5 iSCSI Targets Are Mounted When the Configuration File Is Set to Manual
When Open-iSCSI starts, it can mount the targets even if the sudo iscsiadm 3 option is set to manual in the sudo iscsiadm --mode discovery --type isns --portal TARGET_IP0 file if you manually modified the configuration file.
Check the sudo iscsiadm --mode discovery --type isns --portal TARGET_IP1 file. It contains a sudo iscsiadm 3 setting that overrides the sudo iscsiadm --mode discovery --type isns --portal TARGET_IP0 file. Setting the mount option to manual by using the YaST interface also sets sudo iscsiadm --mode discovery --type isns --portal TARGET_IP4 in the sudo iscsiadm --mode discovery --type isns --portal TARGET_IP1 files.
14.6 iSCSI LIO Target Terminology
backstore
A physical storage object that provides the actual storage underlying an iSCSI endpoint.
CDB (command descriptor block)
The standard format for SCSI commands. CDBs are commonly 6, 10, or 12 bytes long, though they can be 16 bytes or of variable length.
CHAP (Challenge Handshake Authentication Protocol)
A point-to-point protocol (PPP) authentication method used to confirm the identity of one computer to another. After the Link Control Protocol (LCP) connects the two computers, and the CHAP method is negotiated, the authenticator sends a random Challenge to the peer. The peer issues a cryptographically hashed Response that depends upon the Challenge and a secret key. The authenticator verifies the hashed Response against its own calculation of the expected hash value, and either acknowledges the authentication or terminates the connection. CHAP is defined in the RFC 1994.
CID (connection identifier)
A 16‐bit number, generated by the initiator, that uniquely identifies a connection between two iSCSI devices. This number is presented during the login phase.
endpoint
The combination of an iSCSI Target Name with an iSCSI TPG (IQN + Tag).
EUI (extended unique identifier)
A 64‐bit number that uniquely identifies every device in the world. The format consists of 24 bits that are unique to a given company, and 40 bits assigned by the company to each device it builds.
initiator
The originating end of an SCSI session. Typically a controlling device such as a computer.
IPS (Internet Protocol storage)
The class of protocols or devices that use the IP protocol to move data in a storage network. FCIP (Fibre Channel over Internet Protocol), iFCP (Internet Fibre Channel Protocol), and iSCSI (Internet SCSI) are all examples of IPS protocols.
IQN (iSCSI qualified name)
A name format for iSCSI that uniquely identifies every device in the world (for example: sudo iscsiadm --mode discovery --type isns --portal TARGET_IP6).
ISID (initiator session identifier)
A 48‐bit number, generated by the initiator, that uniquely identifies a session between the initiator and the target. This value is created during the login process, and is sent to the target with a Login PDU.
MCS (multiple connections per session)
A part of the iSCSI specification that allows multiple TCP/IP connections between an initiator and a target.
MPIO (multipath I/O)
A method by which data can take multiple redundant paths between a server and storage.
network portal
The combination of an iSCSI endpoint with an IP address plus a TCP (Transmission Control Protocol) port. TCP port 3260 is the port number for the iSCSI protocol, as defined by IANA (Internet Assigned Numbers Authority).
SAM (SCSI architectural model)
A document that describes the behavior of SCSI in general terms, allowing for different types of devices communicating over various media.
target
The receiving end of an SCSI session, typically a device such as a disk drive, tape drive, or scanner.
target group (TG)
A list of SCSI target ports that are all treated the same when creating views. Creating a view can help simplify LUN (logical unit number) mapping. Each view entry specifies a target group, host group, and a LUN.
target port
The combination of an iSCSI endpoint with one or more LUNs.
target port group (TPG)
A list of IP addresses and TCP port numbers that determines which interfaces a specific iSCSI target will listen to.
target session identifier (TSID)
A 16‐bit number, generated by the target, that uniquely identifies a session between the initiator and the target. This value is created during the login process, and is sent to the initiator with a Login Response PDU (protocol data units).
14.7 Additional Information
The iSCSI protocol has been available for several years. There are many reviews comparing iSCSI with SAN solutions, benchmarking performance, and there also is documentation describing hardware solutions. Important sources of more information about open-iscsi are: