TCP Wrapper (hosts.allow & hosts.deny) Command Options in Linux

Internet Small Computer System Interface (iSCSI) is an IP-based standard for connecting storage devices. iSCSI uses IP networks to encapsulate SCSI commands, allowing data to be transferred over long distances. iSCSI provides shared storage among a number of client systems. Storage devices are attached to servers (targets). Client systems (initiators) access the remote storage devices over IP networks. To the client systems, the storage devices appear to be locally attached. iSCSI uses the existing IP infrastructure and does not require any additional cabling, as is the case with Fibre Channel (FC) storage area networks.


Configuring an iSCSI Server


RHEL/CentOS 7 uses the Linux-IO (LIO) kernel target subsystem for iSCSI. In addition to iSCSI, LIO supports a number of storage fabrics including Fibre Channel over Ethernet (FCoE), iSCSI access over Mellanox InfiniBand networks (iSER), and SCSI access over Mellanox InfiniBand networks (SRP). In RHEL 7, all storage fabrics are managed with the targetcli utility.


To configure RHEL system as an iSCSI server, begin by installing the targetcli software package:

# yum install targetcli


Installing the targetcli software package also installs the python-rtslib package, which provides the /usr/lib/systemd/system/target.service file. Before using the targetcli utility to create, delete, and view storage targets, use the systemctl command to enable and start the target service on the iSCSI server.

# systemctl enable target
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/target.service.


# systemctl start target 


targetcli Utility


The targetcli utility is the administration shell for creating, editing, and viewing the configuration of the kernel’s target subsystem. Run targetcli to enter the configuration shell.

# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> help


Run the help command from the targetcli prompt to view the available commands. Following are some of the available targetcli commands:


ls: View the object hierarchy.

cd: Traverse the object hierarchy.

create: Create storage objects, targets, LUNs, network portals, access control lists.

exit: Exit the targetcli shell and automatically save the configuration.

You can also enter “targetcli [command]” to run commands without entering the shell.




Backstores are the different kinds of local storage resources that the kernel target uses to “back” the SCSI devices it exports to client systems. The mappings to local storage resources that each backstore creates are called storage objects. Use the targetcli ls command to list the different types of backstores.

# targetcli ls /backstores 


The types of backstores are described as follows:

block: Linux block devices such as /dev/sda

fileio: Any file on a mounted file system such as /tmp/disk1.img

pscsi: Any storage object that supports pass-through SCSI commands

ramdisk: Memory copy RAM disks


To create a block backstore from the targetcli shell:

/> cd /backstores/block
/backstores/block> create name=LUN_1 dev=/dev/xvdb 


To create a fileio backstore from the targetcli shell:

/> cd /backstores/fileio
/backstores/fileio> create name=LUN_3 /root/disk1.img 5G


Creating an iSCSI Target


To create an iSCSI target from the targetcli shell, use the cd command to change to the /iscsi directory.

/> cd /iscsi


Use the create command without any arguments to create an iSCSI target by using a default target name. By default, the target is identified by an “iqn” identifier. This is an iSCSI Qualified Name (IQN), which uniquely identifies a target. IQN format addresses are most commonly used to identify a target. This address consists of the following fields:

  • Literal iqn
  • Date (in yyyy-mm format) that the naming authority took ownership of the domain
  • Reversed domain name of the authority
  • Optional “:” that prefixes a storage target name specified by the naming authority


/> cd /iscsi 
/iscsi> create
Created target
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (, port 3260.


To list the created targets, use the following command.

# targetcli ls /iscsi 

To allow remote systems to access an iSCSI target on port 3260, either disable the firewalld service on the iSCSI server or configure firewalld to trust the 3260/tcp port. The following example uses firewall-cmd to open the 3260/tcp port for the firewalld service.

# firewall-cmd --permanent --add-port=3260/tcp


If you include the --permanent option when adding a port, use the firewall-cmd command to reload the configuration.

# firewall-cmd --reload


Creating iSCSI LUNs


The kernel target exports SCSI Logical Units to remote systems. Use the targetcli shell to link previously defined storage objects with a target, and to specify which Logical Unit Number (LUN) the device uses. The following example uses the create command to create a new LUN for a target. From the targetcli shell, begin by using the cd command to change to the luns directory within the [target/TPG] hierarchy.

/iscsi> cd /iscsi/
/iscsi/iqn.20....b0df6e328beb> cd tpg1/luns


The following commands create a LUN from the previously defined block storage objects. 

/iscsi/iqn.20...beb/tpg1/luns> create /backstores/block/LUN_1 lun1
Created LUN 1.


Creating ACLs


Access Control Lists (ACLs) restrict access to LUNs from remote systems. You can create an ACL for each initiator to enforce authentication when the initiator connects to the target. This allows you to give a specific initiator exclusive access to a specific target. The following example uses the create command to create an ACL for an initiator. From the targetcli shell, begin by using the cd command to change to the acls directory within the [target/TPG] hierarchy.

/> cd /iscsi/ 
/iscsi/iqn.20...beb/tpg1/acls> create
Created Node ACL for
Created mapped LUN 1. 


Configuring an iSCSI Initiator


To configure a Linux system as an iSCSI initiator, install the iscsi-initiator-utils software package. This package is the Linux Open-iSCSI Initiator.

# yum install iscsi-initiator-utils


The package installs several files including the following:

/etc/iscsi/iscsid.conf: The configuration file read by iscsid and iscsiadm. This file is heavily commented with descriptions for each configuration directive.

/sbin/iscsid: The Open-iSCSI daemon that implements the control path and management facilities

/sbin/iscsiadm: The Open-iSCSI administration utility used to discover and log in to iSCSI targets

Edit the /etc/iscsi/initiatorname.iscsi file and replace the InitiatorName parameter with the initiator name that you previously configured as an ACL on the target. The file ships with a default iSCSI initiator name. If you used that same name when configuring the ACL, you do not have to change anything here.

# cat /etc/iscsi/initiatorname.iscsi
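
The check below is an added example, not part of the original article: it validates an InitiatorName against the IQN fields listed earlier and confirms that it exactly matches an ACL created on the target, since a mismatch means the target refuses the login. The example.com IQNs, the sample file content and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): compare an initiator's name with
# the IQN layout described above and with the ACLs created on the target.

# Constructed sample of /etc/iscsi/initiatorname.iscsi content.
SAMPLE_INITIATOR_FILE='## constructed sample file
InitiatorName=iqn.1994-05.com.example:client01'

# Constructed list of initiator IQNs that have an ACL on the target, one per line.
SAMPLE_ACLS='iqn.1994-05.com.example:client01
iqn.1994-05.com.example:client02'

# Succeed if $1 is: literal "iqn", yyyy-mm date, reversed domain, optional ":name".
# Assumption: domain labels are lowercase letters, digits and hyphens.
is_valid_iqn() {
    label='[a-z0-9]([a-z0-9-]*[a-z0-9])?'
    printf '%s\n' "$1" | grep -Eq \
        "^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.${label}(\.${label})*(:[^[:space:]]+)?\$"
}

# Print the InitiatorName value found in file content $1 (first assignment).
initiator_name() {
    printf '%s\n' "$1" | sed -n 's/^InitiatorName=\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Print ok, malformed or no-acl for file content $1 and ACL list $2.
check_initiator() {
    name=$(initiator_name "$1")
    if ! is_valid_iqn "$name"; then
        echo malformed; return 1
    fi
    # -x and -F: the ACL entry must equal the whole name, not a prefix or pattern.
    if printf '%s\n' "$2" | grep -qxF -- "$name"; then
        echo ok; return 0
    fi
    echo no-acl; return 2
}

check_initiator "$SAMPLE_INITIATOR_FILE" "$SAMPLE_ACLS"
```

On a real initiator, pass "$(cat /etc/iscsi/initiatorname.iscsi)" as the first argument and the list of ACL names taken from the target as the second.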


Use the systemctl command to enable and start the iscsid service.

# systemctl enable iscsid
# systemctl start iscsid


iSCSI Discovery


Discovery is the process that makes the targets known to an initiator. The following example uses the SendTargets discovery method to discover targets on IP address This command also starts the iscsid daemon if needed.

# iscsiadm -m discovery --type sendtargets -p


After discovery, the nodes table and the send_targets tables in the database are updated:

# ls /var/lib/iscsi/nodes


# ls /var/lib/iscsi/send_targets
,3260


iSCSI Initiator Sessions


A session is a TCP connection between an initiator node port and a target node port. LUNs are not accessible until a session is established. Use the -l (or --login) option to establish a session:

# iscsiadm -m node -l 


To log in to a specific target:

# iscsiadm -m node --targetname -p -l


Use the -u (or --logout) option to close a session. To view session information:

# iscsiadm -m session [-P [printlevel]] 


The print levels are 1, 2, and 3. Each shows more detail.

