TCP Wrapper (hosts.allow & hosts.deny) Command Options in Linux

Internet Small Computer System Interface (iSCSI) is an IP-based standard for connecting storage devices. iSCSI uses IP networks to encapsulate SCSI commands, allowing data to be transferred over long distances. iSCSI provides shared storage among a number of client systems. Storage devices are attached to servers (targets). Client systems (initiators) access the remote storage devices over IP networks. To the client systems, the storage devices appear to be locally attached. iSCSI uses the existing IP infrastructure and does not require any additional cabling, as is the case with Fibre Channel (FC) storage area networks.

 

Configuring an iSCSI Server

 

RHEL/CentOS 7 uses the Linux-IO (LIO) kernel target subsystem for iSCSI. In addition to iSCSI, LIO supports a number of storage fabrics including Fibre Channel over Ethernet (FCoE), iSCSI access over Mellanox InfiniBand networks (iSER), and SCSI access over Mellanox InfiniBand networks (SRP). In RHEL 7, all storage fabrics are managed with the targetcli utility.

 

To configure a RHEL system as an iSCSI server, begin by installing the targetcli software package:

# yum install targetcli

 

Installing the targetcli software package also installs the python-rtslib package, which provides the /usr/lib/systemd/system/target.service file. Before using the targetcli utility to create, delete, and view storage targets, use the systemctl command to enable and start the target service on the iSCSI server.

# systemctl enable target
Created symlink from /etc/systemd/system/multi-user.target.wants/target.service to /usr/lib/systemd/system/target.service.

 

# systemctl start target 

 

targetcli Utility

 

The targetcli utility is the administration shell for creating, editing, and viewing the configuration of the kernel’s target subsystem. Run targetcli to enter the configuration shell.

# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> help

 

Run the help command from the targetcli prompt to view the available commands. The following are some of the available targetcli commands:

 

ls: View the object hierarchy.

cd: Traverse the object hierarchy.

create: Create storage objects, targets, LUNs, network portals, access control lists.

exit: Exit the targetcli shell and automatically save the configuration.

You can also enter “targetcli [command]” to run commands without entering the shell.

 

Backstores

 

Backstores are the different kinds of local storage resources that the kernel target uses to “back” the SCSI devices it exports to client systems. The mappings to local storage resources that each backstore creates are called storage objects. Use the targetcli ls command to list the different types of backstores.

# targetcli ls /backstores 

 

The types of backstores are described as follows:

block: Linux block devices such as /dev/sda

fileio: Any file on a mounted file system such as /tmp/disk1.img

pscsi: Any storage object that supports pass-through SCSI commands

ramdisk: Memory copy RAM disks

 

To create a block backstore from the targetcli shell:

/> cd /backstores/block
/backstores/block> create name=LUN_1 dev=/dev/xvdb 

 

To create a fileio backstore from the targetcli shell:

/> cd /backstores/fileio
/backstores/fileio> create name=LUN_3 /root/disk1.img 5G

 

Creating an iSCSI Target

 

To create an iSCSI target from the targetcli shell, use the cd command to change to the /iscsi directory.

/> cd /iscsi
/iscsi>

 

Use the create command without any arguments to create an iSCSI target by using a default target name. By default, the target is identified by an “iqn” identifier. This is an iSCSI Qualified Name (IQN), which uniquely identifies a target. IQN format addresses are most commonly used to identify a target. This address consists of the following fields:

  • Literal iqn
  • Date (in yyyy-mm format) that the naming authority took ownership of the domain
  • Reversed domain name of the authority
  • Optional “:” that prefixes a storage target name specified by the naming authority

 

/> cd /iscsi 
/iscsi> create
Created target iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/iscsi> 

 

To list the created targets, use the following command.

# targetcli ls /iscsi 

To allow remote systems to access an iSCSI target on port 3260, either disable the firewalld service on the iSCSI server or configure firewalld to trust the 3260/tcp port. The following example uses firewall-cmd to open the 3260/tcp port for the firewalld service.

# firewall-cmd --permanent --add-port=3260/tcp

 

If you include the --permanent option when adding a port, use the firewall-cmd command to reload the configuration.

# firewall-cmd --reload

 

Creating iSCSI LUNs

 

The kernel target exports SCSI Logical Units to remote systems. Use the targetcli shell to link previously defined storage objects with a target, and to specify which Logical Unit Number (LUN) the device uses. The following example uses the create command to create a new LUN for a target. From the targetcli shell, begin by using the cd command to change to the luns directory within the [target/TPG] hierarchy.

/iscsi> cd /iscsi/iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb/
/iscsi/iqn.20....b0df6e328beb> cd tpg1/luns

 

The following commands create a LUN from the previously defined block storage objects. 

/iscsi/iqn.20...beb/tpg1/luns> create /backstores/block/LUN_1 lun1
Created LUN 1.

 

Creating ACLs

 

Access Control Lists (ACLs) restrict access to LUNs from remote systems. You can create an ACL for each initiator to enforce authentication when the initiator connects to the target. This allows you to give a specific initiator exclusive access to a specific target. The following example uses the create command to create an ACL for an initiator. From the targetcli shell, begin by using the cd command to change to the acls directory within the [target/TPG] hierarchy.

/> cd /iscsi/iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb/tpg1/acls 
/iscsi/iqn.20...beb/tpg1/acls> create iqn.1994-05.com.redhat:aabb51a64012
Created Node ACL for iqn.1994-05.com.redhat:aabb51a64012
Created mapped LUN 1. 
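
The IQN fields listed under "Creating an iSCSI Target" and the ACL step above can be combined into a pre-check, shown here as an added example that is not part of the original article: it splits a name into its fields, rejects names that do not fit, and prints the one-shot "targetcli [command]" form of the ACL command only for well-formed initiator names. The function names, the lowercase-only character set and the sample initiator list are assumptions of this example; the tpg1 path is the one used on this page.

```sh
#!/bin/sh
# Added example, not from the original page. Assumption: names are limited
# to lowercase letters, digits, ".", "-" and ":" (a conservative subset).

# parse_iqn NAME: print "date|authority|target-name" and return 0,
# or print nothing and return 1 when NAME does not fit the IQN layout.
parse_iqn() {
    iqn=$1
    case $iqn in
        iqn.*) rest=${iqn#iqn.} ;;            # field 1: literal "iqn"
        *) return 1 ;;
    esac
    ym=${rest%%.*}                            # field 2: yyyy-mm
    printf '%s\n' "$ym" |
        LC_ALL=C grep -Eq '^[0-9]{4}-(0[1-9]|1[0-2])$' || return 1
    rest=${rest#*.}
    case $rest in                             # field 4 is optional
        *:*) authority=${rest%%:*}; suffix=${rest#*:}
             printf '%s\n' "$suffix" |
                 LC_ALL=C grep -Eq '^[a-z0-9.:-]+$' || return 1 ;;
        *)   authority=$rest; suffix= ;;
    esac
    label='[a-z0-9]([a-z0-9-]*[a-z0-9])?'     # field 3: reversed domain
    printf '%s\n' "$authority" |
        LC_ALL=C grep -Eq "^$label(\\.$label)+\$" || return 1
    printf '%s|%s|%s\n' "$ym" "$authority" "$suffix"
}

# acl_commands TARGET_IQN: read initiator names on stdin, print one
# targetcli ACL command per well-formed name (tpg1 as on this page).
acl_commands() {
    tgt=$1
    parse_iqn "$tgt" >/dev/null || return 2
    while IFS= read -r initiator; do
        [ -n "$initiator" ] || continue
        if parse_iqn "$initiator" >/dev/null; then
            printf 'targetcli /iscsi/%s/tpg1/acls create %s\n' "$tgt" "$initiator"
        else
            printf 'skipped, not a valid IQN: %s\n' "$initiator" >&2
        fi
    done
}

# Constructed input: one name from this page and two malformed ones.
printf '%s\n' 'iqn.1994-05.com.redhat:aabb51a64012' \
    'iqn.1994-13.com.redhat:host2' 'iqn.1994-05.com.redhat:Host 3' |
    acl_commands 'iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb'
```

Review the printed commands before running them; names reported as skipped on stderr never reach targetcli.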

 

Configuring an iSCSI Initiator

 

To configure a Linux system as an iSCSI initiator, install the iscsi-initiator-utils software package. This package is the Linux Open-iSCSI Initiator.

# yum install iscsi-initiator-utils

 

The package installs several files including the following:

/etc/iscsi/iscsid.conf: The configuration file read by iscsid and iscsiadm. This file is heavily commented with descriptions for each configuration directive.

/sbin/iscsid: The Open-iSCSI daemon that implements the control path and management facilities

/sbin/iscsiadm: The Open-iSCSI administration utility used to discover and log in to iSCSI targets

Edit the /etc/iscsi/initiatorname.iscsi file and replace the InitiatorName parameter with the initiator name that you previously configured as an ACL on the target. There is a default iSCSI initiator name defined in this file. If you used the same name when configuring the ACL, you do not have to change anything here.

# cat /etc/iscsi/initiatorname.iscsi 
InitiatorName=iqn.1994-05.com.redhat:aabb51a64012

 

Use the systemctl command to enable and start the iscsid service.

# systemctl enable iscsid
# systemctl start iscsid

 

iSCSI Discovery

 

Discovery is the process that makes the targets known to an initiator. The following example uses the SendTargets discovery method to discover targets on IP address 192.168.12.13. This command also starts the iscsid daemon if needed.

# iscsiadm -m discovery --type sendtargets -p 192.168.12.13

 

After discovery, the nodes table and the send_targets tables in the database are updated:

# ls /var/lib/iscsi/nodes
iqn.2011-12.com.example.mypc:tgt1 
iqn.2011-12.com.example.mypc:tgt2 
iqn.2012-11.com.example.mypc:tgt3

 

# ls /var/lib/iscsi/send_targets
192.168.12.13,3260

 

iSCSI Initiator Sessions

 

A session is a TCP connection between an initiator node port and a target node port. LUNs are not accessible until a session is established. Use the -l (or --login) option to establish a session:

# iscsiadm -m node -l 

 

To log in to a specific target:

# iscsiadm -m node --targetname iqn.2011-12.com.example.mypc:tgt1 -p 192.0.2.102:3260 -l
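
The login form without --targetname is not restricted to one target, so an initiator can end up attached to whatever discovery returned. As an added example (not part of the original article), the function below reads discovery records and prints the specific-target login command only for portal and target pairs on an approved list. The function name, the allowlist file layout and the sample records are assumptions of this example; the records follow the "ip:port,tpgt target-name" layout of SendTargets discovery output.

```sh
#!/bin/sh
# Added example, not from the original page.
# login_commands ALLOWLIST: read discovery records ("ip:port,tpgt name")
# on stdin and print a login command only for "ip:port name" pairs that
# appear as a whole line in the ALLOWLIST file.
login_commands() {
    allowlist=$1
    while read -r portal_tpgt tgt_name ignored; do
        [ -n "$tgt_name" ] || continue
        portal=${portal_tpgt%,*}              # strip the ",tpgt" suffix
        if grep -Fxq -- "$portal $tgt_name" "$allowlist"; then
            printf 'iscsiadm -m node --targetname %s -p %s -l\n' \
                "$tgt_name" "$portal"
        else
            printf 'not on allowlist, no login: %s %s\n' \
                "$portal" "$tgt_name" >&2
        fi
    done
}

# Constructed sample: three discovered records, one approved target.
allow_file=$(mktemp)
printf '%s\n' '192.168.12.13:3260 iqn.2011-12.com.example.mypc:tgt1' > "$allow_file"
login_commands "$allow_file" <<'EOF'
192.168.12.13:3260,1 iqn.2011-12.com.example.mypc:tgt1
192.168.12.13:3260,1 iqn.2011-12.com.example.mypc:tgt2
192.168.12.13:3260,1 iqn.2012-11.com.example.mypc:tgt3
EOF
rm -f "$allow_file"
```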

 

Use the -u (or --logout) option to close a session. To view session information:

# iscsiadm -m session [-P [printlevel]] 

 

The print levels are 1, 2, and 3. Each shows more detail.

 
