Internet Small Computer System Interface (iSCSI) is an IP-based standard for connecting storage devices. iSCSI uses IP networks to encapsulate SCSI commands, allowing data to be transferred over long distances. iSCSI provides shared storage among a number of client systems. Storage devices are attached to servers (targets). Client systems (initiators) access the remote storage devices over IP networks. To the client systems, the storage devices appear to be locally attached. iSCSI uses the existing IP infrastructure and does not require any additional cabling, as is the case with Fibre Channel (FC) storage area networks.
Configuring an iSCSI Server
RHEL/CentOS 7 uses the Linux-IO (LIO) kernel target subsystem for iSCSI. In addition to iSCSI, LIO supports a number of storage fabrics including Fibre Channel over Ethernet (FCoE), iSCSI access over Mellanox InfiniBand networks (iSER), and SCSI access over Mellanox InfiniBand networks (SRP). In RHEL 7, all storage fabrics are managed with the targetcli utility.
To configure a RHEL system as an iSCSI server, begin by installing the targetcli software package:
# yum install targetcli
Installing the targetcli software package also installs the python-rtslib package, which provides the /usr/lib/systemd/system/target.service file. Before using the targetcli utility to create, delete, and view storage targets, use the systemctl command to enable and start the target service on the iSCSI server.
# systemctl enable target
Created symlink from /etc/systemd/system/multi-user.target.wants/target.service to /usr/lib/systemd/system/target.service.
# systemctl start target
targetcli Utility
The targetcli utility is the administration shell for creating, editing, and viewing the configuration of the kernel’s target subsystem. Run targetcli to enter the configuration shell.
# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> help
Run the help command from the targetcli prompt to view the available commands. Following are some of the available targetcli commands:
- ls: View the object hierarchy.
- cd: Traverse the object hierarchy.
- create: Create storage objects, targets, LUNs, network portals, access control lists.
- exit: Exit the targetcli shell and automatically save the configuration.
You can also enter “targetcli [command]” to run commands without entering the shell.
Backstores
Backstores are the different kinds of local storage resources that the kernel target uses to “back” the SCSI devices it exports to client systems. The mappings to local storage resources that each backstore creates are called storage objects. Use the targetcli ls command to list the different types of backstores.
# targetcli ls /backstores
The types of backstores are described as follows:
- block: Linux block devices such as /dev/sda
- fileio: Any file on a mounted file system such as /tmp/disk1.img
- pscsi: Any storage object that supports pass-through SCSI commands
- ramdisk: Memory copy RAM disks
To create a block backstore from the targetcli shell:
/> cd /backstores/block
/backstores/block> create name=LUN_1 dev=/dev/xvdb
To create a fileio backstore from the targetcli shell:
/> cd /backstores/fileio
/backstores/fileio> create name=LUN_3 /root/disk1.img 5G
Creating an iSCSI Target
To create an iSCSI target from the targetcli shell, use the cd command to change to the /iscsi directory.
/> cd /iscsi
/iscsi>
Use the create command without any arguments to create an iSCSI target by using a default target name. By default, the target is identified by an “iqn” identifier. This is an iSCSI Qualified Name (IQN), which uniquely identifies a target. IQN format addresses are most commonly used to identify a target. This address consists of the following fields:
- Literal iqn
- Date (in yyyy-mm format) that the naming authority took ownership of the domain
- Reversed domain name of the authority
- Optional “:” that prefixes a storage target name specified by the naming authority
/> cd /iscsi
/iscsi> create
Created target iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/iscsi>
To list the created targets, use the following command.
# targetcli ls /iscsi
To allow remote systems to access an iSCSI target on port 3260, either disable the firewalld service on the iSCSI server or configure firewalld to trust the 3260/tcp port. The following example uses firewall-cmd to open the 3260/tcp port for the firewalld service.
# firewall-cmd --permanent --add-port=3260/tcp
If you include the --permanent option when adding a port, use the firewall-cmd command to reload the configuration.
# firewall-cmd --reload
Creating iSCSI LUNs
The kernel target exports SCSI Logical Units to remote systems. Use the targetcli shell to link previously defined storage objects with a target, and to specify which Logical Unit Number (LUN) the device uses. The following example uses the create command to create two new LUNs for a target. From the targetcli shell, begin by using the cd command to change to the luns directory within the [target/TPG] hierarchy.
/iscsi> cd /iscsi/iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb/
/iscsi/iqn.20....b0df6e328beb> cd tpg1/luns
The following commands create a LUN from the previously defined block storage objects.
/iscsi/iqn.20...beb/tpg1/luns> create /backstores/block/LUN_1 lun1
Created LUN 1.
Creating ACLs
Access Control Lists (ACLs) restrict access to LUNs from remote systems. You can create an ACL for each initiator to enforce authentication when the initiator connects to the target. This allows you to give a specific initiator exclusive access to a specific target. The following example uses the create command to create an ACL for an initiator. From the targetcli shell, begin by using the cd command to change to the acls directory within the [target/TPG] hierarchy.
/> cd /iscsi/iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb/tpg1/acls
/iscsi/iqn.20...beb/tpg1/acls> create iqn.1994-05.com.redhat:aabb51a64012
Created Node ACL for iqn.1994-05.com.redhat:aabb51a64012
Created mapped LUN 1.
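The target built above has a default portal on 0.0.0.0 and a node ACL keyed only on the initiator name. The following audit is an added example, not part of the original page or of targetcli: it checks a saved target configuration for those exposure-related settings. It assumes the JSON layout that targetcli saves on exit (normally /etc/target/saveconfig.json); the sample input is constructed from the values on this page.

```python
import json

# Constructed sample in the layout targetcli saves on exit (assumed here to
# be /etc/target/saveconfig.json); IQNs are the ones used on this page.
SAMPLE = json.loads("""
{"targets": [{
  "fabric": "iscsi",
  "wwn": "iqn.2003-01.org.linux-iscsi.user.x8664:sn.b0df6e328beb",
  "tpgs": [{
    "tag": 1,
    "attributes": {"generate_node_acls": 0},
    "portals": [{"ip_address": "0.0.0.0", "port": 3260}],
    "node_acls": [{"node_wwn": "iqn.1994-05.com.redhat:aabb51a64012",
                   "mapped_luns": [{"index": 1, "tpg_lun": 1}]}]
  }]
}]}
""")

WILDCARDS = ("0.0.0.0", "::", "[::]")

def audit(config):
    """Return (target, tpg tag, finding) tuples for exposure-related settings."""
    findings = []
    for target in config.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            where = (target["wwn"], tpg.get("tag"))
            # Dynamic ACLs admit initiators that have no explicit node ACL.
            if int(tpg.get("attributes", {}).get("generate_node_acls", 0)):
                findings.append(where + ("generate_node_acls is enabled",))
            for portal in tpg.get("portals", []):
                if portal.get("ip_address") in WILDCARDS:
                    findings.append(where + ("portal listens on all addresses",))
            for acl in tpg.get("node_acls", []):
                # The initiator name is asserted by the client; CHAP adds a secret.
                if not (acl.get("chap_userid") and acl.get("chap_password")):
                    findings.append(
                        where + ("ACL %s has no CHAP credentials" % acl["node_wwn"],))
    return findings

if __name__ == "__main__":
    for wwn, tag, finding in audit(SAMPLE):
        print("%s tpg%s: %s" % (wwn, tag, finding))
```

On the iSCSI server, load the real file with json.load() and pass the result to audit().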
Configuring an iSCSI Initiator
To configure a Linux system as an iSCSI initiator, install the iscsi-initiator-utils software package. This package is the Linux Open-iSCSI Initiator.
# yum install iscsi-initiator-utils
The package installs several files including the following:
- /etc/iscsi/iscsid.conf: The configuration file read by iscsid and iscsiadm. This file is heavily commented with descriptions for each configuration directive.
- /sbin/iscsid: The Open-iSCSI daemon that implements the control path and management facilities
- /sbin/iscsiadm: The Open-iSCSI administration utility used to discover and log in to iSCSI targets
Edit the /etc/iscsi/initiatorname.iscsi file and replace the InitiatorName parameter with the initiator name that you previously configured as the ACL on the target. There is a default iSCSI initiator name defined in this file. If you used the same name while configuring the ACL, you do not have to change anything here.
# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:aabb51a64012
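A mismatch between InitiatorName and the node ACL on the target makes the login fail, so it is worth checking both the IQN format described earlier and the match itself. The following is an added example, not code from the original page or from Open-iSCSI; the function names are hypothetical, the lowercase-only pattern is a deliberately strict assumption, and the sample inputs are constructed from the IQNs on this page.

```python
import re

# Fields as listed on this page: literal "iqn", yyyy-mm date, reversed
# domain name, optional ":"-prefixed name chosen by the naming authority.
IQN_RE = re.compile(
    r"^iqn\.(?P<date>\d{4}-(?:0[1-9]|1[0-2]))"
    r"\.(?P<authority>[a-z0-9]+(?:[.-][a-z0-9]+)*)"
    r"(?::(?P<name>\S+))?\Z"
)

def parse_iqn(iqn):
    """Split an IQN into its fields; raise ValueError if it is malformed."""
    m = IQN_RE.match(iqn)
    if not m:
        raise ValueError("not a valid IQN: %r" % iqn)
    return m.groupdict()

def read_initiator_name(text):
    """Return the InitiatorName value from initiatorname.iscsi contents."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "InitiatorName":
            return value.strip()
    raise ValueError("no InitiatorName line found")

def check_initiator(text, acl_iqns):
    """Return (ok, detail) for an initiator file against the target's ACLs."""
    try:
        name = read_initiator_name(text)
        parse_iqn(name)  # reject malformed names before comparing
    except ValueError as exc:
        return False, str(exc)
    if name not in acl_iqns:
        return False, "%s has no node ACL on the target" % name
    return True, name

# Constructed sample inputs, using the IQNs shown on this page.
INITIATOR_FILE = "InitiatorName=iqn.1994-05.com.redhat:aabb51a64012\n"
TARGET_ACLS = ["iqn.1994-05.com.redhat:aabb51a64012"]

if __name__ == "__main__":
    print(check_initiator(INITIATOR_FILE, TARGET_ACLS))
```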
Use the systemctl command to enable and start the iscsid service.
# systemctl enable iscsid
# systemctl start iscsid
iSCSI Discovery
Discovery is the process that makes the targets known to an initiator. The following example uses the SendTargets discovery method to discover targets on IP address 192.168.12.13. This command also starts the iscsid daemon if needed.
# iscsiadm -m discovery --type sendtargets -p 192.168.12.13
After discovery, the nodes and send_targets tables in the database are updated:
# ls /var/lib/iscsi/nodes
iqn.2011-12.com.example.mypc:tgt1
iqn.2011-12.com.example.mypc:tgt2
iqn.2012-11.com.example.mypc:tgt3
# ls /var/lib/iscsi/send_targets
192.168.12.13,3260
iSCSI Initiator Sessions
A session is a TCP connection between an initiator node port and a target node port. LUNs are not accessible until a session is established. Use the -l (or --login) option to establish a session:
# iscsiadm -m node -l
To log in to a specific target:
# iscsiadm -m node --targetname iqn.2011-12.com.example.mypc:tgt1 -p 192.0.2.102:3260 -l
Use the -u (or --logout) option to close a session. To view session information:
# iscsiadm -m session [-P [printlevel]]
The print levels are 1, 2, and 3. Each shows more detail.