To be honest, I never worked with iSCSI. After some questions, I had a closer look about the protocol. If you don’t have anything to do during a evening, you can read RFC 3720 and RFC 3721.

iSCSI Naming RFC 3721

The first thing you will need if you want to have some hands-on with the protocol is to have some storage which supports iSCSI protocol. If you have a server with VMs running on it, you can easily have some basic Ubuntu images and create your own iSCSI Target. At the end of this blog you can find the iSCSI Terminology

iSCSI Linux Target and Initiator Config

For my own convieniance, I post not only the screenshots with results, but also the commands, so it is easier to copy-paste. (Yes, I am lazy).

I used two Ubuntu images and installed the following packages on it :

On the Target Image :

sudo apt install targetcli-fb

sudo apt install lvm2

 

On the Initiator Image :

sudo apt install open-iscsi

On the target I created already a Logical Volume. You don’t have to do it, but I was curious about the configuration.

Create a Physical Volume
Create a Volume Group.
Create a Logical Volume

sudo pvcreate /dev/sdb2
sudo vgcreate vgiscsi /dev/sdb2
sudo lvcreate -n lviscsi -l 50%VG vgiscsi

 

With the command :

lsblk

you are seeing all blockdevices of the OS.

 

Let’s start :

sudo targetcli

so that we can configure a Target on this image.

 

Within Targetcli we can do also some commands. With the TargetCLI command :

ls

we are seeing that nothing is configured yet.

If you have a config, you can clear it with :

cd /

clearconfig

 

 

 

There are several options to create a backstore. First we are creating a block storage object.

With <tab> you don’t have to fill in the commands completely.

/backstores/block create lvm1 /dev/vgiscsi/lviscsi

 

If you do ls you can verify the command everytime.

 

 

Now we have a block storage object. Create a target with a iqn name. IQN stands for iSCSI Qualified Name.

/iscsi create iqn.2020-02.com.localnet:blocklvm1

 

Before we going to configure the rest, I will have a closer look at the IQN. The IQN always start with iqn followed with a dot (.) and the year and month of when a company had the domain name. In this case you can have unique IQNs.

After the year, you see the domain name, but in reversed order followed by : and a name, serial number or whatever.

Example IQN:

iqn.2020-02.com.localnet:blocklvm1

2020-02 is feb 2020.

com.localnet is the domain localnet.com

and blocklvm1 is in this case the name of the storage. Could be anything what you think is easy.

No we have a iqn name, we have to attach a lun.

cd /iscsi/iqn<tab>/tp<tab>

luns/ create /backstore/block/lvm1

 

 

Every initiator also has a unique iqn. It can have default values or you can change it. In this case I will just fill in some names and later I will change the initiator names.

acls/ create iqn.2020-02.com.localnet:initiator1

ls

 

To have a overview what we configured you can do :

cd /

ls

 

Here are some examples of creating backstores with RAM, File or Partition.

/backstores/ramdisk create name=ram1 size=100MB

 

/backstores/fileiocreate fileio1 /file.img 50M

If the file already exists it will use that size. If it isn’t there yet, it will create a file with the size you configured.

 

 

 

/backstores/block create sd /dev/sdb1

ls

Here you see all the backstores configured.

 

If you don’t configure the portal, it will default listen on all interfaces at port 3260.

 

You can change this, to first delete the default portal and then create a new one

portals/ delete 0.0.0.0 3260

portals/ create 10.1.15.43

ls

 

The config has changed a bit and now this is the result :

 

On the Initiator I can do a discovery of the Target :

sudo iscsiadm –mode discovery –type sendtargets –portal 10.1.15.43

It is possible to have authentication on the discovery. Let’s enable it.

with get discovery_auth you can see all the parameters.

 

 

At the /iscsi level you can setup discovery authentication by :

set discovery_auth password=Cisco123Cisco

set discovery_auth userid=iqn.2020-02.com.localnet:discovery

set discovery_auth enable=1

 

Note : For Linux you can use weak passwords and a non iqn username. Windows don’t like it, thats why this password and username is chosen.

You can see that 1-way discovery authentication is enabled.

 

If you want to do a discovery at the Initiator, you will see a login failure:

 

At the Initiator you must change the file :

sudo vi /etc/iscsi/iscs<tab>

 

Restart the iscsi service at the Initiator

sudo systemctl restart iscsid.service

And now you can discover the Target on the Initiator.

 

Let’s put authentication on the Target :

At the IQN level you see there is nothing configured yet :

 

Let’s configure

set auth userid=user1

set auth password=password

at the TPG level :

set attributre authentication=1

 

 

Because I just created an Initiator name at the Target, the Initiator name must be changed at the Initiator :

sudo vi /etc/iscsi/initiatorname.iscsi

 

 

Change the iscsi config file again and restart the service.

sudo vi /etc/iscsi/iscs<tab>

sudo systemctl restart iscsid.service

 

We can login at the Target via :

sudo iscsiadm –mode node –targetname iqn.2020-02.com.localhost:block1 –portal 10.1.15.43 –login

 

iSCSI Windows Initiator

When connecting a Windows Initiator to a Linux Target, you must remember a few things :

Usernames must be in IQN format.

Windows don’t like easy passwords. (RFC 3720 Recommendation)

You cannot have the same password for discovery and normal CHAP authentication. (RFC 3720)

 

For my Windows Machine I created a new IQN.

 

Open the iSCSI Initiator app on your windows machine. If the service isn’t running, you can get a warning and an opportunity to start the service.

 

And I configured the Target to use Mutual CHAP Secret. It is not necessary, but I thought : Well, let’s give it a try.

Open the Discovery and click on Discover Portal.

Here you fill in the ip address of the Target and click on Advanced.

 

Here you can fill in the CHAP credentials for the discover process.

 

You will discover some backstores of the Target.

 

Click on the right one which we configured. (IQN of the windows machine.)

Fill in the CHAP credentials.

 

And now the Windows Machine and the Target are connected.

 

If you go to Disk Management of the windows machine, you will see new disks (In this case the first one is the 50M. The seconds was the 8Gb)

 

 

Hooray ! We configured a Linux Target, Linux Initiator, Windows Initiator, Discovery Authentication, one-way Target authentication and mutual Target Authentication.

 

Final TargetCLI configuration

Here are some screenshot of my final TargetCLI configuration.

 

 

With the get and set command you can see of set parameters.

Enable the IQN authentication at TPG level.

 

Set the Auth at the IQN level.

 

 

 

iSCSI Terminology.

LUN

Logical Unit Number represents a single addressable iSCSI disk

Target

Server that emulates a backstore to presents it as a LUN to initiators

Target LUN is logical unit itself exported by the target server

ACL

Access control list

IQN

iSCSI Qualified Name is a unique name to identify the iSCSI target server

Iqn:2018-03.com.localnet:maillun

Alias

Optional string up to 255 char describing the target

iSCSI Authentication

Authentication is handled by challenge-handshake protocol CHAP

Modes

CHAP initiator authentication

Mutual CHAP authentication

Demo Mode (Authentication is disabled. Default)

Backstore

Storage resource that backs the LUN

This resource may be :

Entire physical device

Partition

RAID Device

LVM Logical volume

File

Initiator

A client that accesses the LUNs on a target iSCSI server

iSNS

iSCSI Storage Name Service used by an initiator to discover shared LUNs

Node

Single discoverable object on a iSCSI SAN

Portal

Combination of an IP address and port

Default iSCSI listen on port 3260

 

More storage related links :

MDS

HyperFlex

Please follow and like us:
onpost_follow
Tweet
Share