14.1.5 Lab: Configure an iSCSI Target


planetorganic

Oct 28, 2025 · 10 min read


    Let's dive into configuring an iSCSI target, a critical skill for any system administrator dealing with networked storage solutions. iSCSI, or Internet Small Computer Systems Interface, allows you to use your existing IP network to transport SCSI commands, essentially turning a server into a networked storage device accessible by other machines. This lab will guide you through the process, providing a solid understanding of how to set up and manage an iSCSI target.

    Introduction to iSCSI

    iSCSI (Internet Small Computer Systems Interface) is an IP-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI enables location-independent data access. In simpler terms, it allows a server to act as a hard drive for another server, even if they are physically located in different places. This makes it a powerful tool for creating centralized storage solutions, virtual machine environments, and disaster recovery setups. iSCSI leverages the existing TCP/IP infrastructure, meaning you don't need specialized hardware like Fibre Channel, making it a cost-effective solution. It’s a key component in many modern data centers and enterprise storage strategies.

    Why Use iSCSI?

    • Cost-Effectiveness: Leverages existing IP infrastructure, reducing hardware costs.
    • Flexibility: Allows centralized storage management, improving data availability and utilization.
    • Scalability: Easily expand storage capacity without significant infrastructure changes.
    • Disaster Recovery: Facilitates remote replication and backup for business continuity.
    • Virtualization: Ideal for virtual machine storage, offering shared and scalable storage pools.

    Key iSCSI Components

    Before configuring an iSCSI target, it's essential to understand the key components:

    • iSCSI Target: The server or storage device that provides the storage resources. Think of it as the "hard drive" being shared over the network.
    • iSCSI Initiator: The client machine that wants to access the storage provided by the target. This is the server that will "mount" the shared storage.
    • iSCSI Qualified Name (IQN): A unique identifier for both the target and the initiator. It's like an address for the iSCSI devices.
    • Logical Unit Number (LUN): A unique identifier for a specific storage volume on the target. The initiator uses the LUN to access the correct storage space.

    Lab Environment Setup

    For this lab, you'll need two servers:

    • iSCSI Target Server: This server will host the iSCSI target and share its storage. A Linux distribution like CentOS, Ubuntu, or Debian is ideal.
    • iSCSI Initiator Server: This server will connect to the iSCSI target and use the shared storage. Again, a Linux distribution is recommended.

    Both servers should be on the same network to ensure connectivity. You'll also need root access to both servers to install and configure the necessary software.

    Software Requirements

    • Target Server: targetcli (or tgtadm depending on your distribution), lio-utils (or equivalent)
    • Initiator Server: iscsiadm (provided by the open-iscsi package on Debian/Ubuntu and by iscsi-initiator-utils on CentOS/RHEL)

    These packages can usually be installed using your distribution's package manager. For example, on Debian/Ubuntu:

    sudo apt update
    # On current Debian/Ubuntu releases targetcli is packaged as targetcli-fb
    sudo apt install targetcli-fb open-iscsi
    

    And on CentOS/RHEL:

    sudo yum install targetcli iscsi-initiator-utils
    

    Basic Network Configuration

    Ensure both servers have static IP addresses within the same subnet and can ping each other. This is crucial for establishing a reliable iSCSI connection. For example:

    • Target Server: 192.168.1.10
    • Initiator Server: 192.168.1.20

    Use the ifconfig or ip addr command to verify network configuration and ping to test connectivity.

    Configuring the iSCSI Target (Step-by-Step)

    Now, let's configure the iSCSI target server. We'll use targetcli, a powerful command-line tool for managing LIO (Linux I/O) targets.

    1. Install and Start the Target Service

    If you haven't already, install targetcli and its dependencies. Then, start the target service and ensure it's enabled to start on boot:

    sudo systemctl start target
    sudo systemctl enable target
    

    2. Launch targetcli

    Run the targetcli command to enter the interactive configuration shell:

    sudo targetcli
    

    You'll see a prompt that looks like this: />.

    3. Create a Backing Store

    The backing store is the actual storage that will be shared. This can be a file, a block device (like a partition), or even a logical volume. For this example, we'll create a file:

    cd /backstores/fileio
    create my_iscsi_image /path/to/your/iscsi_image.img 10G
    
    • Replace /path/to/your/iscsi_image.img with the desired path and filename for the image file.
    • 10G specifies the size of the image (10 gigabytes in this case). Adjust this to your needs.

    Important: Ensure you have enough free space on the filesystem where you're creating the image file.

    4. Create an iSCSI Target

    Now, create the iSCSI target. This is where you'll define the IQN.

    cd /iscsi
    create iqn.2024-10.com.example:mytarget
    
    • iqn.2024-10.com.example:mytarget is the IQN for your target.
      • iqn indicates that it's an iSCSI Qualified Name.
      • 2024-10 is the year and month of the organization's domain registration, in yyyy-mm format.
      • com.example is the reverse domain name of the organization.
      • mytarget is a unique name for this specific target.

    Best Practice: Use a meaningful and unique IQN to avoid conflicts.

    5. Create a LUN (Logical Unit Number)

    Associate the backing store (the image file we created earlier) with the target as a LUN:

    cd iqn.2024-10.com.example:mytarget/tpg1/luns
    create /backstores/fileio/my_iscsi_image
    

    This command creates a LUN and links it to the my_iscsi_image backing store.

    6. Configure Access Control (ACL)

    You need to allow the initiator server to access the target. This is done by creating an ACL based on the initiator's IQN.

    First, determine the IQN of the initiator server (we'll configure this later). Let's assume it's iqn.2024-10.com.example:myinitiator.

    cd /iscsi/iqn.2024-10.com.example:mytarget/tpg1/acls
    create iqn.2024-10.com.example:myinitiator
    

    This command creates an ACL for the initiator, allowing it to connect to the target.

    7. Configure Network Portal (Optional, but Recommended)

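    By default, targetcli creates a 0.0.0.0:3260 portal together with the target, so the target listens on all network interfaces. To restrict access to a specific interface, delete that default portal and create one bound to a single address.

    cd /iscsi/iqn.2024-10.com.example:mytarget/tpg1/portals
    delete 0.0.0.0 3260
    create 192.168.1.10
    
    • delete 0.0.0.0 3260 removes the default wildcard portal. While it exists, the target keeps listening on every interface.
    • 192.168.1.10 is the IP address of the target server.
    • If you omit the IP address, the target will listen on all interfaces.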

    8. Save the Configuration and Exit

    Save the configuration to disk so that it's loaded automatically on reboot:

    cd /
    saveconfig
    exit
    

    The iSCSI target is now configured and ready to accept connections.

    Configuring the iSCSI Initiator (Step-by-Step)

    Now, let's configure the iSCSI initiator server to connect to the target.

    1. Install and Start the Initiator Service

    If you haven't already, install the package that provides iscsiadm (open-iscsi on Debian/Ubuntu, iscsi-initiator-utils on CentOS/RHEL). Then, start the iSCSI initiator service and ensure it's enabled to start on boot:

    sudo systemctl start iscsid
    sudo systemctl enable iscsid
    

    2. Discover the iSCSI Target

    Use the iscsiadm command to discover the iSCSI target:

    sudo iscsiadm -m discovery -t st -p 192.168.1.10
    
    • -m discovery specifies the discovery mode.
    • -t st specifies the SendTargets discovery method.
    • -p 192.168.1.10 specifies the IP address of the iSCSI target.

    This command will scan the target server for available iSCSI targets and display their IQNs. You should see the IQN we configured earlier: iqn.2024-10.com.example:mytarget.

    3. Configure Initiator Name (Important!)

    Before connecting, you need to ensure the initiator has a unique IQN. This is usually automatically generated, but it's good practice to verify it.

    Check the contents of the /etc/iscsi/initiatorname.iscsi file:

    cat /etc/iscsi/initiatorname.iscsi
    

    It should contain a line like this:

    InitiatorName=iqn.2024-10.com.example:myinitiator
    
    • If the IQN is different from what you expected (e.g., if it doesn't match the ACL you created on the target), edit the file to set the correct IQN.
    • After making changes, restart the iscsid service:
    sudo systemctl restart iscsid
    

    4. Login to the iSCSI Target

    Use the iscsiadm command to log in to the iSCSI target:

    sudo iscsiadm -m node -T iqn.2024-10.com.example:mytarget -l
    
    • -m node specifies the node mode.
    • -T iqn.2024-10.com.example:mytarget specifies the IQN of the target.
    • -l specifies the login action.

    This command will establish a connection to the iSCSI target and make the storage available as a block device.

    5. Verify the Connection

    Check the system logs for any errors. You can also use the dmesg command to view kernel messages related to the iSCSI connection:

    dmesg | grep iscsi
    

    You should see messages indicating a successful connection to the target.

    6. Find the Block Device

    The iSCSI target will appear as a new block device on the initiator server. Use the lsblk command to list available block devices:

    lsblk
    

    You should see a new device, typically named something like /dev/sdb or /dev/sdc. This is the LUN exported by the iSCSI target.

    7. Format the Block Device (Optional)

    If this is a new storage volume, you'll need to format it with a filesystem before you can use it.

    Warning: Formatting will erase any existing data on the device.

    sudo mkfs.ext4 /dev/sdb
    
    • Replace /dev/sdb with the actual device name.
    • mkfs.ext4 formats the device with the ext4 filesystem. You can use other filesystems like XFS or Btrfs if you prefer.

    8. Mount the Block Device

    Create a mount point and mount the block device:

    sudo mkdir /mnt/iscsi
    sudo mount /dev/sdb /mnt/iscsi
    
    • /mnt/iscsi is the mount point. You can choose any directory you like.
    • /dev/sdb is the block device.

    9. Verify the Mount

    Use the df -h command to verify that the iSCSI target is mounted:

    df -h
    

    You should see an entry for the mounted device, showing its size and available space.

    10. Configure Persistent Mount (Important!)

    To ensure the iSCSI target is automatically mounted on boot, add an entry to the /etc/fstab file.

    First, get the UUID of the block device:

    sudo blkid /dev/sdb
    

    You'll see output like this:

    /dev/sdb: UUID="a1b2c3d4-e5f6-7890-1234-567890abcdef" TYPE="ext4"
    

    Copy the UUID. Then, edit the /etc/fstab file:

    sudo nano /etc/fstab
    

    Add a line like this to the end of the file:

    UUID=a1b2c3d4-e5f6-7890-1234-567890abcdef /mnt/iscsi ext4 defaults,_netdev 0 0
    
    • UUID=... specifies the UUID of the block device.
    • /mnt/iscsi is the mount point.
    • ext4 is the filesystem type.
    • defaults,_netdev are the mount options. _netdev is crucial; it tells the system to wait for the network to be up before mounting the device.
    • 0 0 are dump and fsck options (usually set to 0 for network filesystems).

    Save the file and exit.

    Now, the iSCSI target will be automatically mounted on boot.

    Troubleshooting Tips

    • Connectivity Issues: Ensure both servers can ping each other. Check firewall rules that might be blocking iSCSI traffic (port 3260).
    • IQN Mismatch: Double-check the IQNs on both the target and initiator. They must match the ACL configuration.
    • Target Not Discovered: Verify that the target service is running on the target server. Check network connectivity.
    • Login Failures: Check the system logs for authentication errors. Ensure the initiator's IQN is allowed access on the target.
    • Mounting Issues: Verify that the block device exists (lsblk) and is formatted with a filesystem. Check the /etc/fstab entry for errors.

    Security Considerations

    iSCSI traffic is not encrypted by default, which makes it vulnerable to eavesdropping. Consider these security measures:

    • CHAP Authentication: Use CHAP (Challenge Handshake Authentication Protocol) to authenticate the initiator to the target. This requires configuring a username and password on both sides. CHAP protects only the login; it does not encrypt the data that follows.
    • IPsec: Encrypt iSCSI traffic using IPsec (Internet Protocol Security). This provides strong encryption but can be more complex to configure.
    • VLANs: Isolate iSCSI traffic on a separate VLAN to limit exposure.
    • Firewall Rules: Restrict access to the iSCSI target to only authorized initiators.
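
An added example, not part of the original lab or of targetcli: a Python audit of the target's saved configuration for the weaknesses this section and steps 6 and 7 touch on (IQN-only ACLs, unenforced CHAP, a wildcard portal). The JSON field names and the /etc/target/saveconfig.json location are assumptions based on the rtslib-fb save format, and the sample configuration is constructed.

```python
import json

# Constructed sample in the layout targetcli/rtslib-fb writes on `saveconfig`
# (assumed location: /etc/target/saveconfig.json). It mirrors the lab as built
# above: an IQN-only ACL, no CHAP, and the default wildcard portal.
SAMPLE = json.loads("""
{"targets": [{"fabric": "iscsi", "wwn": "iqn.2024-10.com.example:mytarget",
  "tpgs": [{"tag": 1, "enable": true,
    "attributes": {"authentication": 0, "generate_node_acls": 0},
    "node_acls": [{"node_wwn": "iqn.2024-10.com.example:myinitiator"}],
    "portals": [{"ip_address": "0.0.0.0", "port": 3260}]}]}]}
""")

MIN_SECRET = 12  # assumed policy: 96-bit minimum CHAP secret when IPsec is not used


def audit(config):
    """Return (location, finding) tuples for weak iSCSI target settings."""
    findings = []
    for tgt in config.get("targets", []):
        if tgt.get("fabric") != "iscsi":
            continue
        for tpg in tgt.get("tpgs", []):
            where = f"{tgt['wwn']}/tpg{tpg['tag']}"
            attrs = tpg.get("attributes", {})
            # Demo mode creates ACLs on the fly, so the ACL list stops mattering.
            if int(attrs.get("generate_node_acls", 0)):
                findings.append((where, "generate_node_acls=1: any initiator IQN may log in"))
            # With authentication=0 an initiator can negotiate AuthMethod=None.
            if not int(attrs.get("authentication", 0)):
                findings.append((where, "authentication=0: CHAP is not enforced"))
            for portal in tpg.get("portals", []):
                if portal["ip_address"] in ("0.0.0.0", "::"):
                    findings.append((where, f"portal on all interfaces, port {portal['port']}"))
            for acl in tpg.get("node_acls", []):
                secret = acl.get("chap_password", "")
                if not acl.get("chap_userid") or not secret:
                    findings.append((acl["node_wwn"], "ACL has no CHAP userid/password"))
                elif len(secret) < MIN_SECRET:
                    findings.append((acl["node_wwn"], f"CHAP secret under {MIN_SECRET} characters"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{where}: {finding}")
```

To check a real target, load its saved configuration with json.load() and pass the result to audit(); an empty list means none of these four conditions was found.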

    Advanced Configuration

    • Multiple LUNs: You can create multiple LUNs on a single target to provide different storage volumes.
    • Multipathing: Use multipathing to create redundant connections to the target, improving availability and performance.
    • Thin Provisioning: Use thin provisioning to allocate storage space on demand, saving space and improving utilization.
    • Snapshotting: Use snapshotting to create point-in-time copies of the data, facilitating backups and disaster recovery.

    Conclusion

    Configuring an iSCSI target is a fundamental skill for system administrators managing networked storage. By following these steps, you can create a flexible, scalable, and cost-effective storage solution for your environment. Remember to pay attention to security considerations and explore the advanced configuration options to optimize your iSCSI setup. This lab provides a solid foundation for further exploration and experimentation with iSCSI technology. Remember to test thoroughly and document your configuration for future reference.
