iSCSI Initiators and Targets

It is possible to configure a RHEL or CentOS server as an iSCSI initiator (a.k.a. client), or as an iSCSI target (a.k.a. server). Typically, a server will be configured as a client to a NAS or SAN device however it is absolutely possible to share a logical volume, partition, or entire disk via iSCSI. Configuring an iSCSI target, or an iSCSI initiator which persistently mounts a target is an RHCE objective and the steps to do both will be detailed below.

1. Setting up an iSCSI Target

The utility used to configure an iSCSI Target is called, targetcli. If it is not already installed on your system, install it from the base repository with:

        yum install targetcli

The service which drives iSCSI target functionality is named target.service. Start and enable it with:

        systemctl enable target.service
        systemctl start target.service

Next select the device you will be making available to clients via iSCSI. As mentioned earlier, this can be an LV, partition, or entire disk. For this demo, I’ll be using a logical volume named san1 that I created in a dedicated volume group named san therefore its full /dev path will be /dev/san/san1, or /dev/mapper/san-san1 if you prefer the /dev/mapper format.

Start the targetcli utility. You’ll notice it’s configuration options are arranged hierarchically and viewing them and moving around between them can be accomplished with familiar linux commands. Targetcli also offers excellent tab completion when you’re stuck. We’ll need to make four configuration changes in here to get an iSCSI target up and running.

1. Create the backstore

Use the cd command to change into the /backstores/block configuration branch to create your backstore. This will address the physical device you’ve chosen to make available via iSCSI. Two arguments are required, dev and name.

    cd /backstores/block
    create dev=/dev/san/san1 name=san1

2. Create the IQN

An IQN, or iSCSI qualified name will be the name used to access your iSCSI block device over Ethernet. An IQN follows the following format:

iqn.yyyy-mm.naming-authority:unique name

That is, iqn dot YYYY-MM dot naming authority in reverse-syntax of the host’s domain name : unique_name. For instance an IQN for a iSCSI target named san1 on a server named san.linuxhistory.com created today would look like iqn.2019-07.com.linuxhistory.san:san1. Use the create keyword to create this IQN:

cd /iscsi
create wwn=iqn.2019-07.com.linuxhistory.san:san1

Now, go back up to the the root of your targetcli configuration tree by issuing the command cd / and view the configurations already in place. You should see a block device under /backstores named san1 and a target under /iscsi with an iqn and associated Target Portal Group, or tpg with associated luns and acls. The luns and acls are blank for now, but we’re about to populate them.

3. Create the LUN

ISCSI devices need a Logical Unit Number, or LUN and we’ll create that next.

cd /iscsi/iqn.2019-07.com.linuxhistory.san:san1/tpg1/luns

now type create and press tab twice to see what devices you have available. Among the list of possibles you should see the physical device you’ve chosen to make available via iSCSI. For me it’s: /backstores/block/san1. I’ll finish this command by creating a LUN on that device:

create /backstores/block/san1

You can specify a LUN number here with lun= or just press enter with what we have above and the lowest LUN will be chosen by default. You know you’ve been successful if targetcli responds with:

Created LUN 0.

4. Create an ACL

Lastly, we’ll need to create an ACL that tells target.service who will be allowed to access our iSCSI device. This is done by putting a sequence of characters known as an Initiator Name into the acl branch or our config tree. To get this sequence we’ll need to go over to our initiator machine and looking it up. So, ssh to or otherwise open a console on your client/initiator machine. First, check to see if the iscsi-initiator-utils package is installed. If it’s not, install it:

yum install iscsi-initiator-utils

Next, look in /etc/iscsi for a file named, initiatorname.iscsi. It should be a one-liner containing something that looks like:

InitiatorName=iqn.1994-05.com.redhat:2d18e5f483e7

You’ll want to copy everything after the = sign for our ACL back on the target machine. While we’re here, lets start and enable the iscsid.service:

systemctl enable iscsid.service
systemctl start iscsid.service

Now, head back to the target which should still be open to the luns branch in targetcli. cd up one branch and down the the acls branch and create your acl:

cd ../acls
create wwn=iqn.1994-05.com.redhat:2d18e5f483e7

cd back to the / of the targetcli config tree and review your creation. We should now see a populated lun and acl branch in addition to everything we saw before. You’ll notice on the portals branch near the bottom of the listing that target.service will be listening on 0.0.0.0:3260, that is any interface, port 3260, so we’ll need to modify the firewall before proceeding.

Modify the firewall

There is a prebuilt service named iscsi-target that may be used or 3260/tcp may be opened explicitally:

firewall-cmd --permanent --add-service=iscsi-target
firewall-cmd --reload

Restart the target service

The last thing to do on the target is to restart the service:

systemctl restart target.service

Now, back to the client.

2. Setting up an iSCSI Initiator

We installed the iscsiadm utility earlier when we installed the iscsi-initiator-utils package. This utility comes with an excellent manpage with detailed examples for discovering and logging into iSCSI devices.

In order to connect to an iSCSI device from an initiator, it is necessary to first run the iscsiadm utility in discovery mode:

iscsiadm --mode discoverydb --type sendtargets --portal 192.168.122.50 --discover

NOTE: Change the IP addresss following the –portal directive to your target’s IP address.

Running this command should net you a string that looks like this:

192.168.122.50:3260,1 iqn.2019-07.com.linuxhistory.san:san1

Now we can connect to that discovered device with the command:

iscsiadm --mode node --targetname iqn.2019-07.com.linuxhistory.san:san1 --portal 192.168.122.50:3260 --login

NOTE: This time you’ll need to change the –targetname to the iqn from the output of your last command AND the –portal to your target’s IP address.

If successful, iscsiadm should report something like the following:

Login to [iface: default, target: iqn.2019-07.com.linuxhistory.san:san1, portal: 192.168.122.50,3260] successful.

We can now verify that we have a new device available for our use on the initator machine with the lsscsi command. If you don’t have the lsscsi command available, you can install it from the base repo.

yum install lsscsi
lsscsi

What we’re looking for in the output of the lsscsi command is a disk type device with the LIO-ORG descriptor in the vendor field (field #3). Mine looks like this:

[2:0:0:0]    disk    LIO-ORG  san1             4.0   /dev/sda 

This means that a disk exposed to our initator as /dev/sda is all ours to do with as we please. To meet the requirements of the RHCE objective, we’ll need to have it mount persistently.

To do this we’ll:

1. Use the fdisk utility to create a partition on /dev/sda

2. Create a mountpoint such as /san1

mkdir /san1

3. Format the new partition with mkfs

mkfs.ext4 -L san1 /dev/sda1

4. Edit the /etc/fstab to mount /dev/sda1 on /san1 and boot time

echo "/dev/sda1       /san1   ext4    _netdev 0 0" >> /etc/fstab

5. Test the mount prior to boot with mount -a and confirming success with the lsblk command

mount -a
lsblk

My output looks like this:

NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                      8:0      0      1.1G  0   disk 
└─sda1               8:1      0      1.1G  0   part    /san1

6. Reboot and check persistence of mounting with lsblk

That’s it! It looks like a lot but if you practice this you’ll have the muscle memory down to repeat it in the exam as well as in real-life after about 3 attempts. To revert to a state before configuration follow these steps:

On the Initiator

1. Unmount the iSCSI disk and remove the line from /etc/fstab that mounts it at boot time

2. Logout of the iSCSI device and delete it from the iscsid database with the following two commands

iscsiadm --mode node --targetname iqn.2019-07.com.linuxhistory.san:san1 --portal 192.168.122.50:3260 --logout
iscsiadm --mode node --targetname iqn.2019-07.com.linuxhistory.san:san1 --portal 192.168.122.50:3260 -o delete

On the Target

3. Open the targetcli utility and remove the configuration with the following

cd /iscsi
delete iqn.2019-07.com.linuxhistory.san:san1
cd /backstores/block
delete san1

4. cd / and ensure there are no configured branches

5. You may optionally remove the disk, partition, or LV that you configured before to start completely from scratch

dcd

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.