It is possible to configure a RHEL or CentOS server as an iSCSI initiator (a.k.a. client), or as an iSCSI target (a.k.a. server). Typically, a server will be configured as a client to a NAS or SAN device however it is absolutely possible to share a logical volume, partition, or entire disk via iSCSI. Configuring an iSCSI target, or an iSCSI initiator which persistently mounts a target is an RHCE objective and the steps to do both will be detailed below.
1. Setting up an iSCSI Target
The utility used to configure an iSCSI Target is called, targetcli. If it is not already installed on your system, install it from the base repository with:
yum install targetcli
The service which drives iSCSI target functionality is named target.service. Start and enable it with:
systemctl enable target.service systemctl start target.service
Next select the device you will be making available to clients via iSCSI. As mentioned earlier, this can be an LV, partition, or entire disk. For this demo, I’ll be using a logical volume named san1 that I created in a dedicated volume group named san therefore its full /dev path will be /dev/san/san1, or /dev/mapper/san-san1 if you prefer the /dev/mapper format.
Start the targetcli utility. You’ll notice it’s configuration options are arranged hierarchically and viewing them and moving around between them can be accomplished with familiar linux commands. Targetcli also offers excellent tab completion when you’re stuck. We’ll need to make four configuration changes in here to get an iSCSI target up and running.
1. Create the backstore
Use the cd command to change into the /backstores/block configuration branch to create your backstore. This will address the physical device you’ve chosen to make available via iSCSI. Two arguments are required, dev and name.
cd /backstores/block create dev=/dev/san/san1 name=san1
2. Create the IQN
An IQN, or iSCSI qualified name will be the name used to access your iSCSI block device over Ethernet. An IQN follows the following format:
That is, iqn dot YYYY-MM dot naming authority in reverse-syntax of the host’s domain name : unique_name. For instance an IQN for a iSCSI target named san1 on a server named san.linuxhistory.com created today would look like iqn.2019-07.com.linuxhistory.san:san1. Use the create keyword to create this IQN:
cd /iscsi create wwn=iqn.2019-07.com.linuxhistory.san:san1
Now, go back up to the the root of your targetcli configuration tree by issuing the command cd / and view the configurations already in place. You should see a block device under /backstores named san1 and a target under /iscsi with an iqn and associated Target Portal Group, or tpg with associated luns and acls. The luns and acls are blank for now, but we’re about to populate them.
3. Create the LUN
ISCSI devices need a Logical Unit Number, or LUN and we’ll create that next.
now type create and press tab twice to see what devices you have available. Among the list of possibles you should see the physical device you’ve chosen to make available via iSCSI. For me it’s: /backstores/block/san1. I’ll finish this command by creating a LUN on that device:
You can specify a LUN number here with lun= or just press enter with what we have above and the lowest LUN will be chosen by default. You know you’ve been successful if targetcli responds with:
Created LUN 0.
4. Create an ACL
Lastly, we’ll need to create an ACL that tells target.service who will be allowed to access our iSCSI device. This is done by putting a sequence of characters known as an Initiator Name into the acl branch or our config tree. To get this sequence we’ll need to go over to our initiator machine and looking it up. So, ssh to or otherwise open a console on your client/initiator machine. First, check to see if the iscsi-initiator-utils package is installed. If it’s not, install it:
yum install iscsi-initiator-utils
Next, look in /etc/iscsi for a file named, initiatorname.iscsi. It should be a one-liner containing something that looks like:
You’ll want to copy everything after the = sign for our ACL back on the target machine. While we’re here, lets start and enable the iscsid.service:
systemctl enable iscsid.service systemctl start iscsid.service
Now, head back to the target which should still be open to the luns branch in targetcli. cd up one branch and down the the acls branch and create your acl:
cd ../acls create wwn=iqn.1994-05.com.redhat:2d18e5f483e7
cd back to the / of the targetcli config tree and review your creation. We should now see a populated lun and acl branch in addition to everything we saw before. You’ll notice on the portals branch near the bottom of the listing that target.service will be listening on 0.0.0.0:3260, that is any interface, port 3260, so we’ll need to modify the firewall before proceeding.
Modify the firewall
There is a prebuilt service named iscsi-target that may be used or 3260/tcp may be opened explicitally:
firewall-cmd --permanent --add-service=iscsi-target firewall-cmd --reload
Restart the target service
The last thing to do on the target is to restart the service:
systemctl restart target.service
Now, back to the client.
2. Setting up an iSCSI Initiator
We installed the iscsiadm utility earlier when we installed the iscsi-initiator-utils package. This utility comes with an excellent manpage with detailed examples for discovering and logging into iSCSI devices.
In order to connect to an iSCSI device from an initiator, it is necessary to first run the iscsiadm utility in discovery mode:
iscsiadm --mode discoverydb --type sendtargets --portal 192.168.122.50 --discover
NOTE: Change the IP addresss following the –portal directive to your target’s IP address.
Running this command should net you a string that looks like this:
Now we can connect to that discovered device with the command:
iscsiadm --mode node --targetname iqn.2019-07.com.linuxhistory.san:san1 --portal 192.168.122.50:3260 --login
NOTE: This time you’ll need to change the –targetname to the iqn from the output of your last command AND the –portal to your target’s IP address.
If successful, iscsiadm should report something like the following:
Login to [iface: default, target: iqn.2019-07.com.linuxhistory.san:san1, portal: 192.168.122.50,3260] successful.
We can now verify that we have a new device available for our use on the initator machine with the lsscsi command. If you don’t have the lsscsi command available, you can install it from the base repo.
yum install lsscsi lsscsi
What we’re looking for in the output of the lsscsi command is a disk type device with the LIO-ORG descriptor in the vendor field (field #3). Mine looks like this:
[2:0:0:0] disk LIO-ORG san1 4.0 /dev/sda
This means that a disk exposed to our initator as /dev/sda is all ours to do with as we please. To meet the requirements of the RHCE objective, we’ll need to have it mount persistently.
To do this we’ll:
1. Use the fdisk utility to create a partition on /dev/sda
2. Create a mountpoint such as /san1
3. Format the new partition with mkfs
mkfs.ext4 -L san1 /dev/sda1
4. Edit the /etc/fstab to mount /dev/sda1 on /san1 and boot time
echo "/dev/sda1 /san1 ext4 _netdev 0 0" >> /etc/fstab
5. Test the mount prior to boot with mount -a and confirming success with the lsblk command
mount -a lsblk
My output looks like this:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 1.1G 0 disk └─sda1 8:1 0 1.1G 0 part /san1
6. Reboot and check persistence of mounting with lsblk
That’s it! It looks like a lot but if you practice this you’ll have the muscle memory down to repeat it in the exam as well as in real-life after about 3 attempts. To revert to a state before configuration follow these steps:
On the Initiator
1. Unmount the iSCSI disk and remove the line from /etc/fstab that mounts it at boot time
2. Logout of the iSCSI device and delete it from the iscsid database with the following two commands
iscsiadm --mode node --targetname iqn.2019-07.com.linuxhistory.san:san1 --portal 192.168.122.50:3260 --logout iscsiadm --mode node --targetname iqn.2019-07.com.linuxhistory.san:san1 --portal 192.168.122.50:3260 -o delete
On the Target
3. Open the targetcli utility and remove the configuration with the following
cd /iscsi delete iqn.2019-07.com.linuxhistory.san:san1 cd /backstores/block delete san1
4. cd / and ensure there are no configured branches
5. You may optionally remove the disk, partition, or LV that you configured before to start completely from scratch