How to Build your Own Secure Storage Using iSCSI SAN Storage – Part 1

Secure Storage using iSCSI SAN Storage

iSCSI stands for Internet Small Computer Systems Interface. It is an IP-based, block-level storage protocol for managing storage devices over TCP/IP networks, especially over long distances. iSCSI transports block-level data between an iSCSI initiator on a client machine and an iSCSI target on a storage device.

Outline of the iSCSI target server:

Package          : targetcli
Operating System : Red Hat Enterprise Linux 7
Ports Used       : 3260
Usage            : Block-level protocol for managing storage devices over TCP/IP networks
Daemon           : target

My Setup:

iSCSI target server details:
IP Address: 192.168.1.1
Hostname: server1
Operating System: RHEL 7

iSCSI initiator client machines:
IP Address: 192.168.1.2
Hostname: ftpserver
Operating System: Windows 10

IP Address: 192.168.1.3
Hostname: dbserver
Operating System: CentOS 7

IP Address: 192.168.1.4
Hostname: webserver
Operating System: Ubuntu 15.10

In our demonstration, we will create three 4GB LVM disks on the target server to use as shared storage for the clients (Windows and Linux); refer to the diagram below.

[Diagram: iscsi_san_diagram]

Steps to Configure the iSCSI Target

1)  Install the package and start and enable the service.

Install the “targetcli” package on the server. If you have not configured a yum repository yet, refer to the link “Configure the Yum Server in Centos7/RHEL7/Fedora22”.

[root@server1 ~]# yum install targetcli

After the installation completes, we will start and enable the service as follows:

[root@server1 ~]# systemctl start target
[root@server1 ~]# systemctl enable target
ln -s '/usr/lib/systemd/system/target.service' '/etc/systemd/system/multi-user.target.wants/target.service'
[root@server1 ~]#

2)  Add the iSCSI port to the firewall.

Open the default iSCSI port (3260/tcp) in the firewall permanently, as shown below.

[root@server1 ~]# firewall-cmd --permanent --add-port=3260/tcp
success
[root@server1 ~]# firewall-cmd --reload
success
[root@server1 ~]#

3) Create the disk structure to use as the backing store device.

In our demonstration, we will create three 4GB LVM disks on the target server to use as shared storage for the clients. First, list the disks attached to the target server using the command below.

[root@server1 ~]# lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0    8G  0 disk
+-sda1          8:1    0  500M  0 part /boot
+-sda2          8:2    0  7.5G  0 part
  +-rhel-root 253:0    0  6.7G  0 lvm  /
  +-rhel-swap 253:1    0  820M  0 lvm  [SWAP]
sdb             8:16   0    5G  0 disk
+-sdb1          8:17   0    5G  0 part /RHELISO
sdc             8:32   0   20G  0 disk
sr0            11:0    1 1024M  0 rom

We have a 20G drive (sdc) on the target server. Use fdisk to create a new partition on it for use with LVM.

[root@server1 ~]# fdisk /dev/sdc
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x0d0260be.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): e
Partition number (1-4, default 1): 1
First sector (2048-41943039, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-41943039, default 41943039): 41943039
Partition 1 of type Extended and of size 20 GiB is set

Command (m for help):  p

Disk /dev/sdc: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0d0260be

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    41943039    20970496    5  Extended

Command (m for help): n
Partition type:
   p   primary (0 primary, 1 extended, 3 free)
   l   logical (numbered from 5)
Select (default p): l
Adding logical partition 5
First sector (4096-41943039, default 4096): 4096
Last sector, +sectors or +size{K,M,G} (4096-41943039, default 41943039): 41943039
Partition 5 of type Linux and of size 20 GiB is set

Command (m for help): p

Disk /dev/sdc: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0d0260be

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    41943039    20970496    5  Extended
/dev/sdc5            4096    41943039    20969472   83  Linux

In fdisk, use “m” for help, “p” to print the existing partition table, “n” to create a new partition, “t” to change the partition type, and “w” to write the changes.
Note: Always set the partition type of an LVM partition to Linux LVM (hex code 8e), using the command below.

Command (m for help): t
Partition number (1,5, default 5): 5
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'

Command (m for help): p

Disk /dev/sdc: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0d0260be

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    41943039    20970496    5  Extended
/dev/sdc5            4096    41943039    20969472   8e  Linux LVM

Write the change to the partition table.

Command (m for help):w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Use partprobe to register the new partition with the kernel.

[root@server1 ~]# partprobe /dev/sdc5
[root@server1 ~]#

Create an LVM volume group named “volgrp1” using the partition (/dev/sdc5) created in the previous step.

[root@server1 ~]# pvcreate /dev/sdc5
  Physical volume "/dev/sdc5" successfully created
[root@server1 ~]# vgcreate volgrp1 /dev/sdc5
  Volume group "volgrp1" successfully created
[root@server1 ~]#

Create three 4G logical volumes named ftplv, databaseblv and webserverlv in the new volume group.

[root@server1 ~]# lvcreate  -L 4G -n ftplv volgrp1
  Logical volume "ftplv" created
[root@server1 ~]# lvcreate  -L 4G -n databaseblv volgrp1
  Logical volume "databaseblv" created
[root@server1 ~]# lvcreate  -L 4G -n webserverlv volgrp1
  Logical volume "webserverlv" created
[root@server1 ~]#

4) iSCSI target configuration.

targetcli is both a command-line utility and an interactive shell in which to create, delete and configure iSCSI target components. Run “targetcli” with no options to enter interactive mode.

[root@server1 ~]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> ls
o- / ............................................................................................... [...]
  o- backstores .................................................................................... [...]
  | o- block ........................................................................ [Storage Objects: 0]
  | o- fileio ....................................................................... [Storage Objects: 0]
  | o- pscsi ........................................................................ [Storage Objects: 0]
  | o- ramdisk ...................................................................... [Storage Objects: 0]
  o- iscsi .................................................................................. [Targets: 0]
  o- loopback ............................................................................... [Targets: 0]
/>


Next, create the backing storage (backstores). Use the existing logical volume (/dev/volgrp1/ftplv) as a block-type backing store for the storage object “ftpblock”.

/> cd backstores/block
/backstores/block> create ftpblock /dev/volgrp1/ftplv
Created block storage object ftpblock using /dev/volgrp1/ftplv.
/backstores/block> ls
o- block ............................................................................ [Storage Objects: 1]
  o- ftpblock ....................................... [/dev/volgrp1/ftplv (4.0GiB) write-thru deactivated]
/backstores/block>


Similarly, create the backing storage for the remaining storage objects (databaseblock, webserverblock).

/backstores/block> create databaseblock /dev/volgrp1/databaseblv
Created block storage object databaseblock using /dev/volgrp1/databaseblv.
/backstores/block> create webserverblock /dev/volgrp1/webserverlv
Created block storage object webserverblock using /dev/volgrp1/webserverlv.
/backstores/block> ls
o- block ............................................................................ [Storage Objects: 3]
  o- databaseblock ............................ [/dev/volgrp1/databaseblv (4.0GiB) write-thru deactivated]
  o- ftpblock ....................................... [/dev/volgrp1/ftplv (4.0GiB) write-thru deactivated]
  o- webserverblock ........................... [/dev/volgrp1/webserverlv (4.0GiB) write-thru deactivated]
/backstores/block>


Now create an IQN for the target.

/backstores/block> cd ../../iscsi
/iscsi> create iqn.2017-01.in.ittroubleshooter:wwn
Created target iqn.2017-01.in.ittroubleshooter:wwn.
Created TPG 1.
/iscsi> ls
o- iscsi ................................................................................................. [Targets: 1]
  o- iqn.2017-01.in.ittroubleshooter:wwn .................................................................... [TPGs: 1]
    o- tpg1 .................................................................................... [no-gen-acls, no-auth]
      o- acls ............................................................................................... [ACLs: 0]
      o- luns ............................................................................................... [LUNs: 0]
      o- portals ......................................................................................... [Portals: 0]


Note:
An IQN is an iSCSI Qualified Name (a worldwide unique name) used to identify both initiators and targets. The mandated naming format is:

iqn.YYYY-MM.com.reversed.domain[:optional_string]

Create an ACL for the client node. The initiator name configured on the client later must match this ACL entry exactly.

/iscsi> cd iqn.2017-01.in.ittroubleshooter:wwn/tpg1/acls
/iscsi/iqn.20...wwn/tpg1/acls> create  iqn.2017-01.in.ittroubleshooter:allserveracl
Created Node ACL for iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/acls> ls
o- acls ..................................................................................................... [ACLs: 1]
  o- iqn.2017-01.in.ittroubleshooter:allserveracl .................................................... [Mapped LUNs: 0]


Create a LUN for each existing backstore.

/iscsi/iqn.20...wwn/tpg1/acls> cd ../luns
/iscsi/iqn.20...wwn/tpg1/luns> create /backstores/block/ftpblock
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/luns> ls
o- luns ..................................................................................................... [LUNs: 1]
  o- lun0 ....................................................................... [block/ftpblock (/dev/volgrp1/ftplv)]


Similarly, create a LUN for each of the remaining backstores, using the storage objects named databaseblock and webserverblock created earlier.

/iscsi/iqn.20...wwn/tpg1/luns> create /backstores/block/databaseblock
Created LUN 1.
Created LUN 1->1 mapping in node ACL iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/luns> create /backstores/block/webserverblock
Created LUN 2.
Created LUN 2->2 mapping in node ACL iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/luns> ls
o- luns ..................................................................................................... [LUNs: 3]
  o- lun0 ....................................................................... [block/ftpblock (/dev/volgrp1/ftplv)]
  o- lun1 ............................................................ [block/databaseblock (/dev/volgrp1/databaseblv)]
  o- lun2 ........................................................... [block/webserverblock (/dev/volgrp1/webserverlv)]


Create a portal configuration to designate the listening IP address and port.

/iscsi/iqn.20...er1/tpg1/acls> cd ../portals
/iscsi/iqn.20.../tpg1/portals> create 192.168.1.1 ip_port=3260
Using default IP port 3260
Created network portal 192.168.1.1:3260.
/iscsi/iqn.20.../tpg1/portals> ls
o- portals ............................................................................................................ [Portals: 1]
  o- 192.168.1.1:3260 ......................................................................................................... [OK]
/iscsi/iqn.20.../tpg1/portals>


View the entire configuration of the target server.

/iscsi/iqn.20.../tpg1/portals> cd /
/> ls
o- / ............................................................................................................ [...]
  o- backstores ................................................................................................. [...]
  | o- block ..................................................................................... [Storage Objects: 3]
  | | o- databaseblock ....................................... [/dev/volgrp1/databaseblv (4.0GiB) write-thru activated]
  | | o- ftpblock .................................................. [/dev/volgrp1/ftplv (4.0GiB) write-thru activated]
  | | o- webserverblock ...................................... [/dev/volgrp1/webserverlv (4.0GiB) write-thru activated]
  | o- fileio .................................................................................... [Storage Objects: 0]
  | o- pscsi ..................................................................................... [Storage Objects: 0]
  | o- ramdisk ................................................................................... [Storage Objects: 0]
  o- iscsi ............................................................................................... [Targets: 1]
  | o- iqn.2017-01.in.ittroubleshooter:wwn .................................................................. [TPGs: 1]
  |   o- tpg1 .................................................................................. [no-gen-acls, no-auth]
  |     o- acls ............................................................................................. [ACLs: 1]
  |     | o- iqn.2017-01.in.ittroubleshooter:allserveracl ............................................ [Mapped LUNs: 3]
  |     |   o- mapped_lun0 ................................................................. [lun0 block/ftpblock (rw)]
  |     |   o- mapped_lun1 ............................................................ [lun1 block/databaseblock (rw)]
  |     |   o- mapped_lun2 ........................................................... [lun2 block/webserverblock (rw)]
  |     o- luns ............................................................................................. [LUNs: 3]
  |     | o- lun0 ............................................................... [block/ftpblock (/dev/volgrp1/ftplv)]
  |     | o- lun1 .................................................... [block/databaseblock (/dev/volgrp1/databaseblv)]
  |     | o- lun2 ................................................... [block/webserverblock (/dev/volgrp1/webserverlv)]
  |     o- portals ....................................................................................... [Portals: 1]
  |       o- 192.168.1.1:3260 .................................................................................... [OK]
  o- loopback ............................................................................................ [Targets: 0]


Now save the configuration and exit targetcli.

 /> saveconfig
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
[root@server1 ~]#
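The interactive session above can also be driven from a script, since targetcli accepts one command per invocation. The block below is an added example, not code from the original post; it reproduces the post's object names, IQNs and portal address, and assumes it runs as root on the target server with targetcli installed. Note that the tpg1 listing above shows no-auth, so the IQN in the ACL entry is the only check on which initiator may attach these LUNs.

```shell
#!/bin/sh
# Added example: the post's target configuration as one-shot targetcli
# commands.  Values are the ones used in the post.
TARGET_IQN="iqn.2017-01.in.ittroubleshooter:wwn"
ACL_IQN="iqn.2017-01.in.ittroubleshooter:allserveracl"
PORTAL_IP="192.168.1.1"
VG="volgrp1"

# Emit one targetcli command per line, in dependency order: backstores,
# then the target (which creates tpg1), the ACL before the LUNs so each new
# LUN is auto-mapped into it (as in the session above), then the portal.
gen_targetcli_commands() {
    echo "/backstores/block create ftpblock /dev/$VG/ftplv"
    echo "/backstores/block create databaseblock /dev/$VG/databaseblv"
    echo "/backstores/block create webserverblock /dev/$VG/webserverlv"
    echo "/iscsi create $TARGET_IQN"
    echo "/iscsi/$TARGET_IQN/tpg1/acls create $ACL_IQN"
    echo "/iscsi/$TARGET_IQN/tpg1/luns create /backstores/block/ftpblock"
    echo "/iscsi/$TARGET_IQN/tpg1/luns create /backstores/block/databaseblock"
    echo "/iscsi/$TARGET_IQN/tpg1/luns create /backstores/block/webserverblock"
    # Newer targetcli releases add a default 0.0.0.0:3260 portal when the
    # target is created; delete it first there, or this step fails.
    echo "/iscsi/$TARGET_IQN/tpg1/portals create $PORTAL_IP ip_port=3260"
    echo "saveconfig"
}

# Number of commands the generator emits (handy for scripted sanity checks).
gen_command_count() {
    gen_targetcli_commands | wc -l | tr -d ' '
}

# Run each generated command through targetcli's one-shot mode; stop at the
# first failure so a half-built target is not silently left behind.
apply_targetcli_commands() {
    gen_targetcli_commands | while IFS= read -r cmd; do
        targetcli "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}
```

Run apply_targetcli_commands on the target server, then verify with targetcli ls as the post does.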


After saving the configuration, restart the target service and check its status.

[root@server1 ~]# systemctl restart target
[root@server1 ~]# systemctl status target
target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; enabled)
   Active: active (exited) since Wed 2017-01-11 05:34:16 EST; 5s ago
  Process: 2820 ExecStop=/usr/bin/targetctl clear (code=exited, status=0/SUCCESS)
  Process: 2830 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)
 Main PID: 2830 (code=exited, status=0/SUCCESS)

Jan 11 05:34:16 server1 systemd[1]: Starting Restore LIO kernel target configuration...
Jan 11 05:34:16 server1 systemd[1]: Started Restore LIO kernel target configuration.
[root@server1 ~]#


Configure the iSCSI Initiator on CentOS 7 systems

1) Install the Initiator Package.

To configure a client machine (CentOS 7) to use this target as storage, install the package below on the client machine (dbserver).

[root@dbserver ~]# yum install iscsi-initiator-utils -y

2)  Edit the initiatorname.iscsi configuration file, then enable and start the iSCSI client service.

Edit the file below and set the iSCSI initiator name to the name used in the target's ACL.

[root@dbserver ~]# vim /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2017-01.in.ittroubleshooter:allserveracl
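The initiator name above must be a well-formed IQN (the format given in the note on the target side) and must match the ACL entry on the target, since tpg1 was left at no-auth and the ACL name is the only gate. The following is an added example, not code from the original post: it validates an IQN against that format and checks a client's initiatorname.iscsi against the target's ACL list; the sample file it writes is constructed from the post's values.

```shell
#!/bin/sh
# Added example: IQN format check and initiator-name vs ACL check.

# Format from the post: iqn.YYYY-MM.com.reversed.domain[:optional_string].
# RFC 3720 allows lowercase letters, digits, '.', '-' and ':' in the name
# and limits it to 223 bytes; month must be 01-12.
is_valid_iqn() {
    [ ${#1} -le 223 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9-]+(\.[a-z0-9-]+)*(:[a-z0-9.:-]+)?$'
}

# Read the InitiatorName= value from an initiatorname.iscsi style file ($1).
initiator_name_from_conf() {
    sed -n 's/^[[:space:]]*InitiatorName=//p' "$1" | head -n 1
}

# $1 = initiator name; remaining args = ACL entries on the target's TPG.
# Returns 0 only if the name matches an ACL entry exactly.
acl_allows_initiator() {
    name=$1; shift
    for acl in "$@"; do
        [ "$acl" = "$name" ] && return 0
    done
    return 1
}

# Constructed sample: the client file from the post, written to a temp file,
# checked against the ACL created on the target in the post.
demo_initiator_check() {
    tmp=$(mktemp)
    printf 'InitiatorName=%s\n' "iqn.2017-01.in.ittroubleshooter:allserveracl" > "$tmp"
    name=$(initiator_name_from_conf "$tmp")
    rm -f "$tmp"
    is_valid_iqn "$name" || { echo "invalid IQN: $name"; return 2; }
    acl_allows_initiator "$name" "iqn.2017-01.in.ittroubleshooter:allserveracl" \
        && echo "initiator $name matches an ACL entry"
}
```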

Restart and enable the initiator service.

[root@dbserver ~]# systemctl enable iscsid; systemctl restart iscsid
ln -s '/usr/lib/systemd/system/iscsid.service' '/etc/systemd/system/multi-user.target.wants/iscsid.service'
[root@dbserver ~]#

For more examples of the iscsiadm command, refer to the link below:

Examples of iscsiadm Command on Linux.

3) Log in to the configured target on the iSCSI target server.

Log in to the presented iSCSI target using the command below.

[root@dbserver ~]# iscsiadm -m node -T  iqn.2017-01.in.ittroubleshooter:wwn -p 192.168.1.1 -l
Logging in to [iface: default, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260] (multiple)
Login to [iface: default, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260] successful.
[root@dbserver ~]#


Identify the newly available block device created by the iSCSI target login.

[root@dbserver ~]# lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0    8G  0 disk
+-sda1          8:1    0  500M  0 part /boot
+-sda2          8:2    0  7.5G  0 part
  +-rhel-root 253:0    0  6.7G  0 lvm  /
  +-rhel-swap 253:1    0  820M  0 lvm  [SWAP]
sdb             8:16   0    4G  0 disk
sdc             8:32   0    4G  0 disk
sdd             8:48   0    4G  0 disk
sr0            11:0    1 1024M  0 rom
[root@dbserver ~]#

Note: You can use the “iscsiadm -m session -P 3” command to display the connection information about the target portal, the session, and the parameters used by the connected devices.

4) Prepare the physical device.

Use fdisk to create a new partition on the new iSCSI disk (/dev/sdc).

[root@dbserver ~]# fdisk /dev/sdc
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x41a30a48.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (8192-8388607, default 8192): 8192
Last sector, +sectors or +size{K,M,G} (8192-8388607, default 8388607): 8388607
Partition 1 of type Linux and of size 4 GiB is set

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@dbserver ~]# partprobe /dev/sdc1
[root@dbserver ~]#

Format the new partition with XFS.

[root@dbserver ~]# mkfs.xfs /dev/sdc1
meta-data=/dev/sdc1              isize=256    agcount=8, agsize=130944 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=1047552, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@dbserver ~]#

Use the “mkdir” command to create a mount point and mount the disk temporarily.

[root@dbserver ~]# mkdir /mnt/iscsi
[root@dbserver ~]# mount /dev/sdc1 /mnt/iscsi/
[root@dbserver ~]# df -h /mnt/iscsi/
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc1       4.0G   33M  4.0G   1% /mnt/iscsi
[root@dbserver ~]#

To mount it permanently, find the filesystem UUID with blkid and add an entry to the fstab file. The _netdev option marks the filesystem as network-dependent, so it is mounted only after the network (and therefore the iSCSI session) is up.

[root@dbserver ~]# blkid /dev/sdc1
/dev/sdc1: UUID="40a63112-d85e-49be-be7e-5e40e531800d" TYPE="xfs"
[root@dbserver ~]#

[root@dbserver ~]# vim /etc/fstab

# /etc/fstab
# Created by anaconda on Wed Jan 11 10:48:37 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/rhel-root   /                       xfs     defaults        1 1
UUID=0b8a3240-9231-4940-89b5-a7b970355776 /boot                   xfs     defaults        1 2
/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
UUID="40a63112-d85e-49be-be7e-5e40e531800d" /mnt/iscsi  xfs     defaults,_netdev        0     0
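A common failure mode with the entry above is forgetting _netdev, which makes the boot wait on a volume that cannot exist until iscsid has logged in. The check below is an added example, not code from the original post: given an fstab file and the UUIDs of iSCSI-backed devices (as printed by blkid on the initiator), it reports every such entry that lacks _netdev. The sample fstab is constructed from the post's entries plus one made-up entry with a placeholder UUID.

```shell
#!/bin/sh
# Added example: verify that iSCSI-backed fstab entries carry _netdev.

# $1 = path to an fstab-style file; remaining args = UUIDs of iSCSI devices.
# Prints each offending entry; returns 1 if any iSCSI-backed entry lacks
# _netdev, 0 otherwise.  Handles both UUID=xxx and UUID="xxx" spellings.
check_fstab_netdev() {
    fstab=$1; shift
    bad=0
    for uuid in "$@"; do
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            # Fourth whitespace-separated field holds the mount options.
            opts=$(printf '%s\n' "$line" | awk '{print $4}')
            case ",$opts," in
                *,_netdev,*) ;;
                *) printf 'missing _netdev: %s\n' "$line"; bad=1 ;;
            esac
        done <<EOF
$(grep -E "^[[:space:]]*UUID=\"?$uuid\"?[[:space:]]" "$fstab")
EOF
    done
    return $bad
}

# Constructed sample fstab ($1 = output path): the post's entries, plus a
# second iSCSI mount with a placeholder UUID that forgot _netdev.
write_sample_fstab() {
    cat > "$1" <<'EOF'
/dev/mapper/rhel-root   /                       xfs     defaults        1 1
UUID=0b8a3240-9231-4940-89b5-a7b970355776 /boot                   xfs     defaults        1 2
/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
UUID="40a63112-d85e-49be-be7e-5e40e531800d" /mnt/iscsi  xfs     defaults,_netdev        0     0
UUID=11111111-2222-3333-4444-555555555555 /mnt/iscsi2 xfs     defaults        0     0
EOF
}
```

On a real initiator, pass the UUID values that blkid prints for the /dev/sdX devices that appeared after iscsiadm login.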

5) Log out of the configured target on the iSCSI target server.

[root@dbserver ~]# iscsiadm -m node -T  iqn.2017-01.in.ittroubleshooter:wwn -p 192.168.1.1 -u
Logging out of session [sid: 1, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260]
Logout of [sid: 1, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260] successful.
[root@dbserver ~]#


Hope this post helps Linux/Unix beginners. Please share your feedback and comments, and stay tuned for more updates from ittroubleshooter.in!

Read Also:

Configure iSCSI Initiator on Window 10 System..

Configure iSCSI Initiator on Ubuntu 15.10 Server..
