How to Build your Own Secure Storage Using iSCSI SAN Storage – Part 1

Secure Storage using iSCSI SAN Storage

iSCSI (Internet Small Computer Systems Interface) is an IP-based storage protocol: it is a block-level protocol for managing storage devices over TCP/IP networks, including over long distances. iSCSI transports block-level data between an iSCSI initiator on a client machine and an iSCSI target on a storage device.

Outline of the iSCSI target server:

Package          : targetcli
Operating System : Red Hat Enterprise Linux 7
Ports Used       : 3260
Usage            : block-level protocol for managing storage devices over TCP/IP networks
Daemon           : target

My Setup:

iSCSI target server details:
IP Address: 192.168.1.1
Hostname: server1
Operating System: RHEL 7

iSCSI initiator client machines:
IP Address: 192.168.1.2
Hostname: ftpserver
Operating System: Windows 10

IP Address: 192.168.1.3
Hostname: dbserver
Operating System: CentOS 7

IP Address: 192.168.1.4
Hostname: webserver
Operating System: Ubuntu 15.10

In our demonstration, we will create three 4GB LVM logical volumes on the target server and present them as shared storage to the clients (Windows and Linux); refer to the diagram below.

[Figure: iSCSI SAN diagram of the target server and the three initiator clients]

Steps to Configure the iSCSI Target Configuration

1) Install the package, then start and enable the service.

Install the “targetcli” package on the server. If you have not yet configured a yum server, refer to the link “Configure the Yum Server in Centos7/RHEL7/Fedora22”.

[root@server1 ~]# yum install targetcli

After the installation completes, we will start and enable the service as follows:

[root@server1 ~]# systemctl start target
[root@server1 ~]# systemctl enable target
ln -s '/usr/lib/systemd/system/target.service' '/etc/systemd/system/multi-user.target.wants/target.service'
[root@server1 ~]#

2) Open the iSCSI port on the firewall.

Open the default iSCSI port (3260/tcp) permanently on the firewall, as shown below.

[root@server1 ~]# firewall-cmd --permanent --add-port=3260/tcp
success
[root@server1 ~]# firewall-cmd --reload
success
[root@server1 ~]#

3) Create the disk structure to use as the backing store.

In our demonstration, we will create three 4GB LVM logical volumes on the target server to use as shared storage for the clients. First, list the disks attached to the target server with the command below.

[root@server1 ~]# lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0    8G  0 disk
+-sda1          8:1    0  500M  0 part /boot
+-sda2          8:2    0  7.5G  0 part
  +-rhel-root 253:0    0  6.7G  0 lvm  /
  +-rhel-swap 253:1    0  820M  0 lvm  [SWAP]
sdb             8:16   0    5G  0 disk
+-sdb1          8:17   0    5G  0 part /RHELISO
sdc             8:32   0   20G  0 disk
sr0            11:0    1 1024M  0 rom

We have a 20G drive (sdc) on the target server. Use fdisk to create a new partition for use with LVM.

[root@server1 ~]# fdisk /dev/sdc
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x0d0260be.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): e
Partition number (1-4, default 1): 1
First sector (2048-41943039, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-41943039, default 41943039): 41943039
Partition 1 of type Extended and of size 20 GiB is set

Command (m for help):  p

Disk /dev/sdc: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0d0260be

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    41943039    20970496    5  Extended

Command (m for help): n
Partition type:
   p   primary (0 primary, 1 extended, 3 free)
   l   logical (numbered from 5)
Select (default p): l
Adding logical partition 5
First sector (4096-41943039, default 4096): 4096
Last sector, +sectors or +size{K,M,G} (4096-41943039, default 41943039): 41943039
Partition 5 of type Linux and of size 20 GiB is set

Command (m for help): p

Disk /dev/sdc: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0d0260be

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    41943039    20970496    5  Extended
/dev/sdc5            4096    41943039    20969472   83  Linux

Use “m” for help, “p” to print the existing partition table, “n” to create a new partition, “t” to change the partition type and “w” to write the changes.
Note: always set the partition type of an LVM partition to Linux LVM (hex code 8e), as shown below.

Command (m for help): t
Partition number (1,5, default 5): 5
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'

Command (m for help): p

Disk /dev/sdc: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0d0260be

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048    41943039    20970496    5  Extended
/dev/sdc5            4096    41943039    20969472   8e  Linux LVM

Write the change to the partition table.

Command (m for help):w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Use partprobe to register the new partition with the kernel.

[root@server1 ~]# partprobe /dev/sdc5
[root@server1 ~]#

Create an LVM volume group named “volgrp1” using the partition (/dev/sdc5) created in the previous step.

[root@server1 ~]# pvcreate /dev/sdc5
  Physical volume "/dev/sdc5" successfully created
[root@server1 ~]# vgcreate volgrp1 /dev/sdc5
  Volume group "volgrp1" successfully created
[root@server1 ~]#

Create three 4G logical volumes named ftplv, databaseblv and webserverlv in the new volume group.

[root@server1 ~]# lvcreate -L 4G -n ftplv volgrp1
  Logical volume "ftplv" created
[root@server1 ~]# lvcreate -L 4G -n databaseblv volgrp1
  Logical volume "databaseblv" created
[root@server1 ~]# lvcreate -L 4G -n webserverlv volgrp1
  Logical volume "webserverlv" created
[root@server1 ~]#

4) iSCSI target configuration.

targetcli is both a command-line utility and an interactive shell in which to create, delete and configure iSCSI target components. Run “targetcli” with no options to enter interactive mode.

[root@server1 ~]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> ls
o- / ............................................................................................... [...]
  o- backstores .................................................................................... [...]
  | o- block ........................................................................ [Storage Objects: 0]
  | o- fileio ....................................................................... [Storage Objects: 0]
  | o- pscsi ........................................................................ [Storage Objects: 0]
  | o- ramdisk ...................................................................... [Storage Objects: 0]
  o- iscsi .................................................................................. [Targets: 0]
  o- loopback ............................................................................... [Targets: 0]
/>


Next, create the backing storage (backstores). Use the existing logical volume /dev/volgrp1/ftplv as a block-type backing store for the storage object “ftpblock”.

/> cd backstores/block
/backstores/block> create ftpblock /dev/volgrp1/ftplv
Created block storage object ftpblock using /dev/volgrp1/ftplv.
/backstores/block> ls
o- block ............................................................................ [Storage Objects: 1]
  o- ftpblock ....................................... [/dev/volgrp1/ftplv (4.0GiB) write-thru deactivated]
/backstores/block>


Similarly, create the backing storage for the remaining storage objects (databaseblock, webserverblock).

/backstores/block> create databaseblock /dev/volgrp1/databaseblv
Created block storage object databaseblock using /dev/volgrp1/databaseblv.
/backstores/block> create webserverblock /dev/volgrp1/webserverlv
Created block storage object webserverblock using /dev/volgrp1/webserverlv.
/backstores/block> ls
o- block ............................................................................ [Storage Objects: 3]
  o- databaseblock ............................ [/dev/volgrp1/databaseblv (4.0GiB) write-thru deactivated]
  o- ftpblock ....................................... [/dev/volgrp1/ftplv (4.0GiB) write-thru deactivated]
  o- webserverblock ........................... [/dev/volgrp1/webserverlv (4.0GiB) write-thru deactivated]
/backstores/block>


Now create an IQN for the target.

/backstores/block> cd ../../iscsi
/iscsi> create iqn.2017-01.in.ittroubleshooter:wwn
Created target iqn.2017-01.in.ittroubleshooter:wwn.
Created TPG 1.
/iscsi> ls
o- iscsi ................................................................................................. [Targets: 1]
  o- iqn.2017-01.in.ittroubleshooter:wwn .................................................................... [TPGs: 1]
    o- tpg1 .................................................................................... [no-gen-acls, no-auth]
      o- acls ............................................................................................... [ACLs: 0]
      o- luns ............................................................................................... [LUNs: 0]
      o- portals ......................................................................................... [Portals: 0]


Note:
An IQN (iSCSI Qualified Name) is a worldwide unique name used to identify both initiators and targets. The mandated naming format is:

iqn.YYYY-MM.com.reversed.domain[:optional_string]
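The IQN format above, checked in code. This is an added example and not part of the original post: a POSIX shell validator for the iqn.YYYY-MM.reversed.domain[:optional_string] form (lowercase labels, a real month, at least two domain labels, the 223-byte length limit from RFC 3720), plus a list checker. The sample names fed to it are constructed for the example; two of them are the IQNs used in this post. Note that an IQN is only an identifier: the ACL created below matches whatever name the client declares in initiatorname.iscsi, so a well-formed IQN is not proof of who the client is.

```shell
#!/bin/sh
# Added example (not from the original post): validate names against the IQN format
# iqn.YYYY-MM.reversed.domain[:optional_string].

# Return 0 when $1 is a well-formed IQN, 1 otherwise.
is_valid_iqn() {
    name=$1
    # RFC 3720 limits an iSCSI name to 223 bytes.
    [ "${#name}" -le 223 ] || return 1
    # "iqn." + year + "-" + month (01-12) + "." + at least two DNS labels
    # (lowercase letters, digits, hyphens, no leading/trailing hyphen)
    # + optional ":" followed by a string without whitespace.
    printf '%s\n' "$name" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+(:[^[:space:]]+)?$'
}

# Read one name per line from stdin, print a verdict for each.
# Returns 0 when every name is valid, 1 otherwise.
check_iqn_list() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_valid_iqn "$line"; then
            printf 'ok       %s\n' "$line"
        else
            printf 'INVALID  %s\n' "$line"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input: the two names from this post plus three malformed ones
# (month 13, only one domain label, whitespace in the optional string).
sample_iqns='iqn.2017-01.in.ittroubleshooter:wwn
iqn.2017-01.in.ittroubleshooter:allserveracl
iqn.2017-13.in.ittroubleshooter:wwn
iqn.2017-01.ittroubleshooter:wwn
iqn.2017-01.in.ittroubleshooter:bad name'

printf '%s\n' "$sample_iqns" | check_iqn_list || echo "some names are malformed"
```

Run it before pasting a name into targetcli or initiatorname.iscsi; a malformed initiator name is the usual reason an ACL that looks right never matches a login.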

Create an ACL for the client node to be used later.

/iscsi> cd iqn.2017-01.in.ittroubleshooter:wwn/tpg1/acls
/iscsi/iqn.20...wwn/tpg1/acls> create  iqn.2017-01.in.ittroubleshooter:allserveracl
Created Node ACL for iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/acls> ls
o- acls ..................................................................................................... [ACLs: 1]
  o- iqn.2017-01.in.ittroubleshooter:allserveracl .................................................... [Mapped LUNs: 0]


Create a LUN for each existing backstore.

/iscsi/iqn.20...wwn/tpg1/acls> cd ../luns
/iscsi/iqn.20...wwn/tpg1/luns> create /backstores/block/ftpblock
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/luns> ls
o- luns ..................................................................................................... [LUNs: 1]
  o- lun0 ....................................................................... [block/ftpblock (/dev/volgrp1/ftplv)]


Similarly, create a LUN for each of the remaining backstores, using the storage objects named databaseblock and webserverblock.

/iscsi/iqn.20...wwn/tpg1/luns> create /backstores/block/databaseblock
Created LUN 1.
Created LUN 1->1 mapping in node ACL iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/luns> create /backstores/block/webserverblock
Created LUN 2.
Created LUN 2->2 mapping in node ACL iqn.2017-01.in.ittroubleshooter:allserveracl
/iscsi/iqn.20...wwn/tpg1/luns> ls
o- luns ..................................................................................................... [LUNs: 3]
  o- lun0 ....................................................................... [block/ftpblock (/dev/volgrp1/ftplv)]
  o- lun1 ............................................................ [block/databaseblock (/dev/volgrp1/databaseblv)]
  o- lun2 ........................................................... [block/webserverblock (/dev/volgrp1/webserverlv)]


Create a portal configuration to designate the listening IP address and port.

/iscsi/iqn.20...er1/tpg1/acls> cd ../portals
/iscsi/iqn.20.../tpg1/portals> create 192.168.1.1 ip_port=3260
Using default IP port 3260
Created network portal 192.168.1.1:3260.
/iscsi/iqn.20.../tpg1/portals> ls
o- portals ............................................................................................................ [Portals: 1]
  o- 192.168.1.1:3260 ......................................................................................................... [OK]
/iscsi/iqn.20.../tpg1/portals>


View the entire configuration of the target server.

/iscsi/iqn.20.../tpg1/portals> cd /
/> ls
o- / ............................................................................................................ [...]
  o- backstores ................................................................................................. [...]
  | o- block ..................................................................................... [Storage Objects: 3]
  | | o- databaseblock ....................................... [/dev/volgrp1/databaseblv (4.0GiB) write-thru activated]
  | | o- ftpblock .................................................. [/dev/volgrp1/ftplv (4.0GiB) write-thru activated]
  | | o- webserverblock ...................................... [/dev/volgrp1/webserverlv (4.0GiB) write-thru activated]
  | o- fileio .................................................................................... [Storage Objects: 0]
  | o- pscsi ..................................................................................... [Storage Objects: 0]
  | o- ramdisk ................................................................................... [Storage Objects: 0]
  o- iscsi ............................................................................................... [Targets: 1]
  | o- iqn.2017-01.in.ittroubleshooter:wwn .................................................................. [TPGs: 1]
  |   o- tpg1 .................................................................................. [no-gen-acls, no-auth]
  |     o- acls ............................................................................................. [ACLs: 1]
  |     | o- iqn.2017-01.in.ittroubleshooter:allserveracl ............................................ [Mapped LUNs: 3]
  |     |   o- mapped_lun0 ................................................................. [lun0 block/ftpblock (rw)]
  |     |   o- mapped_lun1 ............................................................ [lun1 block/databaseblock (rw)]
  |     |   o- mapped_lun2 ........................................................... [lun2 block/webserverblock (rw)]
  |     o- luns ............................................................................................. [LUNs: 3]
  |     | o- lun0 ............................................................... [block/ftpblock (/dev/volgrp1/ftplv)]
  |     | o- lun1 .................................................... [block/databaseblock (/dev/volgrp1/databaseblv)]
  |     | o- lun2 ................................................... [block/webserverblock (/dev/volgrp1/webserverlv)]
  |     o- portals ....................................................................................... [Portals: 1]
  |       o- 192.168.1.1:3260 .................................................................................... [OK]
  o- loopback ............................................................................................ [Targets: 0]


Now save the configuration and exit the targetcli shell.

/> saveconfig
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
[root@server1 ~]#
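The firewall step and the whole targetcli session above, as one repeatable script. This is an added example and not code from the original post. It assumes the names from this post (volgrp1 and its three logical volumes, the target and ACL IQNs, the four addresses from the setup section) and adds two things the interactive session leaves out, which matter for a target that is meant to be secure storage: 3260/tcp is opened only for the three initiator addresses rather than for every source, and tpg1 is switched from “no-auth” to CHAP, so a machine cannot obtain all three LUNs merely by declaring the initiator name listed in the ACL (that name is an unauthenticated string the client chooses). CHAP_USER and CHAP_PASS are placeholders, not values from the post. By default the script is a dry run that prints each command; APPLY=1 executes them on the RHEL 7 target.

```shell
#!/bin/sh
# Added example, not code from the original post: firewall scoping plus the targetcli
# configuration as a non-interactive script, with CHAP enforced on tpg1.
# Dry run by default (prints commands); APPLY=1 executes them on the target server.

TARGET_IQN=iqn.2017-01.in.ittroubleshooter:wwn
ACL_IQN=iqn.2017-01.in.ittroubleshooter:allserveracl
PORTAL_IP=192.168.1.1
INITIATOR_IPS="192.168.1.2 192.168.1.3 192.168.1.4"
# storage-object:device pairs; their order fixes the LUN numbers (lun0, lun1, lun2)
BACKSTORES="ftpblock:/dev/volgrp1/ftplv databaseblock:/dev/volgrp1/databaseblv webserverblock:/dev/volgrp1/webserverlv"
CHAP_USER=${CHAP_USER:-REPLACE-ME-user}            # placeholder, not from the post
CHAP_PASS=${CHAP_PASS:-REPLACE-ME-secret-1234}     # placeholder; Windows initiators need 12-16 characters

# Execute the command when APPLY=1, otherwise print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Allow 3260/tcp from the known initiators only, then reload firewalld.
open_firewall() {
    for ip in $INITIATOR_IPS; do
        run firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$ip\" port port=\"3260\" protocol=\"tcp\" accept"
    done
    run firewall-cmd --reload
}

# Non-interactive equivalent of the targetcli session: backstores, target, ACL,
# LUNs, portal, then CHAP enforcement, then saveconfig.
configure_target() {
    tpg=/iscsi/$TARGET_IQN/tpg1
    for pair in $BACKSTORES; do
        run targetcli /backstores/block create "${pair%%:*}" "${pair#*:}"
    done
    run targetcli /iscsi create "$TARGET_IQN"
    run targetcli "$tpg/acls" create "$ACL_IQN"
    for pair in $BACKSTORES; do
        run targetcli "$tpg/luns" create "/backstores/block/${pair%%:*}"
    done
    run targetcli "$tpg/portals" create "$PORTAL_IP" 3260
    # Require CHAP on the portal group and keep ACLs explicit (no auto-generated ACLs).
    run targetcli "$tpg" set attribute authentication=1 generate_node_acls=0
    run targetcli "$tpg/acls/$ACL_IQN" set auth userid="$CHAP_USER" password="$CHAP_PASS"
    run targetcli saveconfig
}

open_firewall
configure_target
```

Two consequences to plan for. If the blanket rule from step 2 (firewall-cmd --permanent --add-port=3260/tcp) is already in place, remove it with firewall-cmd --permanent --remove-port=3260/tcp so that the rich rules are the only way in. And once tpg1 requires CHAP, every initiator must present the same credentials before its login succeeds; on the CentOS client this is done with iscsiadm -m node -T <target IQN> -p 192.168.1.1 -o update -n node.session.auth.authmethod -v CHAP, followed by the same command with -n node.session.auth.username and -n node.session.auth.password, before the login shown in the initiator section.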


After saving the configuration, restart the target service and check its status.

[root@server1 ~]# systemctl restart target
[root@server1 ~]# systemctl status target
target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; enabled)
   Active: active (exited) since Wed 2017-01-11 05:34:16 EST; 5s ago
  Process: 2820 ExecStop=/usr/bin/targetctl clear (code=exited, status=0/SUCCESS)
  Process: 2830 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)
 Main PID: 2830 (code=exited, status=0/SUCCESS)

Jan 11 05:34:16 server1 systemd[1]: Starting Restore LIO kernel target configuration...
Jan 11 05:34:16 server1 systemd[1]: Started Restore LIO kernel target configuration.
[root@server1 ~]#


Configure the iSCSI Initiator on a CentOS 7 system

1) Install the Initiator Package.

To configure a client machine (CentOS 7) to use this target as storage, install the package below on the client machine (dbserver).

[root@dbserver ~]# yum install iscsi-initiator-utils -y

2) Edit the initiatorname.iscsi configuration file, then enable and start the iSCSI client service.

Edit the file below and set the iSCSI initiator name; it must be the name used for the ACL created on the target.

[root@dbserver ~]# vim /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2017-01.in.ittroubleshooter:allserveracl

Restart and enable the initiator service.

[root@dbserver ~]# systemctl enable iscsid; systemctl restart iscsid
ln -s '/usr/lib/systemd/system/iscsid.service' '/etc/systemd/system/multi-user.target.wants/iscsid.service'
[root@dbserver ~]#

For more examples of the iscsiadm command, refer to the link below:

Examples of iscsiadm Command on Linux.

3) Log in to the configured target from the initiator client.

Log in to the presented iSCSI target using the command below.

[root@dbserver ~]# iscsiadm -m node -T iqn.2017-01.in.ittroubleshooter:wwn -p 192.168.1.1 -l
Logging in to [iface: default, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260] (multiple)
Login to [iface: default, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260] successful.
[root@dbserver ~]#


Identify the newly available block device created by the iSCSI target login.

[root@dbserver ~]# lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0    8G  0 disk
+-sda1          8:1    0  500M  0 part /boot
+-sda2          8:2    0  7.5G  0 part
  +-rhel-root 253:0    0  6.7G  0 lvm  /
  +-rhel-swap 253:1    0  820M  0 lvm  [SWAP]
sdb             8:16   0    4G  0 disk
sdc             8:32   0    4G  0 disk
sdd             8:48   0    4G  0 disk
sr0            11:0    1 1024M  0 rom
[root@dbserver ~]#

Note: use the “iscsiadm -m session -P 3” command to browse the connection information about the target portal, the connection and the parameters used by the connected device.

4) Prepare the physical device.

Use fdisk to create a new partition for use with LVM.

[root@dbserver ~]# fdisk /dev/sdc
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x41a30a48.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (8192-8388607, default 8192): 8192
Last sector, +sectors or +size{K,M,G} (8192-8388607, default 8388607): 8388607
Partition 1 of type Linux and of size 4 GiB is set

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@dbserver ~]# partprobe /dev/sdc1
[root@dbserver ~]#

Format the new disk.

[root@dbserver ~]# mkfs.xfs /dev/sdc1
meta-data=/dev/sdc1              isize=256    agcount=8, agsize=130944 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=1047552, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@dbserver ~]#

Use “mkdir” to create a mount point and mount the disk temporarily.

[root@dbserver ~]# mkdir /mnt/iscsi
[root@dbserver ~]# mount /dev/sdc1 /mnt/iscsi/
[root@dbserver ~]# df -h /mnt/iscsi/
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc1       4.0G   33M  4.0G   1% /mnt/iscsi
[root@dbserver ~]#

To mount it permanently, add an entry to /etc/fstab. First find the UUID of the new filesystem.

[root@dbserver ~]# blkid /dev/sdc1
/dev/sdc1: UUID="40a63112-d85e-49be-be7e-5e40e531800d" TYPE="xfs"
[root@dbserver ~]#

[root@dbserver ~]# vim /etc/fstab

# /etc/fstab
# Created by anaconda on Wed Jan 11 10:48:37 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/rhel-root   /                       xfs     defaults        1 1
UUID=0b8a3240-9231-4940-89b5-a7b970355776 /boot                   xfs     defaults        1 2
/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
UUID="40a63112-d85e-49be-be7e-5e40e531800d" /mnt/iscsi  xfs     defaults,_netdev        0     0
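The fstab step above, as an added example that is not part of the original post. The point of the _netdev option in the entry is easy to lose: without it, systemd attempts the mount before the network and iscsid are up, and the client drops into emergency mode at boot. The script below builds the fstab line from blkid output (the same form as the blkid line above) and audits an existing fstab so that every entry for an iSCSI-backed UUID carries _netdev. The blkid line, UUIDs and fstab content it runs on are constructed for the example and differ from the post's values; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build an fstab entry for an iSCSI-backed
# filesystem from blkid output and audit fstab for iSCSI entries missing _netdev.

# Usage: fstab_entry_from_blkid '<blkid output line>' <mountpoint>
# Prints: UUID=<uuid> <mountpoint> <fstype> defaults,_netdev 0 0
# Returns 1 if the line carries no UUID= or TYPE= field.
fstab_entry_from_blkid() {
    line=$1
    mnt=$2
    # The leading space keeps PARTUUID= and PTTYPE= from matching.
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] && [ -n "$fstype" ] || return 1
    printf 'UUID=%s %s %s defaults,_netdev 0 0\n' "$uuid" "$mnt" "$fstype"
}

# Usage: printf '%s\n' "<fstab text>" | audit_netdev <uuid> [<uuid> ...]
# For each UUID that is known to live on an iSCSI LUN, prints ok, MISSING_NETDEV
# (entry present but mounted without _netdev) or NO_ENTRY. Returns the problem count.
audit_netdev() {
    fstab=$(cat)
    problems=0
    for uuid in "$@"; do
        # Skip comments; accept both UUID=... and the quoted UUID="..." form.
        entry=$(printf '%s\n' "$fstab" | grep -v '^[[:space:]]*#' | grep -E "^UUID=\"?$uuid\"?[[:space:]]")
        if [ -z "$entry" ]; then
            printf 'NO_ENTRY        %s\n' "$uuid"
            problems=$((problems + 1))
        elif printf '%s\n' "$entry" | awk '{print $4}' | grep -Eq '(^|,)_netdev(,|$)'; then
            printf 'ok              %s\n' "$uuid"
        else
            printf 'MISSING_NETDEV  %s\n' "$uuid"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample data (not the values from the post).
sample_blkid='/dev/sdc1: UUID="11111111-1111-1111-1111-111111111111" TYPE="xfs"'
sample_fstab='# /etc/fstab (constructed sample)
/dev/mapper/rhel-root   /           xfs   defaults          1 1
UUID=11111111-1111-1111-1111-111111111111 /mnt/iscsi  xfs   defaults,_netdev  0 0
UUID=22222222-2222-2222-2222-222222222222 /mnt/db     xfs   defaults          0 0'

fstab_entry_from_blkid "$sample_blkid" /mnt/iscsi
printf '%s\n' "$sample_fstab" | audit_netdev \
    11111111-1111-1111-1111-111111111111 \
    22222222-2222-2222-2222-222222222222 \
    33333333-3333-3333-3333-333333333333 || echo "fstab needs attention"
```

On a real client, feed it the output of blkid for the iSCSI partition and the UUIDs of every filesystem that lsblk showed as arriving with the iSCSI login; any MISSING_NETDEV result should be fixed before the next reboot.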

5) Log out of the configured target from the initiator client.

[root@dbserver ~]# iscsiadm -m node -T iqn.2017-01.in.ittroubleshooter:wwn -p 192.168.1.1 -u
Logging out of session [sid: 1, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260]
Logout of [sid: 1, target: iqn.2017-01.in.ittroubleshooter:wwn, portal: 192.168.1.1,3260] successful.
[root@dbserver ~]#


I hope this post helps Linux/Unix beginners. Please share your feedback and comments, and stay tuned for more updates from ittroubleshooter.in!

Read Also:

Configure iSCSI Initiator on Window 10 System..

Configure iSCSI Initiator on Ubuntu 15.10 Server..
