Building iSCSI Shared Storage on Linux: Implementing LINUX-IO Target Mode on Debian 9.5

iSCSI (Internet SCSI) technology was researched and developed by IBM. It is a SCSI instruction set for hardware devices that runs on top of the IP protocol. It implements the SCSI protocol over an IP network, so that it can be routed over, for example, high-speed Gigabit Ethernet. iSCSI is a storage technology that combines the existing SCSI interface with Ethernet technology, enabling servers to exchange data with storage devices over IP networks.

iSCSI is divided into a server side and a client side. The server installs an iSCSI target to share storage devices. The client installs an iSCSI initiator to connect to the target and attach the devices shared by the target to the initiator host, where they can be partitioned, formatted and otherwise used like local disks.

I. Conditions required for iSCSI to achieve data access:

1. Features of the iSCSI client:
The iSCSI initiator is the side that initiates I/O operations; it requests remote block devices through the discovery process; it can keep a persistent connection to the target; on Linux, the open-iscsi software package can be used to implement it in software.

2. Features of the iSCSI server:
The iSCSI target is the side that performs I/O operations; it must export one or more block devices for initiators to use. Two target tools are available on Linux: tgt and targetcli. We first introduce TGT. TGT is the SCSI Target Framework (STGT/TGT) that Fujita Tomonori introduced into the Linux kernel at the end of 2006. It has a library in the kernel that assists the kernel in controlling the target driver. TGT is an iSCSI target implemented in user mode, and all target processing is performed in user space. At the end of 2010, the LIO (Linux-IO) project was selected to replace TGT as the iSCSI target implemented in kernel mode. When LIO was chosen to replace TGT, its implementation was adjusted to allow the TGT user-space modules to continue to run, so the TGT community supported the inclusion of LIO in the kernel. Before Linux kernel 2.6.38, the target was TGT.

3. iSCSI naming rules
iSCSI uses a globally unique name to identify an iSCSI device (target or initiator). This name is similar to the World Wide Name (WWN) associated with Fibre Channel devices and can be used as a universal device identification method.
There are two formats for iSCSI names. The first is the iSCSI qualified name, which starts with iqn. and is usually called an "IQN name". The second uses an enterprise unique identifier, starts with eui. and is called an "EUI name". This format is not commonly used.
For more detailed information about iSCSI naming requirements and string profiles, refer to RFC 3721 and RFC 3722 on the IETF website.

iSCSI qualified name
The iSCSI qualified name is in the form of iqn.yyyy-mm.naming-authority:unique name, where:
yyyy-mm:
The "year-month", that is, the year and month the company was established. The company here is generally the one that installed the software. You can also choose a date at will.

naming-authority:
Usually the company's Internet domain name in reverse order. For example, the iSCSI qualified name of the company pipci might start with iqn.2018-01.cc.pipci.iscsi. This name means that the pipci.cc domain name was registered in January 2018 and that iscsi is a subdomain of pipci.cc; subdomains are optional.

unique name:
Any name you wish to use, such as the host name or serial number. You must ensure that every name assigned after the colon is unique, for example:

iqn.2018-01.cc.pipci.iscsi:host1
iqn.2018-01.cc.pipci.iscsi:name1
iqn.2018-01.cc.pipci.iscsi:sn1999

Enterprise unique identifier
Enterprise unique identifier takes the form of eui.<16 hex digits>.
For example, eui.0123456789ABCDEF.
The 16 hexadecimal digits are the text representation of a 64-bit number in IEEE EUI (Extended Unique Identifier) format. The first 24 bits are the company ID that the IEEE registered to a specific company. The last 40 bits are allocated by the entity holding the company ID and must be unique. In many cases people choose the IQN format instead of the EUI format, because IQN names are easy to read and are a friendlier way of assigning names.
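The two name formats above can be checked mechanically before a name is typed into a target or an ACL. The following Python is an added example, not code from the original article: the function names parse_iscsi_name and duplicate_names are hypothetical, and the 223-byte limit and the lower-case normalisation come from the iSCSI RFCs rather than from this page.

```python
import re
from collections import Counter

# One DNS-style label of the reversed domain, e.g. "pipci" or "linux-iscsi".
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_IQN_RE = re.compile(
    r"iqn\.(?P<year>\d{4})-(?P<month>\d{2})\."
    r"(?P<authority>" + _LABEL + r"(?:\." + _LABEL + r")*)"
    r"(?::(?P<unique>.+))?"          # the ":unique name" part is optional
)
_EUI_RE = re.compile(r"eui\.(?P<hex>[0-9a-f]{16})")
MAX_NAME_BYTES = 223                 # maximum iSCSI name length (RFC 3720)


def parse_iscsi_name(name):
    """Return the parts of an IQN or EUI name; raise ValueError if malformed."""
    if any(ch.isspace() for ch in name):
        raise ValueError("whitespace is not allowed in an iSCSI name")
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise ValueError("name is longer than 223 bytes")
    norm = name.lower()              # RFC 3722 maps names to lower case
    m = _IQN_RE.fullmatch(norm)
    if m:
        month = int(m.group("month"))
        if not 1 <= month <= 12:
            raise ValueError("month must be 01-12")
        authority = m.group("authority")
        return {
            "type": "iqn",
            "name": norm,
            "date": (int(m.group("year")), month),
            "authority": authority,
            # reverse the labels again to recover the ordinary domain name
            "domain": ".".join(reversed(authority.split("."))),
            "unique": m.group("unique"),
        }
    m = _EUI_RE.fullmatch(norm)
    if m:
        digits = m.group("hex").upper()
        return {
            "type": "eui",
            "name": "eui." + digits,
            "company_id": digits[:6],   # first 24 bits, assigned by the IEEE
            "extension": digits[6:],    # last 40 bits, assigned by the company
        }
    raise ValueError("name starts with neither a valid iqn. nor eui. prefix")


def duplicate_names(names):
    """Return the normalised names that occur more than once in an inventory."""
    counts = Counter(parse_iscsi_name(n)["name"] for n in names)
    return sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    for sample in ("iqn.2018-01.cc.pipci.iscsi:host1", "eui.0123456789ABCDEF"):
        print(parse_iscsi_name(sample))
```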

II. The process of an iSCSI initiator discovering an iSCSI target:

The iSCSI initiator uses the iSCSI discovery mechanism, according to the corresponding entries in the configuration file /etc/iscsi/iscsid.conf, to look for targets on the network
The iSCSI target returns a valid IQN name to the iSCSI initiator
The iSCSI target accepts the initiator's login according to the configured authentication method and returns the target identification
The iSCSI initiator sends a query request asking the target for target-related information
The target responds to the initiator's query request and returns the device-related information to the initiator
The initiator creates a list of the target devices that can be used

III. iSCSI device features:

Supports ACLs (Access Control Lists)
Supports two Challenge Handshake Authentication Protocol (CHAP) authentication methods
Supports multipath
Supports the sendtargets discovery mechanism
Supports dynamic target discovery
Provides asynchronous event notification
Supports real-time data update
Supports dynamic device reconfiguration
Supports auto-attach iSCSI technology
Supports IPv6

IV. iSCSI device name
When an iSCSI device is imported on the iSCSI initiator, the kernel assigns it a local SCSI device name according to the devices currently present (for example /dev/sda or /dev/sdb). If the imported iSCSI device has already been partitioned, the corresponding partition device names (such as /dev/sda1 or /dev/sda5) are also created when the local SCSI device is created. Note, however, that the name of this SCSI device is not fixed from one import to the next. For example, your host previously had no /dev/sda device and you imported an iSCSI device, which the kernel named /dev/sda. You then disconnected it and attached a hot-swappable device (such as a USB drive or portable hard disk), which took /dev/sda. When you import the iSCSI device again, the kernel now assigns it the name /dev/sdb.

V. Why build iSCSI shared storage? Because we are poor!!! If you have money, the best way is to buy real storage. Without money, many features that need shared storage for testing, such as Oracle RAC and virtualization HA, still require shared storage. Below we implement an iSCSI target in Linux software and so build iSCSI storage.

VI. Introduction to Linux-IO
Linux-IO Target is in the Linux kernel (since Linux 2.6.38) and implements various SCSI targets in software. It supports all the popular storage protocols in SAN technology, including Fibre Channel (Qlogic, Linux 3.5), FCoE (Linux 3.0), iSCSI (Linux 3.1), iSER (Mellanox InfiniBand, Linux 3.10), SRP (Mellanox InfiniBand, Linux 3.3), USB, and so on. It can also create emulated SCSI devices for the local machine and provide virtio-based SCSI devices for virtual machines. Linux-IO Target lets users implement the various functions of SCSI and SAN on relatively inexpensive Linux systems without having to purchase expensive professional equipment.

1. Architecture
The figure above shows the components of Linux-IO Target. LIO emulates common SCSI devices and implements SPC-3 and SPC-4. It imports the real back-end storage through various backstore objects, and finally connects various front-end fabric modules to export the emulated SCSI devices. Whether it is Fibre Channel, FCoE, iSCSI or vhost (that is, virtio), each is just a fabric technology, which we can think of as a transport protocol; the SCSI commands carried by these transport protocols are always processed by the core SCSI device. To support a new fabric technology there is no need to modify the core SCSI devices or the back-end storage modules; it is only necessary to implement the transport of SCSI commands according to the specification of that fabric. iSCSI carries SCSI commands over TCP/IP, and vhost carries SCSI commands in a virtio queue.

Generic Target Engine: implements the function of a SCSI target as specified in SAM, mainly parsing the SCSI protocol. It communicates with the initiator through the fabric module and with the specific storage device through the backstore. Fabric modules: implement the front end of LIO, that is, the SCSI transport layer. New fabric modules can be added to LIO through the Fabric Hardware Abstraction Layer (F-HAL).

Backstores: implement the back end of LIO, that is, the way disk data is accessed. Support for new storage hardware can be added to LIO through the Storage Hardware Abstraction Layer (S-HAL). BLOCKIO and FILEIO are the ones usually used.

2. How to use

Linux-IO Target emulates the target in kernel mode. Configuration management takes a more "modern" sysfs-based approach and comes with a friendly user-mode management tool. Starting from kernel version 2.6.38, the Linux kernel includes the Linux-IO Target modules. In user mode, targetcli and rtslib are packaged in all major distributions. The targetcli program is used for configuration and management, and rtslib provides a Python programming interface.

Taking iSCSI as an example, the configuration structure of Linux-IO Target is shown in Figure 1. At the back end are various Linux storage devices. The back-end storage devices supported by Linux-IO Target include ramdisks, general block devices and files, and it can also map local SCSI devices directly. Linux-IO Target imports these storage devices by creating backstore storage objects, and it can export those storage objects over various SAN transport technologies. First, create a target based on a certain SAN technology (such as iSCSI). Next, create a TPG (Target Portal Group) in the target. Multiple TPGs can be created under each target, and each TPG contains a set of portals. Then create LUNs in the TPG and associate specific storage objects with specific LUNs. Finally, create one or more portals in the TPG. For iSCSI, each portal is a combination of IP address and port. To control access to the LUNs more precisely, ACL rules can also be created under the TPG.

targetcli
targetcli is the user-mode management and configuration tool for Linux-IO Target. It can be installed with yum or apt-get directly from the official repositories of the major distributions. On older Linux versions you need to compile and install it from source. targetcli provides a shell-like interface in which the Target, TPG, LUN and backstore objects are organized into a directory tree. Users browse the directory tree with the ls and cd commands and create and delete objects with the create and delete commands. Browsing the configuration means browsing the directory tree, and creating and deleting objects means creating and deleting nodes at the various levels of the tree. targetcli also provides the usual shell editing aids, such as TAB completion, the up and down keys to move through the command history, and Ctrl + R to search the command history. For any unfamiliar command, use the help command to look up the instructions. For us, configuring LIO mainly means using targetcli.

rtslib
rtslib is a Python library that lets users configure the functions of Linux-IO Target programmatically. The objects in rtslib are also organized into a tree and are very similar to the objects we know from targetcli. Once you are familiar with targetcli, programming with rtslib becomes very easy.

VII. Install the configuration tool targetcli
The targetcli toolkit is packaged as targetcli in Debian 7; in Debian 9 it is the new package targetcli-fb ("free branch").

--------------------------------------------------
# apt install targetcli-fb
--------------------------------------------------
After targetcli-fb is installed, /etc/rtslib-fb-target/saveconfig.json is generated to save the configuration

VIII. Turn off the firewall or open TCP port 3260; LIO uses TCP port 3260 to transmit data

IX. Use targetcli to create back-end storage objects
targetcli commands have two modes: interactive mode and command-line mode. Type targetcli and press Enter to enter interactive mode, where you can use commands such as ls, pwd and cd.

1. Initial prompt of targetcli
--------------------------------------------------
# targetcli
targetcli shell version 2.1.fb43
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> #Press the TAB key twice here to view all available commands; this works in every directory
* / @last backstores/ iscsi/ loopback/ vhost/ bookmarks
cd clearconfig exit get help ls pwd refresh
restoreconfig saveconfig sessions set status version
/>

--------------------------------------------------

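2. List the initial directory tree. In interactive mode, enter the ls command and targetcli prints the current directory tree
--------------------------------------------------
/> ls
o- / ......................................................... [...]
  o- backstores .............................................. [...]
  | o- block .................................. [Storage Objects: 0]
  | o- fileio ................................. [Storage Objects: 0]
  | o- pscsi .................................. [Storage Objects: 0]
  | o- ramdisk ................................ [Storage Objects: 0]
  o- iscsi ............................................ [Targets: 0]
  o- loopback ......................................... [Targets: 0]
  o- vhost ............................................ [Targets: 0]
/>
--------------------------------------------------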

Command line implementation:
--------------------------------------------------
# targetcli ls
o- / ......................................................... [...]
  o- backstores .............................................. [...] #Back-end storage configuration directory; its 4 subdirectories create different types of storage resources
  | o- block .................................. [Storage Objects: 0] #Block device directory; it can be a disk drive, partition, logical volume or multipath device, anything that is a block device
  | o- fileio ................................. [Storage Objects: 0] #File (img image) directory; provides storage from a file prepared in advance
  | o- pscsi .................................. [Storage Objects: 0] #Physical SCSI device directory; not recommended
  | o- ramdisk ................................ [Storage Objects: 0] #Memory storage directory; uses memory as storage
  o- iscsi ............................................ [Targets: 0] #Configure iSCSI targets
  o- loopback ......................................... [Targets: 0]
  o- vhost ............................................ [Targets: 0]
#
--------------------------------------------------

2. Create a block storage object on a physical disk as the physical storage of the target back end (a 5G disk has been prepared in advance for this)
--------------------------------------------------
# targetcli
targetcli shell version 2.1.fb43
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> cd backstores/block #Enter the block subdirectory to create target back-end storage resources from block devices
/backstores/block> create lun1 /dev/sdb #Use the create command to create a storage resource named lun1
Created block storage object lun1 using /dev/sdb.

/backstores/block> ls #View the created storage resource
o- block ...................................... [Storage Objects: 1]
  o- lun1 .............. [/dev/sdb (5.0GiB) write-thru deactivated] #Newly created

--------------------------------------------------

Command line implementation:
# targetcli /backstores/block create name=lun1 dev=/dev/sdb

3. Create files and memory as physical storage for the target back end
--------------------------------------------------
/backstores> cd fileio/ #Enter the fileio subdirectory to create target back-end storage resources from files
/backstores/fileio> create lun1 /tmp/lun1.img #The size of the file /tmp/lun1.img is the size of the resource you want to use; you can create an empty file with the dd command
Created fileio lun1 with size 1073741824 #The size of this file is 1G

/backstores/fileio> cd ../ramdisk #Enter the ramdisk subdirectory to create target back-end storage resources from memory
/backstores/ramdisk> create rd0 10MB #Use 10MB of memory to create a storage resource named rd0
Created ramdisk rd0 with size 10MB.
/backstores/ramdisk>
--------------------------------------------------

Command line implementation:
# targetcli /backstores/fileio create name=lun1 file_or_dev=/tmp/lun1.img
# targetcli /backstores/ramdisk create name=rd0 size=10MB

4. View the created storage resources
--------------------------------------------------
/backstores> ls
o- backstores ................................................ [...]
  o- block .................................... [Storage Objects: 1]
  | o- lun1 ............ [/dev/sdb (5.0GiB) write-thru deactivated] #Block-based
  o- fileio ................................... [Storage Objects: 1]
  | o- lun1 ...... [/tmp/lun1.img (1.0GiB) write-back deactivated] #File-based
  o- pscsi .................................... [Storage Objects: 0]
  o- ramdisk .................................. [Storage Objects: 1]
    o- rd0 ................................. [(10.0MiB) deactivated] #Memory-based
/backstores>
--------------------------------------------------

5. Delete the storage resource just created. block/ is used as the example; the other directories work the same way.
--------------------------------------------------
/backstores> cd block/ #Enter the subdirectory that holds the resource to delete
/backstores/block> delete #Type the delete command and press the TAB key twice to see the available arguments
lun1 name= #The delete command can be followed by parameters
/backstores/block> delete lun1 #After the delete command, enter the resource name and press Enter to delete it
Deleted storage object lun1.
/backstores/block> ls
o- block ...................................... [Storage Objects: 0] #Deleted successfully
/backstores/block>
--------------------------------------------------

Command line implementation:
# targetcli /backstores/block delete name=lun1

Besides fileio and ramdisk backstore objects, you can also create block and pscsi objects. The block object imports general block devices, such as /dev/hdaX, /dev/sdX and /dev/vgX/lvX. The pscsi object imports SCSI devices that already exist in the system (that is, the devices listed by lsscsi), and all SCSI commands received by the SAN front end are passed through transparently to the devices imported by pscsi. Note that the SCSI devices emulated by Linux-IO Target implement the SPC-2, SPC-3 and SPC-4 specifications, which means that Persistent Reservations (PRs), Asymmetric Logical Unit Access (ALUA), vStorage APIs for Array Integration (VAAI) and other high-end SCSI features are implemented. The existing SCSI devices on the host, however, may not implement SPC-4. Therefore, when high-end SCSI features are required, it is best to import devices such as /dev/sdX through block objects instead of pscsi.

X. Use targetcli to create an iSCSI target

1. Create an iSCSI target
--------------------------------------------------
/iscsi> create #With no parameters, the create command automatically creates a target with a random iqn
Created target iqn.2003-01.org.linux-iscsi.debian.x8664:sn.aea77a8eef23.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.

/iscsi> delete iqn.2003-01.org.linux-iscsi.debian.x8664:sn.aea77a8eef23 #Delete this random iqn
Deleted Target iqn.2003-01.org.linux-iscsi.debian.x8664:sn.aea77a8eef23.

/iscsi> create iqn.2019-10.cc.pipci.iscsi:debian.tgt1 #Create a memorable iqn, making sure it is unique
Created target iqn.2019-10.cc.pipci.iscsi:debian.tgt1.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.

/iscsi> ls
o- iscsi .............................................. [Targets: 1]
  o- iqn.2019-10.cc.pipci.iscsi:debian.tgt1 .............. [TPGs: 1] #The created target appears as a directory named after its iqn
    o- tpg1 ................................. [no-gen-acls, no-auth] #A TPG subdirectory is created at the same time
      o- acls ............................................ [ACLs: 0] #ACL (Access Control List) subdirectory
      o- luns ............................................ [LUNs: 0] #Subdirectory for associating storage resources
      o- portals ...................................... [Portals: 1] #Listening address and port resources
        o- 0.0.0.0:3260 ....................................... [OK]
/iscsi>
--------------------------------------------------

Command line implementation:
# targetcli /iscsi create iqn.2019-10.cc.pipci.iscsi:debian.tgt1 #Create
# targetcli /iscsi delete iqn.2019-10.cc.pipci.iscsi:debian.tgt1 #Delete

2. Associate back-end storage resources
--------------------------------------------------
/iscsi> cd iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/luns #Enter the luns subdirectory
/iscsi/iqn.20...gt1/tpg1/luns> create /backstores/block/lun1 #Use the create command to associate; /backstores/block/lun1 is the storage resource created above, pay attention to the path
Created LUN 0. #LUN 0 is created by default
/iscsi/iqn.20...gt1/tpg1/luns> ls #View associated storage resources
o- luns .................................................. [LUNs: 1]
  o- lun0 ................................. [block/lun1 (/dev/sdb)] #The associated storage resource

/iscsi/iqn.20...gt1/tpg1/luns> delete 0 #Remove the association; just enter the LUN number after delete
Deleted LUN 0.
/iscsi/iqn.20...gt1/tpg1/luns>
--------------------------------------------------

Command line implementation:
Associate
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/luns create /backstores/block/lun1
Remove the association
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/luns delete 0

3. Configure ACL (optional; the target can be used without it). Its function is to control which initiators, identified by IQN, are allowed access. The IQN of an allowed initiator must therefore match the IQN name in /etc/iscsi/initiatorname.iscsi on the initiator side; otherwise access is denied. ACL is turned off by default and needs to be turned on manually by setting generate_node_acls={0|1}, where 0 means off and 1 means on

Turn on ACL
--------------------------------------------------
/iscsi> ls
o- iscsi .............................................. [Targets: 1]
  o- iqn.2019-10.cc.pipci.iscsi:debian.tgt1 .............. [TPGs: 1]
    o- tpg1 ................................. [no-gen-acls, no-auth] #no-gen-acls means that acl is disabled by default
      o- acls ............................................ [ACLs: 0]
      o- luns ............................................ [LUNs: 1]
      | o- lun0 ........................... [block/lun1 (/dev/sdb)]
      o- portals ...................................... [Portals: 1]
        o- 0.0.0.0:3260 ....................................... [OK]
/iscsi>
/iscsi> cd iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/ #You must enter the TPG directory to make the change
/iscsi/iqn.20...ian.tgt1/tpg1> set attribute generate_node_acls=1 #Turn on ACL
Parameter generate_node_acls is now '1'.
/iscsi/iqn.20...ian.tgt1/tpg1> ls
o- tpg1 ........................................ [gen-acls, no-auth] #Modified successfully
  o- acls ................................................ [ACLs: 0]
  o- luns ................................................ [LUNs: 1]
  | o- lun0 ............................... [block/lun1 (/dev/sdb)]
  o- portals .......................................... [Portals: 1]
    o- 0.0.0.0:3260 ........................................... [OK]
/iscsi/iqn.20...ian.tgt1/tpg1>
--------------------------------------------------

Add the initiators allowed to access
--------------------------------------------------
/iscsi/iqn.20...ian.tgt1/tpg1> cd acls #Enter the ACL configuration directory
/iscsi/iqn.20...gt1/tpg1/acls> create iqn.2019-10.cc.pipci.iscsi:clinet.sn8888 #Add the allowed iqn
Created Node ACL for iqn.2019-10.cc.pipci.iscsi:clinet.sn8888
Created mapped LUN 0.
/iscsi/iqn.20...gt1/tpg1/acls> ls #View
o- acls .................................................. [ACLs: 1]
  o- iqn.2019-10.cc.pipci.iscsi:clinet.sn8888 ..... [Mapped LUNs: 1]
/iscsi/iqn.20...gt1/tpg1/acls> delete iqn.2019-10.cc.pipci.iscsi:clinet.sn8888 #Delete iqn
Deleted Node ACL iqn.2019-10.cc.pipci.iscsi:clinet.sn8888.
--------------------------------------------------
Command line implementation:
Turn on ACL
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1 set attribute generate_node_acls=1
Add iqn
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/acls create iqn.2019-10.cc.pipci.iscsi:clinet.sn8888
Delete iqn
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/acls delete iqn.2019-10.cc.pipci.iscsi:clinet.sn8888


4. Set the IP address and port number on which the target listens for discovery. Some target servers have multiple network cards. To choose which network card or IP address exposes the shared resources, enter the portals directory and set the IP address and port to listen on. The default is to listen on all addresses.

The default 0.0.0.0 is not safe; delete it first
--------------------------------------------------
/iscsi/iqn.20...ian.tgt1/tpg1> ls
o- tpg1 ........................................ [gen-acls, no-auth]
  o- acls ................................................ [ACLs: 0]
  o- luns ................................................ [LUNs: 1]
  | o- lun0 ............................... [block/lun1 (/dev/sdb)]
  o- portals .......................................... [Portals: 1]
    o- 0.0.0.0:3260 ........................................... [OK] #By default it listens on 0.0.0.0, that is, all IP addresses, port 3260

/iscsi/iqn.20...ian.tgt1/tpg1> cd portals/ #Enter the portals directory to configure it
/iscsi/iqn.20.../tpg1/portals> delete 0.0.0.0 3260 #First delete the 0.0.0.0 address; the port number must follow the address
Deleted network portal 0.0.0.0:3260
/iscsi/iqn.20.../tpg1/portals>
--------------------------------------------------

Create a listening address and port
--------------------------------------------------
/iscsi/iqn.20.../tpg1/portals> create 192.168.1.16
Using default IP port 3260 #If no port number follows the IP address above, the default 3260 is used; to set a port, enter the port number after the IP address
Created network portal 192.168.1.16:3260.
/iscsi/iqn.20.../tpg1/portals> ls
o- portals ............................................ [Portals: 1]
  o- 192.168.1.16:3260 ........................................ [OK] #Successfully changed
/iscsi/iqn.20.../tpg1/portals>
--------------------------------------------------

Command line implementation:
Delete the listening IP
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/portals delete 0.0.0.0 3260
Add the listening IP and port number; without a port number the default 3260 is used
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/portals create 192.168.1.16 3260

XI. Configure CHAP authentication on the targetcli server
Authentication is divided into global configuration and local configuration
Configuration under /iscsi is global.
Configuration under iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/ belongs to a single target. It is local configuration and takes effect only for that single IQN

Only discovery authentication can be set under the global configuration, and only login authentication can be set under the local configuration. Each type of authentication is divided into one-way authentication and two-way authentication.

Discovery authentication and login authentication mean what their names say

One-way authentication means that when the initiator discovers the target, it must provide correct credentials before it can discover the iSCSI service on the target.

Two-way authentication means that, on top of one-way authentication, the target must also correctly provide the credentials set by the initiator before the initiator can discover it

Whichever kind of authentication is used, it is configured on the target side
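What the one-way and two-way settings mean on the wire, as an added example that is not part of the original article: a model of the CHAP exchange (RFC 1994 with MD5) using the iSCSI login keys CHAP_A, CHAP_I, CHAP_C, CHAP_N and CHAP_R. The class names Target and Initiator and the function login are hypothetical, and the credentials are the ones this article configures in the following sections.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def _matches(expected_name, secret, ident, challenge, msg):
    """Check a peer's CHAP_N / CHAP_R pair, comparing digests in constant time."""
    expected = chap_response(ident, secret, challenge)
    return (msg.get("CHAP_N") == expected_name
            and hmac.compare_digest(expected, msg.get("CHAP_R", b"")))


class Target:
    """Holds what userid/password/mutual_userid/mutual_password store on the target."""

    def __init__(self, userid, password, mutual_userid=None, mutual_password=None):
        self.userid, self.password = userid, password
        self.mutual_userid, self.mutual_password = mutual_userid, mutual_password

    def challenge(self):
        # Step 1, target -> initiator. CHAP_A=5 selects MD5.
        self._id, self._chal = os.urandom(1)[0], os.urandom(16)
        return {"CHAP_A": 5, "CHAP_I": self._id, "CHAP_C": self._chal}

    def verify(self, reply):
        # Step 3: one-way authentication, the target checks the initiator.
        if not _matches(self.userid, self.password, self._id, self._chal, reply):
            return None
        if "CHAP_C" not in reply:
            return {}  # the initiator did not ask the target to prove itself
        # The iSCSI RFCs require refusing a challenge that is our own, reflected.
        if reply["CHAP_C"] == self._chal or self.mutual_password is None:
            return None
        # Step 4: answer the initiator's challenge with the mutual secret.
        return {"CHAP_N": self.mutual_userid,
                "CHAP_R": chap_response(reply["CHAP_I"], self.mutual_password,
                                        reply["CHAP_C"])}


class Initiator:
    """Holds the matching credentials configured on the initiator side."""

    def __init__(self, userid, password, mutual_userid=None, mutual_password=None):
        self.userid, self.password = userid, password
        self.mutual_userid, self.mutual_password = mutual_userid, mutual_password

    def respond(self, msg):
        # Step 2, initiator -> target, adding its own challenge for two-way auth.
        reply = {"CHAP_N": self.userid,
                 "CHAP_R": chap_response(msg["CHAP_I"], self.password, msg["CHAP_C"])}
        if self.mutual_password is not None:
            self._id, self._chal = os.urandom(1)[0], os.urandom(16)
            reply.update(CHAP_I=self._id, CHAP_C=self._chal)
        return reply

    def verify_target(self, answer):
        # Step 5: with two-way authentication the target must know the mutual secret.
        if self.mutual_password is None:
            return True
        return _matches(self.mutual_userid, self.mutual_password,
                        self._id, self._chal, answer)


def login(initiator, target):
    """Run one exchange and report which side, if any, refused."""
    answer = target.verify(initiator.respond(target.challenge()))
    if answer is None:
        return "target rejected initiator"
    if not initiator.verify_target(answer):
        return "initiator rejected target"
    return "ok"


if __name__ == "__main__":
    tgt = Target("laopi", "pi1234", "laopimal", "pi123456")
    print(login(Initiator("laopi", "pi1234", "laopimal", "pi123456"), tgt))
```

The secret itself never crosses the network, only the MD5 digest; with two-way authentication a host that does not hold the mutual secret cannot pass itself off as the target.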

XII. Discovery authentication under global configuration

1. One-way authentication (the target server authenticates the initiator)

View the default configuration
--------------------------------------------------
/> cd iscsi/ #Enter the iscsi/ directory for global configuration
/iscsi> get discovery_auth #View discovery authentication status
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=False #Not enabled
------------
The enable discovery_auth parameter.

mutual_password= #Two-way authentication password
----------------
The mutual_password discovery_auth parameter.

mutual_userid= #Two-way authentication username
--------------
The mutual_userid discovery_auth parameter.

password= #One-way authentication password
---------
The password discovery_auth parameter.

userid= #One-way authentication username
-------
The userid discovery_auth parameter.

--------------------------------------------------

Command line implementation:
# targetcli /iscsi/ get discovery_auth #View discovery authentication status

Configure the username and password
--------------------------------------------------
/iscsi> set discovery_auth enable=1 #1 means on and 0 means off
Parameter enable is now 'True'.
/iscsi> set discovery_auth userid=laopi #Add user laopi
Parameter userid is now 'laopi'.
/iscsi> set discovery_auth password=pi1234 #Set the authentication password pi1234
Parameter password is now 'pi1234'.
/iscsi> get discovery_auth enable userid password
enable=True
userid=laopi
password=pi1234
/iscsi>
--------------------------------------------------

Command line implementation:
# targetcli /iscsi/ set discovery_auth enable=1 #1 means on and 0 means off
# targetcli /iscsi/ set discovery_auth userid=laopi #Add user laopi
# targetcli /iscsi/ set discovery_auth password=pi1234 #Set the authentication password pi1234

2. Set up two-way authentication (it must be built on one-way authentication, because one-way authentication is performed first when the initiator logs in)

Configure the mutual username and password
--------------------------------------------------
/iscsi> set discovery_auth mutual_userid=laopimal #Add the mutual username
Parameter mutual_userid is now 'laopimal'.
/iscsi> set discovery_auth mutual_password=pi123456 #Set the mutual password
Parameter mutual_password is now 'pi123456'.

/iscsi> get discovery_auth #View discovery authentication status
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=True
-----------
The enable discovery_auth parameter.

mutual_password=pi123456
------------------------
The mutual_password discovery_auth parameter.

mutual_userid=laopimal #Added successfully
----------------------
The mutual_userid discovery_auth parameter.

password=pi1234
---------------
The password discovery_auth parameter.

userid=laopi #For two-way authentication, the one-way authentication user must already exist
------------
The userid discovery_auth parameter.
--------------------------------------------------

Command line implementation:
# targetcli /iscsi/ set discovery_auth mutual_userid=laopimal #Add the mutual username
# targetcli /iscsi/ set discovery_auth mutual_password=pi123456 #Set the mutual password
# targetcli /iscsi/ get discovery_auth #View discovery authentication status

XIII. Login authentication under local configuration

1. One-way authentication (the target server authenticates the initiator)
--------------------------------------------------
/iscsi> cd iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1/ #Local authentication must be configured under the iqn of the corresponding target

/iscsi/iqn.20...ian.tgt1/tpg1> set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.

/iscsi/iqn.20...ian.tgt1/tpg1> set auth userid=laopi #Add user laopi
Parameter userid is now 'laopi'.
/iscsi/iqn.20...ian.tgt1/tpg1> set auth password=pi1234 #Set the authentication password pi1234
Parameter password is now 'pi1234'.
/iscsi/iqn.20...ian.tgt1/tpg1> get auth #View login authentication status
AUTH CONFIG GROUP
=================
mutual_password=
----------------
The mutual_password auth parameter.

mutual_userid=
--------------
The mutual_userid auth parameter.

password=pi1234
---------------
The password auth parameter.

userid=laopi
------------
The userid auth parameter.
--------------------------------------------------

Command line implementation:
Add user laopi
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1 set auth userid=laopi
Set the authentication password pi1234
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1 set auth password=pi1234
View login authentication status
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1 get auth

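2. Set up two-way authentication (it must be built on one-way authentication, because one-way authentication is performed first when the initiator logs in)

Configure the mutual username and password
--------------------------------------------------
/iscsi/iqn.20...ian.tgt1/tpg1> set auth mutual_userid=laopimal #Add the mutual username
Parameter mutual_userid is now 'laopimal'.
/iscsi/iqn.20...ian.tgt1/tpg1> set auth mutual_password=pi123456 #Set the mutual password
Parameter mutual_password is now 'pi123456'.
/iscsi/iqn.20...ian.tgt1/tpg1> get auth
AUTH CONFIG GROUP
=================
mutual_password=pi123456
------------------------
The mutual_password auth parameter.

mutual_userid=laopimal
----------------------
The mutual_userid auth parameter.

password=pi1234
---------------
The password auth parameter.

userid=laopi #For two-way authentication, the one-way authentication user must already exist
------------
The userid auth parameter.
--------------------------------------------------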

Command line implementation:
Add user laopimal
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1 set auth mutual_userid=laopimal
Set the authentication password pi123456
# targetcli /iscsi/iqn.2019-10.cc.pipci.iscsi:debian.tgt1/tpg1 set auth mutual_password=pi123456

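XIV. Save the configuration so that it takes effect after a reboot
In interactive mode, by default, when you finish creating the configuration and leave with exit, the configuration is saved automatically to the configuration file /etc/rtslib-fb-target/saveconfig.json and takes effect after a reboot
--------------------------------------------------
/> ls
o- / ......................................................... [...]
  o- backstores .............................................. [...]
  | o- block .................................. [Storage Objects: 1]
  | | o- lun1 ............ [/dev/sdb (5.0GiB) write-thru activated]
  | o- fileio ................................. [Storage Objects: 0]
  | o- pscsi .................................. [Storage Objects: 0]
  | o- ramdisk ................................ [Storage Objects: 0]
  o- iscsi ............................................ [Targets: 1]
  | o- iqn.2019-10.cc.pipci.iscsi:debian.tgt1 ............ [TPGs: 1]
  |   o- tpg1 ............................... [no-gen-acls, no-auth]
  |     o- acls .......................................... [ACLs: 0]
  |     o- luns .......................................... [LUNs: 1]
  |     | o- lun0 ......................... [block/lun1 (/dev/sdb)]
  |     o- portals .................................... [Portals: 1]
  |       o- 0.0.0.0:3260 ..................................... [OK]
  o- loopback ......................................... [Targets: 0]
  o- vhost ............................................ [Targets: 0]
/> exit
Global pref auto_save_on_exit=true #Indicates that, under the global preferences, the configuration is saved automatically on exit
Last 10 configs saved in /etc/rtslib-fb-target/backup.
Configuration saved to /etc/rtslib-fb-target/saveconfig.json #Indicates that the configuration has been saved
#
--------------------------------------------------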

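Manually saving and clearing the configuration in interactive mode
--------------------------------------------------
/> saveconfig #In the root directory of interactive mode, run this command and press Enter to save the configuration to the default configuration file
Last 10 configs saved in /etc/rtslib-fb-target/backup.
Configuration saved to /etc/rtslib-fb-target/saveconfig.json

/> saveconfig savefile=/tmp/lio.conf #We can also save to another file as a backup; this file does not need to be created in advance
Configuration saved to /tmp/lio.conf
/>
/> clearconfig confirm=true #When we want to clear all configuration, this command does it
All configuration cleared
/>

--------------------------------------------------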

Command line implementation:
# targetcli saveconfig #Save to the default file
# targetcli saveconfig savefile=/tmp/lio.conf #Save to the specified file
# targetcli clearconfig confirm=true
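An added example, not part of the original article or of targetcli: a Python check that reads a saved configuration and reports the settings covered in this article that leave a target exposed (wildcard portals, short CHAP secrets, and a TPG open to every initiator). The JSON field names are assumed to match what rtslib-fb writes to saveconfig.json, the sample configuration is constructed, and the 12-character minimum reflects the 96-bit CHAP secret guidance in RFC 3720; in LIO, generate_node_acls=1 makes the TPG create an ACL on the fly for any initiator, so that state without CHAP credentials is reported.

```python
import json

MIN_SECRET_LEN = 12  # 96 bits; RFC 3720 allows shorter CHAP secrets only with IPsec
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]"}

# Constructed sample in the assumed saveconfig.json layout: discovery CHAP with
# the article's short password, the default portal, and gen-acls with no login CHAP.
SAMPLE_CONFIG = {
    "fabric_modules": [{
        "name": "iscsi",
        "discovery_enable_auth": True,
        "discovery_userid": "laopi",
        "discovery_password": "pi1234",
    }],
    "targets": [{
        "fabric": "iscsi",
        "wwn": "iqn.2019-10.cc.pipci.iscsi:debian.tgt1",
        "tpgs": [{
            "tag": 1,
            "attributes": {"generate_node_acls": 1},
            "portals": [{"ip_address": "0.0.0.0", "port": 3260}],
            "node_acls": [],
        }],
    }],
}


def hardened_sample():
    """The same constructed config with the reported settings corrected."""
    cfg = json.loads(json.dumps(SAMPLE_CONFIG))  # deep copy
    cfg["fabric_modules"][0]["discovery_password"] = "placeholder-secret-1"
    tpg = cfg["targets"][0]["tpgs"][0]
    tpg["portals"][0]["ip_address"] = "192.168.1.16"
    tpg["chap_userid"] = "laopi"
    tpg["chap_password"] = "placeholder-secret-2"
    return cfg


def _secret_findings(where, obj, prefix):
    """Check the password / mutual_password pair stored under a key prefix."""
    out = []
    pw = obj.get(prefix + "password")
    mpw = obj.get(prefix + "mutual_password")
    for label, secret in (("password", pw), ("mutual_password", mpw)):
        if secret and len(secret) < MIN_SECRET_LEN:
            out.append((where, f"{label} is shorter than {MIN_SECRET_LEN} characters"))
    if pw and mpw and pw == mpw:
        out.append((where, "password and mutual_password are identical"))
    return out


def audit(config):
    """Return a list of (location, message) findings for the iSCSI fabric."""
    findings = []
    for fm in config.get("fabric_modules", []):
        if fm.get("name") != "iscsi":
            continue
        if not fm.get("discovery_enable_auth"):
            findings.append(("discovery", "discovery authentication is disabled"))
        findings += _secret_findings("discovery", fm, "discovery_")
    for target in config.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            where = f"{target['wwn']}/tpg{tpg['tag']}"
            for portal in tpg.get("portals", []):
                if portal["ip_address"] in WILDCARD_ADDRS:
                    findings.append((where, f"portal {portal['ip_address']}:"
                                            f"{portal['port']} listens on every address"))
            attrs = tpg.get("attributes", {})
            gen_acls = str(attrs.get("generate_node_acls", 0)) == "1"
            has_chap = bool(tpg.get("chap_userid") and tpg.get("chap_password"))
            if gen_acls and not has_chap:
                findings.append((where, "gen-acls without CHAP: any initiator "
                                        "reaching a portal can log in"))
            findings += _secret_findings(where, tpg, "chap_")
            for acl in tpg.get("node_acls", []):
                findings += _secret_findings(f"{where}/acls/{acl['node_wwn']}", acl, "chap_")
    return findings


def audit_file(path="/etc/rtslib-fb-target/saveconfig.json"):
    """Audit a saved configuration file (path taken from this article)."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


if __name__ == "__main__":
    for location, message in audit(SAMPLE_CONFIG):
        print(f"{location}: {message}")
```

The saved file holds the CHAP passwords in clear text, so a copy written with savefile= deserves the same file permissions as the default file.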
