Eric Jackson edited this page Apr 24, 2016 · 1 revision

Prerequisites

You must have the following:

  • a working Ceph cluster
  • a host to act as a gateway (iSCSI target)
  • a host to act as a client (iSCSI initiator)
  • lrbd installed on the gateway

For Adding a Gateway and Adding a Target

  • another host to act as a second or redundant gateway

Building a configuration

The lrbd configuration is a global configuration for all gateways and clients. The gateway sections include the Ceph pools, RBD images, portals (i.e. network interfaces), static targets and authentication. Within these sections are specific access definitions and restrictions for initiators.

Imagine the physical layout below with a single client acting as an initiator connecting via a gateway to a Ceph cluster.

Physical Layout

For a first configuration, find the simple.json file located in /usr/share/doc/packages/lrbd/samples. Copy this file to another location such as your home directory. The file contains four sections which are targets, auth, portals and pools. The purpose of the separate sections is to accommodate the myriad of configurations that iSCSI can support.

For your convenience, the contents of simple.json are displayed below.

{
    "targets": [
      {
        "host": "igw1",
        "target": "iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk"
      }
    ],
    "auth": [
        {
            "host": "igw1",
            "authentication": "tpg",
            "tpg": {
                "userid": "common1",
                "password": "pass1"
            }
        }
    ],
    "portals": [
        {
            "name": "portal1",
            "addresses": [ "172.16.1.16" ]
        }
    ],
    "pools": [
        {
            "pool": "rbd",
            "gateways": [
                {
                    "host": "igw1",
                    "tpg": [
                        {
                            "portal": "portal1",
                            "image": "archive"
                        }
                    ]
                }
            ]
        }
    ]
}

An experienced storage administrator may ask "Where's the LUN?". Essentially, the mapped RBD image is the LUN. Lrbd uses the Ceph terminology of pool and image, but uses the iSCSI terms target, initiator and portal. The following diagram shows the relationship.

Abstract Layout

Note that this configuration is one portal within one target on one gateway accessing one image within one pool. Before exploring more complex configurations, follow these instructions for customizing and applying the configuration.

Pools

If you wish to use the default pool and RBD image, verify the following:

  • the rbd pool exists
    # rados lspools
  • the archive image exists
    # rbd -p rbd ls

Otherwise, create your own pool and RBD image. Update the pool and image in the pools section.

Update the host to match the hostname of the gateway.

"pools": [
    {
        "pool": "rbd",
        "gateways": [
            {
                "host": "igw1",
                "tpg": [
                    {
                        "portal": "portal1",
                        "image": "archive"
                    }
                ]
            }
        ]
    }
]

Targets

Under the targets section, update the host to match the hostname of the gateway. Replace the target with the output of iscsi-name.

"targets": [
  {
    "host": "igw1",
    "target": "iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk"
  }
]

Portals

Replace the address with a valid network address of the gateway host.

"portals": [
    {
        "name": "portal1",
        "addresses": [ "172.16.1.16" ]
    }
]

Auth

The authentication is set to tpg+identified. All initiators will use the same credentials to connect to this target. Replace the host with the hostname of the gateway. Set the desired userid and password for CHAP authentication.

"auth": [
    {
        "host": "igw1",
        "authentication": "tpg+identified",
        "tpg": {
            "userid": "common1",
            "password": "pass1"
        }
    }
]

Add comments if you wish using a '#'. Any comments will be stripped when importing the configuration.
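A check that can be run on the edited file before it is imported, as an added example (not part of lrbd or of the original page): it strips '#' comments, reports the line of a JSON syntax error, and flags tpg or target entries that name a portal missing from the portals section. The comment-stripping rule and the function names are assumptions; lrbd's own rule is not shown on the page.

```python
import json

# Constructed sample: simple.json from this page with '#' comments added and
# one deliberate mistake (the tpg entry names a portal that is never defined).
SAMPLE = """\
{
    # single gateway, single image
    "targets": [
        { "host": "igw1",
          "target": "iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk" }
    ],
    "portals": [
        { "name": "portal1", "addresses": [ "172.16.1.16" ] }  # iSCSI network
    ],
    "pools": [
        { "pool": "rbd",
          "gateways": [
              { "host": "igw1",
                "tpg": [ { "portal": "portal2", "image": "archive" } ] }
          ] }
    ]
}
"""


def strip_comments(text):
    """Drop '#' to end of line unless the '#' is inside a JSON string.

    Assumption: lrbd's own stripping rule is not shown on the page and may
    differ. Line count is preserved so error line numbers match the file.
    """
    cleaned = []
    for line in text.splitlines():
        in_string = escaped = False
        cut = len(line)
        for pos, char in enumerate(line):
            if escaped:
                escaped = False
            elif in_string and char == "\\":
                escaped = True
            elif char == '"':
                in_string = not in_string
            elif char == "#" and not in_string:
                cut = pos
                break
        cleaned.append(line[:cut].rstrip())
    return "\n".join(cleaned)


def lint(text):
    """Return a list of problems found; an empty list means none were found."""
    try:
        cfg = json.loads(strip_comments(text))
    except json.JSONDecodeError as err:
        # Typical cause: a missing comma, or a comma after the last element.
        return ["line %d: invalid JSON: %s" % (err.lineno, err.msg)]

    problems = []
    defined = set()
    for portal in cfg.get("portals", []):
        name = portal.get("name")
        if name in defined:
            problems.append("portal %r is defined more than once" % name)
        defined.add(name)

    # Portals are referenced from redundant targets ("hosts" lists) ...
    for target in cfg.get("targets", []):
        for member in target.get("hosts", []):
            if member.get("portal") not in defined:
                problems.append("target %s, host %s: portal %r is not defined"
                                % (target.get("target"), member.get("host"),
                                   member.get("portal")))
    # ... and from tpg entries under pools (redundant targets omit "portal").
    for pool in cfg.get("pools", []):
        for gateway in pool.get("gateways", []):
            owner = gateway.get("host") or gateway.get("target")
            for entry in gateway.get("tpg", []):
                if "portal" in entry and entry["portal"] not in defined:
                    problems.append("pool %s, gateway %s: portal %r is not defined"
                                    % (pool.get("pool"), owner, entry["portal"]))
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```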

Applying the configuration

Import the configuration and then query the configuration from a gateway host.
# lrbd -f ~/simple.json
# lrbd -o

The output will be similar to the following:

{
    "auth": [
        {
            "host": "igw1", 
            "authentication": "tpg+identified", 
            "tpg": {
                "userid": "common1", 
                "password": "pass1"
            }
        }
    ], 
    "targets": [
        {
            "host": "igw1", 
            "target": "iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk"
        }
    ], 
    "portals": [
        {
            "name": "portal1", 
            "addresses": [
                "172.16.1.16"
            ]
        }
    ], 
    "pools": [
        {
            "pool": "rbd", 
            "gateways": [
                {
                    "host": "igw1", 
                    "tpg": [
                        {
                            "portal": "portal1", 
                            "image": "archive", 
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
                        }
                    ]
                }
            ]
        }
    ]
}

Another option to display the configuration is

# lrbd -l

In this case, both outputs will be the same. The -o displays all hosts while -l shows only entries relevant to this host. This is most useful when determining whether a configuration is correct for a gateway.

Inspect the current configuration.
# targetcli ls

The output will show nothing configured.

Loaded vhost_scsi kernel module.
Created '/sys/kernel/config/target/vhost'.
Loaded iscsi_target_mod kernel module.
Created '/sys/kernel/config/target/iscsi'.
Loaded tcm_loop kernel module.
Created '/sys/kernel/config/target/loopback'.
Loaded tcm_fc kernel module.
Created '/sys/kernel/config/target/fc'.
Loaded ib_srpt kernel module.
Created '/sys/kernel/config/target/srpt'.
Loaded tcm_qla2xxx kernel module.
Created '/sys/kernel/config/target/qla2xxx'.
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd .................................................. [0 Storage Object]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi ......................................................... [0 Targets]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]

Verify that the hostname matches the configuration. Note the default value for the -H option below.

# lrbd -h

usage: lrbd [-h] [-e] [-E editor] [-c name] [--ceph ceph] [-H host] [-o] [-l]
            [-f file] [-a file] [-u] [-v] [-d] [-I] [-R] [-W] [-C]

optional arguments:
  -h, --help            show this help message and exit
  -e, --edit            edit the rbd configuration for iSCSI
  -E editor, --editor editor
                        use editor to edit the rbd configuration for iSCSI
  -c name, --config name
                        use name for object, defaults to "lrbd.conf"
  --ceph ceph           specify the ceph configuration file
  -H host, --host host  specify the hostname, defaults to "igw1"
  -o, --output          display the configuration
  -l, --local           display the host configuration                          
  -f file, --file file  import the configuration from file                      
  -a file, --add file   add the configuration from file                         
  -u, --unmap           unmap the rbd images                                    
  -v, --verbose         print INFO messages                                     
  -d, --debug           print DEBUG messages                                    
  -I, --iblock          set the backstore to iblock, defaults to rbd            
  -R, --rbd             set the backstore to rbd                                
  -W, --wipe            wipe the configuration objects from all pools           
  -C, --clear           clear the targetcli configuration    

Run the lrbd command to apply the saved configuration.
# lrbd

If the hostname in the configuration does not match the hostname in the help message, run the following command to apply the configuration instead.
# lrbd -H configured_hostname

The lrbd command outputs each rbd and targetcli command with its output.

targetcli /backstores/rbd create name=archive dev=/dev/rbd/rbd/archive
Loaded vhost_scsi kernel module.
Created '/sys/kernel/config/target/vhost'.
Loaded iscsi_target_mod kernel module.
Created '/sys/kernel/config/target/iscsi'.
Loaded tcm_loop kernel module.
Created '/sys/kernel/config/target/loopback'.
Loaded tcm_fc kernel module.
Created '/sys/kernel/config/target/fc'.
Loaded ib_srpt kernel module.
Created '/sys/kernel/config/target/srpt'.
Loaded tcm_qla2xxx kernel module.
Created '/sys/kernel/config/target/qla2xxx'.
Created RBD storage object archive using /dev/rbd/rbd/archive.
targetcli /iscsi create iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk
Created target iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk.
Selected TPG Tag 1.
Created TPG 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk/tpg1/luns create /backstores/rbd/archive
Selected LUN 0.
Created LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk/tpg1/portals create 172.16.1.16
Using default IP port 3260
Created network portal 172.16.1.16:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk/tpg1/acls create iqn.1996-04.de.suse:01:e6ca28cc9f20
Created Node ACL for iqn.1996-04.de.suse:01:e6ca28cc9f20
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 create 0 0
Created Mapped LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 set auth userid=common1 password=pass1
Parameter password is now 'pass1'.
Parameter userid is now 'common1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk/tpg1 set attribute authentication=1 demo_mode_write_protect=0 generate_node_acls=0
Parameter authentication is now '1'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '0'.

Inspect the current configuration again.
# targetcli ls

The output will look similar to the following:

o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd .................................................. [1 Storage Object]
  | | o- archive .............................. [/dev/rbd/rbd/archive activated]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi .......................................................... [1 Target]
  | o- iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk .......... [1 TPG]
  |   o- tpg1 ........................................................ [enabled]
  |     o- acls ........................................................ [1 ACL]
  |     | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ................ [1 Mapped LUN]
  |     |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |     o- luns ........................................................ [1 LUN]
  |     | o- lun0 ......................... [rbd/archive (/dev/rbd/rbd/archive)]
  |     o- portals .................................................. [1 Portal]
  |       o- 172.16.1.16:3260 .............................. [OK, iser disabled]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]

The import, editing or querying can be done on any Ceph client with lrbd installed. Applying the configuration will only make changes to the current host.

Host specific configurations can be queried from another host. For example, running the following from host igw1

# lrbd -H igw2 -l

will display the configuration of host igw2. Applying the configuration of another host is similar. From a host test1, running

# lrbd -H igw2

applies the configuration from host igw2. This allows investigation from separate hardware or temporary replacement of failed hardware without modifying the configuration.

Expanding the configuration

Growing the configuration to match your requirements is straightforward. Add the necessary entries, often by copying an existing entry and making simple changes. Be aware that a valid JSON structure needs a comma between elements but not after the last element in a list.

The following examples reference the simple.json in the previous section.

Adding an image

Create an image within the same pool.
# rbd -p rbd create data --size=2048

Copy the tpg entry containing image, portal and initiator. Change the image in the new entry, save your changes and apply. An initiator can access two RBD images from the same pool on the same gateway over the same network path.

{
    "portal": "portal1",
    "image": "archive",
    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
},
{
    "portal": "portal1",
    "image": "data",
    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
}

Adding an initiator

Nearly identical to adding an image, but change the initiator in the new entry. Two different initiators can access the same RBD image on the same gateway over the same network path.

{
    "portal": "portal1",
    "image": "archive",
    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
},
{
    "portal": "portal1",
    "image": "archive",
    "initiator": "iqn.1991-05.com.microsoft:client.example.com"
}

Adding a portal

In the portals section, duplicate the portal entry and change the name and address.

{
    "name": "portal1",
    "addresses": [ "172.16.1.16" ]
},
{
    "name": "portal2",
    "addresses": [ "172.16.2.16" ]
}

Use the new portal name. In this example, each initiator will use a dedicated network interface.

{
    "portal": "portal1",
    "image": "archive",
    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
},
{
    "portal": "portal2",
    "image": "archive",
    "initiator": "iqn.1991-05.com.microsoft:client.example.com"
}

Adding an address

In the portals section, provide a second address to an existing portal. Any entry using this portal will provide redundancy across two network paths.

{
    "name": "portal1",
    "addresses": [ "172.16.1.16", "172.16.2.16" ]
}

Adding a tpg

Copy an existing gateway entry. Maintain the same host and change any or all of portal, image and initiator. This allows isolated paths from initiator to image.

{
    "host": "igw1", 
    "tpg": [
        {
            "portal": "portal1",
            "image": "archive",
            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
        }
    ]
},
{
    "host": "igw1", 
    "tpg": [
        {
            "portal": "portal2",
            "image": "data",
            "initiator": "iqn.1991-05.com.microsoft:client.example.com"
        }
    ]
} 

Adding a gateway

Similar to adding a tpg, copy an existing gateway entry. Change the host of the new entry to the hostname of your second gateway. Do not use this for redundancy. This configuration is for two gateways with independent images.

{
    "host": "igw1", 
    "tpg": [
        {
            "portal": "portal1",
            "image": "archive",
            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
        }
    ]
},
{
    "host": "igw2",
    "tpg": [
        {
            "portal": "portal3",
            "image": "data",
            "initiator": "iqn.1991-05.com.microsoft:client.example.com"
        }
    ]
} 

Add another portal entry for the address of the second gateway.

{
    "name": "portal1",
    "addresses": [ "172.16.1.16" ]
},
{
    "name": "portal3",
    "addresses": [ "172.16.1.17" ]
}

Adding a pool

Duplicate a pool entry. Update the pool and image. Each image is accessed via the same network path.

{
    "pool": "rbd",
    "gateways": [
        {
            "host": "igw1", 
            "tpg": [
                {
                    "portal": "portal1",
                    "image": "archive",
                    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
                }
            ]
        } 
    ] 
},
{
    "pool": "car",
    "gateways": [
        {
            "host": "igw1", 
            "tpg": [
                {
                    "portal": "portal1",
                    "image": "cement",
                    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
                }
            ]
        } 
    ] 
}

Adding a target

More than one gateway can advertise the same target providing redundancy. This configuration requires a kernel that supports the tpg_enabled_sendtargets (formerly discoverable_while_disabled) and a targetcli that allows portal creation with non-existent addresses.

Copy an existing gateway entry. Change the host keyword to target. Update the hostname to an iqn value. Consider using iscsi-name as a template. Change the embedded hostname (e.g. igw1 to any). Remove the portal.

{
    "host": "igw1", 
    "tpg": [
        {
            "portal": "portal1",
            "image": "archive",
            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
        }
    ]
},
{
    "target": "iqn.2003-01.org.linux-iscsi.any.x86:sn.db7fc86c644",
    "tpg": [
        {
            "image": "data",
            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
        }
    ]
} 

Update the targets section. Add the new target with a list of hosts and portals.

{
  "host": "igw1",
  "target": "iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk"
},
{
  "hosts": [
      { "host": "igw1", "portal": "portal1" },
      { "host": "igw2", "portal": "portal4" }
  ],
  "target": "iqn.2003-01.org.linux-iscsi.any.x86:sn.db7fc86c644"
}

Update the portals section. Add the new portal with the address list from both gateways.

{
    "name": "portal1",
    "addresses": [ "172.16.1.16" ]
},
{
    "name": "portal4",
    "addresses": [ "172.16.4.16" ]
}

When applied, each gateway will have two TPGs for the common target. Note that a TPG is disabled on each gateway and contains the portal of the other gateway.

Authentication

iSCSI authentication is flexible, resulting in many possibilities. The four possible top-level settings are no authentication, tpg, acls and tpg+identified.

No authentication

No authentication means no initiator will require a username and password to access any luns for a specified host or target. No authentication can be set explicitly or implicitly. Specify a value of none for authentication to be set explicitly. For example,

{
    "host": "igw1",
    "authentication": "none"
}

Removing the entire auth section from the configuration will use no authentication implicitly.

TPG authentication

For common credentials or a shared username/password, set authentication to tpg. This setting will apply to all initiators for the associated host or target. In this example, the same username and password are used for the redundant target and a target local to igw1.

{
  "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant",
  "authentication": "tpg",
  "tpg": {
      "userid": "common1",
      "password": "pass1"
  }
},
{
    "host": "igw1",
    "authentication": "tpg",
    "tpg": {
        "userid": "common1",
        "password": "pass1"
    }
}

Redundant configurations will have the same credentials across gateways but are independent of other configurations. In other words, luns configured specifically for a host and multiple redundant configurations can have a unique username and password for each.

One caveat to note is that any initiator setting will be ignored when using tpg authentication. Using common credentials does not restrict which initiators may connect. This configuration may be suitable in isolated network environments.

ACL authentication

For unique credentials for each initiator, set authentication to acls. Additionally, only defined initiators are allowed to connect.

{
    "host": "igw1",
    "authentication": "acls",
    "acls": [
        {
            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
            "userid": "initiator1",
            "password": "pass1"
        }
    ]
}

TPG+identified authentication

The previous two authentication settings each have a use, but pair two independent features. TPG pairs common credentials with unidentified initiators. Acls pair unique credentials with identified initiators.

The last authentication setting pairs common credentials with identified initiators. This can be imitated by choosing acls and repeating the same credentials with each initiator, but the configuration would grow unnecessarily and annoy the maintainers. For this configuration, set authentication to tpg+identified.

This configuration uses the tpg configuration with only the authentication keyword changing.

{
  "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant",
  "authentication": "tpg+identified",
  "tpg": {
      "userid": "common1",
      "password": "pass1"
  }
},
{
    "host": "igw1",
    "authentication": "tpg+identified",
    "tpg": {
        "userid": "common1",
        "password": "pass1"
    }
}

The list of initiators is gathered from those defined in the pools for the given hosts and targets in the authentication section.
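The four settings can be compared side by side by auditing a configuration offline; the following is an added example (not lrbd code and not from the original page) that reports, for each host or target, the mode in effect, which initiators it admits, and anything worth a second look. Assumptions: a gateway without an auth entry is treated as implicit no authentication (the page states this only for a missing auth section), "defined initiators" under acls is read as those with an acls entry, and the 12-byte secret threshold comes from the iSCSI RFCs rather than from this page.

```python
ANY = "any initiator"
# 96 bits: below this the iSCSI RFCs (3720, 7143) expect IPsec to protect CHAP.
MIN_SECRET_BYTES = 12

# Constructed configuration assembled from excerpts on this page. igw3 has no
# auth entry, and igw2 serves an initiator that has no acls entry.
SUSE = "iqn.1996-04.de.suse:01:e6ca28cc9f20"
MSFT = "iqn.1991-05.com.microsoft:client.example.com"
REDUNDANT = "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant"
SAMPLE = {
    "auth": [
        {"host": "igw1", "authentication": "tpg",
         "tpg": {"userid": "common1", "password": "pass1"}},
        {"target": REDUNDANT, "authentication": "tpg+identified",
         "tpg": {"userid": "common1", "password": "pass1"}},
        {"host": "igw2", "authentication": "acls",
         "acls": [{"initiator": SUSE, "userid": "initiator1",
                   "password": "pass1"}]},
    ],
    "pools": [{"pool": "rbd", "gateways": [
        {"host": "igw1",
         "tpg": [{"portal": "portal1", "image": "archive", "initiator": SUSE}]},
        {"target": REDUNDANT,
         "tpg": [{"image": "city", "initiator": SUSE},
                 {"image": "city", "initiator": MSFT}]},
        {"host": "igw2",
         "tpg": [{"portal": "portal3", "image": "data", "initiator": MSFT}]},
        {"host": "igw3",
         "tpg": [{"portal": "portal5", "image": "wood", "initiator": SUSE}]},
    ]}],
}


def subject(entry):
    """An auth or gateway entry is keyed by either a target IQN or a host."""
    key = "target" if "target" in entry else "host"
    return key, entry[key]


def pool_initiators(cfg, who):
    """Initiators named in the pools section for one host or target."""
    return {tpg["initiator"]
            for pool in cfg.get("pools", [])
            for gateway in pool.get("gateways", [])
            if subject(gateway) == who
            for tpg in gateway.get("tpg", [])
            if "initiator" in tpg}


def short_secret(credentials):
    """True when the CHAP password is shorter than MIN_SECRET_BYTES."""
    return len(credentials.get("password", "").encode()) < MIN_SECRET_BYTES


def audit(cfg):
    """Map each host/target name to its mode, who may log in, and notes."""
    auth = {subject(entry): entry for entry in cfg.get("auth", [])}
    subjects = set(auth)
    for pool in cfg.get("pools", []):
        subjects.update(subject(gw) for gw in pool.get("gateways", []))

    report = {}
    for who in sorted(subjects):
        entry = auth.get(who, {})
        mode = entry.get("authentication", "none")
        named = pool_initiators(cfg, who)
        notes, secrets = [], []
        if mode == "none":
            allowed = ANY
            notes.append("no CHAP credentials required"
                         + ("" if who in auth else " (no auth entry)"))
        elif mode == "tpg":
            allowed, secrets = ANY, [entry.get("tpg", {})]
            if named:
                notes.append("initiator settings in pools are ignored")
        elif mode == "tpg+identified":
            allowed, secrets = named, [entry.get("tpg", {})]
        elif mode == "acls":
            acls = {acl["initiator"]: acl for acl in entry.get("acls", [])}
            allowed, secrets = set(acls), list(acls.values())
            for initiator in sorted(named - allowed):
                notes.append("no acls credentials for %s" % initiator)
        else:
            allowed = None
            notes.append("unrecognised authentication value %r" % mode)
        if any(short_secret(item) for item in secrets):
            notes.append("CHAP secret shorter than %d bytes" % MIN_SECRET_BYTES)
        report[who[1]] = {"mode": mode, "allowed": allowed, "notes": notes}
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result["mode"], result["allowed"], result["notes"])
```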

Discovery and Mutual authentication

Independent of these four authentication settings is discovery authentication. Discovery authentication requires credentials for browsing.

Authentication for tpg, tpg+identified, acls and discovery supports mutual authentication. Specifying the mutual settings requires that the target authenticates against the initiator.

Discovery and mutual authentication are optional. These options can be present but disabled, allowing experimentation with a particular configuration. Once decided, disabled entries can be removed without harming the configuration.

For several possibilities, please see the examples in /usr/share/doc/packages/lrbd/samples. Excerpts from one file can be combined with others to create unique configurations.

Systemd service

The lrbd utility includes a service file. Systemd will run lrbd on boot when the service is enabled. To enable and start the service, run

# systemctl enable lrbd
# systemctl start lrbd

The service is a one-shot service. Any changes to the lrbd configuration do not propagate automatically. To apply the changes without clearing the current configuration, run

# systemctl reload lrbd

The rationale for this behavior is to allow administrators to control when the configuration is applied to each gateway.

Managing configurations

The configuration may be updated directly with lrbd -e. The entire configuration can be output with lrbd -o > filename and maintained under your choice of version control.

Alternatively, the global configuration can be re-imported after making changes. Running lrbd -f filename will replace any configuration stored within Ceph. The advantage of this method is the input file may contain comments for complex configurations.

Lastly, configurations may be added cumulatively. For instance, if two groups within an organization each have independent gateways and clients but wish to share the same Ceph cluster, multiple configurations can be maintained independently. Each configuration must be valid by itself, but could be divided into separate files by pool or gateway. One file could contain gateways A, B and C while another contains D and E.

The first configuration is imported as normal with lrbd -f ABC.config. The second configuration is added with lrbd -a DE.config. The pools and authentication sections will be merged. The targets and portals sections are replaced. Depending on the configuration, either remove the targets and portals section from the DE.config or duplicate these sections in both files.

The above example could also be executed with lrbd -W which wipes the configuration from Ceph and then executes lrbd -a for each file.

Examples

The following examples are located in /usr/share/doc/packages/lrbd/samples. Some are admittedly contrived, but show combinations that may more closely match your requirements.

Redundant gateways

The requirement is to provide a highly available solution for an application accessing Ceph storage. In this example, the image city is advertised from two gateways. Each gateway has a single nic for iSCSI access. The physical hardware could be the following:

Physical Redundant Layout

The expected configuration would look like the following:

Abstract Redundant Layout

The sample is called 2gateways+no_authentication.json, which is shown below:

{
  "auth": [
    {
      "authentication": "none",
      "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant"
    }
  ],
  "targets": [
    {
      "hosts": [
          { "host": "igw1", "portal": "portal1" },
          { "host": "igw2", "portal": "portal2" }
      ],
      "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant"
    }
  ],
  "portals": [
      {
          "name": "portal1",
          "addresses": [ "172.16.1.16"]
      },
      {
          "name": "portal2",
          "addresses": [ "172.16.1.17" ]
      }
  ],
  "pools": [
    {
      "pool": "rbd",
      "gateways": [
        {
          "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant",
          "tpg": [
            {
              "image": "city"
            }
          ]
        }
      ]
    }
  ]
}

Running lrbd on the first gateway, igw1, will output the commands and respective outputs:

modprobe vhost_scsi
modprobe iscsi_target_mod
modprobe tcm_loop
modprobe tcm_fc
modprobe ib_srpt
modprobe tcm_qla2xxx
modprobe target_core_rbd
targetcli /backstores/rbd create name=city dev=/dev/rbd/rbd/city
Created '/sys/kernel/config/target/vhost'.
Created '/sys/kernel/config/target/iscsi'.
Created '/sys/kernel/config/target/loopback'.
Created '/sys/kernel/config/target/fc'.
Created '/sys/kernel/config/target/srpt'.
Created '/sys/kernel/config/target/qla2xxx'.
Created RBD storage object city using /dev/rbd/rbd/city.
targetcli /iscsi create iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant
Created target iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant.
Selected TPG Tag 1.
Created TPG 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant create 2
Created TPG 2.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg2 disable
The TPG has been disabled.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg1/luns create /backstores/rbd/city
Selected LUN 0.
Created LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg2/luns create /backstores/rbd/city
Selected LUN 0.
Created LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg1/portals create 172.16.1.16
Using default IP port 3260
Created network portal 172.16.1.16:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg2/portals create 172.16.1.17
Using default IP port 3260
IP address 172.16.1.17 does not exist on this host.
Created network portal 172.16.1.17:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg1 set attribute authentication=0 demo_mode_write_protect=0 generate_node_acls=1
Parameter authentication is now '0'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant/tpg2 set attribute authentication=0 demo_mode_write_protect=0 generate_node_acls=1
Parameter authentication is now '0'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '1'.

To inspect the configuration, run

# targetcli ls

The output will be

o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd .................................................. [1 Storage Object]
  | | o- city .................................... [/dev/rbd/rbd/city activated]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi .......................................................... [1 Target]
  | o- iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant ............... [2 TPGs]
  |   o- tpg1 ........................................................ [enabled]
  |   | o- acls ....................................................... [0 ACLs]
  |   | o- luns ........................................................ [1 LUN]
  |   | | o- lun0 ............................... [rbd/city (/dev/rbd/rbd/city)]
  |   | o- portals .................................................. [1 Portal]
  |   |   o- 172.16.1.16:3260 .............................. [OK, iser disabled]
  |   o- tpg2 ....................................................... [disabled]
  |     o- acls ....................................................... [0 ACLs]
  |     o- luns ........................................................ [1 LUN]
  |     | o- lun0 ............................... [rbd/city (/dev/rbd/rbd/city)]
  |     o- portals .................................................. [1 Portal]
  |       o- 172.16.1.17:3260 .............................. [OK, iser disabled]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]

Note that tpg2 is disabled since this portal does not exist on gateway igw1. Applying the same configuration on igw2 will result in the reverse. Tpg1 will be disabled and tpg2 will be enabled.

From the initiator, a discovery of igw1 will output the following:

# iscsiadm -m discovery -t st -p 172.16.1.16
172.16.1.16:3260,1 iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant
172.16.1.17:3260,2 iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant

A discovery of igw2 will give the same results.

Once discovered, both gateways can be logged into simultaneously with

# iscsiadm -m node -L all

And multipath will list both paths as separate devices.

# multipath -ll
3600140569accc1f6b1f3853bb38f8deb dm-0 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 8:0:0:0 sdb 8:16 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 9:0:0:0 sda 8:0  active ready running

Access control

Rather than a trivial example of iSCSI access controls, this example shows access lists on two independent gateways, each exporting different images within Ceph and restricting access to two clients. Additionally, each gateway has redundant network interfaces.

Physical Acls Layout

Ceph is configured for five images across three pools. The pool rbd contains city, writers and wood; car contains cement; and whirl contains cheese. The rationale is simply to demonstrate that multiple images per pool and multiple pools work. A typical configuration would be a subset.

Each client has an initiator iqn. Each gateway has a target iqn with a single portal of two network interfaces.

Abstract Acls Layout

The sample is acls.json and is shown below:

{
    "targets": [
      {
        "host": "igw1",
        "target": "iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141"
      },
      {
        "host": "igw2",
        "target": "iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579"
      }
    ],
    "auth": [
        {
            "host": "igw1", 
            "authentication": "acls", 
            "acls": [
                {
                    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
                    "userid": "initiator1", 
                    "password": "pass1"
                }
            ]
        }, 
        {
            "host": "igw2", 
            "authentication": "acls", 
            "acls": [
                {
                    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
                    "userid": "initiator1", 
                    "password": "pass1"
                },
                {
                    "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f24", 
                    "userid": "initiator2", 
                    "password": "pass5"
                } 
            ] 
        }
    ], 
    "portals": [
        {
            "name": "portal1",
            "addresses": [ "172.16.1.16", "172.16.2.16" ]
        },
        {
            "name": "portal2",
            "addresses": [ "172.16.1.17", "172.16.2.17" ]
        }
    ],
    "pools": [
        {
            "pool": "rbd",
            "gateways": [
                {
                    "host": "igw1", 
                    "tpg": [
                        {
                            "portal": "portal1",
                            "image": "city",
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20"
                        }
                    ]
                }, 
                {
                    "host": "igw2", 
                    "tpg": [
                        {
                            "portal": "portal2",
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20", 
                            "image": "writers"
                        }, 
                        {
                            "portal": "portal2",
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f24", 
                            "image": "writers"
                        }, 
                        {
                            "portal": "portal2",
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f24", 
                            "image": "wood"
                        }
                    ] 
                }
            ] 
        },
        {
            "pool": "car",
            "gateways": [
                {
                    "host": "igw1", 
                    "tpg": [
                        {
                            "portal": "portal1",
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
                            "image": "cement"
                        }
                    ]
                } 
            ] 
        },
        {
            "pool": "whirl",
            "gateways": [
                {
                    "host": "igw2",
                    "tpg": [
                        {
                            "portal": "portal2",
                            "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
                            "image": "cheese"
                        }
                    ]
                }
            ]
        }
    ]
}

Unlike the previous example where both gateways are configured essentially identically, these gateways are independent. Running lrbd on igw1 results in the following

modprobe vhost_scsi
modprobe iscsi_target_mod
modprobe tcm_loop
modprobe tcm_fc
modprobe ib_srpt
modprobe tcm_qla2xxx
modprobe target_core_rbd
targetcli /backstores/rbd create name=city dev=/dev/rbd/rbd/city
Created '/sys/kernel/config/target/vhost'.
Created '/sys/kernel/config/target/iscsi'.
Created '/sys/kernel/config/target/loopback'.
Created '/sys/kernel/config/target/fc'.
Created '/sys/kernel/config/target/srpt'.
Created '/sys/kernel/config/target/qla2xxx'.
Created RBD storage object city using /dev/rbd/rbd/city.
targetcli /backstores/rbd create name=cement dev=/dev/rbd/car/cement
Created RBD storage object cement using /dev/rbd/car/cement.
targetcli /iscsi create iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141
Created target iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141.
Selected TPG Tag 1.
Created TPG 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/luns create /backstores/rbd/cement
Selected LUN 0.
Created LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/luns create /backstores/rbd/city
Selected LUN 1.
Created LUN 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/portals create 172.16.1.16
Using default IP port 3260
Created network portal 172.16.1.16:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/portals create 172.16.2.16
Using default IP port 3260
Created network portal 172.16.2.16:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/portals create 172.16.1.16
Using default IP port 3260
This NetworkPortal already exists in configFS.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/portals create 172.16.2.16
Using default IP port 3260
This NetworkPortal already exists in configFS.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/acls create iqn.1996-04.de.suse:01:e6ca28cc9f20
Created Node ACL for iqn.1996-04.de.suse:01:e6ca28cc9f20
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 create 1 1
Created Mapped LUN 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 create 0 0
Created Mapped LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 set auth userid=initiator1 password=pass1
Parameter password is now 'pass1'.
Parameter userid is now 'initiator1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1 set attribute authentication=1 demo_mode_write_protect=0 generate_node_acls=0
Parameter authentication is now '1'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '0'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 set auth userid=initiator1 password=pass1
Parameter password is now 'pass1'.
Parameter userid is now 'initiator1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141/tpg1 set attribute authentication=1 demo_mode_write_protect=0 generate_node_acls=0
Parameter authentication is now '1'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '0'.

Running lrbd on igw2 outputs

modprobe vhost_scsi
modprobe iscsi_target_mod
modprobe tcm_loop
modprobe tcm_fc
modprobe ib_srpt
modprobe tcm_qla2xxx
modprobe target_core_rbd
targetcli /backstores/rbd create name=mental dev=/dev/rbd/whirl/mental
Created '/sys/kernel/config/target/vhost'.
Created '/sys/kernel/config/target/iscsi'.
Created '/sys/kernel/config/target/loopback'.
Created '/sys/kernel/config/target/fc'.
Created '/sys/kernel/config/target/srpt'.
Created '/sys/kernel/config/target/qla2xxx'.
Created RBD storage object mental using /dev/rbd/whirl/mental.
targetcli /backstores/rbd create name=writers dev=/dev/rbd/rbd/writers
Created RBD storage object writers using /dev/rbd/rbd/writers.
targetcli /backstores/rbd create name=wood dev=/dev/rbd/rbd/wood
Created RBD storage object wood using /dev/rbd/rbd/wood.
targetcli /iscsi create iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579
Created target iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579.
Selected TPG Tag 1.
Created TPG 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/luns create /backstores/rbd/wood
Selected LUN 0.
Created LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/luns create /backstores/rbd/writers
Selected LUN 1.
Created LUN 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/luns create /backstores/rbd/mental
Selected LUN 2.
Created LUN 2.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/portals create 172.16.1.17
Using default IP port 3260
Created network portal 172.16.1.17:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/portals create 172.16.2.17
Using default IP port 3260
Created network portal 172.16.2.17:3260.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/portals create 172.16.1.17
Using default IP port 3260
This NetworkPortal already exists in configFS.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/portals create 172.16.2.17
Using default IP port 3260
This NetworkPortal already exists in configFS.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/portals create 172.16.1.17
Using default IP port 3260
This NetworkPortal already exists in configFS.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/portals create 172.16.2.17
Using default IP port 3260
This NetworkPortal already exists in configFS.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls create iqn.1996-04.de.suse:01:e6ca28cc9f24
Created Node ACL for iqn.1996-04.de.suse:01:e6ca28cc9f24
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls create iqn.1996-04.de.suse:01:e6ca28cc9f20
Created Node ACL for iqn.1996-04.de.suse:01:e6ca28cc9f20
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 create 1 1
Created Mapped LUN 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f24 create 1 1
Created Mapped LUN 1.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f24 create 0 0
Created Mapped LUN 0.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 create 2 2
Created Mapped LUN 2.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 set auth userid=initiator1 password=pass1
Parameter password is now 'pass1'.
Parameter userid is now 'initiator1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f24 set auth userid=initiator2 password=pass5
Parameter password is now 'pass5'.
Parameter userid is now 'initiator2'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1 set attribute authentication=1 demo_mode_write_protect=0 generate_node_acls=0
Parameter authentication is now '1'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '0'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 set auth userid=initiator1 password=pass1
Parameter password is now 'pass1'.
Parameter userid is now 'initiator1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f24 set auth userid=initiator2 password=pass5
Parameter password is now 'pass5'.
Parameter userid is now 'initiator2'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1 set attribute authentication=1 demo_mode_write_protect=0 generate_node_acls=0
Parameter authentication is now '1'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '0'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f20 set auth userid=initiator1 password=pass1
Parameter password is now 'pass1'.
Parameter userid is now 'initiator1'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1/acls/iqn.1996-04.de.suse:01:e6ca28cc9f24 set auth userid=initiator2 password=pass5
Parameter password is now 'pass5'.
Parameter userid is now 'initiator2'.
targetcli /iscsi/iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579/tpg1 set attribute authentication=1 demo_mode_write_protect=0 generate_node_acls=0
Parameter authentication is now '1'.
Parameter demo_mode_write_protect is now '0'.
Parameter generate_node_acls is now '0'.

The first gateway shares the two images, cement and city, with only one initiator. This initiator can connect to either image over either interface, but must log in with the credentials specified.

o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd ................................................. [2 Storage Objects]
  | | o- cement ................................ [/dev/rbd/car/cement activated]
  | | o- city .................................... [/dev/rbd/rbd/city activated]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi .......................................................... [1 Target]
  | o- iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141 ............ [1 TPG]
  |   o- tpg1 ........................................................ [enabled]
  |     o- acls ........................................................ [1 ACL]
  |     | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ............... [2 Mapped LUNs]
  |     |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |     |   o- mapped_lun1 ......................................... [lun1 (rw)]
  |     o- luns ....................................................... [2 LUNs]
  |     | o- lun0 ........................... [rbd/cement (/dev/rbd/car/cement)]
  |     | o- lun1 ............................... [rbd/city (/dev/rbd/rbd/city)]
  |     o- portals ................................................. [2 Portals]
  |       o- 172.16.1.16:3260 .............................. [OK, iser disabled]
  |       o- 172.16.2.16:3260 .............................. [OK, iser disabled]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]

The second gateway shares three images - cheese, wood and writers. The first initiator can access writers and cheese, but not wood. The second initiator can access wood and writers, but not cheese.

Note that although writers is accessible by both initiators, two independently acting applications can still corrupt the data. Consider the example of mounting a filesystem (e.g. ext4, xfs) on two different servers and writing from both simultaneously. Corruption will ensue.

However, an administrator may have an application requiring a cold spare where this solution may be suitable.

o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd ................................................. [3 Storage Objects]
  | | o- cheese .............................. [/dev/rbd/whirl/cheese activated]
  | | o- wood .................................... [/dev/rbd/rbd/wood activated]
  | | o- writers .............................. [/dev/rbd/rbd/writers activated]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi .......................................................... [1 Target]
  | o- iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579 ............ [1 TPG]
  |   o- tpg1 ........................................................ [enabled]
  |     o- acls ....................................................... [2 ACLs]
  |     | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ............... [2 Mapped LUNs]
  |     | | o- mapped_lun1 ......................................... [lun1 (rw)]
  |     | | o- mapped_lun2 ......................................... [lun2 (rw)]
  |     | o- iqn.1996-04.de.suse:01:e6ca28cc9f24 ............... [2 Mapped LUNs]
  |     |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |     |   o- mapped_lun1 ......................................... [lun1 (rw)]
  |     o- luns ....................................................... [3 LUNs]
  |     | o- lun0 ............................... [rbd/wood (/dev/rbd/rbd/wood)]
  |     | o- lun1 ......................... [rbd/writers (/dev/rbd/rbd/writers)]
  |     | o- lun2 ......................... [rbd/cheese (/dev/rbd/whirl/cheese)]
  |     o- portals ................................................. [2 Portals]
  |       o- 172.16.1.17:3260 .............................. [OK, iser disabled]
  |       o- 172.16.2.17:3260 .............................. [OK, iser disabled]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]
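
The access rules described above can be derived from the configuration before lrbd is run. This added example (not part of lrbd or of the original page) computes which initiator reaches which image on each gateway from the auth and pools sections of acls.json, lists images mapped to more than one initiator, and cross-checks mappings against credentials. The function names are hypothetical, and entries are matched by their host or target key as an assumption drawn from the samples on this page.

```python
from collections import defaultdict

I1 = "iqn.1996-04.de.suse:01:e6ca28cc9f20"  # first initiator in acls.json
I2 = "iqn.1996-04.de.suse:01:e6ca28cc9f24"  # second initiator in acls.json

# The auth and pools sections of acls.json, as json.load() would return them.
# targets and portals are left out: they do not decide who may reach an image.
ACLS_SAMPLE = {
    "auth": [
        {"host": "igw1", "authentication": "acls", "acls": [
            {"initiator": I1, "userid": "initiator1", "password": "pass1"}]},
        {"host": "igw2", "authentication": "acls", "acls": [
            {"initiator": I1, "userid": "initiator1", "password": "pass1"},
            {"initiator": I2, "userid": "initiator2", "password": "pass5"}]},
    ],
    "pools": [
        {"pool": "rbd", "gateways": [
            {"host": "igw1", "tpg": [
                {"portal": "portal1", "image": "city", "initiator": I1}]},
            {"host": "igw2", "tpg": [
                {"portal": "portal2", "initiator": I1, "image": "writers"},
                {"portal": "portal2", "initiator": I2, "image": "writers"},
                {"portal": "portal2", "initiator": I2, "image": "wood"}]}]},
        {"pool": "car", "gateways": [
            {"host": "igw1", "tpg": [
                {"portal": "portal1", "initiator": I1, "image": "cement"}]}]},
        {"pool": "whirl", "gateways": [
            {"host": "igw2", "tpg": [
                {"portal": "portal2", "initiator": I1, "image": "cheese"}]}]},
    ],
}


def _scope(entry):
    """Assumption: auth and gateway entries are keyed by 'host' or 'target'."""
    return entry.get("host") or entry.get("target")


def _order(item):
    """Stable sort key for (scope, initiator) pairs; initiator may be None."""
    return tuple(map(str, item[0]))


def access_matrix(cfg):
    """Map (scope, initiator) -> set of 'pool/image'; initiator None = no ACL."""
    matrix = defaultdict(set)
    for pool in cfg.get("pools", []):
        for gw in pool.get("gateways", []):
            for entry in gw.get("tpg", []):
                key = (_scope(gw), entry.get("initiator"))
                matrix[key].add(f"{pool['pool']}/{entry['image']}")
    return dict(matrix)


def shared_images(cfg):
    """Images one gateway maps to several initiators (concurrent-writer risk)."""
    users = defaultdict(set)
    for (scope, initiator), images in access_matrix(cfg).items():
        for image in images:
            users[(scope, image)].add(initiator)
    return {k: sorted(v, key=str) for k, v in users.items() if len(v) > 1}


def audit(cfg):
    """Cross-check the pools section against the auth section."""
    findings = []
    auth = {_scope(a): a for a in cfg.get("auth", [])}
    mapped = access_matrix(cfg)
    for (scope, initiator), images in sorted(mapped.items(), key=_order):
        section = auth.get(scope)
        mode = section.get("authentication") if section else None
        listed = {a["initiator"] for a in (section or {}).get("acls", [])}
        if section is None:
            findings.append(f"{scope}: images {sorted(images)} but no auth entry")
        elif initiator is None and mode == "acls":
            findings.append(f"{scope}: {sorted(images)} mapped without an initiator")
        elif initiator is not None and mode == "acls" and initiator not in listed:
            findings.append(f"{scope}: {initiator} mapped but has no credentials")
    for scope, section in auth.items():
        for acl in section.get("acls", []):
            if (scope, acl["initiator"]) not in mapped:
                findings.append(f"{scope}: {acl['initiator']} has credentials but no image")
    return findings


if __name__ == "__main__":
    for (scope, initiator), images in sorted(access_matrix(ACLS_SAMPLE).items(), key=_order):
        print(scope, initiator, sorted(images))
    print("shared:", shared_images(ACLS_SAMPLE))
    print("findings:", audit(ACLS_SAMPLE))
```

For a real file, pass the result of `json.load()` on the configuration to the same functions.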

From the first initiator, a discovery of igw1 will output the following:

# iscsiadm -m discovery -t st -p 172.16.1.16
172.16.1.16:3260,1 iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141
172.16.2.16:3260,1 iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141

Before logging in, the credentials must be configured.

# iscsiadm -m node -o update --name=node.session.auth.username --value=initiator1
# iscsiadm -m node -o update --name=node.session.auth.password --value=pass1
# iscsiadm -m node -o update --name=node.session.auth.authmethod --value=CHAP
# iscsiadm -m node -L all

These values can be verified with

# iscsiadm -m node -o show

Next, log in from the first initiator to igw1 with

# iscsiadm -m node -L all

If the login fails, consider running journalctl -f on igw1 to help diagnose the issue.

Once the login is successful, four devices will be available.

# multipath -ll
360014052d4012252b4e4f69849df36eb dm-1 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 7:0:0:0 sdb 8:16 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 6:0:0:0 sda 8:0  active ready running
360014050c2b99be7c3c421f8ef1d34df dm-0 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 6:0:0:1 sdc 8:32 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 7:0:0:1 sdd 8:48 active ready running

Now the first initiator can log into igw2 as well. After running a discovery,

# iscsiadm -m discovery -t st -p 172.16.1.17

both paths for each gateway will be displayed from

# iscsiadm -m node
172.16.1.16:3260,1 iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141
172.16.2.16:3260,1 iqn.2003-01.org.linux-iscsi.igw1.x86:sn.1a2b6ae09141
172.16.2.17:3260,1 iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579
172.16.1.17:3260,1 iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579

Initialize the credentials if necessary and log in.

# iscsiadm -m node -o update --name=node.session.auth.username --value=initiator1
# iscsiadm -m node -o update --name=node.session.auth.password --value=pass1
# iscsiadm -m node -o update --name=node.session.auth.authmethod --value=CHAP
# iscsiadm -m node -L all

The last command will complain that two sessions are already active. The devices for igw2 have been added. Verify with

# multipath -ll
360014052d4012252b4e4f69849df36eb dm-1 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 7:0:0:0  sdb 8:16  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 6:0:0:0  sda 8:0   active ready running
360014050c2b99be7c3c421f8ef1d34df dm-0 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 6:0:0:1  sdc 8:32  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 7:0:0:1  sdd 8:48  active ready running
360014054267d0d72a5447d3bc42c50f9 dm-2 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 10:0:0:1 sde 8:64  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 11:0:0:1 sdg 8:96  active ready running
36001405f2fc087d51114b909e0cfcfd7 dm-3 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 10:0:0:2 sdf 8:80  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 11:0:0:2 sdh 8:112 active ready running

The second initiator can log into igw2 following the same steps as the first initiator.

# iscsiadm -m discovery -t st -p 172.16.1.17
172.16.1.17:3260,1 iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579
172.16.2.17:3260,1 iqn.2003-01.org.linux-iscsi.igw2.x86:sn.b611a553e579

Note the different username and password.

# iscsiadm -m node -o update --name=node.session.auth.username --value=initiator2
# iscsiadm -m node -o update --name=node.session.auth.password --value=pass5
# iscsiadm -m node -o update --name=node.session.auth.authmethod --value=CHAP
# iscsiadm -m node -L all

The devices added on the second initiator are

# multipath -ll
3600140576c55e60dd7d4ae2982bce328 dm-1 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 13:0:0:0 sdb 8:16 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 12:0:0:0 sda 8:0  active ready running
36001405f39addb925d44472951de78da dm-0 SUSE,RBD
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 12:0:0:1 sdc 8:32 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 13:0:0:1 sdd 8:48 active ready running

Redundant gateways with isolated paths

A potentially useful configuration concerns different requirements for images. Imagine customizing network buffers or having greater bandwidth for one network interface but not another.

The requirement is to dedicate one network interface for the image city and the other network interface to wood. The administrator wishes to have the image archive accessible from one gateway for experimentation. Additionally, the images city and wood must be restricted to their respective initiators, but archive is not.

The physical layout is identical to the previous example.

Physical Isolated Layout

The organization is different. Gateway igw1 has three targets and gateway igw2 has two. Each network interface is associated with a portal.

Abstract Isolated Layout

The configuration sample is plain+2gateways+2portals+2images+isolated+combined.json and is shown here.

{
  "auth": [
        {
          "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant",
          "authentication": "acls", 
          "acls": [ 
            {
              "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
              "userid": "common1", 
              "password": "pass1"
            }
          ]
        },
        {
          "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant-too",
          "authentication": "acls", 
          "acls": [ 
            {
              "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f24",
              "userid": "common2", 
              "password": "pass2"
            }
          ]
        },
        {
            "host": "igw1", 
            "authentication": "tpg", 
            "tpg": {
                "userid": "common1", 
                "password": "pass1"
            }
        } 
  ], 
  "targets": [
      {
        "hosts": [
            { "host": "igw1", "portal": "portal1" },
            { "host": "igw2", "portal": "portal2" }
        ],
        "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant"
      },
      {
        "hosts": [
            { "host": "igw1", "portal": "portal3" },
            { "host": "igw2", "portal": "portal4" }
        ],
        "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant-too"
      },
      {
        "host": "igw1",
        "target": "iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk"
      }
  ], 
  "portals": [
      {
          "name": "portal1",
          "addresses": [ "172.16.1.16" ]
      },
      {
          "name": "portal2",
          "addresses": [ "172.16.1.17"  ]
      },
      {
          "name": "portal3",
          "addresses": [ "172.16.2.16" ]
      },
      {
          "name": "portal4",
          "addresses": [ "172.16.2.17" ]
      }
  ],
  "pools": [
    {
      "pool": "rbd",
      "gateways": [
        {
          "host": "igw1", 
          "tpg": [
            {
              "image": "archive",
              "portal": "portal1"
            }
          ]
        }, 
        {
          "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant",
          "tpg": [
            {
              "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f20",
              "image": "city"
            }
          ] 
        }, 
        {
          "target": "iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant-too",
          "tpg": [
            {
              "initiator": "iqn.1996-04.de.suse:01:e6ca28cc9f24",
              "image": "wood"
            }
          ] 
        } 
      ] 
    } 
  ]
}

The output of the lrbd commands is similar on both gateways. Since neither shows anything new compared with the previous examples, they are omitted. Inspecting both gateways will show the differences from the first example.

On igw1, run # targetcli ls

o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd ................................................. [3 Storage Objects]
  | | o- archive .............................. [/dev/rbd/rbd/archive activated]
  | | o- city .................................... [/dev/rbd/rbd/city activated]
  | | o- wood .................................... [/dev/rbd/rbd/wood activated]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi ......................................................... [3 Targets]
  | o- iqn.2003-01.org.linux-iscsi.generic.x86:sn.abcdefghijk .......... [1 TPG]
  | | o- tpg1 ........................................................ [enabled]
  | |   o- acls ....................................................... [0 ACLs]
  | |   o- luns ........................................................ [1 LUN]
  | |   | o- lun0 ......................... [rbd/archive (/dev/rbd/rbd/archive)]
  | |   o- portals .................................................. [1 Portal]
  | |     o- 172.16.1.16:3260 .............................. [OK, iser disabled]
  | o- iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant ............... [2 TPGs]
  | | o- tpg1 ........................................................ [enabled]
  | | | o- acls ........................................................ [1 ACL]
  | | | | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ................ [1 Mapped LUN]
  | | | |   o- mapped_lun0 ......................................... [lun0 (rw)]
  | | | o- luns ........................................................ [1 LUN]
  | | | | o- lun0 ............................... [rbd/city (/dev/rbd/rbd/city)]
  | | | o- portals .................................................. [1 Portal]
  | | |   o- 172.16.1.16:3260 .............................. [OK, iser disabled]
  | | o- tpg2 ....................................................... [disabled]
  | |   o- acls ........................................................ [1 ACL]
  | |   | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ................ [1 Mapped LUN]
  | |   |   o- mapped_lun0 ......................................... [lun0 (rw)]
  | |   o- luns ........................................................ [1 LUN]
  | |   | o- lun0 ............................... [rbd/city (/dev/rbd/rbd/city)]
  | |   o- portals .................................................. [1 Portal]
  | |     o- 172.16.1.17:3260 .............................. [OK, iser disabled]
  | o- iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant-too ........... [2 TPGs]
  |   o- tpg1 ........................................................ [enabled]
  |   | o- acls ........................................................ [1 ACL]
  |   | | o- iqn.1996-04.de.suse:01:e6ca28cc9f24 ................ [1 Mapped LUN]
  |   | |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |   | o- luns ........................................................ [1 LUN]
  |   | | o- lun0 ............................... [rbd/wood (/dev/rbd/rbd/wood)]
  |   | o- portals .................................................. [1 Portal]
  |   |   o- 172.16.2.16:3260 .............................. [OK, iser disabled]
  |   o- tpg2 ....................................................... [disabled]
  |     o- acls ........................................................ [1 ACL]
  |     | o- iqn.1996-04.de.suse:01:e6ca28cc9f24 ................ [1 Mapped LUN]
  |     |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |     o- luns ........................................................ [1 LUN]
  |     | o- lun0 ............................... [rbd/wood (/dev/rbd/rbd/wood)]
  |     o- portals .................................................. [1 Portal]
  |       o- 172.16.2.17:3260 .............................. [OK, iser disabled]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]

Note that the nonredundant target shares the archive image. Both redundant targets have two TPGs each; on this gateway the first is enabled and the second is disabled.

The configuration for igw2 shows:

o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- fileio ............................................... [0 Storage Object]
  | o- iblock ............................................... [0 Storage Object]
  | o- pscsi ................................................ [0 Storage Object]
  | o- rbd ................................................. [2 Storage Objects]
  | | o- city .................................... [/dev/rbd/rbd/city activated]
  | | o- wood .................................... [/dev/rbd/rbd/wood activated]
  | o- rd_mcp ............................................... [0 Storage Object]
  o- ib_srpt ....................................................... [0 Targets]
  o- iscsi ......................................................... [2 Targets]
  | o- iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant ............... [2 TPGs]
  | | o- tpg1 ....................................................... [disabled]
  | | | o- acls ........................................................ [1 ACL]
  | | | | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ................ [1 Mapped LUN]
  | | | |   o- mapped_lun0 ......................................... [lun0 (rw)]
  | | | o- luns ........................................................ [1 LUN]
  | | | | o- lun0 ............................... [rbd/city (/dev/rbd/rbd/city)]
  | | | o- portals .................................................. [1 Portal]
  | | |   o- 172.16.1.16:3260 .............................. [OK, iser disabled]
  | | o- tpg2 ........................................................ [enabled]
  | |   o- acls ........................................................ [1 ACL]
  | |   | o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ................ [1 Mapped LUN]
  | |   |   o- mapped_lun0 ......................................... [lun0 (rw)]
  | |   o- luns ........................................................ [1 LUN]
  | |   | o- lun0 ............................... [rbd/city (/dev/rbd/rbd/city)]
  | |   o- portals .................................................. [1 Portal]
  | |     o- 172.16.1.17:3260 .............................. [OK, iser disabled]
  | o- iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant-too ........... [2 TPGs]
  |   o- tpg1 ....................................................... [disabled]
  |   | o- acls ........................................................ [1 ACL]
  |   | | o- iqn.1996-04.de.suse:01:e6ca28cc9f24 ................ [1 Mapped LUN]
  |   | |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |   | o- luns ........................................................ [1 LUN]
  |   | | o- lun0 ............................... [rbd/wood (/dev/rbd/rbd/wood)]
  |   | o- portals .................................................. [1 Portal]
  |   |   o- 172.16.2.16:3260 .............................. [OK, iser disabled]
  |   o- tpg2 ........................................................ [enabled]
  |     o- acls ........................................................ [1 ACL]
  |     | o- iqn.1996-04.de.suse:01:e6ca28cc9f24 ................ [1 Mapped LUN]
  |     |   o- mapped_lun0 ......................................... [lun0 (rw)]
  |     o- luns ........................................................ [1 LUN]
  |     | o- lun0 ............................... [rbd/wood (/dev/rbd/rbd/wood)]
  |     o- portals .................................................. [1 Portal]
  |       o- 172.16.2.17:3260 .............................. [OK, iser disabled]
  o- loopback ...................................................... [0 Targets]
  o- qla2xxx ....................................................... [0 Targets]
  o- tcm_fc ........................................................ [0 Targets]
  o- vhost ......................................................... [0 Targets]

Only the redundant targets are present. For each target, tpg1 is disabled and tpg2 is enabled, essentially the reverse of the first gateway.

Discovery and authentication are the same as in the previous example. Both redundant targets are restricted to their respective initiators. The exception is the archive image, which may be accessed by any initiator with the correct credentials.
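The following check is an added example, not part of lrbd or the original page. It parses `targetcli ls` text in the format shown above from each gateway and reports any TPG of a shared target that is not enabled on exactly one gateway, or whose initiator ACLs differ between gateways. The function names and the trimmed sample listing are constructed for illustration.

```python
import re

# One node of `targetcli ls` output: tree prefix, "o- ", name, dot filler, [status].
NODE = re.compile(r"^[\s|]*o- (\S+) \.+ \[(.*)\]\s*$")

def parse_tpgs(listing):
    """Map (target IQN, tpg name) -> {"enabled": bool, "acls": [initiator IQNs]}."""
    tpgs, target, tpg = {}, None, None
    for line in listing.splitlines():
        if not (m := NODE.match(line)):
            continue
        name, status = m.groups()
        if re.fullmatch(r"\d+ TPGs?", status):                   # target node
            target = name
        elif target and re.fullmatch(r"tpg\d+", name):           # TPG under that target
            tpg = (target, name)
            tpgs[tpg] = {"enabled": status == "enabled", "acls": []}
        elif tpg and re.fullmatch(r"\d+ Mapped LUNs?", status):  # initiator ACL node
            tpgs[tpg]["acls"].append(name)
    return tpgs

def check_gateways(listings):
    """listings: {gateway host: `targetcli ls` text}. Returns a list of findings."""
    parsed = {host: parse_tpgs(text) for host, text in listings.items()}
    findings = []
    for key in sorted({k for tpgs in parsed.values() for k in tpgs}):
        present = [h for h in parsed if key in parsed[h]]
        enabled = [h for h in present if parsed[h][key]["enabled"]]
        # A TPG defined on several gateways must be served by exactly one of them.
        if len(present) > 1 and len(enabled) != 1:
            findings.append(f"{key[0]} {key[1]}: enabled on {len(enabled)} gateways, expected 1")
        # Failover must not change which initiators are allowed in.
        if len({tuple(parsed[h][key]["acls"]) for h in present}) > 1:
            findings.append(f"{key[0]} {key[1]}: initiator ACLs differ between gateways")
    return findings

# Constructed sample, trimmed from the listings above (LUN and portal nodes omitted).
IGW1 = """\
  o- iscsi ... [1 Target]
  | o- iqn.2003-01.org.linux-iscsi.igw.x86:sn.redundant ... [2 TPGs]
  |   o- tpg1 ... [enabled]
  |   | o- acls ... [1 ACL]
  |   |   o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ... [1 Mapped LUN]
  |   o- tpg2 ... [disabled]
  |     o- acls ... [1 ACL]
  |       o- iqn.1996-04.de.suse:01:e6ca28cc9f20 ... [1 Mapped LUN]
"""
# igw2 mirrors igw1: tpg1 disabled, tpg2 enabled.
IGW2 = IGW1.replace("[enabled]", "[tmp]").replace("[disabled]", "[enabled]").replace("[tmp]", "[disabled]")
```

Calling `check_gateways({"igw1": IGW1, "igw2": IGW2})` returns an empty list for the mirrored layout; targets present on only one gateway, such as the nonredundant one, are skipped by the enabled-count check.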
