Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Applies to SUSE Linux Enterprise Server 11 SP4 11 SP4

15 Mass Storage over IP Networks: iSCSI LIO Target Server

LIO (linux-iscsi.org) is the standard open-source multiprotocol SCSI target for Linux. LIO replaced the STGT (SCSI Target) framework as the standard unified storage target in Linux with Linux kernel version 2.6.38 and later. YaST supports the iSCSI LIO Target Server software in SUSE Linux Enterprise Server 11 SP3 and later.

This section describes how to use YaST to configure an iSCSI LIO Target Server and set up iSCSI LIO target devices. You can use any iSCSI initiator software to access the target devices.

15.1 Installing the iSCSI LIO Target Server Software

Use the YaST Software Management tool to install the iSCSI LIO Target Server software on the SUSE Linux Enterprise Server server where you want to create iSCSI LIO target devices.

  1. Launch YaST as the root user.

  2. Select SoftwareSoftware Management.

  3. Select the Search tab, type lio, then click Search.

  4. Select the iSCSI LIO Target Server packages:

    iSCSI LIO Target Server Packages

    Description

    yast2-iscsi-lio-server

    Provides a GUI interface in YaST for the configuration of iSCSI LIO target devices.

    lio-utils

    Provides APIs for configuring and controlling iSCSI LIO target devices that are used by yast2-iscsi-lio-server.

    lio-mibs

    Provides SNMP (Simple Network Management Protocol) monitoring of iSCSI LIO target devices by using the dynamic load module (dlmod) functionality of the Net-SNMP agent. It supports SNMP v1, v2c, and v3. The configuration file is /etc/snmp/snmpd.conf.

    The lio-mibs software uses the perl-SNMP and net-snmp packages.

    For information about Net-SNMP, see the open source Net-SNMP Project.

    lio-utils-debuginfo

    Provides debug information for the lio-utils package. You can use this package when developing or debugging applications for lio-utils.

  5. In the lower right corner of the dialog box, click Accept to install the selected packages.

  6. When you are prompted to approve the automatic changes, click Continue to accept the iSCSI LIO Target Server dependencies for the lio-utils, perl-SNMP, and net-snmp packages.

  7. Close and re-launch YaST, then click Network Services and verify that the iSCSI LIO Target option is available in the menu.

  8. Continue with Section 15.2, “Starting the iSCSI LIO Target Service”.

15.2 Starting the iSCSI LIO Target Service

The iSCSI LIO Target service is by default configured to be started manually. You can configure the service to start automatically on system restart. If you use a firewall on the server and you want the iSCSI LIO targets to be available to other computers, you must open a port in the firewall for each adapter that you want to use for target access. TCP port 3260 is the port number for the iSCSI protocol, as defined by IANA (Internet Assigned Numbers Authority).

15.2.1 Configuring iSCSI LIO Startup Preferences

To configure the iSCSI LIO Target Server service settings:

  1. Log in to the iSCSI LIO target server as the root user, then launch a terminal console.

  2. Ensure that the /etc/init.d/target daemon is running. At the command prompt, enter

    /etc/init.d/target start

    The command returns a message to confirm that the daemon is started, or that the daemon is already running.

  3. Launch YaST as the root user.

  4. In the YaST Control Center, select Network Services, then select iSCSI LIO Target.

    You can also search for lio, then select iSCSI LIO Target.

  5. In the iSCSI LIO Target Overview dialog box, select the Service tab.

  6. Under Service Start, specify how you want the iSCSI LIO target service to be started:

    • When Booting:  The service starts automatically on server restart.

    • Manually:  (Default) You must start the service manually after a server restart. The target devices are not available until you start the service.

  7. If you use a firewall on the server and you want the iSCSI LIO targets to be available to other computers, open a port in the firewall for each adapter interface that you want to use for target access.

    Firewall settings are disabled by default. They are not needed unless you deploy a firewall on the server. The default port number is 3260. If the port is closed for all of the network interfaces, the iSCSI LIO targets are not available to other computers.

    1. On the Services tab, select the Open Port in Firewall check box to enable the firewall settings.

    2. Click Firewall Details to view or configure the network interfaces to use.

      All available network interfaces are listed, and all are selected by default.

    3. For each interface, specify whether to open or close a port for it:

      • Open:  Select the interface’s check box to open the port. You can also click Select All to open a port on all of the interfaces.

      • Close:  Deselect the interface’s check box to close the port. You can also click Select None to close the port on all of the interfaces.

    4. Click OK to save and apply your changes.

    5. If you are prompted to confirm the settings, click Yes to continue, or click No to return to the dialog box and make the desired changes.

  8. Click Finish to save and apply the iSCSI LIO Target service settings.

15.2.2 Manually Starting iSCSI LIO Target at the Command Line

  1. Log in as the root user, then launch a terminal console.

  2. At the command prompt, enter

    /etc/init.d/target start

    The command returns a message to confirm that the daemon is started, or that the daemon is already running.

15.2.3 Manually Starting iSCSI LIO Target in YaST

  1. Launch YaST as the root user.

  2. In the YaST Control Center, select System, then select System Services (Runlevel).

  3. In the YaST System Services dialog box, select Expert Mode, then select target (TCM/ConfigFS and LIO-Target) in the list of services.

  4. In the lower right, select Start/Stop/RefreshStart Now.

  5. Click OK.

15.3 Configuring Authentication for Discovery of iSCSI LIO Targets and Clients

The iSCSI LIO Target Server software supports the PPP-CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), a three-way authentication method defined in the Internet Engineering Task Force (IETF) RFC 1994. iSCSI LIO Target Server uses this authentication method for the discovery of iSCSI LIO targets and clients, not for accessing files on the targets. If you do not want to restrict the access to the discovery, use No Authentication. The No Authentication option is enabled by default. If authentication for discovery is enabled, its settings apply to all iSCSI LIO target groups.

Important
Important

We recommend that you use authentication for target and client discovery in production environments.

If authentication is needed for a more secure configuration, you can use incoming authentication, outgoing authentication, or both. Incoming Authentication requires an iSCSI initiator to prove that it has the permissions to run a discovery on the iSCSI LIO target. The initiator must provide the incoming user name and password. Outgoing Authentication requires the iSCSI LIO target to prove to the initiator that it is the expected target. The iSCSI LIO target must provide the outgoing user name and password to the iSCSI initiator. The user name and password pair can be different for incoming and outgoing discovery.

To configure authentication preferences for iSCSI LIO targets:

  1. Log in to the iSCSI LIO target server as the root user, then launch a terminal console.

  2. Ensure that the /etc/init.d/target daemon is running. At the command prompt, enter

    /etc/init.d/target start

    The command returns a message to confirm that the daemon is started, or that the daemon is already running.

  3. Launch YaST as the root user.

  4. In the YaST Control Center, select Network Services, then select iSCSI LIO Target.

    You can also search for lio, then select iSCSI LIO Target.

  5. In the iSCSI LIO Target Overview dialog box, select the Global tab to configure the authentication settings. Authentication settings are disabled by default.

  6. Specify whether to require authentication for iSCSI LIO targets:

    • Disable authentication:  (Default) Select the No Authentication check box to disable incoming and outgoing authentication for discovery on this server. All iSCSI LIO targets on this server can be discovered by any iSCSI initiator client on the same network. This server can discover any iSCSI initiator client on the same network that does not require authentication for discovery. Skip Step 7 and continue with Step 8.

    • Enable authentication:  Deselect the No Authentication check box. The check boxes for both Incoming Authentication and Outgoing Authentication are automatically selected. Continue with Step 7.

  7. Configure the authentication credentials needed for incoming discovery, outgoing discovery, or both. The user name and password pair can be different for incoming and outgoing discovery.

    1. Configure incoming authentication by doing one of the following:

      • Disable incoming authentication:  Deselect the Incoming Authentication check box. All iSCSI LIO targets on this server can be discovered by any iSCSI initiator client on the same network.

      • Enable incoming authentication:  Select the Incoming Authentication check box, then specify an existing user name and password pair to use for incoming discovery of iSCSI LIO targets.

    2. Configure outgoing authentication by doing one of the following:

      • Disable outgoing authentication:  Deselect the Outgoing Authentication check box. This server can discover any iSCSI initiator client on the same network that does not require authentication for discovery.

      • Enable outgoing authentication:  Select the Outgoing Authentication check box, then specify an existing user name and password pair to use for outgoing discovery of iSCSI initiator clients.

  8. Click Finish to save and apply the settings.

15.4 Preparing the Storage Space

The iSCSI LIO target configuration exports existing block devices to iSCSI initiators. You must prepare the storage space you want to use in the target devices by setting up unformatted partitions or devices on the server. iSCSI LIO targets can use unformatted partitions with Linux, Linux LVM, or Linux RAID file system IDs.

Important
Important

After you set up a device or partition for use as an iSCSI target, you never access it directly via its local path. Do not specify a mount point for it when you create it.

15.4.1 Partitioning Devices

  1. Launch YaST as the root user.

  2. In YaST, select SystemPartitioner.

  3. Click Yes to continue through the warning about using the Partitioner.

  4. At the bottom of the Partitions page, click Add to create a partition, but do not format it, and do not mount it.

    1. On the Expert Partitioner page, select Hard Disks, then select the leaf node name (such as sdc) of the disk you want to configure.

    2. Select Primary Partition, then click Next.

    3. Specify the amount of space to use, then click Next.

    4. Under Formatting Options, select Do not format, then select the file system ID type from the drop-down list.

      iSCSI LIO targets can use unformatted partitions with Linux (0x83), Linux LVM (0x8E), or Linux RAID (0xFD) file system IDs.

    5. Under Mounting Options, select Do not mount.

    6. Click Finish.

  5. Repeat Step 4 to create an unformatted partition for each area that you want to use later as an iSCSI LIO target.

  6. Click NextFinish to keep your changes, then close YaST.

15.4.2 Partitioning Devices in a Virtual Environment

You can use a virtual machine guest server as a iSCSI LIO Target Server. This section describes how to assign partitions to a Xen virtual machine. You can also use other virtual environments that are supported by SUSE Linux Enterprise Server 11 SP2 or later.

In a Xen virtual environment, you must assign the storage space you want to use for the iSCSI LIO target devices to the guest virtual machine, then access the space as virtual disks within the guest environment. Each virtual disk can be a physical block device, such as an entire disk, partition, or volume, or it can be a file-backed disk image where the virtual disk is a single image file on a larger physical disk on the Xen host server. For the best performance, create each virtual disk from a physical disk or a partition. After you set up the virtual disks for the guest virtual machine, start the guest server, then configure the new blank virtual disks as iSCSI target devices by following the same process as for a physical server.

File-backed disk images are created on the Xen host server, then assigned to the Xen guest server. By default, Xen stores file-backed disk images in the /var/lib/xen/images/vm_name directory, where vm_name is the name of the virtual machine.

For example, if you want to create the disk image /var/lib/xen/images/vm_one/xen-0 with a size of 4 GB, first ensure that the directory is there, then create the image itself.

  1. Log in to the host server as the root user.

  2. At a terminal console prompt, enter the following commands:

    mkdir -p /var/lib/xen/images/vm_one
    dd if=/dev/zero of=/var/lib/xen/images/vm_one/xen-0 seek=1M bs=4096 count=1
  3. Assign the file system image to the guest virtual machine in the Xen configuration file.

  4. Log in as the root user on the guest server, then use YaST to set up the virtual block device by using the process in Section 15.4.1, “Partitioning Devices”.

15.5 Setting Up an iSCSI LIO Target Group

You can use YaST to configure iSCSI LIO target devices. YaST uses APIs provided by the lio-utils software. iSCSI LIO targets can use unformatted partitions with Linux, Linux LVM, or Linux RAID file system IDs.

Important
Important

Before you begin, create the unformatted partitions that you want to use as iSCSI LIO targets as described in Section 15.4, “Preparing the Storage Space”.

  1. Log in to the iSCSI LIO target server as the root user, then launch a terminal console.

  2. Ensure that the /etc/init.d/target daemon is running. At the command prompt, enter

    /etc/init.d/target start

    The command returns a message to confirm that the daemon is started, or that the daemon is already running.

  3. Launch YaST as the root user.

  4. In the YaST Control Center, select Network Services, then select iSCSI LIO Target.

    You can also search for lio, then select iSCSI LIO Target.

  5. In the iSCSI LIO Target Overview dialog box, select the Targets tab to configure the targets.

  6. Click Add, then define a new iSCSI LIO target group and devices:

    The iSCSI LIO Target software automatically completes the Target, Identifier, Portal Group, IP Address, and Port Number fields. Use Authentication is selected by default.

    1. If you have multiple network interfaces, use the IP address drop-down list to select the IP address of the network interface to use for this target group.

    2. Select Use Authentication if you want to require client authentication for this target group.

      Important
      Important

      Requiring authentication is recommended in a production environment.

    3. Click Add, browse to select the device or partition, specify a name, then click OK.

      The LUN number is automatically generated, beginning with 0. A name is automatically generated if you leave the field empty.

    4. (Optional) Repeat Step 6.a through Step 6.c to add more targets to this target group.

    5. After all desired targets have been added to the group, click Next.

  7. On the Modify iSCSI Target Client Setup page, configure information for the clients that are permitted to access LUNs in the target group:

    After you specify at least one client for the target group, the Edit LUN, Edit Auth, Delete, and Copy buttons are enabled. You can use Add or Copy to add more clients for the target group.

    • Add:  Add a new client entry for the selected iSCSI LIO target group.

    • Edit LUN:  Configure which LUNs in the iSCSI LIO target group to map to a selected client. You can map each of the allocated targets to a preferred client LUN.

    • Edit Auth:  Configure the preferred authentication method for a selected client. You can specify no authentication, or you can configure incoming authentication, outgoing authentication, or both.

    • Delete:  Remove a selected client entry from the list of clients allocated to the target group.

    • Copy:  Add a new client entry with the same LUN mappings and authentication settings as a selected client entry. This allows you to easily allocate the same shared LUNs, in turn, to each node in a cluster.

    1. Click Add, specify the client name, select or deselect the Import LUNs from TPG check box, then click OK to save the settings.

    2. Select a client entry, click Edit LUN, modify the LUN mappings to specify which LUNs in the iSCSI LIO target group to allocate to the selected client, then click OK to save the changes.

      If the iSCSI LIO target group consists of multiple LUNs, you can allocate one or multiple LUNs to the selected client. By default, each of the available LUNs in the group are assigned to a Client LUN.

      To modify the LUN allocation, perform one or more of the following actions:

      • Add:  Click Add to create an new Client LUN entry, then use the Change drop-down list to map a Target LUN to it.

      • Delete:  Select the Client LUN entry, then click Delete to remove a Target LUN mapping.

      • Change:  Select the Client LUN entry, then use the Change drop-down list to select which Target LUN to map to it.

      Typical allocation plans include the following:

      • A single server is listed as a client. All of the LUNs in the target group are allocated to it.

        You can use this grouping strategy to logically group the iSCSI SAN storage for a given server.

      • Multiple independent servers are listed as clients. One or multiple target LUNs are allocated to each server. Each LUN is allocated to only one server.

        You can use this grouping strategy to logically group the iSCSI SAN storage for a given department or service category in the data center.

      • Each node of a cluster is listed as a client. All of the shared target LUNs are allocated to each node. All nodes are attached to the devices, but for most file systems, the cluster software locks a device for access and mounts it on only one node at a time. Shared file systems (such as OCFS2) make it possible for multiple nodes to concurrently mount the same file structure and to open the same files with read and write access.

        You can use this grouping strategy to logically group the iSCSI SAN storage for a given server cluster.

    3. Select a client entry, click Edit Auth, specify the authentication settings for the client, then click OK to save the settings.

      You can require No Authentication, or you can configure Incoming Authentication, Outgoing Authentication, or both. You can specify only one user name and password pair for each client. The credentials can be different for incoming and outgoing authentication for a client. The credentials can be different for each client.

    4. Repeat Step 7.a through Step 7.c for each iSCSI client that can access this target group.

    5. After the client assignments are configured, click Next.

  8. Click Finish to save and apply the settings.

15.6 Modifying an iSCSI LIO Target Group

You can modify an existing iSCSI LIO target group as follows:

  • Add or remove target LUN devices from a target group

  • Add or remove clients for a target group

  • Modify the client LUN-to-target LUN mappings for a client of a target group

  • Modify the user name and password credentials for a client authentication (incoming, outgoing, or both)

To view or modify the settings for an iSCSI LIO target group:

  1. Log in to the iSCSI LIO target server as the root user, then launch a terminal console.

  2. Ensure that the /etc/init.d/target daemon is running. At the command prompt, enter

    /etc/init.d/target start

    The command returns a message to confirm that the daemon is started, or that the daemon is already running.

  3. Launch YaST as the root user.

  4. In the YaST Control Center, select Network Services, then select iSCSI LIO Target.

    You can also search for lio, then select iSCSI LIO Target.

  5. In the iSCSI LIO Target Overview dialog box, select the Targets tab to view a list of target groups.

  6. Select the iSCSI LIO target group to be modified, then click Edit.

  7. On the Modify iSCSI Target LUN Setup page, add LUNs to the target group, edit the LUN assignments, or remove target LUNs from the group. After all desired changes have been made to the group, click Next.

    For option information, see Step 6 in Section 15.5, “Setting Up an iSCSI LIO Target Group”.

  8. On the Modify iSCSI Target Client Setup page, configure information for the clients that are permitted to access LUNs in the target group. After all desired changes have been made to the group, click Next.

    For option information, see Step 7 in Section 15.5, “Setting Up an iSCSI LIO Target Group”.

  9. Click Finish to save and apply the settings.

15.7 Deleting an iSCSI LIO Target Group

Deleting an iSCSI LIO target group removes the definition of the group, and the related setup for clients, including LUN mappings and authentication credentials. It does not destroy the data on the partitions. To give clients access again, you can allocate the target LUNs to a different or new target group, and configure the client access for them.

  1. Log in to the iSCSI LIO target server as the root user, then launch a terminal console.

  2. Ensure that the /etc/init.d/target daemon is running. At the command prompt, enter

    /etc/init.d/target start

    The command returns a message to confirm that the daemon is started, or that the daemon is already running.

  3. Launch YaST as the root user.

  4. In the YaST Control Center, select Network Services, then select iSCSI LIO Target.

    You can also search for lio, then select iSCSI LIO Target.

  5. In the iSCSI LIO Target Overview dialog box, select the Targets tab to view a list of configured target groups.

  6. Select the iSCSI LIO target group to be deleted, then click Delete.

  7. When you are prompted, click Continue to confirm the deletion, or click Cancel to cancel it.

  8. Click Finish to save and apply the settings.

15.8 Troubleshooting iSCSI LIO Target Server

This section describes some known issues and possible solutions for iSCSI LIO Target Server.

15.8.1 Portal Error When Setting Up Target LUNs

When adding or editing an iSCSI LIO target group, you get an error:

Problem setting network portal <ip_address>:3260

The /var/log/YasT2/y2log log file contains the following error:

find: `/sys/kernel/config/target/iscsi': No such file or directory

This problem occurs if the iSCSI LIO Target Server software is not currently running. To resolve this issue, exit YaST, manually start iSCSI LIO at the command line, then try again.

  1. Open a terminal console as the root user.

  2. At the command prompt, enter

    /etc/init.d/target start

You can also enter the following to check if configfs, iscsi_target_mod, and target_core_mod are loaded. A sample response is shown.

lsmod | grep iscsi

  iscsi_target_mod      295015  0
  target_core_mod       346745  4
  iscsi_target_mod,target_core_pscsi,target_core_iblock,target_core_file
  configfs               35817  3 iscsi_target_mod,target_core_mod
  scsi_mod              231620  16
  iscsi_target_mod,target_core_pscsi,target_core_mod,sg,sr_mod,mptctl,sd_mod,
  scsi_dh_rdac,scsi_dh_emc,scsi_dh_alua,scsi_dh_hp_sw,scsi_dh,libata,mptspi,
  mptscsih,scsi_transport_spi

15.8.2 iSCSI LIO Targets Are Not Visible from Other Computers

If you use a firewall on the target server, you must open the iSCSI port that you are using to allow other computers to see the iSCSI LIO targets. For information, see Step 7 in Section 15.2.1, “Configuring iSCSI LIO Startup Preferences”.

15.9 iSCSI LIO Target Terminology

backstore

A physical storage object that provides the actual storage underlying an iSCSI endpoint.

CDB (command descriptor block

The standard format for SCSI commands. CDBs are commonly 6, 10, or 12 bytes long, though they can be 16 bytes or of variable length.

CHAP (Challenge Handshake Authentication Protocol)

A point-to-point protocol (PPP) authentication method used to confirm the identity of one computer to another. After the Link Control Protocol (LCP) connects the two computers, and the CHAP method is negotiated, the authenticator sends a random Challenge to the peer. The peer issues a cryptographically hashed Response that depends upon the Challenge and a secret key. The authenticator verifies the hashed Response against its own calculation of the expected hash value, and either acknowledges the authentication or terminates the connection. CHAP is defined in the Internet Engineering Task Force (IETF) RFC 1994.

CID (connection identifier)

A 16‐bit number, generated by the initiator, that uniquely identifies a connection between two iSCSI devices. This number is presented during the login phase.

endpoint

The combination of an iSCSI Target Name with an iSCSI TPG (IQN + Tag).

EUI (extended unique identifier)

A 64‐bit number that uniquely identifies every device in the world. The format consists of 24 bits that are unique to a given company, and 40 bits assigned by the company to each device it builds.

initiator

The originating end of a SCSI session. Typically a controlling device such as a computer.

IPS (Internet Protocol storage)

The class of protocols or devices that use the IP protocol to move data in a storage network. FCIP (Fibre Channel over Internet Protocol), iFCP (Internet Fibre Channel Protocol), and iSCSI (Internet SCSI) are all examples of IPS protocols.

IQN (iSCSI qualified name)

A name format for iSCSI that uniquely identifies every device in the world (for example: iqn.5886.com.acme.tapedrive.sn‐a12345678).

ISID (initiator session identifier)

A 48‐bit number, generated by the initiator, that uniquely identifies a session between the initiator and the Target. This value is created during the login process, and is sent to the target with a Login PDU.

MCS (multiple connections per session)

A part of the iSCSI specification that allows multiple TCP/IP connections between an initiator and a target.

MPIO (multipath I/O)

A method by which data can take multiple redundant paths between a server and storage.

network portal

The combination of an iSCSI Endpoint with an IP address plus a TCP (Transmission Control Protocol) port. TCP port 3260 is the port number for the iSCSI protocol, as defined by IANA (Internet Assigned Numbers Authority).

SAM (SCSI architectural model)

A document that describes the behavior of SCSI in general terms, allowing for different types of devices communicating over various media.

target

The receiving end of a SCSI session, typically a device such as a disk drive, tape drive, or scanner.

target group (TG)

A list of SCSI target ports that are all treated the same when creating views. Creating a view can help facilitate LUN (logical unit number) mapping. Each view entry specifies a target group, host group, and a LUN.

target port

The combination of an iSCSI endpoint with one or more LUNs.

target port group (TPG)

A list of IP addresses and TCP port numbers that determines which interfaces a specific iSCSI target will listen to.

target session identifier (TSID)

A 16‐bit number, generated by the target, that uniquely identifies a session between the initiator and the target. This value is created during the login process, and is sent to the initiator with a Login Response PDU (protocol data units).