For some reason or another finding instructions on how to actually configure iSCSI for a rather simple and common use case (one target on Solaris, one initiator on Fedora, CHAP authentication) seems to be pretty hard.
Either my google-fu is seriously broken today, or everyone except for me considers this to be so easy and obvious that it does not warrant documentation. Which, having done this for the last three hours, I seriously doubt. The Solaris side is actually documented quite well (I primarily used this blog entry by alasdair), the Linux side is lacking. It does not help matters that both sides use identically named tools that work in completely different ways.
So, the deal is as follows:
- One OpenSolaris system, acting as iSCSI target (that is the system presenting the storage space).
- One Fedora Linux system, acting as iSCSI initiator (that is the system that wants to use the storage space).
Create 100GB storage space on the target and let the initiator connect to this storage space and create a filesystem on it. The connection has to be authenticated one way (the initiator presents credentials to the target).
h3. The Solaris side
The system is running Nevada, the configuration here was done with build snv_110.
First, the iSCSI target software needs to be installed and enabled:
# gkp.pl -d /mnt/Solaris_11/Product SUNWiscsitgtu
# svcadm enable iscsitgt:default
#
The backing store for the iSCSI volumes shall be provided by ZFS:
# zfs create -o canmount=off tank/iscsi
# zfs create -V 100G -o shareiscsi=on tank/iscsi/vol001
# iscsitadm list target -v
Target: tank/iscsi/vol001
iSCSI Name: iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8
Alias: tank/iscsi/vol001
[...]
#
The iSCSI Name will be different for each created volume. By default this target will be available via all interfaces and IPs of the machine. Since this is not what I want in this special case, the target is bound to a fixed IP by a construct called a Target Port Group Tag. The TPGT used here has the number 1.
# iscsitadm create tpgt 1
# iscsitadm modify tpgt -i 212.51.12.90 1
# iscsitadm list tpgt -v 1
TPGT: 1
IP Address: 212.51.12.90
# iscsitadm modify target -p 1 tank/iscsi/vol001
# iscsitadm list target -v
Target: tank/iscsi/vol001
[...]
TPGT list:
TPGT: 1
[...]
#
To secure access to this volume some more, the initiator is required to authenticate itself using CHAP before access is granted. To do this, three pieces of information are needed:
- The iqn (basically a unique name) of the initiator
- A username
- A password
The initiator used here has an iqn of iqn.2005-03.com.max:01.cb5c4c (see below for the source of this information). The username is lain and the password is iscsipassword for the purpose of this demonstration. The password has to be between 12 and 16 characters in length and should definitely be something stronger for production purposes.
# iscsitadm create initiator -n iqn.2005-03.com.max:01.cb5c4c lain
# iscsitadm modify initiator --chap-name lain lain
# iscsitadm modify initiator --chap-secret lain
[...]
# iscsitadm list initiator -v
Initiator: lain
iSCSI Name: iqn.2005-03.com.max:01.cb5c4c
CHAP Name: lain
CHAP Secret: Set
# iscsitadm modify target --acl lain tank/iscsi/vol001
# iscsitadm list target -v
Target: tank/iscsi/vol001
[...]
ACL list:
Initiator: lain
[...]
#
This concludes the Solaris side of things.
h3. The Fedora side
The system is running Fedora Rawhide, close to the Fedora 11 Beta release at the time of this writing.
On the Linux side iSCSI is handled by the open-iscsi toolchain, packaged as iscsi-initiator-utils in Fedora. To install it:
# yum install iscsi-initiator-utils
[...]
#
Since the system in question is a notebook, and the iSCSI target may not be available at all times, the iSCSI service must be instructed not to connect to configured devices automatically:
# perl -pi -e 's/node.startup.*/node.startup = manual/' /etc/iscsi/iscsid.conf
#
The initiator name mentioned in the Solaris section above can be configured freely on the system. A random value is created during package installation and saved in /etc/iscsi/initiatorname.iscsi:
# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2005-03.com.max:01.cb5c4c
#
Be sure the name configured there matches the name defined in the initiator on the Solaris side. Even though a username/password pair was defined on the target, credentials are not needed for target discovery (the process by which an initiator asks a target which iSCSI volumes are available):
# iscsiadm -m discovery -t st -p 212.51.12.90
212.51.12.90:3260,1 iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8
# iscsiadm -m node
212.51.12.90:3260,1 iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8
#
The discovery process has found a single volume exported by the target and added it to the local node list. The iqn matches the value shown above in the Solaris section. Now the CHAP credentials have to be added to the node so the initiator can actually connect to the volume:
# iscsiadm -m node --target 'iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8' \
--name 'node.session.auth.authmethod' -v 'CHAP'
# iscsiadm -m node --target 'iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8' \
--name 'node.session.auth.username' -v 'lain'
# iscsiadm -m node --target 'iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8' \
--name 'node.session.auth.password' -v 'iscsipassword'
# iscsiadm -m node --target 'iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8'
node.name = iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8
node.tpgt = 1
node.startup = manual
[...]
node.session.auth.authmethod = CHAP
node.session.auth.username = lain
node.session.auth.password = ********
[...]
#
Now the volume can finally be accessed:
# iscsiadm -m node --target 'iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8' --login
Logging in to [iface: default, target: iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8,
portal: 212.51.12.90,3260]
Login to [iface: default, target: iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8,
portal: 212.51.12.90,3260]: successful
#
After some seconds a device node for this volume should appear in /dev/disk/by-path:
# ls /dev/disk/by-path/
ip-212.51.12.90:3260-iscsi-iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8-lun-0
[...]
#
The disk is ready to be used.
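A check to run on the Fedora side before the `--login` step, as an added example that is not part of the original post: it confirms that a node record carries the CHAP settings configured above and that a candidate secret fits the 12 to 16 character limit. The function names and both sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the two
# sample records below are constructed for illustration.

# True only if the secret fits the 12-16 character limit stated in the post.
chap_secret_ok() {
    len=${#1}
    [ "$len" -ge 12 ] && [ "$len" -le 16 ]
}

# Print the value of one "key = value" line from a node record on stdin.
record_get() {
    awk -F' = ' -v key="$1" '$1 == key { print $2; exit }'
}

# Audit a node record ($1) against the expected CHAP username ($2).
# Real use: audit_node_record "$(iscsiadm -m node --target "$IQN")" lain
audit_node_record() {
    rc=0
    method=$(printf '%s\n' "$1" | record_get node.session.auth.authmethod)
    user=$(printf '%s\n' "$1" | record_get node.session.auth.username)
    startup=$(printf '%s\n' "$1" | record_get node.startup)
    if [ "$method" != "CHAP" ]; then
        echo "FAIL authmethod is '${method:-unset}', expected CHAP"; rc=1
    fi
    if [ "$user" != "$2" ]; then
        echo "FAIL CHAP username is '${user:-unset}', expected '$2'"; rc=1
    fi
    if [ "$startup" != "manual" ]; then
        echo "FAIL node.startup is '${startup:-unset}', expected manual"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK record uses CHAP as '$2' with manual startup"
    fi
    return "$rc"
}

# Constructed record matching the configuration built in this post.
SAMPLE_GOOD='node.name = iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8
node.startup = manual
node.session.auth.authmethod = CHAP
node.session.auth.username = lain
node.session.auth.password = ********'

# Constructed record with no CHAP settings and automatic startup.
SAMPLE_NOAUTH='node.name = iqn.1986-03.com.sun:02:218c35e0-0881-cb4f-d6bd-80e08bdc98d8
node.startup = automatic
node.session.auth.authmethod = None'
```

The record dump masks the password, so the secret length is checked separately with `chap_secret_ok` before the value is written to the node.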