iSCSI Frequently Asked Questions
================================

Q1. What is iSCSI?
==================

A1. It's an IETF standard (RFC 3720) for remote access to block-level
storage. It can be thought of as similar to NFS, except that an NFS
server exports files; the iSCSI target exports blocks to the iSCSI
initiators, which are the clients.


Q2. What's the difference between an initiator and a target?
============================================================

A2. The target is the iSCSI server - it serves up blocks to the
clients, which are called initiators. Typically, initiators are part
of the operating system, since the operating system manages block
storage, presenting it to the user as file systems sitting on top of
the storage.

Targets do not generally need to be part of the operating system;
indeed, there is some flexibility to be gained by having targets as
part of the user-level daemons that are run. This means that
security credentials need not be buried in the kernel.


Q3. So how do I use it?
=======================

A3. Firstly, you need to set up the iSCSI target. The target is
simply sitting there, waiting for requests for blocks. So we need to
configure the target with an area of storage for it to present to the
initiators.

To set up the target, you need to edit the /etc/iscsi/targets file.
It has a certain layout, to provide a means of (a) mirroring and (b)
combining multiple areas to present one large contiguous area of
storage. This can be multiply-layered.

The basic unit of storage is an extent.
This can be either a file
or a device. The offset of the start of the extent to be presented
must be given, and also the length of the extent.

A device is made up of one or more extents, and/or one or more
other devices.

At the highest level, a target is what is presented to the initiator,
and is made up of one or more devices, and/or one or more extents.

The simple example is as follows, consisting of one piece of storage
presented by one target:

        # extent        file or device          start   length
        extent0         /tmp/iscsi-target0      0       100MB

will produce an extent of storage which is based on one file,
/tmp/iscsi-target0, which starts 0 bytes into the file, and is 100 MB
in length. The file will be created if it does not already exist.

        # target        storage         netmask
        target0         extent0         0.0.0.0/0

That extent is then used in target0, and will be presented to an
initiator running on any host.

Extents must be defined before they can be used, and extents cannot
be used more than once.

Devices are used to combine extents or other devices. Device
definitions have the following format:

        # devices
        device0 RAID1   extent0 extent1

A "RAID1" device behaves in much the same way that RAID1 devices work
in the storage arena - they mirror the original storage. There can be
any number of devices or extents in a RAID1 device, not just 2, but
each device or extent must be of the same size.

A "RAID0" device combines the storage, to produce a larger area of
(virtually) "contiguous" storage.

Devices must be defined before they can be used, and devices may not
be used more than once.

A more detailed example would be as follows:

        # Complex file showing 3-way RAID1 (with RAID1 components),
        # also using local and (NFS) remote components

        # extents
        extent0 /iscsi/extents/0                        0       100MB
        extent1 /imports/remote1/iscsi/extents/0        0       100MB
        extent2 /iscsi/extents/1                        0       100MB
        extent3 /imports/remote1/iscsi/extents/1        0       100MB
        extent4 /iscsi/extents/2                        0       100MB
        extent5 /imports/remote1/iscsi/extents/2        0       100MB
        extent6 /iscsi/extents/3                        0       100GB

        # devices
        device0 RAID1   extent0 extent1
        device1 RAID1   extent2 extent3
        device2 RAID1   extent4 extent5
        device3 RAID1   device0 device1 device2

        # targets
        target0 device3 10.4.0.0/16

        # a target can be made from just an extent
        target1 extent6 127.0.0.0/8

which will make 7 extents, 3 of them 100 MB in length and remote (via
NFS), and 3 of them 100 MB in length and local, and one of them large
(100 GB) and local. Three separate occurrences of a local and remote
100 MB extent are combined to make three RAID1 devices, and then those
three RAID1 devices are combined into another RAID1 device, and
presented as target0.

The other extent is used to present a simple 100 GB of storage as
target1.


Q4. What about security?
=========================

A4. A good question. RFC 3720 specifies CHAP, SRP and Kerberos as
methods of providing authentication and/or security.
In practice, it's whatever is provided by the initiator you are using
which will determine what authentication or security is used.

If you want any form of security, it's probably best to use ssh port
forwarding for all your traffic. CHAP only provides authentication;
the other information will flow across the network in the clear.


Q5. Using the Microsoft initiator, I can't login with CHAP
===========================================================

A5. The 1.06 Microsoft initiator silently enforces a CHAP password
length of at least 12 characters. If you enter a password which is
shorter than that, your Discovery login will silently fail.

Since CHAP provides very little authentication anyway, you are advised
not to use it - ssh port forwarding, and the use of tcp wrappers,
will do a much better job of protection.


Q6. What initiators work with the NetBSD iSCSI target?
======================================================

A6. The NetBSD target has been tested at various times with the Microsoft
iSCSI initiator, version 1.06 (which can be downloaded for free from
www.microsoft.com, but needs Windows XP Pro to work), and also with the
NetBSD test harness, which is provided, but not installed, in the same
place as the target.


Q7. What is the difference between Discovery and Normal login?
===============================================================

A7. On direct-attached storage, the kernel verifies what storage is
available, and assigns a device node to it.
With iSCSI, storage can
come and go, and our proximity to the devices doesn't matter. So we
need to find a different method of finding out what iSCSI storage is
out there.

This is done by a "Discovery" iSCSI session - the initiator logs in
to the target, finds out what storage is being presented, then logs
back out. This can be seen by the syslog entries:

        Feb 5 10:33:44 sys3 iscsi-target: > Discovery login from iqn.1991-05.com.microsoft:inspiron on 10.4.1.5
        Feb 5 10:33:44 sys3 iscsi-target: < Discovery logout from iqn.1991-05.com.microsoft:inspiron on 10.4.1.5

The initiator will then perform a "Normal" login session, which will
establish a session between the initiator and target. This is denoted
by the syslog entries:

        Feb 5 00:00:28 sys3 iscsi-target: > Discovery login from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
        Feb 5 00:00:28 sys3 iscsi-target: < Discovery logout from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
        Feb 5 00:00:28 sys3 iscsi-target: > Normal login from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
        Feb 5 00:05:32 sys3 iscsi-target: < Normal logout from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1


Q8. So what do I do to try it?
==============================

A8. Perform the following steps:

a) define the storage that you want to present in /etc/iscsi/targets
b) start the iSCSI target: /etc/rc.d/iscsi_target forcestart
c) use an initiator to point it at the machine you started it on


Q9. Why does the test harness not work properly?
================================================

A9. Firstly, you should be invoking the test harness as

        iscsi-harness -n 3 -h localhost

where the 'n' option is the number of iterations to perform, and the
'h' parameter is the name or address of the machine where the
iscsi-target is running.

If the harness was invoked properly, check any error messages which
the test harness sends:

If one of them looks like:

        No matching user configuration entry for `agc' was found
        Please add an entry for `agc' to `/etc/iscsi/auths'

(where "agc" is substituted for the name of the user who was running
the test harness), then please do as suggested. The iSCSI test harness
tests, amongst other things, the CHAP authentication process, and so
CHAP credentials for that user are needed.



Alistair Crooks
agc (a] NetBSD.org
Wed Feb 8 07:21:56 GMT 2006
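
Added example (not part of the original FAQ or of the NetBSD target's own code): a checker for the /etc/iscsi/targets rules given in A3, namely defined before use, used only once, RAID1 members of equal size, plus a note for any target whose netmask admits any host. Assumptions: names begin with "extent", "device" or "target" as in the examples, and lengths use binary KB/MB/GB/TB units.

```python
import ipaddress
import re

UNITS = {"": 1, "KB": 2**10, "MB": 2**20, "GB": 2**30, "TB": 2**40}  # assumed
SIZE = re.compile(r"(\d+)([KMGT]B)?$", re.IGNORECASE)

# Constructed sample with deliberate mistakes (not a file from the page).
SAMPLE = """\
extent0 /iscsi/extents/0 0 100MB
extent1 /iscsi/extents/1 0 200MB
device0 RAID1 extent0 extent1
device1 RAID0 extent0 extent2
target0 device1 0.0.0.0/0
"""

def check_targets(text):
    """Return (targets, findings) for text in the /etc/iscsi/targets layout."""
    sizes, used, targets, findings = {}, set(), {}, []

    def claim(name, n):
        # Storage must already be defined, and may be used only once.
        if name not in sizes:
            findings.append(f"line {n}: {name} used before it is defined")
            return None
        if name in used:
            findings.append(f"line {n}: {name} used more than once")
        used.add(name)
        return sizes[name]

    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0].startswith("extent") and len(f) == 4 and (m := SIZE.match(f[3])):
            sizes[f[0]] = int(m.group(1)) * UNITS[(m.group(2) or "").upper()]
        elif f[0].startswith("device") and len(f) >= 3:
            parts = [s for s in (claim(p, n) for p in f[2:]) if s is not None]
            if f[1] == "RAID1" and len(set(parts)) > 1:
                findings.append(f"line {n}: {f[0]} RAID1 members differ in size")
            # RAID1 mirrors (one member's size); RAID0 combines (the sum).
            sizes[f[0]] = min(parts, default=0) if f[1] == "RAID1" else sum(parts)
        elif f[0].startswith("target") and len(f) == 3:
            claim(f[1], n)
            targets[f[0]] = ipaddress.ip_network(f[2], strict=False)
            if targets[f[0]].prefixlen == 0:
                findings.append(f"line {n}: {f[0]} is offered to any host")
        else:
            findings.append(f"line {n}: unrecognised entry {raw.strip()!r}")
    return targets, findings
```

Run against the detailed example in A3, it returns no findings and the two targets with their 10.4.0.0/16 and 127.0.0.0/8 netmasks.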
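
Added example (not part of the original FAQ): a reader for the iscsi-target syslog entries shown in A7 that lists Normal sessions still open and initiators that logged in from outside the network you expect. The `allowed_net` parameter and the sample initiator names are constructed for illustration, and addresses are assumed to be numeric as in the entries above.

```python
import ipaddress
import re

# Constructed log lines in the format of the syslog entries quoted in A7.
SAMPLE_LOG = """\
Feb 5 10:33:44 sys3 iscsi-target: > Discovery login from iqn.1991-05.com.example:host-a on 10.4.1.5
Feb 5 10:33:44 sys3 iscsi-target: < Discovery logout from iqn.1991-05.com.example:host-a on 10.4.1.5
Feb 5 10:33:45 sys3 iscsi-target: > Normal login from iqn.1991-05.com.example:host-a on 10.4.1.5
Feb 5 10:40:02 sys3 iscsi-target: > Normal login from iqn.1991-05.com.example:host-b on 192.0.2.77
Feb 5 10:41:10 sys3 iscsi-target: < Normal logout from iqn.1991-05.com.example:host-b on 192.0.2.77
"""

ENTRY = re.compile(
    r"iscsi-target: [<>] (Discovery|Normal) (login|logout) from (\S+) on (\S+)$")

def review_sessions(log_text, allowed_net):
    """Return (open_sessions, outside) from iscsi-target syslog text.

    open_sessions: (iqn, address) pairs with a Normal login and no logout yet.
    outside: (iqn, address) pairs that logged in from outside allowed_net.
    """
    net = ipaddress.ip_network(allowed_net)
    open_sessions, outside = [], []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not an iscsi-target login/logout entry
        kind, action, iqn, addr = m.groups()
        key = (iqn, addr)
        if action == "login":
            # Discovery and Normal logins both count as contact from addr.
            if ipaddress.ip_address(addr) not in net and key not in outside:
                outside.append(key)
            if kind == "Normal":
                open_sessions.append(key)
        elif kind == "Normal" and key in open_sessions:
            open_sessions.remove(key)
    return open_sessions, outside
```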