Serving iSCSI targets from your zpool

If you've already got an OpenSolaris-based NFS server, you may be interested in serving iSCSI targets. For me, this is incredibly useful with the right network configurations and a machine running KVM-based virtual machines.

What is iSCSI?

If you already know, there is no point in reading this section, but there are some key things to know when dealing with iSCSI. iSCSI is simply a way of executing SCSI commands over the wire (Ethernet, fibre, whatever). You are sharing space at the block level, and this is important to realize before you start sharing iSCSI targets amongst multiple hosts. You WILL run into issues doing this without a cluster-aware filesystem such as GFS, or a volume management system such as cLVM.

iSCSI of course has its own terminology which you should be aware of. The iSCSI "server" (also referred to as the portal) presents targets, and the iSCSI "client" is called the initiator. The initiator searches for available iSCSI targets on your iSCSI portal. I suggest taking a quick glance at the Wikipedia article on iSCSI if you want more technical knowledge, but as long as you understand these basics you will be running iSCSI in no time.

Give me some targets!

Before you can start assigning targets you need to enable the iscsitgt service.

$ pfexec svcadm enable iscsitgt

Now that we have that out of the way, we can create a zvol of 100G to serve over iSCSI as follows:

$ pfexec zfs create tank/targets
$ pfexec zfs set shareiscsi=on tank/targets
$ pfexec zfs create -V 100G tank/targets/lun0
$ iscsitadm list target
Target: tank/targets/lun0
    iSCSI Name: iqn.1986-03.com.sun:02:bf1479ba-a71d-c9d7-ab45-d51a1dca3416
    Connections: 1

You now have iSCSI targets being presented from your server. Accessing these all depends on your client's OS, so you may be interested in looking at using iSCSI targets on Linux. Depending on your network configuration, you may need to restrict which interfaces these targets are accessible on. I highly recommend doing so, as things will get confusing if you are serving the same iSCSI targets from multiple interfaces.

Restricting access

To limit what network interface a target group listens on:

$ pfexec iscsitadm create tpgt 1
$ pfexec iscsitadm modify tpgt -i 10.20.0.2 1
$ iscsitadm list tpgt -v 1
TPGT: 1
    IP Address: 10.20.0.2
$ pfexec iscsitadm modify target -p 1 tank/targets/lun0

This creates target portal group 1, then modifies that group to only listen on 10.20.0.2, and finally applies group 1 to the target tank/targets/lun0. There is also a basic authentication method available called CHAP, but in reality your iSCSI network should be completely isolated from other traffic. I do not see authentication as necessary, and it just tends to complicate things.
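
To confirm that every target really has been bound to a target portal group, the following added example (not part of the original post) parses a verbose target listing and flags any target whose TPGT list is empty. The listing layout it expects from `iscsitadm list target -v` is an assumption, and the sample data, including the lun1 entry and its IQN, is constructed for illustration.

```shell
#!/bin/sh
# Added example: flag iSCSI targets that are not bound to any target portal
# group (TPGT) and therefore answer on every interface of the server.
# Assumption: input has a "TPGT list:" section per target, containing one
# "TPGT: <n>" line for each bound group.

# audit_targets: reads a verbose target listing on stdin and prints one line
# per target: "<target> tpgt=<n[,n]|none> <OK|UNRESTRICTED>"
audit_targets() {
    awk '
        function emit() {
            if (name == "") return
            printf "%s tpgt=%s %s\n", name, (tpgts == "" ? "none" : tpgts), (tpgts == "" ? "UNRESTRICTED" : "OK")
        }
        /^Target:/                 { emit(); name = $2; tpgts = ""; in_tpgt = 0; next }
        /^[ \t]+TPGT list:/        { in_tpgt = 1; next }
        in_tpgt && /^[ \t]+TPGT:/  { tpgts = (tpgts == "" ? $2 : tpgts "," $2); next }
        /^[ \t]+[A-Za-z ]+:/       { in_tpgt = 0 }  # any other field ends the TPGT section
        END                        { emit() }
    '
}

# sample_listing: constructed sample input (lun1 and its IQN are made up).
sample_listing() {
    cat <<'EOF'
Target: tank/targets/lun0
    iSCSI Name: iqn.1986-03.com.sun:02:bf1479ba-a71d-c9d7-ab45-d51a1dca3416
    Connections: 1
    ACL list:
    TPGT list:
        TPGT: 1
    LUN information:
        LUN: 0
Target: tank/targets/lun1
    iSCSI Name: iqn.1986-03.com.sun:02:00000000-0000-0000-0000-000000000000
    Connections: 0
    ACL list:
    TPGT list:
    LUN information:
        LUN: 0
EOF
}

# On the server itself: iscsitadm list target -v | audit_targets
sample_listing | audit_targets
```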
