ISCSI

From Livedoc - The Documentation Repository
Jump to: navigation, search

iSCSI is the protocol that allows SCSI commands to be sent over the network. In the case of the CSL, Linux servers use the open-iscsi software to connect to the storage arrays, which actually store the data. Solaris servers use the Solaris software iSCSI implementation. This data is sent over the SAN, not the production network.

Definitions

Initiator - the iscsi client that access the data

Target - the iscsi server that hosts the data

Node - an initiator or target

Initiator name - a unique identifier for an iSCSI node (see Naming configuration below)

CHAP (Challenge-handshake authentication protocol) - used for authenticating iSCSI; as this is insecure, all iSCSI data should travel over a separate network, in our case, the [SAN].

LUN (Logical Unit Number) - the number assigned to a logical unit, in the case of iSCSI, the storage "partitions"

Naming

All iSCSI nodes must be given a unique identifying initiator name. This is of the form iqn.yyyy-mm.{reversed domain name}:{user defined}. iqn stands for iSCSI qualified name, and yyyy-mm is the date of the first full month for which the domain name was registered. For the CSL, our initiator names are of the form iqn.1992-03.edu.tjhsst:initiator:servername.number, for initiators, and iqn.1992-03.edu.tjhsst.csl:storage:servername, for storage servers.

CHAP

This is an iSCSI authentication method. On the CSL SAN, it is currently unidirectional and not used for Send Targets.

Send Targets

This is a method for initiators to scan for LUNs on a target. It is currently the method used on the CSL SAN.

Configuration of open-iscsi

initiatorname.iscsi

This file stores the node's initiator name. See Naming above.

iscsid.conf

This file stores the server's iSCSI global configuration. An example is given below.

node.active_cnx = 1
# attach to storage automatically when started?
node.startup = automatic
# the CHAP username
node.session.auth.username = [A CHAP username]
# the CHAP password
node.session.auth.password = [A CHAP password]
# the timeout values for an iSCSI session
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 10
node.session.err_timeo.reset_timeout = 30
# other configuration
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
# network configuration
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Wait = 0
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.MaxConnections = 0
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.MaxRecvDataSegmentLength = 65536
# if we used CHAP for discovery
#discovery.sendtargets.auth.authmethod = CHAP
#discovery.sendtargets.auth.username = [A CHAP username]
#discovery.sendtargets.auth.password = [A CHAP password]

iscsiadm

iscsiadm is the main open-iscsi configuration tool.

Discovering storage resources: iscsiadm -m discovery -t sendtargets -p IP address of storage gateway In our case, the storage gateway is one of the two storage IP addresses on each storage array. Logging into the storage array: iscsiadm -m node -T storage initiator -p iSCSI gateway -l

These commands only need to be done once. After they have been run, configuration files are created under /etc/iscsi/ based off of the global configuration file. If node.startup is set to automatic, then the iSCSI LUNs will be reconnected the next time open-iscsi starts.

Configuration of Solaris iSCSI

Nagle's algorithm

Without going into what it is, it's worth mentioning the following:

  • Nagle's is ON by default for iSCSI in Solaris 10
  • Nagle's is OFF by default in OpenSolaris
  • For iSCSI, Nagle's being OFF is better!
  • To disable it, add tcp-nodelay=1; to /kernel/drv/iscsi.conf.

See http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6621560.

iscsiadm

iscsiadm is used to configure the Solaris iSCSI initiator.

The iSCSI initiator name can be set using iscsiadm modify initiator-node -N [initiator name].

Multipath

  • To configure the number of allowed sessions per target (for instance, if you wanted to configure multipath, but possibly could be used for other purposes, too), use iscsiadm modify initiator-node -c [number of sessions].
  • Solaris has a built-in list of known iSCSI targets that support multipath. If using a target device (such as the Promise VTrak arrays that currently comprise the primary SAN) that isn't part of this built-in list, Solaris will not use multipath with it by default. To enable multipath for these devices, edit /kernel/drv/scsi_vhci.conf. This is the example provided in the online Sun docs [1] (where ACME and XYZ are vendor IDs and MSU and ABC are product IDs):
device-type-scsi-options-list =
"ACME    MSU", "enable-option",
"XYZ     ABC", "enable-option";
enable-option = 0x1000000;

For our Promise VTraks:

device-type-scsi-options-list =
"Promise VTrak M310i", "enable-option";
enable-option = 0x1000000;
  • After editing the file, run stmsboot -u, which will require an immediate reboot.

CHAP

  • To enable CHAP, run iscsiadm modify initiator-node -a chap.
  • To set the CHAP username to something other than the default, run iscsiadm modify initiator-node -H [username]. Currently, the short hostname (that is, hostname without the domain part) is used for the CHAP username.
  • To set the CHAP secret, run iscsiadm modify initiator-node -C. This will launch an interactive prompt. Note that, for whatever reason, Sun's iSCSI currently has a limit of 16 characters for the CHAP secret (minimum 12).

Send Targets

  • To enable Send Targets as a discovery method, run iscsiadm modify discovery --sendtargets enable.
  • Add target addresses to scan for LUNs using iscsiadm add discovery-address [IP address]. Add multiple IP addresses one at a time.
  • NOTE: It's recommended that static configuration be used in the long run since, in the event the discovery-address added is unreachable, Solaris can take forever (an hour or more) to timeout trying to contact the target. Boot times will be extremely slow, and certain other operations may never time out (e.g. trying to zfs list when one of the zpools contains the missing iSCSI target). However, Send Targets may be useful for discovering the information needed for a static configuration. See http://storagefoo.blogspot.com/2007/10/solaris-10-iscsi-configured-with.html. The easiest workaround is similar to method 2 listed there; just temporarily give something (anything, like another server) the IPs, which should cause Solaris to stop trying since it will have reached a host that has no targets to offer.

iscsitadm

iscsitadm is used to configure Solaris iSCSI targets.