14.2 Setting Up an iSCSI LIO Target Server

This section describes how to use YaST to configure an iSCSI LIO Target Server and set up iSCSI LIO target devices. You can use any iSCSI initiator software to access the target devices.

14.2.1 iSCSI LIO Target Service Start-up and Firewall Settings

The iSCSI LIO Target service is by default configured to be started manually. You can configure the service to start automatically at boot time. If you use a firewall on the server and you want the iSCSI LIO targets to be available to other computers, you must open a port in the firewall for each adapter that you want to use for target access. TCP port 3260 is the port number for the iSCSI protocol, as defined by IANA (Internet Assigned Numbers Authority).

  1. Start YaST and launch Network Services > iSCSI LIO Target.

  2. Switch to the Service tab.

  3. Under Service Start, specify how you want the iSCSI LIO target service to be started:

    • When Booting: The service starts automatically on server restart.

    • Manually: (Default) You must start the service manually after a server restart by running sudo systemctl start target. The target devices are not available until you start the service.

  4. If you use a firewall on the server and you want the iSCSI LIO targets to be available to other computers, open port 3260 in the firewall for each adapter interface that you want to use for target access. If the port is closed for all of the network interfaces, the iSCSI LIO targets are not available to other computers.

    If you do not use a firewall on the server, the firewall settings are disabled. In this case skip the following steps and leave the configuration dialog with Finish or switch to another tab to continue with the configuration.

    1. On the Service tab, select the Open Port in Firewall check box to enable the firewall settings.

    2. Click Firewall Details to view or configure the network interfaces to use. All available network interfaces are listed, and all are selected by default. Deselect all interfaces on which the port should not be opened. Save your settings with OK.

  5. Click Finish to save and apply the iSCSI LIO Target service settings.

14.2.2 Configuring Authentication for Discovery of iSCSI LIO Targets and Initiators

The iSCSI LIO Target Server software supports PPP-CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), a three-way authentication method defined in the Internet Engineering Task Force (IETF) RFC 1994 (http://www.ietf.org/rfc/rfc1994.txt). The server uses this authentication method for the discovery of iSCSI LIO targets and initiators, not for accessing files on the targets. If you do not want to restrict access to discovery, use No Discovery Authentication. This option is enabled by default. Without authentication, all iSCSI LIO targets on this server can be discovered by any iSCSI initiator on the same network.

If authentication is needed for a more secure configuration, you can use incoming authentication, outgoing authentication, or both. Authentication by Initiators requires an iSCSI initiator to prove that it has the permissions to run a discovery on the iSCSI LIO target. The initiator must provide the incoming user name and password. Authentication by Targets requires the iSCSI LIO target to prove to the initiator that it is the expected target. The iSCSI LIO target must provide the outgoing user name and password to the iSCSI initiator. The password needs to be different for incoming and outgoing discovery. If authentication for discovery is enabled, its settings apply to all iSCSI LIO target groups.

IMPORTANT: Security

We recommend that you use authentication for target and initiator discovery in production environments for security reasons.

To configure authentication preferences for iSCSI LIO targets:

  1. Start YaST and launch Network Services > iSCSI LIO Target.

  2. Switch to the Global tab.

  3. By default, authentication is disabled (No Discovery Authentication). To enable Authentication, select Authentication by Initiators, Outgoing Authentication or both.

  4. Provide credentials for the selected authentication method(s). The user name and password pair must be different for incoming and outgoing discovery.

  5. Click Finish to save and apply the settings.
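
The three-way exchange described in this section, run in both directions, as an added example (not part of the original documentation and not the LIO implementation). The user names and secrets are constructed, and the names `Challenger`, `check_discovery_config` and `discovery_auth` are hypothetical; the response formula is the one in RFC 1994.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994, section 4.1: MD5 over identifier octet + secret + challenge.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Challenger:
    """The side that issues a challenge and verifies the peer's response."""
    def __init__(self, user, secret):
        self.user, self.secret = user, secret
        self.identifier, self.challenge = 0, b""

    def challenge_peer(self):
        # A fresh, unpredictable challenge for every attempt.
        self.identifier, self.challenge = os.urandom(1)[0], os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, user, response):
        if not self.challenge or user != self.user:
            return False
        expected = chap_response(self.identifier, self.secret, self.challenge)
        self.challenge = b""  # one response per challenge, so replays fail
        return hmac.compare_digest(expected, response)

def check_discovery_config(incoming, outgoing):
    # The response does not encode a direction: with one shared secret, a
    # response computed for one direction would also verify in the other.
    if incoming[1] == outgoing[1]:
        raise ValueError("incoming and outgoing passwords must differ")

def discovery_auth(target_cfg, initiator_cfg):
    """Each cfg is {"incoming": (user, secret), "outgoing": (user, secret)}."""
    check_discovery_config(target_cfg["incoming"], target_cfg["outgoing"])
    # Authentication by Initiators: the target challenges the initiator.
    target = Challenger(*target_cfg["incoming"])
    ident, chal = target.challenge_peer()
    user, secret = initiator_cfg["incoming"]
    if not target.verify(user, chap_response(ident, secret, chal)):
        return False
    # Outgoing Authentication: the initiator challenges the target.
    initiator = Challenger(*initiator_cfg["outgoing"])
    ident2, chal2 = initiator.challenge_peer()
    if chal2 == chal:  # the target refuses its own challenge sent back
        return False
    user, secret = target_cfg["outgoing"]
    return initiator.verify(user, chap_response(ident2, secret, chal2))

# Constructed sample credentials, held identically by both sides.
TARGET_CFG = {"incoming": ("disc-in", b"constructed-secret-A"),
              "outgoing": ("disc-out", b"constructed-secret-B")}
```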

14.2.3 Preparing the Storage Space

Before you configure LUNs for your iSCSI Target servers, you must prepare the storage you want to use. You can use the entire unformatted block device as a single LUN, or you can subdivide a device into unformatted partitions and use each partition as a separate LUN. The iSCSI target configuration exports the LUNs to iSCSI initiators.

You can use the Partitioner in YaST or the command line to set up the partitions. Refer to Section 11.1, Using the YaST Partitioner, (↑Deployment Guide) for details. iSCSI LIO targets can use unformatted partitions with Linux, Linux LVM, or Linux RAID file system IDs.

IMPORTANT: Do Not Mount iSCSI Target Devices

After you set up a device or partition for use as an iSCSI target, never access it directly via its local path. Do not mount the partitions on the target server.

Partitioning Devices in a Virtual Environment

You can use a virtual machine guest server as an iSCSI LIO Target Server. This section describes how to assign partitions to a Xen virtual machine. You can also use other virtual environments that are supported by SUSE Linux Enterprise Server.

In a Xen virtual environment, you must assign the storage space you want to use for the iSCSI LIO target devices to the guest virtual machine, then access the space as virtual disks within the guest environment. Each virtual disk can be a physical block device, such as an entire disk, partition, or volume, or it can be a file-backed disk image where the virtual disk is a single image file on a larger physical disk on the Xen host server. For the best performance, create each virtual disk from a physical disk or a partition. After you set up the virtual disks for the guest virtual machine, start the guest server, then configure the new blank virtual disks as iSCSI target devices by following the same process as for a physical server.

File-backed disk images are created on the Xen host server, then assigned to the Xen guest server. By default, Xen stores file-backed disk images in the /var/lib/xen/images/VM_NAME directory, where VM_NAME is the name of the virtual machine.

14.2.4 Setting Up an iSCSI LIO Target Group

You can use YaST to configure iSCSI LIO target devices. YaST uses APIs provided by the lio-utils software. iSCSI LIO targets can use unformatted partitions with Linux, Linux LVM, or Linux RAID file system IDs.

IMPORTANT: Partitions

Before you begin, create the unformatted partitions that you want to use as iSCSI LIO targets as described in Section 14.2.3, Preparing the Storage Space.

  1. Start YaST and launch Network Services > iSCSI LIO Target.

  2. Switch to the Targets tab.

  3. Click Add, then define a new iSCSI LIO target group and devices:

    The iSCSI LIO Target software automatically completes the Target, Identifier, Portal Group, IP Address, and Port Number fields. Use Authentication is selected by default.

    1. If you have multiple network interfaces, use the IP address drop-down box to select the IP address of the network interface to use for this target group. To make the server accessible under all addresses, choose Bind All IP Addresses.

    2. Deselect Use Authentication if you do not want to require initiator authentication for this target group (not recommended).

    3. Click Add. Enter the path of the device or partition or Browse to add it. Optionally specify a name, then click OK. The LUN number is automatically generated, beginning with 0. A name is automatically generated if you leave the field empty.

    4. (Optional) Repeat the previous steps to add more targets to this target group.

    5. After all desired targets have been added to the group, click Next.

  4. On the Modify iSCSI Target Initiator Setup page, configure information for the initiators that are permitted to access LUNs in the target group:

    After you specify at least one initiator for the target group, the Edit LUN, Edit Auth, Delete, and Copy buttons are enabled. You can use Add or Copy to add more initiators for the target group:

    Modify iSCSI Target: Options

    • Add: Add a new initiator entry for the selected iSCSI LIO target group.

    • Edit LUN: Configure which LUNs in the iSCSI LIO target group to map to a selected initiator. You can map each of the allocated targets to a preferred initiator.

    • Edit Auth: Configure the preferred authentication method for a selected initiator. You can specify no authentication, or you can configure incoming authentication, outgoing authentication, or both.

    • Delete: Remove a selected initiator entry from the list of initiators allocated to the target group.

    • Copy: Add a new initiator entry with the same LUN mappings and authentication settings as a selected initiator entry. This allows you to easily allocate the same shared LUNs, in turn, to each node in a cluster.

    1. Click Add, specify the initiator name, select or deselect the Import LUNs from TPG check box, then click OK to save the settings.

    2. Select an initiator entry, click Edit LUN, modify the LUN mappings to specify which LUNs in the iSCSI LIO target group to allocate to the selected initiator, then click OK to save the changes.

      If the iSCSI LIO target group consists of multiple LUNs, you can allocate one or multiple LUNs to the selected initiator. By default, each of the available LUNs in the group is assigned to an initiator LUN.

      To modify the LUN allocation, perform one or more of the following actions:

      • Add: Click Add to create a new Initiator LUN entry, then use the Change drop-down box to map a target LUN to it.

      • Delete: Select the Initiator LUN entry, then click Delete to remove a target LUN mapping.

      • Change: Select the Initiator LUN entry, then use the Change drop-down box to select which Target LUN to map to it.

      Typical allocation plans include the following:

      • A single server is listed as an initiator. All of the LUNs in the target group are allocated to it.

        You can use this grouping strategy to logically group the iSCSI SAN storage for a given server.

      • Multiple independent servers are listed as initiators. One or multiple target LUNs are allocated to each server. Each LUN is allocated to only one server.

        You can use this grouping strategy to logically group the iSCSI SAN storage for a given department or service category in the data center.

      • Each node of a cluster is listed as an initiator. All of the shared target LUNs are allocated to each node. All nodes are attached to the devices, but for most file systems, the cluster software locks a device for access and mounts it on only one node at a time. Shared file systems (such as OCFS2) make it possible for multiple nodes to concurrently mount the same file structure and to open the same files with read and write access.

        You can use this grouping strategy to logically group the iSCSI SAN storage for a given server cluster.

    3. Select an initiator entry, click Edit Auth, specify the authentication settings for the initiator, then click OK to save the settings.

      You can select No Discovery Authentication, or you can configure Authentication by Initiators, Outgoing Authentication, or both. You can specify only one user name and password pair for each initiator. The credentials can be different for incoming and outgoing authentication for an initiator. The credentials can be different for each initiator.

    4. Repeat the previous steps for each iSCSI initiator that can access this target group.

    5. After the initiator assignments are configured, click Next.

  5. Click Finish to save and apply the settings.
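
A check of initiator assignments against the allocation plans listed in step 4, as an added example (not part of the original documentation). The dictionary layout, the `audit_target_group` name and the IQNs are hypothetical and constructed for illustration; they are not a YaST or LIO file format.

```python
from collections import defaultdict

def audit_target_group(group):
    """Return findings for one target group (hypothetical data model)."""
    findings = []
    cluster = set(group.get("cluster_nodes", ()))
    mapped_to = defaultdict(set)  # target LUN -> initiators that can reach it
    for iqn, entry in sorted(group["initiators"].items()):
        # Edit Auth set to no authentication: access then rests on the
        # initiator name alone.
        if entry.get("incoming") is None:
            findings.append(("no-auth", iqn))
        for _initiator_lun, target_lun in sorted(entry["luns"].items()):
            if target_lun not in group["target_luns"]:
                findings.append(("unknown-lun", iqn, target_lun))
            mapped_to[target_lun].add(iqn)
    for target_lun, iqns in sorted(mapped_to.items()):
        # Sharing a LUN is expected only between the nodes of one cluster.
        if len(iqns) > 1 and not iqns <= cluster:
            findings.append(("shared-outside-cluster", target_lun,
                             tuple(sorted(iqns))))
    return findings

# Constructed sample: two cluster nodes plus one independent server.
NODE1 = "iqn.2024-01.com.example:node1"
NODE2 = "iqn.2024-01.com.example:node2"
BACKUP = "iqn.2024-01.com.example:backup"
CHAP = ("constructed-user", "constructed-secret")

WEAK = {
    "target_luns": {0, 1, 2},
    "cluster_nodes": [NODE1, NODE2],
    "initiators": {
        NODE1: {"luns": {0: 0, 1: 1}, "incoming": CHAP},
        NODE2: {"luns": {0: 0, 1: 1}, "incoming": CHAP},  # as made with Copy
        BACKUP: {"luns": {0: 1, 1: 2}, "incoming": None},
    },
}
# Corrected: BACKUP authenticates and is mapped only to its own LUN.
FIXED = {**WEAK, "initiators": {
    **WEAK["initiators"],
    BACKUP: {"luns": {0: 2},
             "incoming": ("constructed-user-2", "constructed-secret-2")}}}

if __name__ == "__main__":
    print(audit_target_group(WEAK))
    print(audit_target_group(FIXED))
```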

14.2.5 Modifying an iSCSI LIO Target Group

You can modify an existing iSCSI LIO target group as follows:

  • Add or remove target LUN devices from a target group

  • Add or remove initiators for a target group

  • Modify the initiator LUN-to-target LUN mappings for an initiator of a target group

  • Modify the user name and password credentials for an initiator authentication (incoming, outgoing, or both)

To view or modify the settings for an iSCSI LIO target group:

  1. Start YaST and launch Network Services > iSCSI LIO Target.

  2. Switch to the Targets tab.

  3. Select the iSCSI LIO target group to be modified, then click Edit.

  4. On the Modify iSCSI Target LUN Setup page, add LUNs to the target group, edit the LUN assignments, or remove target LUNs from the group. After all desired changes have been made to the group, click Next.

    For option information, see Modify iSCSI Target: Options.

  5. On the Modify iSCSI Target Initiator Setup page, configure information for the initiators that are permitted to access LUNs in the target group. After all desired changes have been made to the group, click Next.

  6. Click Finish to save and apply the settings.

14.2.6 Deleting an iSCSI LIO Target Group

Deleting an iSCSI LIO target group removes the definition of the group, and the related setup for initiators, including LUN mappings and authentication credentials. It does not destroy the data on the partitions. To give initiators access again, you can allocate the target LUNs to a different or new target group, and configure the initiator access for them.

  1. Start YaST and launch Network Services > iSCSI LIO Target.

  2. Switch to the Targets tab.

  3. Select the iSCSI LIO target group to be deleted, then click Delete.

  4. When you are prompted, click Continue to confirm the deletion, or click Cancel to cancel it.

  5. Click Finish to save and apply the settings.