NetBSD-5.0.2/dist/iscsi/doc/FAQ
iSCSI Frequently Asked Questions
================================
Q1. What is iSCSI?
==================
A1. It's an IETF standard (RFC 3720) for remote access to block-level
storage. It can be thought of as similar to NFS, except that an NFS
server exports files; the iSCSI target exports blocks to the iSCSI
initiators, which are the clients.
Q2. What's the difference between an initiator and a target?
============================================================
A2. The target is the iSCSI server - it serves up blocks to the
clients, which are called initiators. Typically, initiators are part
of the operating system, since the operating system manages block
storage, presenting it to the user as file systems sitting on top of
the storage.
Targets do not generally need to be part of the operating system,
indeed there is some flexibility to be gained by having targets as
part of the user-level daemons that are run. This means that
security credentials need not be buried in the kernel.
Q3. So how do I use it?
=======================
A3. Firstly, you need to set up the iSCSI target. The target is
simply sitting there, waiting for requests for blocks. So we need to
configure the target with an area of storage for it to present to the
initiators.
To set up the target, you need to edit the /etc/iscsi/targets file.
It has a certain layout, to provide a means of (a) mirroring and (b)
combining multiple areas to present one large contiguous area of
storage. This can be multiply-layered.
The basic unit of storage is an extent. This can be either a file
or a device. The offset of the start of the extent to be presented
must be given, and also the length of the extent.
A device is made up of one or more extents, and/or one or more
other devices.
At the highest level, a target is what is presented to the initiator,
and is made up of one or more devices, and/or one or more extents.
The simple example is as follows, consisting of one piece of storage
presented by one target:
# extent file or device start length
extent0 /tmp/iscsi-target0 0 100MB
will produce an extent of storage which is based on one file,
/tmp/iscsi-target0, which starts 0 bytes into the file, and is 100 MB
in length. The file will be created if it does not already exist.
# target storage netmask
target0 extent0 0.0.0.0/0
That extent is then used in target0, and will be presented to an
initiator running on any host.
Extents must be defined before they can be used, and extents cannot
be used more than once.
Devices are used to combine extents or other devices. Device
definitions have the following format:
# devices
device0 RAID1 extent0 extent1
A "RAID1" device behaves in much the same way that RAID1 devices work
in the storage arena - they mirror the original storage. There can be
any number of devices or extents in a RAID1 device, not just 2, but
each device or extent must be of the same size.
A "RAID0" device combines the storage, to produce a larger area of
(virtually) "contiguous" storage.
Devices must be defined before they can be used, and devices may not
be used more than once.
A more detailed example would be as follows:
# Complex file showing 3-way RAID1 (with RAID1 components),
# also using local and (NFS) remote components
# extents
extent0 /iscsi/extents/0 0 100MB
extent1 /imports/remote1/iscsi/extents/0 0 100MB
extent2 /iscsi/extents/1 0 100MB
extent3 /imports/remote1/iscsi/extents/1 0 100MB
extent4 /iscsi/extents/2 0 100MB
extent5 /imports/remote1/iscsi/extents/2 0 100MB
extent6 /iscsi/extents/3 0 100GB
# devices
device0 RAID1 extent0 extent1
device1 RAID1 extent2 extent3
device2 RAID1 extent4 extent5
device3 RAID1 device0 device1 device2
# targets
target0 device3 10.4.0.0/16
# a target can be made from just an extent
target1 extent6 127.0.0.0/8
which will make 7 extents, 3 of them 100 MB in length and remote (via
NFS), and 3 of them 100 MB in length and local, and one of them large
(100 GB) and local. Three separate occurrences of a local and remote
100 MB extent are combined to make three RAID1 devices, and then those
three RAID1 devices are combined into another RAID1 device, and
presented as target0.
The other extent is used to present a simple 100 GB of storage as
target1.
Q4. What about security?
=========================
A4. A good question. RFC 3720 specifies CHAP, SRM and Kerberos as
methods of providing authentication and/or security. In practice,
it's whatever is provided by the initiator you are using which will
determine what authentication or security is used.
If you want any form of security, it's probably best to use ssh port
forwarding for all your traffic if you're worried about security.
CHAP will only provide authentication, the other information will flow
across the network in clear.
Q5. Using the Microsoft initiator, I can't login with CHAP
===========================================================
A5. The 1.06 Microsoft initiator silently enforces a chap password
length of at least 12 characters. If you enter a password which is
less than that, your Discovery login will silently fail.
Since CHAP provides very little authentication anyway, you are advised
not to use it - ssh port forwarding, and the use of tcp wrappers,
will do a much better job of protection.
Q6. What initiators work with the NetBSD iSCSI target?
======================================================
A6. The NetBSD target has been tested at various times with the Microsoft
iSCSI initiator, version 1.06 (which can be downloaded for free from
www.microsoft.com, but needs Windows XP Pro to work), and also with the
NetBSD test harness, which is provided, but not installed, in the same
place as the target.
Q7. What is the difference between Discovery and Normal login?
===============================================================
A7. On direct-attached storage, the kernel verifies what storage is
available, and assigns a device node to it. With iSCSI, storage can
come and go, and our proximity to the devices doesn't matter. So we
need to find a different method of finding out what iSCSI storage is
out there.
This is done by a "Discovery" iSCSI session - the initiator logs in
to the target, finds out what storage is being presented, then logs
back out. This can be seen by the syslog entries:
Feb 5 10:33:44 sys3 iscsi-target: > Discovery login from iqn.1991-05.com.microsoft:inspiron on 10.4.1.5
Feb 5 10:33:44 sys3 iscsi-target: < Discovery logout from iqn.1991-05.com.microsoft:inspiron on 10.4.1.5
The initiator will then perform a "Normal" login session, which will
establish a session between the initiator and target. This is denoted
by the syslog entries:
Feb 5 00:00:28 sys3 iscsi-target: > Discovery login from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
Feb 5 00:00:28 sys3 iscsi-target: < Discovery logout from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
Feb 5 00:00:28 sys3 iscsi-target: > Normal login from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
Feb 5 00:05:32 sys3 iscsi-target: < Normal logout from iqn.1993-03.org.NetBSD.iscsi-initiator:agc on 127.0.0.1
Q8. So what do I do to try it?
==============================
A8. Perform the following steps:
a) define the storage that you want to present in /etc/iscsi/targets
b) start the iSCSI target: /etc/rc.d/iscsi_target forcestart
c) use an initiator to point it at the machine you started it on
Q9. Why does the test harness not work properly?
================================================
A9. Firstly, you should be invoking the test harness as
iscsi-harness -n 3 -h localhost
where the 'n' option is the number of iterations to perform, and the
'h' parameter is the name or address of the machine where the
iscsi-target is running.
If the harness was invoked properly, check any error messages which
the test harness sends:
If one of them looks like:
No matching user configuration entry for `agc' was found
Please add an entry for `agc' to `/etc/iscsi/auths'
(where "agc" is substituted for the name of the user who was running
the test harness), then please do as suggested. The iSCSI test harness
tests, amongst other things, the CHAP authentication process, and so
CHAP credentials for that user are needed.
Alistair Crooks
agc@NetBSD.org
Wed Feb 8 07:21:56 GMT 2006