Building an IP Storage Network with iSCSI Storage Technology (Security Article)

Source: Internet
Author: User

In the previous article, we described how to build a simple iSCSI network storage system in which iSCSI initiator client hosts can connect to and use every disk and partition shared by the iSCSI target. In many cases, however, access to a shared disk or partition must be restricted through authorization: for example, client host A may connect only to disk partition 1 shared by the target, while client host B may connect only to another disk partition shared by the target. In that case, iSCSI authorization is configured on the target host.

iSCSI has clear advantages in access authorization and security management: access can be allowed or denied per host, that is, by IP address, or through user account and password authentication.

The following application case describes how iSCSI authorization is used to obtain disk resources.

The iSCSI target server is a PC-architecture machine. Its shared hard disk is identified as /dev/sdc, 10G in size, and is divided into two partitions, /dev/sdc1 and /dev/sdc2. /dev/sdc1 is shared to a Windows client host with IP address 192.168.12.136, and /dev/sdc2 is shared to a Linux client host with IP address 192.168.12.26. The iSCSI target server has IP address 192.168.12.246. The following sections show how to meet this requirement in two ways: IP authentication and user password authentication.

1. Obtaining iSCSI target resources through initiator host IP authentication

This configuration is simple and only requires modifying two files on the iSCSI target server. First, locate the ietd.conf file in /etc/iet, the iscsitarget configuration directory, and add the following:

    Target iqn.2000-04.net.ixdba:sdc1
        Lun 0 Path=/dev/sdc1,Type=fileio

    Target iqn.2002-04.net.ixdba:sdc2
        Lun 0 Path=/dev/sdc2,Type=fileio

Two targets are defined in ietd.conf, and each target is given one disk partition. Next, modify the /etc/iet/initiators.allow file, which defines the access rules for initiator hosts connecting to the target server, similar to the /etc/hosts.allow file on Linux. After modification, the initiators.allow file contains:

    iqn.2000-04.net.ixdba:sdc1 192.168.12.136
    iqn.2002-04.net.ixdba:sdc2 192.168.12.26

After making the changes, restart the iscsi-target service:

    [root@iscsi-target iet]# service iscsi-target restart
    Stopping iSCSI Target: [ OK ]
    Starting iSCSI Target: [ OK ]

Next, do the following on the Linux initiator host with an IP address of 192.168.12.26:

    [root@initiator iscsi]# /etc/init.d/iscsi restart
    [root@initiator iscsi]# iscsiadm -m discovery -t sendtargets -p 192.168.12.246
    192.168.12.246:3260,1 iqn.2002-04.net.ixdba:sdc2
    [root@initiator iscsi]# fdisk -l

    Disk /dev/sda: 320.0 GB, 320072933376 bytes
    255 heads, sectors/track, 38913 cylinders
    Units = cylinders of 16065 * 8225280 bytes

    Device Boot Start End Blocks Id System
    /dev/sda1 * 1 104391 Linux
    /dev/sda2 38913 312464250 8e Linux LVM

    Disk /dev/sdb: 5724 MB, 5724794880 bytes
    177 heads, sectors/track, 1018 cylinders
    Units = cylinders of 10974 * 5618688 bytes

    Device Boot Start End Blocks Id System
    /dev/sdb1 1 1018 5585735 Linux

After the iSCSI service is restarted and target discovery is run again, the Linux system recognizes the disk partition shared by the target; "/dev/sdb: 5724 MB" is the iSCSI shared disk, which can now be managed and used on Linux.

Finally, log on to the Windows system, open Microsoft iSCSI Initiator, and add the iSCSI shared disk. This is straightforward and is not described in detail here.
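
The following shell function is an added example, not part of the original article or of the iscsitarget software. It cross-checks the two files edited above and reports targets in ietd.conf that have no line in initiators.allow, rules that name a target ietd.conf does not define (for instance a mistyped IQN), and wildcard rules. It assumes exact target names rather than patterns, and that the keyword ALL acts as a wildcard as it does in /etc/hosts.allow; the function name audit_iet_acl is hypothetical.

```shell
#!/bin/sh
# Added example: audit IET target definitions against initiators.allow.
# Usage: audit_iet_acl [IETD_CONF] [INITIATORS_ALLOW]
# Prints one finding per line and returns 1 if anything was found.
audit_iet_acl() {
    awk '
        { sub(/#.*/, "") }              # drop comments
        NF == 0 { next }                # skip blank lines
        FNR == NR {                     # first file: ietd.conf
            if (tolower($1) == "target") defined[tolower($2)] = 1
            next
        }
        {                               # second file: initiators.allow
            gsub(/,/, " ")              # split comma-separated address lists
            name = tolower($1); ruled[name] = 1
            if (name == "all") {
                print "WILDCARD-TARGET: " $0; bad = 1
            } else if (!(name in defined)) {
                print "STALE-RULE: " $1 " is not a target in ietd.conf"; bad = 1
            }
            for (i = 2; i <= NF; i++)
                if (toupper($i) == "ALL") {
                    print "WILDCARD-INITIATOR: " $1 " accepts any initiator"; bad = 1
                }
        }
        END {
            # A wildcard target rule covers every target, so skip this check then.
            if (!("all" in ruled))
                for (t in defined) if (!(t in ruled)) {
                    print "NO-RULE: " t " has no line in initiators.allow"; bad = 1
                }
            exit bad + 0
        }
    ' "${1:-/etc/iet/ietd.conf}" "${2:-/etc/iet/initiators.allow}"
}

# Run the audit only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_iet_acl "$1" "$2"; fi
```

Run against the configuration in this article it prints nothing and returns 0, because each target is bound to exactly one initiator address.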
