Overview: This article introduces the user-state tool targetcli in Lio to configure the iscsi service.
Virtual Machine environment: centos7.x (kernel version 3.10.0-862. el7.x86 _ 64)
The IP addresses are 192.168.1.200/201, respectively.
Targetcli Installation
Centos generally comes with this tool. If you do not have it, you can download it from the official website.
Quickly create IP-SAN
1. enter targetcli in the command line to enter the interaction interface. On the interaction interface, you can use ls, CD, and other commands for flexible and simple operations. The top-level directories include backstores and iSCSI. If FC or InfiniBand exists, there will be other sub-modules such as qla2xxx
2. Create a volume Resource
Use CD to enter the/backstores/block directory,
CD backstores/block
Then create a volume resource and use the block device/dev/SDB
Create Dev =/dev/SDB name = SDB
The system prompts that the SDB device is in use and reselect/dev/SDC to create the volume resource. The system prompts that the volume resource is created successfully (the readonly attribute indicates the read/write permission, and WWN indicates the unique label of the volume resource)
3. Create iSCSI
To quickly create an iscsi service, follow these steps:
A. Create an iqn
B. Add the IP address providing services and the volume to be mapped under iqn.
C. Set Authentication
The procedure is as follows:
Here is a tip. You can enter CD on the interactive interface to enter the interface and jump to the specified directory flexibly and quickly.
Create iqn In The iSCSI directory.
Add service IP addresses, ing volumes, and permission settings under the corresponding directory of iqn.
Initiator terminal discovery: You can see the logical volumes that have been logged on.
Command: iscsiadm-M discovery-T St-P IP
Logon command: Add-l or iscsiadm-M node-T iqn-L to the end of the command.
Logout command: iscsiadm-M node-T iqn-u such as iscsiadm-M node-T iqn.2018-10.hzhrinet.com: Test-u
Iscsi Authentication
Iscsi authentication is divided into discovery authentication and login authentication. Each authentication is classified into one-way authentication and two-way authentication.
The meaning of authentication and logon authentication is the same as that of the name.
One-way authentication means that when the initiator discovers the target, it must provide the correct authentication before it can discover the iscsi service on the target.
Two-way authentication means that, based on one-way authentication, the target end needs to correctly set the authentication set by the initiator end to be discovered by the initiator end.
Discovery authentication:
1. First, we can see the Default Authentication attribute, which is a global setting.
2. Set one-way authentication
First, run the command on the target side to set one-way authentication.
At this time, the initiator login will encounter an authentication error and cannot be found
In this case, we need to set the initiator configuration file/etc/iSCSI/iscsid. conf
At this time, the initiator client finds that the request is successful.
3. Set two-way authentication (must be based on one-way authentication)
First, set authentication on the initiator side
Then set initiator authentication on the target side.
Logon authentication:
Login authentication is similar to Discovery authentication. It also includes one-way authentication and two-way authentication. The setting method is almost the same as discovery authentication.
Here are a few notes
1. The generate_node_acls attribute indicates whether to enable the ACL. If no-gen-ACLs is enabled, the iqn (under/etc/iSCSI/initiatorname. iSCSI) of the initiator must be added to the ACL to log on.
2. the authentication attribute in TPG does not work (I think there is a bug ??), As long as the user password is set correctly under the iqn directory of the ACL, authentication is successful.
You can modify these options on the initiator side, which is similar to discovering authentication.
Reference: http://blog.51cto.com/zhuxu91313/2154819
Configure iSCSI using targetcli