Use iSCSI to set up IP Storage Network iSCSI Security Settings

Source: Internet
Author: User

Advantages of iSCSI Technology


Compared with traditional SCSI technology, iSCSI brings three revolutionary changes:

SCSI, originally usable only on the local machine, is carried over a TCP/IP network, so the connection distance can be extended without geographic limit;

The number of servers that can be connected is unlimited (the upper limit of the original SCSI-3 is 15);

Because it is a server architecture, online resizing and dynamic deployment can also be realized.



Necessity for authorizing access to iSCSI Disks

Client host A is allowed to connect only to disk partition 1 shared by the target, while client host B is allowed to connect only to disk partition 2 shared by the target.

Case:

There is a PC-based iSCSI target server. Its shared hard disks are /dev/sdc and /dev/sdd, with sizes of 10 GB and 5 GB respectively. Share /dev/sdd with a Windows client host with the IP address 192.168.12.136, and /dev/sdc with a Linux client host with the IP address 192.168.12.235. The IP address of the iSCSI target server is 192.168.12.246.

Install iSCSI target software

iscsitarget: http://iscsitarget.sourceforge.net


# tar -xzvf iscsitarget-1.4.20.1.tar.gz

# cd iscsitarget-1.4.20.1

# make

# make install

# service iscsi-target restart


2. Add to /etc/tgt/targets.conf as follows:


3. Restart the tgtd service and set it to start at boot:

/etc/init.d/tgtd restart
chkconfig tgtd on

Client

yum install iscsi-initiator-utils

Discover the iSCSI volumes shared by the server 192.168.12.246:

iscsiadm -m discovery -t sendtargets -p 192.168.12.246


Once the client can connect, there are two ways to authorize access on the target server so that it accepts only legitimate connections.

1. IP-based

Modify the /etc/iet/initiators.allow file:

iqn.2010-11.net.ixdba:sdc 192.168.12.235

iqn.2010-11.net.ixdba:sdd 192.168.12.136


2. The initiator host obtains iSCSI target resources through password authentication.


(1) Modify the /etc/iet/initiators.allow file. The modified content is as follows:

# iqn.2010-11.net.ixdba:sdc 192.168.12.235

# iqn.2010-11.net.ixdba:sdd 192.168.12.136

ALL ALL


(2) Modify the /etc/iet/ietd.conf file. The modified content is as follows:

IncomingUser discovery.auth discoverysecret

The first "IncomingUser" is a global parameter that specifies the account and password used to authenticate discovery queries. It must be consistent with the username and password set on the initiator host.

Target iqn.2010-11.net.ixdba:sdd

IncomingUser login.windows.auth windowssecret

Lun 0 Path=/dev/sdd,Type=fileio

Target iqn.2010-11.net.ixdba:sdc

IncomingUser login.linux.auth linuxsecret

Lun 0 Path=/dev/sdc,Type=fileio



The second and third "IncomingUser" options sit inside their respective Target blocks and specify the account and password that the Windows and Linux client hosts use when logging in to the target/IQN/LUN. They must also be consistent with the username and password set on the initiator host.
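The target-side settings above can be checked mechanically. The following added example (not from the original article or the iscsitarget project) parses constructed copies of ietd.conf and initiators.allow and reports targets without CHAP, address rules open to everyone, and short CHAP secrets; the function names and the 12-character threshold taken from RFC 3720 are assumptions of this example.

```python
import re

MIN_SECRET_LEN = 12  # RFC 3720: CHAP secrets under 96 bits are unsafe without IPsec

# Constructed samples that mirror the configuration shown on this page.
IETD_CONF = """\
IncomingUser discovery.auth discoverysecret
Target iqn.2010-11.net.ixdba:sdd
    IncomingUser login.windows.auth windowssecret
    Lun 0 Path=/dev/sdd,Type=fileio
Target iqn.2010-11.net.ixdba:sdc
    IncomingUser login.linux.auth linuxsecret
    Lun 0 Path=/dev/sdc,Type=fileio
"""
INITIATORS_ALLOW = "ALL ALL\n"

def _lines(text):
    """Return the non-empty lines of a config file with '#' comments stripped."""
    stripped = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line for line in stripped if line]

def parse_ietd(text):
    """Return (discovery_users, {iqn: [(user, secret)]}).
    An IncomingUser before the first Target line is the global discovery account."""
    discovery, targets, current = [], {}, None
    for words in map(str.split, _lines(text)):
        key = words[0].lower()
        if key == "target" and len(words) == 2:
            current = targets.setdefault(words[1], [])
        elif key == "incominguser" and len(words) == 3:
            (discovery if current is None else current).append(tuple(words[1:]))
    return discovery, targets

def audit(ietd_text, allow_text):
    """Return findings for missing CHAP, open address rules and short secrets.
    initiators.allow lines are read as '<target or ALL> <address>[, <address>]'."""
    discovery, targets = parse_ietd(ietd_text)
    rules = {l.split()[0]: re.split(r"[,\s]+", l)[1:] for l in _lines(allow_text)}
    findings = []
    for iqn, users in targets.items():
        if not users:
            findings.append(f"{iqn}: no IncomingUser, login is not protected by CHAP")
        if "ALL" in rules.get(iqn, rules.get("ALL", [])):
            findings.append(f"{iqn}: initiators.allow accepts any address")
    for scope, users in [("discovery", discovery), *targets.items()]:
        findings += [f"{scope}: secret for {user} has only {len(secret)} characters"
                     for user, secret in users if len(secret) < MIN_SECRET_LEN]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(IETD_CONF, INITIATORS_ALLOW)))
```

Keeping the per-target address lines in initiators.allow alongside the IncomingUser accounts applies both authorization methods at once.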


(3) Configure the Linux initiator host

Modify the /etc/iscsi/iscsid.conf file and add the following options:

# The following three are for login
# Enable CHAP verification at login.
node.session.auth.authmethod = CHAP
# User name for verification; it can be any characters, but must be the same as the name configured in IncomingUser on the target end.
node.session.auth.username = login.linux.auth
# Password for verification; it must be consistent with the password set by the IncomingUser option of the target.
node.session.auth.password = linuxsecret

# The following three are for discovery
# Enable CHAP verification during discovery.
discovery.sendtargets.auth.authmethod = CHAP
# User name for verification; it can be any characters, but must be the same as the name configured in IncomingUser on the target end.
discovery.sendtargets.auth.username = discovery.auth
# Password for verification; it must be consistent with the password set by the IncomingUser option on the target side.
discovery.sendtargets.auth.password = discoverysecret

After the configuration is complete, restart the initiator and re-run the discovery query as follows:

# /etc/init.d/iscsi restart

# iscsiadm -m discovery -t sendtargets -p 192.168.12.246
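Why the initiator's username and password must match the target's IncomingUser entry, shown as an added example that is not part of the original article: a simplified model of the CHAP exchange (MD5, as in RFC 1994) with no iSCSI PDU framing. The Target class and the login function are hypothetical names; the account values are the ones used on this page.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """CHAP with MD5: hash of the identifier byte, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class Target:
    """Target side: holds the IncomingUser accounts and issues one-time challenges."""

    def __init__(self, incoming_users):
        self.incoming_users = dict(incoming_users)  # user name -> secret
        self.pending = None

    def challenge(self):
        # Identifier and challenge travel in the clear; the secret never does.
        self.pending = (os.urandom(1)[0], os.urandom(16))
        return self.pending

    def verify(self, username, response):
        if self.pending is None:
            return False
        identifier, challenge = self.pending
        self.pending = None  # each challenge is accepted once, so a replay fails
        secret = self.incoming_users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def login(target, username, password):
    """Initiator side: answer the challenge with the values from iscsid.conf."""
    identifier, challenge = target.challenge()
    return target.verify(username, chap_response(identifier, password, challenge))

if __name__ == "__main__":
    sdc = Target({"login.linux.auth": "linuxsecret"})
    print(login(sdc, "login.linux.auth", "linuxsecret"))    # matching account
    print(login(sdc, "login.linux.auth", "windowssecret"))  # wrong password
```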




This article is from the "diaosi life" blog and will not be reproduced!
