序言
更换系统后需要一个网络文件存储用于备份文件,本想用NFS多方便,但是timeshift不支持网络存储,备份路径必须是一个块存储设备,
但是你还必须分好文件系统,这不是多此一举???反正我只用rsync进行同步
于是使用iscsi满足它的需求,因为iscsi连接后获取到的就是一个块存储设备
在配置过程中参考了很多网友写的博客 很有参考价值 非常感谢
《Linux下搭建iSCSI共享存储的方法 Linux-IO Target 方式 Debian9.5下实现》
他写的很全面,我在这里只记录我用到的部分
简述
iSCSI,通过TCP/IP网络传输SCSI命令提供对存储设备的块级访问,属于SAN存储,因此又叫IP-SAN,默认端口3260/TCP。
也就是说通过iSCS获取到的是一个真实的或者虚拟的存储设备,连接之后会多出一个硬件设备,就像一块本机硬盘一样,你需要在上面建立文件系统后才能使用。
而NFS、SMB等获取到的只是一个挂载点,与文件系统无关,连接后即可以使用。
客户端称为initiators,服务器上的存储目标称为target,客户端发现服务器上存储目标的过程叫discovery。
安装与配置
基于Debian/Ubuntu的发行版可以直接通过apt命令安装
服务器 | 客户端 | |
安装 | sudo apt install targetcli-fb | sudo apt install open-iscsi |
配置程序 | targetcli | iscsiadm |
相关服务 | targetclid.server | iscsid.service |
配置文件目录 | /etc/rtslib-fb-target/ | /etc/iscsi |
服务器配置 以root权限运行targetcli
sudo targetcli
该工具的使用类似linux下shell的使用
ls查看目录
set 配置参数
saceconfig 保存配置文件 默认位置 /etc/rtslib-fb-target/saveconfig.json
默认设置每次退出后会自动保存配置到该位置,之前的配置会备份到/etc/rtslib-fb-target/backup中,
并且使用gzip压缩归档,文件后缀名为gz,如果需要使用targetctl恢复,需要先使用gzip解压后才能导入配置
/> ls
o- / .................................................................................... [...]
o- backstores ......................................................................... [...]
| o- block ............................................................. [Storage Objects: 0]
| o- fileio ............................................................ [Storage Objects: 0]
| o- pscsi ............................................................. [Storage Objects: 0]
| o- ramdisk ........................................................... [Storage Objects: 0]
o- iscsi ....................................................................... [Targets: 0]
o- loopback .................................................................... [Targets: 0]
o- vhost ....................................................................... [Targets: 0]
o- xen-pvscsi .................................................................. [Targets: 0]
/>
简单的使用只需要了解两个目录backstorages和iscsi
其中backstorages是后端存储
block是块存储设备,简单的说就是连接到本机的硬盘驱动器
fileio是文件存储,简单地说就像虚拟机的镜像文件,raw,qcow2那样的镜像
pscsi是连接到本机的scsi设备,我还没用过这种设备,只在书上见过
ramdisk就是内存盘,linux上的tmpfs就属于这种,如果服务器内存很大,可以划出一部分内存做临时存储用
iscsi里面就是要配置的存储目标target
1. 添加存储设备
我使用qemu-img创建一块磁盘镜像作为存储设备
qemu-img create -f qcow2 -o preallocation=falloc /mnt/ext4linux/var/iscsi/storage-1.qcow2 20G
其中 preallocation=falloc 参数的作用是立即分配空间 但不填充 参考 《qemu-img create创建磁盘》
使用targetcli 他提供了彩色的文字方便检查配置 绿色的配置为有效配置 红色的为无效配置 白色的为默认配置
要注意不同的目录下可用的命令和选项不相同
进入/backstores/fileio目录下,使用create命令添加存储设备
/> backstores/fileio create name=demo1 file_or_dev=/mnt/ext4linux/var/iscsi/storage-1.qcow2
Created fileio demo1 with size 21478375424
/> ls
o- / .................................................................................... [...]
o- backstores ......................................................................... [...]
| o- block ............................................................. [Storage Objects: 0]
| o- fileio ............................................................ [Storage Objects: 1]
| | o- demo1 .... [/mnt/ext4linux/var/iscsi/storage-1.qcow2 (20.0GiB) write-back deactivated]
| | o- alua .............................................................. [ALUA Groups: 1]
| | o- default_tg_pt_gp .................................. [ALUA state: Active/optimized]
| o- pscsi ............................................................. [Storage Objects: 0]
| o- ramdisk ........................................................... [Storage Objects: 0]
o- iscsi ....................................................................... [Targets: 0]
o- loopback .................................................................... [Targets: 0]
o- vhost ....................................................................... [Targets: 0]
o- xen-pvscsi .................................................................. [Targets: 0]
/>
2. 添加存储目标
进入/iscsi目录后,使用create命令添加存储目标
/> iscsi/ create iqn.2021-12.cn.erika.iscsi:erika-ge.storage
Created target iqn.2021-12.cn.erika.iscsi:erika-ge.storage.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/> ls
o- / .................................................................................... [...]
o- backstores ......................................................................... [...]
| o- block ............................................................. [Storage Objects: 0]
| o- fileio ............................................................ [Storage Objects: 1]
| | o- demo1 .... [/mnt/ext4linux/var/iscsi/storage-1.qcow2 (20.0GiB) write-back deactivated]
| | o- alua .............................................................. [ALUA Groups: 1]
| | o- default_tg_pt_gp .................................. [ALUA state: Active/optimized]
| o- pscsi ............................................................. [Storage Objects: 0]
| o- ramdisk ........................................................... [Storage Objects: 0]
o- iscsi ....................................................................... [Targets: 1]
| o- iqn.2021-12.cn.erika.iscsi:erika-ge.storage .................................. [TPGs: 1]
| o- tpg1 .......................................................... [no-gen-acls, no-auth]
| o- acls ..................................................................... [ACLs: 0]
| o- luns ..................................................................... [LUNs: 0]
| o- portals ............................................................... [Portals: 1]
| o- 0.0.0.0:3260 ................................................................ [OK]
o- loopback .................................................................... [Targets: 0]
o- vhost ....................................................................... [Targets: 0]
o- xen-pvscsi .................................................................. [Targets: 0]
/>
创建的时候如果不加IQN名称 则会生成一个随机的 如果指定一个 需要遵循一定的格式 具体参考RFC3720
前面的iqn是固定的 必须要有 后面的日期通常为创建该存储目标的日期 然后是反向域名 就和DNS的差不多
没有域名就自己编一个 又不用去注册 只为了作为标识 然后跟个冒号 冒号后面是该存储目标的识别名称
3. 关联存储设备
进入/iscsi/你设置的iqn目标/tpg1/luns目录下,使用create命令关联存储设备
/> iscsi/iqn.2021-12.cn.erika.iscsi:erika-ge.storage/tpg1/luns create /backstores/fileio/demo1
Created LUN 0.
/> ls
o- / .................................................................................... [...]
o- backstores ......................................................................... [...]
| o- block ............................................................. [Storage Objects: 0]
| o- fileio ............................................................ [Storage Objects: 1]
| | o- demo1 ...... [/mnt/ext4linux/var/iscsi/storage-1.qcow2 (20.0GiB) write-back activated]
| | o- alua .............................................................. [ALUA Groups: 1]
| | o- default_tg_pt_gp .................................. [ALUA state: Active/optimized]
| o- pscsi ............................................................. [Storage Objects: 0]
| o- ramdisk ........................................................... [Storage Objects: 0]
o- iscsi ....................................................................... [Targets: 1]
| o- iqn.2021-12.cn.erika.iscsi:erika-ge.storage .................................. [TPGs: 1]
| o- tpg1 .......................................................... [no-gen-acls, no-auth]
| o- acls ..................................................................... [ACLs: 0]
| o- luns ..................................................................... [LUNs: 1]
| | o- lun0 [fileio/demo1 (/mnt/ext4linux/var/iscsi/storage-1.qcow2) (default_tg_pt_gp)]
| o- portals ............................................................... [Portals: 1]
| o- 0.0.0.0:3260 ................................................................ [OK]
o- loopback .................................................................... [Targets: 0]
o- vhost ....................................................................... [Targets: 0]
o- xen-pvscsi .................................................................. [Targets: 0]
/>
这个时候还不能使用客户端访问存储,因为没有配置认证,先写一下客户端发现并连接服务器的方法
# 发现目标 如果服务器端口号是默认的3260 则可以省略
sudo iscsiadm -m discovery -t sendtargets -p <ip:port>
# 登录目标节点 iqn写目标节点的iqn
sudo iscsiadm -m node -T <iqn> -p <ip:port> -l
# 登出目标节点 记得先umount 防止数据丢失
sudo iscsiadm -m node -T <iqn> -p <ip:port> -u
# 删除目标节点 这里是删除本机对该目标节点的记录
sudo iscaiadm -m node -T <iqn> -o delete
这里我们先尝试连接看看会如何
e@kvm-ubuntu-01:/etc/iscsi$ sudo iscsiadm -m discovery -t sendtargets -p 172.20.0.65
172.20.0.65:3260,1 iqn.2021-12.cn.erika.iscsi:erika-ge.storage
e@kvm-ubuntu-01:/etc/iscsi$ sudo iscsiadm -m node -T iqn.2021-12.cn.erika.iscsi:erika-ge.storage -l
Logging in to [iface: default, target: iqn.2021-12.cn.erika.iscsi:erika-ge.storage, portal: 172.20.0.65,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.2021-12.cn.erika.iscsi:erika-ge.storage, portal: 172.20.0.65,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
需要在服务器上配置一下认证,即使不想使用认证也需要配置
命令很简单,进入/iscsi/你设置的iqn/tpg1目录下,使用set命令设置generate_node_acls为1
/> iscsi/iqn.2021-12.cn.erika.iscsi:erika-ge.storage/tpg1/ set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.
/> ls
o- / .................................................................................... [...]
o- backstores ......................................................................... [...]
| o- block ............................................................. [Storage Objects: 0]
| o- fileio ............................................................ [Storage Objects: 1]
| | o- demo1 ...... [/mnt/ext4linux/var/iscsi/storage-1.qcow2 (20.0GiB) write-back activated]
| | o- alua .............................................................. [ALUA Groups: 1]
| | o- default_tg_pt_gp .................................. [ALUA state: Active/optimized]
| o- pscsi ............................................................. [Storage Objects: 0]
| o- ramdisk ........................................................... [Storage Objects: 0]
o- iscsi ....................................................................... [Targets: 1]
| o- iqn.2021-12.cn.erika.iscsi:erika-ge.storage .................................. [TPGs: 1]
| o- tpg1 ............................................................. [gen-acls, no-auth]
| o- acls ..................................................................... [ACLs: 0]
| o- luns ..................................................................... [LUNs: 1]
| | o- lun0 [fileio/demo1 (/mnt/ext4linux/var/iscsi/storage-1.qcow2) (default_tg_pt_gp)]
| o- portals ............................................................... [Portals: 1]
| o- 0.0.0.0:3260 ................................................................ [OK]
o- loopback .................................................................... [Targets: 0]
o- vhost ....................................................................... [Targets: 0]
o- xen-pvscsi .................................................................. [Targets: 0]
/>
设置完后查看当前配置,会发现该iqn下的acls后面的中括号里 no-gen-acls变成了gen-acls,而且文字颜色变成了绿色,说明可以访问了
但要注意,只配置generate_node_acls的话该目标是只读的状态,应该是为了安全,毕竟不需要认证就能访问
在该iqn下的tpg1目录下查看属性 get attribute 就能看到有一条
generate_node_acls=1
--------------------
If set to 1, allow all initiators to login (i.e. demo mode).
如果设置成1,则该节点为demo模式,如果需要写入,还需要设置属性demo_mode_write_protect=0,这样才能写入,然后再次连接
e@kvm-ubuntu-01:/etc/iscsi$ sudo iscsiadm -m node -T iqn.2021-12.cn.erika.iscsi:erika-ge.storage -l
Logging in to [iface: default, target: iqn.2021-12.cn.erika.iscsi:erika-ge.storage, portal: 172.20.0.65,3260] (multiple)
Login to [iface: default, target: iqn.2021-12.cn.erika.iscsi:erika-ge.storage, portal: 172.20.0.65,3260] successful.
客户端查看当前的磁盘列表
e@kvm-ubuntu-01:/$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 86.9M 1 loop /snap/core/4917
sda 8:0 0 20G 0 disk
sr0 11:0 1 1024M 0 rom
vda 252:0 0 30G 0 disk
├─vda1 252:1 0 1M 0 part
└─vda2 252:2 0 30G 0 part /
上面20G未分区的sda就是连接到的目标节点,之后可以使用fdisk之类的软件进行分区,然后挂载使用,就像本地硬盘一样使用
4. 配置认证
请注意,iscsi的认证可能有缓存,因此如果下面的步骤如果发生认证错误,请在客户端删除发现记录后重新发现然后尝试连接
在上面的操作完成后,任何一台机器都能挂载该节点,完全没有安全性可言,因此我们需要添加认证
认证分两类:发现认证和登录(会话)认证,这两类认证又各自有单向认证和双向认证
双向认证是在单向认证的基础上,服务器向客户端确认认证信息用的,在一定程度上能避免中间人攻击
4.1. 发现认证
发现认证用于客户端发现服务器上可用的节点,属于全局认证,需要在/iscsi目录下进行
/> cd iscsi/
/iscsi> get discovery_auth
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=False # 用来启用或者禁用发现认证
-----------
The enable discovery_auth parameter.
mutual_password= # 双向认证的密码
----------------
The mutual_password discovery_auth parameter.
mutual_userid= # 双向认证的用户名
--------------
The mutual_userid discovery_auth parameter.
password= # 单向认证的密码
-------------------
The password discovery_auth parameter.
userid= # 双向认证的密码
-------------
The userid discovery_auth parameter.
我这里只配置单向认证
/iscsi> set discovery_auth enable=1
Parameter enable is now 'True'.
/iscsi> set discovery_auth userid=admin
Parameter userid is now 'admin'.
/iscsi> set discovery_auth password=admin@r00t
Parameter password is now 'admin@r00t'.
/iscsi> get discovery_auth
DISCOVERY_AUTH CONFIG GROUP
===========================
enable=True
-----------
The enable discovery_auth parameter.
mutual_password=
----------------
The mutual_password discovery_auth parameter.
mutual_userid=
--------------
The mutual_userid discovery_auth parameter.
password=admin@r00t
-------------------
The password discovery_auth parameter.
userid=admin
------------
The userid discovery_auth parameter.
配置完后客户端也需要做相应的配置,修改文件/etc/iscsi/iscsid.conf
# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP # 去掉注释 启用发现认证
# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = admin # 去掉注释 写上用户名
discovery.sendtargets.auth.password = admin@r00t # 去掉注释 写上密码
# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
#discovery.sendtargets.auth.username_in = username_in
#discovery.sendtargets.auth.password_in = password_in
# 这两行是发现认证的双向认证的配置
重启iscsid服务,执行发现命令,成功后结果如下
e@kvm-ubuntu-01:~$ sudo iscsiadm -m discovery -t sendtargets -p 172.20.0.65
172.20.0.65:3260,1 iqn.2021-12.cn.erika.iscsi:erika-ge.storage
如果发现认证失败,则会如下
iscsiadm: Login failed to authenticate with target
iscsiadm: discovery login to 172.20.0.65 rejected: initiator failed authorization
iscsiadm: Could not perform SendTargets discovery: iSCSI login failed due to authorization failure
4.2. 配置登录认证
一个服务器下可以配置多个目标节点(target),如果不配置登录认证,则通过发现认证的客户端可以连接所有的目标节点
举个例子,一个小公司使用iscsi做中央存储服务器,分给每个员工1T空间作为网络存储。
如果不设置登录认证,则每个员工都可以随意连接该服务器上的节点。
配置过程如下,进入/iscsi/你设置的iqn目标/tpg1/ 目录下
使用set命令设置属性 set attribute generate_node_acls=0,因为要自定义访问规则,因此要把自动生成的访问规则去掉
使用set命令设置属性 set attribute authentication=1,目的是启用登录认证
然后进入acls下,使用create命令创建允许访问的客户端的iqn,这个iqn一会要填在客户端的/etc/iscsi/initiatorname.iscsi文件中
然后执行ls命令会发现该iqn后面的中括号里面的文字是红色的,说明缺少配置信息,配置无效,因为这时还没有配置认证信息,继续
进入到创建的客户读的iqn目录下,使用set命令设置单向认证信息
/> cd iscsi/iqn.2021-12.cn.erika.iscsi:erika-ge.storage/tpg1/
/iscsi/iqn.20....storage/tpg1> ls
o- tpg1 ........................................................... [no-gen-acls, auth per-acl]
o- acls ........................................................................... [ACLs: 0]
o- luns ........................................................................... [LUNs: 1]
| o- lun0 ...... [fileio/demo1 (/mnt/ext4linux/var/iscsi/storage-1.qcow2) (default_tg_pt_gp)]
o- portals ..................................................................... [Portals: 1]
o- 0.0.0.0:3260 ...................................................................... [OK]
/iscsi/iqn.20....storage/tpg1> set attribute authentication=1
Parameter authentication is now '1'.
/iscsi/iqn.20....storage/tpg1> set attribute generate_node_acls=0
Parameter generate_node_acls is now '0'.
/iscsi/iqn.20....storage/tpg1> acls/ create iqn.2021-12.cn.erika.iscsi:kvm-ubuntu.client
Created Node ACL for iqn.2021-12.cn.erika.iscsi:kvm-ubuntu.client
Created mapped LUN 0.
/iscsi/iqn.20....storage/tpg1> cd acls/iqn.2021-12.cn.erika.iscsi:kvm-ubuntu.client/
/iscsi/iqn.20...ubuntu.client> set auth userid=e
Parameter userid is now 'e'.
/iscsi/iqn.20...ubuntu.client> set auth password=admin@r00t
Parameter password is now 'admin@r00t'.
/iscsi/iqn.20...ubuntu.client> cd iscsi/iqn.2021-12.cn.erika.iscsi:erika-ge.storage/tpg1/
/iscsi/iqn.20....storage/tpg1> ls
o- tpg1 ........................................................... [no-gen-acls, auth per-acl]
o- acls ........................................................................... [ACLs: 1]
| o- iqn.2021-12.cn.erika.iscsi:kvm-ubuntu.client .............. [1-way auth, Mapped LUNs: 1]
| o- mapped_lun0 ................................................. [lun0 fileio/demo1 (rw)]
o- luns ........................................................................... [LUNs: 1]
| o- lun0 ...... [fileio/demo1 (/mnt/ext4linux/var/iscsi/storage-1.qcow2) (default_tg_pt_gp)]
o- portals ..................................................................... [Portals: 1]
o- 0.0.0.0:3260 ...................................................................... [OK]
/iscsi/iqn.20....storage/tpg1> cd /
/> ls
o- / .................................................................................... [...]
o- backstores ......................................................................... [...]
| o- block ............................................................. [Storage Objects: 0]
| o- fileio ............................................................ [Storage Objects: 1]
| | o- demo1 ...... [/mnt/ext4linux/var/iscsi/storage-1.qcow2 (20.0GiB) write-back activated]
| | o- alua .............................................................. [ALUA Groups: 1]
| | o- default_tg_pt_gp .................................. [ALUA state: Active/optimized]
| o- pscsi ............................................................. [Storage Objects: 0]
| o- ramdisk ........................................................... [Storage Objects: 0]
o- iscsi ...................................................... [1-way disc auth, Targets: 1]
| o- iqn.2021-12.cn.erika.iscsi:erika-ge.storage .................................. [TPGs: 1]
| o- tpg1 ..................................................... [no-gen-acls, auth per-acl]
| o- acls ..................................................................... [ACLs: 1]
| | o- iqn.2021-12.cn.erika.iscsi:kvm-ubuntu.client ........ [1-way auth, Mapped LUNs: 1]
| | o- mapped_lun0 ........................................... [lun0 fileio/demo1 (rw)]
| o- luns ..................................................................... [LUNs: 1]
| | o- lun0 [fileio/demo1 (/mnt/ext4linux/var/iscsi/storage-1.qcow2) (default_tg_pt_gp)]
| o- portals ............................................................... [Portals: 1]
| o- 0.0.0.0:3260 ................................................................ [OK]
o- loopback .................................................................... [Targets: 0]
o- vhost ....................................................................... [Targets: 0]
o- xen-pvscsi .................................................................. [Targets: 0]
/>
设置完成后,配置的客户端iqn后面的中括号里面的文字会变成绿色
然后修改客户端的配置文件/etc/iscsi/initiatorname.iscsi
将InitiatorName=后面的改成上面配置的客户端的iqn
然后修改客户端的配置文件/etc/iscsi/iscsid.conf
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP # 去掉注释 启用登录认证
# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = e # 去掉注释 写上用户名
node.session.auth.password = admin@r00t # 去掉注释 写上密码
重启服务iscsid,删除节点记录后重新发现并登录
e@kvm-ubuntu-01:/etc/iscsi$ sudo iscsiadm -m node -T iqn.2021-12.cn.erika.iscsi:erika-ge.storage -o delete
e@kvm-ubuntu-01:/etc/iscsi$ sudo iscsiadm -m discovery -t sendtargets -p 172.20.0.65
172.20.0.65:3260,1 iqn.2021-12.cn.erika.iscsi:erika-ge.storage
e@kvm-ubuntu-01:/etc/iscsi$ sudo iscsiadm -m node -T iqn.2021-12.cn.erika.iscsi:erika-ge.storage -l
Logging in to [iface: default, target: iqn.2021-12.cn.erika.iscsi:erika-ge.storage, portal: 172.20.0.65,3260] (multiple)
Login to [iface: default, target: iqn.2021-12.cn.erika.iscsi:erika-ge.storage, portal: 172.20.0.65,3260] successful.
到这里就结束了 谢谢观看