Red Hat 7 / CentOS 7 - iSCSI Target with LIO

Red Hat 7 comes with LIO as default iSCSI target, thus replacing TGT Target. targetcli is the management shell for LIO and provides an easy way to create and export LUNs.


Replacing tgtd with LIO has proven to be controversial amongst kernel developers, as Sebastian Riemer writes a comparison between LIO, IET, SCST and TGT.  The whole email can be found here.

This table compares a few features between the two:
(NOTE: these may change as new features are added to LIO or TGT)




TGT
LIO
Architecture
User space only
Kernel space only
ALUA
NO
YES
Failover Clustering
YES
YES
CPU affinity control
NO
YES
SCSI MIBs
NO
YES
FCoE
YES
YES
Native RAMDISK
NO
YES
Per-initiators targets visibility control
YES
NO
Support for iSCSI redirects
YES
NO
Support for iSNS
YES
NO
Bidirectional Commands
YES
NO


For sys admins who are used to tgtadm the switch to targetcli might be a bit of a learning curve, but one soon will find targetcli is very easy to use and very intuitive. It has a tree-like structure and also tab-completion..
Another difference is that one can create LUNs directly with targetcli, as opposed to tgtadm where one must use a utility like truncate or dd to create the LUN files.

NOTE: One can configure LIO using lio-utils (which are replaced by targetcli, however lio-utils can be used). See this article.

I will created a directory /luns where I will store the LUN files and create a few LUNs that I will map to the iSCSI target portal.

1. Start LIO target

[root@server1 ~]# systemctl start target
[root@server1 ~]# systemctl status target
target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; disabled)
   Active: active (exited) since Wed 2014-09-24 23:29:41 BST; 1s ago
  Process: 4151 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)
 Main PID: 4151 (code=exited, status=0/SUCCESS)
Sep 24 23:29:41 server1 systemd[1]: Starting Restore LIO kernel target configuration...
Sep 24 23:29:41 server1 systemd[1]: Started Restore LIO kernel target configuration.

2. Create a directory to contain my LUNs

[root@server1 ~]# mkdir /luns

3. Access targetcli

[root@server1 ~]# targetcli
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> 

The default tree structure has no iqns, tpgs or luns configured.

/> ls
o- / ......................................................................................................................... [...]
  o- backstores .............................................................................................................. [...]
  | o- block .................................................................................................. [Storage Objects: 0]
  | o- fileio ................................................................................................. [Storage Objects: 0]
  | o- pscsi .................................................................................................. [Storage Objects: 0]
  | o- ramdisk ................................................................................................ [Storage Objects: 0]
  o- iscsi ............................................................................................................ [Targets: 0]
  o- loopback ......................................................................................................... [Targets: 0]
/> 

The targetcli shell supports commands like cd, pwd, cd .. ls for general management.

/> cd iscsi 
/iscsi> 


4. Create targets, TPGs and LUNs.

In iscsi I can create a target iqn with the create command. I can define my own iqn or get one by default. A target portal group will be created automatically.

/iscsi> create 
Created target iqn.2003-01.org.linux-iscsi.server1.x8664:sn.c8ec20f691ae.
Created TPG 1.
/iscsi> 

/iscsi> ls
o- iscsi .............................................................................................................. [Targets: 1]
  o- iqn.2003-01.org.linux-iscsi.server1.x8664:sn.c8ec20f691ae ........................................................... [TPGs: 1]
    o- tpg1 ................................................................................................. [no-gen-acls, no-auth]
      o- acls ............................................................................................................ [ACLs: 0]
      o- luns ............................................................................................................ [LUNs: 0]
      o- portals ...................................................................................................... [Portals: 0]


I can now cd into the iqn and tpg1 and create LUNs and set ACLs.
One can also create multiple TGPs with different ACLs and portals defined, for better access management, if one wants to allow only certain initiators access only certain LUNs and so on.

To create a LUN I first need to navigate to backstores.

/iscsi> cd /backstores/
/backstores> ls
o- backstores ................................................................................................................ [...]
  o- block .................................................................................................... [Storage Objects: 0]
  o- fileio ................................................................................................... [Storage Objects: 0]
  o- pscsi .................................................................................................... [Storage Objects: 0]
  o- ramdisk .................................................................................................. [Storage Objects: 0]
/backstores> 


I will create a “classic” LUN, sparse=true for thin provisioning, not use a RAMDISK or block device (a disk).

/backstores/fileio> create lun1 /luns/lun1.img 2G sparse=true
Created fileio lun1 with size 2147483648
/backstores/fileio> 
/backstores/fileio> ls
o- fileio ..................................................................................................... [Storage Objects: 1]
  o- lun1 ......................................................................... [/luns/lun1.img (2.0GiB) write-back deactivated]

The LUN must be mapped:
Navigate to

/> cd iscsi/iqn.2003-01.org.linux-iscsi.server1.x8664:sn.c8ec20f691ae/tpg1/luns
/iscsi/iqn.20...1ae/tpg1/luns> create storage_object=/backstores/fileio/lun1 lun=1
Created LUN 1.
/iscsi/iqn.20...1ae/tpg1/luns> 

I now need to create a portal to tell the daemon to listen for incoming connections:
Default IP is 0.0.0.0 (all)

/backstores/fileio> cd /iscsi/iqn.2003-01.org.linux-iscsi.server1.x8664:sn.c8ec20f691ae/tpg1/portals
/iscsi/iqn.20.../tpg1/portals> create
Using default IP port 3260
Created network portal 0.0.0.0:3260.
/iscsi/iqn.20.../tpg1/portals> 

To allow the initiator to connect I need to add its initiator iqn to the ACLs.
The initiator’s iqn is found in /etc/iscsi/initiatorname.iscsi

> cd /iscsi/iqn.2003-01.org.linux-iscsi.server1.x8664:sn.c8ec20f691ae/tpg1/acls
/iscsi/iqn.20...1ae/tpg1/acls> create iqn.2005-03.org.open-iscsi:c04e8f17af18
Created Node ACL for iqn.2005-03.org.open-iscsi:c04e8f17af18
Created mapped LUN 1.
/iscsi/iqn.20...1ae/tpg1/acls> 

On the client I can now login and see the LUN as a local disk:

# iscsiadm -m discovery -t sendtargets -p 192.168.202.100
# iscsiadm -m node -L all
# journalctl -r
archlinux kernel: sd 11:0:0:1: [sdb] Attached SCSI disk
archlinux kernel:  sdb: unknown partition table
archlinux kernel: sd 11:0:0:1: [sdb] Write cache: enabled, read cache: enabled, supports DPO and FUA
archlinux kernel: sd 11:0:0:1: [sdb] Mode Sense: 43 00 10 08
archlinux kernel: sd 11:0:0:1: [sdb] Write Protect is off
archlinux kernel: sd 11:0:0:1: [sdb] 4194304 512-byte logical blocks: (2.14 GB/2.00 GiB)
archlinux kernel: scsi 11:0:0:1: Direct-Access     LIO-ORG  lun1             4.0  PQ: 0 ANSI: 5
archlinux kernel: scsi11 : iSCSI Initiator over TCP/IP

On the server my working configuration looks like this:

/> ls
o- / ......................................................................................................................... [...]
  o- backstores .............................................................................................................. [...]
  | o- block .................................................................................................. [Storage Objects: 0]
  | o- fileio ................................................................................................. [Storage Objects: 1]
  | | o- lun1 ....................................................................... [/luns/lun1.img (2.0GiB) write-back activated]
  | o- pscsi .................................................................................................. [Storage Objects: 0]
  | o- ramdisk ................................................................................................ [Storage Objects: 0]
  o- iscsi ............................................................................................................ [Targets: 1]
  | o- iqn.2003-01.org.linux-iscsi.server1.x8664:sn.c8ec20f691ae ......................................................... [TPGs: 1]
  |   o- tpg1 ............................................................................................... [no-gen-acls, no-auth]
  |     o- acls .......................................................................................................... [ACLs: 1]
  |     | o- iqn.2005-03.org.open-iscsi:c04e8f17af18 .............................................................. [Mapped LUNs: 1]
  |     |   o- mapped_lun1 ................................................................................. [lun1 fileio/lun1 (rw)]
  |     o- luns .......................................................................................................... [LUNs: 1]
  |     | o- lun1 ................................................................................... [fileio/lun1 (/luns/lun1.img)]
  |     o- portals .................................................................................................... [Portals: 1]
  |       o- 0.0.0.0:3260 ..................................................................................................... [OK]
  o- loopback ......................................................................................................... [Targets: 0]
/> 


Enter saveconfig at /

/> saveconfig
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
/> 

5. Changing config

targetcli provides an easy way to change the configuration and attributes for LUNs, tpgs, acls etc.

For example to change LUN attributes navigate to the LUN you want to change attributes for, and choose from the options:

/> cd backstores/fileio/lun1 
/backstores/fileio/lun1> set attribute 
block_size=                           emulate_tas=          fabric_max_sectors=           queue_depth=                
emulate_dpo=                      emulate_tpu=           is_nonrot=                    unmap_granularity=           
emulate_fua_read=             emulate_tpws=                 max_unmap_block_desc_count=   unmap_granularity_alignment=  
emulate_fua_write=            emulate_ua_intlck_ctrl=       max_unmap_lba_count=          
emulate_model_alias=          emulate_write_cache=          max_write_same_len=           
emulate_rest_reord=           enforce_pr_isids=             optimal_sectors=              
.......................................keyword=
/backstores/fileio/lun1> get attribute max_write_same_len
max_write_same_len=4096 
/backstores/fileio/lun1> set attribute max_write_same_len=2048
Parameter max_write_same_len is now '2048'.

To enable user based authentication navigate to your tpg and do:

/iscsi/iqn.20...20f691ae/tpg1> get auth
AUTH CONFIG GROUP
=================
mutual_password=
----------------
The mutual_password auth parameter.

mutual_userid=
--------------
The mutual_userid auth parameter.

password=
---------
The password auth parameter.

userid=
-------
The userid auth parameter.

/iscsi/iqn.20...20f691ae/tpg1> set auth userid=iscsi_user password=’your password’

Some options, like login timeout, can also be changed here

/iscsi/iqn.20...20f691ae/tpg1> get attribute login_timeout 
login_timeout=15 
/iscsi/iqn.20...20f691ae/tpg1> set attribute login_timeout=30
Parameter login_timeout is now '30'.
/iscsi/iqn.20...20f691ae/tpg1> 

Tweaking the configuration and attributes is a matter of understanding your system and knowing what requirements are in place.