iSCSI Authentication Configuration

Set up with the LinuxIO (LIO) software target and its tooling

Terms:

  Endpoint: the combination of a target name and an explicit or masked TPG (IQN/WWN + tag).

  Initiator: the controlling device that opens and closes SCSI sessions; typically a computer.

  Target: the receiving end of a SCSI session, usually a device such as a disk drive, tape drive or scanner.

  IQN (iSCSI Qualified Name): an iSCSI name format that uniquely identifies each device in the world (for example iqn.5886.com.acme.tapedrive.sn-a12345678).

  Network Portal: the combination of an iSCSI endpoint with an IP address and TCP port. The IANA-assigned TCP port for the iSCSI protocol is 3260.

  TPG (Target Portal Group): a list of IP addresses and TCP ports that determines which interfaces a given iSCSI target listens on.

  WWN (World Wide Name): a unique identifier for a specific Fibre Channel or InfiniBand target. Each WWN is an 8-byte number derived from an IEEE OUI and vendor-supplied information.

Kernel version: Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

targetcli version: /usr/bin/targetcli version 2.1.fb46

iscsid version: iscsid version 6.2.0.874-10

iSCSI authentication (CHAP)

Relationship and differences between the three CHAP levels:

  • discovery CHAP: global authentication. Only initiators that pass it can see the exported devices.
  • TPG CHAP: target-wide authentication for one target that grants read-only access. To use the TPG-level username and password you must not configure LUN-level ACLs, because a LUN-level ACL has higher priority and overrides the TPG-level credentials. Without ACLs the authentication works as expected, but after mounting the device the initiator has read permission only, not write permission.
  • LUN ACL CHAP: the most precise access control. Once configured, the initiator must present the WWN (initiator IQN) the ACL was created for, so that the ACL's username and password are used for CHAP; otherwise iSCSI cannot tell which ACL's credentials the initiator is presenting, and even an initiator that discovers the target and logs in successfully does not get write access to the LUN.
Configure targetcli with discovery authentication and TPG authentication; after authenticating, the disk is read-only
# Enter targetcli interactive mode
[root@localhost ~]# targetcli
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

# discovery CHAP:
# 1. Enable discovery CHAP authentication
/> cd iscsi/
/iscsi> 
# All of the following commands are run in this directory
/iscsi> set discovery_auth enable=1
# 2. Set one-way CHAP: the initiator must present the username and password set here before it can discover the targets exported by iSCSI.
/iscsi> set discovery_auth userid=disUser password=dis123456
# 3. Set mutual CHAP: the initiator presents the target-side credentials set above, and the target must in turn present the credentials configured on the initiator, or authentication fails.
/iscsi> set discovery_auth mutual_userid=ClientDisUser mutual_password=dis654321
# 4. Query the configuration:
/iscsi> get discovery_auth

DISCOVERY_AUTH CONFIG GROUP
===========================
enable=True
-----------
The enable discovery_auth parameter.

mutual_password=dis654321
-------------------------
The mutual_password discovery_auth parameter.

mutual_userid=ClientDisUser
---------------------------
The mutual_userid discovery_auth parameter.

password=dis123456
------------------
The password discovery_auth parameter.

userid=disUser
--------------
The userid discovery_auth parameter.

# Set target-wide (TPG) authentication. For this mode there must be no client entries under acls, otherwise the authentication does not take effect. After authenticating, the block device is read-only (demonstrated below).
/iscsi> cd iqn.2021-06.com.test.www:backstorage/tpg1/
/iscsi/iqn.20...kstorage/tpg1> get auth
AUTH CONFIG GROUP
=================
mutual_password=
----------------
The mutual_password auth parameter.

mutual_userid=
--------------
The mutual_userid auth parameter.

password=
---------
The password auth parameter.

userid=
-------
The userid auth parameter.

/iscsi/iqn.20...kstorage/tpg1> set attribute authentication=1 generate_node_acls=1
Parameter authentication is now '1'.
Parameter generate_node_acls is now '1'.
/iscsi/iqn.20...kstorage/tpg1> set auth userid=tpguser1 password=tgppasswd1
Parameter password is now 'tgppasswd1'.
Parameter userid is now 'tpguser1'.
/iscsi/iqn.20...kstorage/tpg1> set auth mutual_userid=ClientTPGuser1 mutual_password=ClientTPGPasswd1
Parameter mutual_password is now 'ClientTPGPasswd1'.
Parameter mutual_userid is now 'ClientTPGuser1'.

/iscsi/iqn.20...kstorage/tpg1> get auth
AUTH CONFIG GROUP
=================
mutual_password=ClientTPGPasswd1
--------------------------------
The mutual_password auth parameter.

mutual_userid=ClientTPGuser1
----------------------------
The mutual_userid auth parameter.

password=tgppasswd1
-------------------
The password auth parameter.

userid=tpguser1
---------------
The userid auth parameter.

/iscsi> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json
           
Restart the target service
# Restart the target service
[root@localhost ~]# systemctl restart target
[root@localhost ~]# systemctl status target
● target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2021-06-24 18:21:51 CST; 5min ago
  Process: 18766 ExecStop=/usr/bin/targetctl clear (code=exited, status=0/SUCCESS)
  Process: 18776 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)
 Main PID: 18776 (code=exited, status=0/SUCCESS)

Jun 24 18:21:51 localhost.localdomain systemd[1]: Starting Restore LIO kernel target configuration...
Jun 24 18:21:51 localhost.localdomain systemd[1]: Started Restore LIO kernel target configuration.
           
Modify the local initiator configuration and test
[root@localhost ~]# cd /etc/iscsi/
# The initiator name can be anything
[root@localhost iscsi]# echo "InitiatorName=iqn.2021-06.com.test.www:client">initiatorname.iscsi
[root@localhost iscsi]# cat initiatorname.iscsi
InitiatorName=iqn.2021-06.com.test.www:client
# Edit iscsid.conf
[root@localhost iscsi]# vi iscsid.conf
# Find the following section and change it as shown
# *************
# CHAP Settings
# *************

# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP

# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = tpguser1
node.session.auth.password = tgppasswd1

# To set a CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
node.session.auth.username_in = ClientTPGuser1
node.session.auth.password_in = ClientTPGPasswd1

# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP

# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = disUser
discovery.sendtargets.auth.password = dis123456

# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
discovery.sendtargets.auth.username_in = ClientDisUser
discovery.sendtargets.auth.password_in = dis654321

# Keys starting with discovery configure authentication for discovery; keys starting with node.session configure authentication at login
# Save and quit

# Restart the service (required, otherwise the change does not take effect)
[root@localhost ~]# systemctl restart iscsid
# Discover the target (must rediscover, otherwise the change does not take effect)
[root@localhost ~]# iscsiadm -m discovery -tst -p 192.168.2.46
192.168.2.46:3260,1 iqn.2021-06.com.test.www:backstorage
# Log in to the target
[root@localhost ~]# iscsiadm -m node -T iqn.2021-06.com.test.www:backstorage -l
Logging in to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] (multiple)
Login to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] successful.

# fdisk now shows a new disk, /dev/sdk
[root@localhost iscsi]# fdisk -l

Disk /dev/sdk: 524 MB, 524288000 bytes, 1024000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdk1               1  4294967295  2147483647+  ee  GPT

# Try to format it
[root@localhost iscsi]# mkfs /dev/sdk1
mke2fs 1.42.9 (28-Dec-2013)
/dev/sdk1: Read-only file system while setting up superblock
# Reported as a read-only file system

# Log out of the target
[root@localhost ~]# iscsiadm -m node -T iqn.2021-06.com.test.www:backstorage -u
Logging out of session [sid: 1, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260]
Logout of [sid: 1, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] successful.
           
Configure targetcli with ACL authentication; after authenticating, the disk is read-write
# Enter targetcli interactive mode
[root@localhost ~]# targetcli
targetcli shell version 2.1.fb46
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/iscsi/iqn.20...kstorage/tpg1> cd acls
/iscsi/iqn.20...age/tpg1/acls> create iqn.2021-06.com.test.www:client
Created Node ACL for iqn.2021-06.com.test.www:client
Created mapped LUN 0.
/iscsi/iqn.20...age/tpg1/acls> cd iqn.2021-06.com.test.www:client/
/iscsi/iqn.20...st.www:client> get auth
AUTH CONFIG GROUP
=================
mutual_password=
----------------
The mutual_password auth parameter.

mutual_userid=
--------------
The mutual_userid auth parameter.

password=
---------
The password auth parameter.

userid=
-------
The userid auth parameter.


/iscsi/iqn.20...st.www:client> set auth userid=acluser1 password=aclpasswd1   
Parameter password is now 'aclpasswd1'.
Parameter userid is now 'acluser1'.
/iscsi/iqn.20...st.www:client> set auth mutual_userid=ClientLUNuser1 mutual_password=ClientLUNPasswd1
Parameter mutual_password is now 'ClientLUNPasswd1'.
Parameter mutual_userid is now 'ClientLUNuser1'.
/iscsi/iqn.20...st.www:client> get auth
AUTH CONFIG GROUP
=================
mutual_password=ClientLUNPasswd1
--------------------------------
The mutual_password auth parameter.

mutual_userid=ClientLUNuser1
----------------------------
The mutual_userid auth parameter.

password=aclpasswd1
-------------------
The password auth parameter.

userid=acluser1
---------------
The userid auth parameter.


/iscsi/iqn.20...st.www:client> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup/.
Configuration saved to /etc/target/saveconfig.json
           
Restart the target service
# Restart the target service
[root@localhost ~]# systemctl restart target
[root@localhost ~]# systemctl status target
● target.service - Restore LIO kernel target configuration
   Loaded: loaded (/usr/lib/systemd/system/target.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2021-06-24 18:21:51 CST; 5min ago
  Process: 18766 ExecStop=/usr/bin/targetctl clear (code=exited, status=0/SUCCESS)
  Process: 18776 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)
 Main PID: 18776 (code=exited, status=0/SUCCESS)

Jun 24 18:21:51 localhost.localdomain systemd[1]: Starting Restore LIO kernel target configuration...
Jun 24 18:21:51 localhost.localdomain systemd[1]: Started Restore LIO kernel target configuration.
           
Modify the local initiator configuration and test
# Configure the initiator
[root@localhost iscsi]# echo "InitiatorName=iqn.2021-06.com.test.www:client">initiatorname.iscsi
[root@localhost iscsi]# cat initiatorname.iscsi
InitiatorName=iqn.2021-06.com.test.www:client
# Edit iscsid.conf
[root@localhost iscsi]# vi iscsid.conf
# Change the corresponding section to the following
# *************
# CHAP Settings
# *************

# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP

# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = acluser1
node.session.auth.password = aclpasswd1

# To set a CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
node.session.auth.username_in = ClientLUNuser1
node.session.auth.password_in = ClientLUNPasswd1

# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP

# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = disUser
discovery.sendtargets.auth.password = dis123456

# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
discovery.sendtargets.auth.username_in = ClientDisUser
discovery.sendtargets.auth.password_in = dis654321

# The node.session keys are updated to the client credentials that were added in the ACL

# Save and quit

# Restart the service (required, otherwise the change does not take effect)
[root@localhost ~]# systemctl restart iscsid
# Discover the target (must rediscover, otherwise the change does not take effect)
[root@localhost ~]# iscsiadm -m discovery -tst -p 192.168.2.46
192.168.2.46:3260,1 iqn.2021-06.com.test.www:backstorage
# Log in to the target
[root@localhost ~]# iscsiadm -m node -T iqn.2021-06.com.test.www:backstorage -l
Logging in to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] (multiple)
Login to [iface: default, target: iqn.2021-06.com.test.www:backstorage, portal: 192.168.2.46,3260] successful.

# fdisk now shows a new disk, /dev/sdk
[root@localhost iscsi]# fdisk -l

Disk /dev/sdk: 524 MB, 524288000 bytes, 1024000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdk1               1  4294967295  2147483647+  ee  GPT

# Try to format it
[root@localhost iscsi]# mkfs /dev/sdk1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=4096 blocks
4096 inodes, 16364 blocks
818 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=16777216
2 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks: 
        8193

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

# The operation succeeds; the disk can be read and written.
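Added example, not code from the original post or from targetcli itself: a Python audit over a file in the shape of /etc/target/saveconfig.json (which targetcli writes on exit) that flags the pitfalls this post walks through: TPGs without authentication, TPG CHAP combined with node ACL entries, demo mode (generate_node_acls=1) with the default demo_mode_write_protect=1 (which is why the first login above produced a read-only disk), and node ACLs with no CHAP credentials. The JSON sample is constructed here, and the key names (targets, tpgs, attributes, node_acls, chap_userid, chap_password) are assumed to match the LIO dump format.

```python
import json

# Constructed sample in the shape of /etc/target/saveconfig.json (not a real dump):
# TPG-level CHAP is set, demo mode is on, and a node ACL exists without CHAP.
SAMPLE_SAVECONFIG = json.dumps({"targets": [{
    "fabric": "iscsi",
    "wwn": "iqn.2021-06.com.test.www:backstorage",
    "tpgs": [{
        "tag": 1,
        "attributes": {"authentication": 1, "generate_node_acls": 1,
                       "demo_mode_write_protect": 1},
        "chap_userid": "tpguser1", "chap_password": "tgppasswd1",
        "node_acls": [{"node_wwn": "iqn.2021-06.com.test.www:client",
                       "chap_userid": "", "chap_password": ""}],
    }],
}]})


def audit_saveconfig(text):
    """Return (target_wwn, tpg_tag, finding) tuples for every TPG problem found."""
    findings = []
    for tgt in json.loads(text).get("targets", []):
        if tgt.get("fabric") != "iscsi":
            continue  # other fabrics (FC, SRP) carry no CHAP settings
        for tpg in tgt.get("tpgs", []):
            attrs = tpg.get("attributes", {})
            # attribute values may be dumped as int or str; normalise to int
            auth = int(attrs.get("authentication", 0))
            demo = int(attrs.get("generate_node_acls", 0))
            wprot = int(attrs.get("demo_mode_write_protect", 1))
            acls = tpg.get("node_acls", [])
            key = (tgt["wwn"], tpg.get("tag"))
            if not auth:
                findings.append(key + ("no_chap",))  # any initiator can log in
            if auth and demo and not (tpg.get("chap_userid") and tpg.get("chap_password")):
                findings.append(key + ("tpg_chap_unset",))  # demo mode but no TPG creds
            if demo and acls:
                findings.append(key + ("acls_override_tpg_chap",))  # post: TPG CHAP needs no ACLs
            if demo and wprot:
                findings.append(key + ("demo_mode_read_only",))  # explains the read-only mkfs
            for acl in acls:
                if not (acl.get("chap_userid") and acl.get("chap_password")):
                    findings.append(key + ("acl_without_chap:" + acl.get("node_wwn", "?"),))
    return findings


if __name__ == "__main__":
    for wwn, tag, finding in audit_saveconfig(SAMPLE_SAVECONFIG):
        print(f"{wwn} tpg{tag}: {finding}")
```

On a real host pass open('/etc/target/saveconfig.json').read() to audit_saveconfig(). A writable LUN while staying in demo mode would need set attribute demo_mode_write_protect=0 in the TPG, but the per-initiator ACL with its own CHAP credentials, as configured in the second half of this post, is the tighter option.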
           
