Re: [storage-discuss] iSCSI TPGT Persistence Across Reboots?
A Hettinger wrote:
> hey Jim,
>
> I really like being able to enable and disable shareiscsi from the
> zfs, it makes management much easier, but I also need the TPGT
> functionality.
>
> TPGT is a necessary part of my security policy.
> 1) physical security
> 2) switch only accepts a specific MAC to/from a specific port
>    (statically assigned) (prevents MAC spoofing)
> 3) firewall only permits a given IP if used with the associated
>    MAC (prevents IP spoofing)
> 4) TPGT only permits an iqn for an associated ip (prevents iqn
>    spoofing).
>
> It's slightly harder to make sure all these associations are kept
> up-to-date, but (AFAIK) it is the only way to prevent the issues
> with having initiators being trusted systems (I suppose exempting
> Kerberos, but it's not feasible for what I need to do). The only
> attack vector I see remaining is the good old-fashioned DOS. (If
> anyone wants to point out the flaw in my plan, please do.)
>
> Is there already an RFE for this?

The root cause of this issue is that the ZFS zvol is the Solaris
component offering persistence of this iSCSI Target. ZFS, due to its
ease of management, does not support a means to associate iSCSI Target
parameters, like TPGT, with the shareiscsi attribute of a ZVOL, and
rightfully so. You can have ease of management and complexity like TPGT
groups at the same time. If you like the ease of shareiscsi, but wish to
add additional iSCSI properties, enable shareiscsi, then issue
"iscsitadm list target -v", retain the data, disable shareiscsi, and
then configure the target, plus iSCSI properties, yourself.

> Is changing it planned?

In time, the iSCSI target will be moving into COMSTAR
(http://www.opensolaris.org/os/project/comstar/), at which time the
interface between ZFS and iSCSI will be revisited with an eye toward
the future.

> If so, do we have an ETA?

No commitments from me.

Jim

> Thanks,
>
> A. Hettinger

___
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
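The workaround Jim describes (capture "iscsitadm list target -v", disable shareiscsi, recreate the target by hand), as an added example that is not part of the thread and not Sun's code: a POSIX shell script that parses a captured listing and emits the iscsitadm commands to rebuild the target with the same backing store and TPGT assignments, plus an ACL entry for each initiator you name. It also checks "iscsitadm show admin" for a Base Directory, since without one nothing iscsitadm configures survives a reboot. The listing and admin output are constructed in the format shown in the thread; the initiator IQN and the "-init1" alias are placeholders. One caveat on Hettinger's point 4: a TPGT groups the target's own portal addresses (where the target is advertised), it does not bind an initiator IQN to an address. Restricting which initiators may log in is done with the target ACL ("iscsitadm create initiator" and "iscsitadm modify target -l") and CHAP, which is why the generated plan includes the ACL step. The recreated target is assigned its own iSCSI Name by iscsitadm (this example does not try to preserve the old one); the script prints the old name so initiators can be repointed.

```shell
#!/bin/sh
# Added example (not from the thread): turn a captured
# "iscsitadm list target -v" listing into the iscsitadm commands that
# recreate the same target outside of ZFS shareiscsi, so that TPGT and
# ACL assignments land in the iscsitadm persistence directory.
# All sample output below is constructed to match the format shown on
# the list; the initiator IQN and alias used later are placeholders.

# Constructed sample of "iscsitadm list target -v data01/data01-000"
SAMPLE_LISTING='Target: data01/data01-000
    iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
    Alias: data01/data01-000
    Connections: 0
    ACL list:
    TPGT list:
        TPGT: 1
        TPGT: 2
    LUN information:
        LUN: 0
            GUID: 0x0
            VID: SUN
            PID: SOLARIS
            Type: disk
            Size: 20G
            Backing store: /dev/zvol/rdsk/data01/data01-000
            Status: online'

# Constructed samples of "iscsitadm show admin", before and after
# "iscsitadm modify admin -d /etc/iscsi/target"
SAMPLE_ADMIN_UNSET='iscsitadm:
    Base Directory: Not set
    CHAP Name: Not set'
SAMPLE_ADMIN_SET='iscsitadm:
    Base Directory: /etc/iscsi/target
    CHAP Name: Not set'

# admin_dir_ok: "iscsitadm show admin" output on stdin; succeed only if a
# Base Directory is configured (without it nothing persists across reboot).
admin_dir_ok() {
    awk '{ i = index($0, ": ")
           if (i && substr($0, 1, i - 1) ~ /Base Directory$/) {
               v = substr($0, i + 2)
               if (v != "Not set" && v != "") ok = 1
           } }
         END { if (ok) exit 0; exit 1 }'
}

# target_field: print the value of one "Label: value" field from a listing
# on stdin. Splits on the first ": " only, so IQNs with colons survive.
target_field() {   # $1 = label, e.g. "Backing store" or "iSCSI Name"
    awk -v key="$1" '{
        i = index($0, ": "); if (i == 0) next
        k = substr($0, 1, i - 1); sub(/^ +/, "", k)
        if (k == key) { print substr($0, i + 2); exit }
    }'
}

# target_tpgts: print the TPGT numbers assigned in a listing on stdin
target_tpgts() {
    awk '/^ *TPGT list:/ { inlist = 1; next }
         /^ *LUN information:/ { inlist = 0 }
         inlist && /^ *TPGT: / { print $2 }'
}

# plan_manual_target: emit the commands that rebuild the target by hand.
#   $1 = file holding the captured listing
#   $2 = zvol dataset (pool/vol), also used as the target name
#   $3.. = initiator IQNs to put on the target ACL (placeholders here)
plan_manual_target() {
    listing=$1; dataset=$2; shift 2
    backing=$(target_field "Backing store" < "$listing")
    oldiqn=$(target_field "iSCSI Name" < "$listing")
    echo "# previous iSCSI Name was $oldiqn; initiators must be repointed"
    echo "zfs set shareiscsi=off $dataset"
    echo "iscsitadm create target -b $backing $dataset"
    target_tpgts < "$listing" | while read -r tag; do
        echo "iscsitadm modify target -p $tag $dataset"
    done
    n=0
    for iqn in "$@"; do
        n=$((n + 1))
        # alias is local to the target host; "<vol>-initN" is just a convention
        echo "iscsitadm create initiator -n $iqn ${dataset##*/}-init$n"
        echo "iscsitadm modify target -l ${dataset##*/}-init$n $dataset"
    done
}

# Stand-alone run over the constructed data
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LISTING" > "$tmp"
printf '%s\n' "$SAMPLE_ADMIN_UNSET" | admin_dir_ok ||
    echo "# WARNING: no Base Directory; run: iscsitadm modify admin -d /etc/iscsi/target"
plan_manual_target "$tmp" data01/data01-000 iqn.1986-03.com.sun:01:host-a
rm -f "$tmp"
```

Run "iscsitadm show admin | admin_dir_ok" first; if it fails, set the directory and only then apply the plan, otherwise the recreated target is lost on the next reboot just as the shareiscsi one was. The plan is printed rather than executed so it can be reviewed before anything touches the zvols.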
Re: [storage-discuss] iSCSI TPGT Persistence Across Reboots?
hey Jim,

I really like being able to enable and disable shareiscsi from the
zfs, it makes management much easier, but I also need the TPGT
functionality.

TPGT is a necessary part of my security policy.
1) physical security
2) switch only accepts a specific MAC to/from a specific port
   (statically assigned) (prevents MAC spoofing)
3) firewall only permits a given IP if used with the associated
   MAC (prevents IP spoofing)
4) TPGT only permits an iqn for an associated ip (prevents iqn
   spoofing).

It's slightly harder to make sure all these associations are kept
up-to-date, but (AFAIK) it is the only way to prevent the issues
with having initiators being trusted systems (I suppose exempting
Kerberos, but it's not feasible for what I need to do). The only
attack vector I see remaining is the good old-fashioned DOS. (If
anyone wants to point out the flaw in my plan, please do.)

Is there already an RFE for this?
Is changing it planned?
If so, do we have an ETA?

Thanks,

A. Hettinger
Re: [storage-discuss] iSCSI TPGT Persistence Across Reboots?
Bruce,

The reboot persistence of iSCSI Targets created by the shareiscsi=on
attribute is not stored in the persistence directory maintained by
iSCSI, but is instead maintained by ZFS itself. When the zpool is
exported at system shutdown time, the association of the target port
group goes away, since the iSCSI Target goes away. If you wish to retain
the TPGT assignments across reboots, you will have to configure the
zvols via iscsitadm.

Jim

> Bruce McAlister wrote:
>> I'll let you know how I get on. Thanks again :)
>
> Hi,
>
> OK, I'm still having the same issue here across reboots. What I
> tried was:
>
> [EMAIL PROTECTED]:/ # zpool export data01
> [EMAIL PROTECTED]:/ # zpool export data02
> [EMAIL PROTECTED]:/ # mkdir -p /etc/iscsi/target
> [EMAIL PROTECTED]:/ # iscsitadm modify admin -d /etc/iscsi/target
> [EMAIL PROTECTED]:/ # iscsitadm show admin
>
> iscsitadm:
>     Base Directory: /etc/iscsi/target
>     CHAP Name: Not set
>     RADIUS Access: Not set
>     RADIUS Server: Not set
>     iSNS Access: Not set
>     iSNS Server: Not set
>     Fast Write ACK: Not set
>
> [EMAIL PROTECTED]:/ # zpool import data01
> [EMAIL PROTECTED]:/ # zpool import data02
> [EMAIL PROTECTED]:/ # iscsitadm list target -v data01/data01-000
>
> Target: data01/data01-000
>     iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
>     Alias: data01/data01-000
>     Connections: 0
>     ACL list:
>     TPGT list:
>     LUN information:
>         LUN: 0
>             GUID: 0x0
>             VID: SUN
>             PID: SOLARIS
>             Type: disk
>             Size: 20G
>             Backing store: /dev/zvol/rdsk/data01/data01-000
>             Status: online
>
> [EMAIL PROTECTED]:/ # iscsitadm list tpgt -v
>
> TPGT: 1
>     IP Address: 192.168.10.50
> TPGT: 2
>     IP Address: 192.168.10.51
>
> [EMAIL PROTECTED]:/ # iscsitadm modify target -p 1 data01/data01-000
> [EMAIL PROTECTED]:/ # iscsitadm modify target -p 2 data01/data01-000
> [EMAIL PROTECTED]:/ # iscsitadm list target -v data01/data01-000
>
> Target: data01/data01-000
>     iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
>     Alias: data01/data01-000
>     Connections: 0
>     ACL list:
>     TPGT list:
>         TPGT: 1
>         TPGT: 2
>     LUN information:
>         LUN: 0
>             GUID: 0x0
>             VID: SUN
>             PID: SOLARIS
>             Type: disk
>             Size: 20G
>             Backing store: /dev/zvol/rdsk/data01/data01-000
>             Status: online
>
> [EMAIL PROTECTED]:/ # sync
> [EMAIL PROTECTED]:/ # sync
> [EMAIL PROTECTED]:/ # reboot
> [EMAIL PROTECTED]:/ # iscsitadm list target -v data01/data01-000
>
> Target: data01/data01-000
>     iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
>     Alias: data01/data01-000
>     Connections: 0
>     ACL list:
>     TPGT list:
>     LUN information:
>         LUN: 0
>             GUID: 0x0
>             VID: SUN
>             PID: SOLARIS
>             Type: disk
>             Size: 20G
>             Backing store: /dev/zvol/rdsk/data01/data01-000
>             Status: online
>
> As you can see the target has not kept the TPGT assignments across the
> reboot :(
>
> Do you think that this may have something to do with the fact that I
> created these iscsi luns using the "shareiscsi=on" zfs parameter as
> opposed to the "iscsitadm create target" command?
>
> Any suggestions, comments, pointers would be appreciated.
>
> Thanks
> Bruce

Jim Dunham
Solaris, Storage Software Group
Sun Microsystems, Inc.
1617 Southwood Drive
Nashua, NH 03063
Email: [EMAIL PROTECTED]
http://blogs.sun.com/avs
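Since a shareiscsi target silently comes back after reboot with an empty TPGT list (and, as the listings in this thread show, an empty ACL list as well), the check a practitioner wants is a post-boot audit of every target. The following is an added example, not part of the thread and not Sun's code: a POSIX shell script that reads the output of "iscsitadm list target -v" for all targets and flags any target that is advertised on every portal (no TPGT) or open to any initiator (no ACL), plus a one-line-per-target TPGT summary that can be saved before a reboot and diffed afterwards. The listing is constructed in the format shown on the list; the "Initiator:" line under "ACL list:" is an assumed format, and the audit only counts indented entries between the headings, so it does not depend on it.

```shell
#!/bin/sh
# Added example (not from the thread): audit an "iscsitadm list target -v"
# listing covering every target. Reports targets with an empty TPGT list
# (reachable on all portals) or an empty ACL list (any initiator may log
# in). The listing below is constructed; the "Initiator:" entry format is
# an assumption, the parser only counts non-blank lines under each heading.

SAMPLE_ALL_TARGETS='Target: data01/data01-000
    iSCSI Name: iqn.1986-03.com.sun:02:aaaa0000-0000-0000-0000-000000000000
    Alias: data01/data01-000
    Connections: 0
    ACL list:
    TPGT list:
    LUN information:
        LUN: 0
            Backing store: /dev/zvol/rdsk/data01/data01-000
            Status: online
Target: data01/data01-001
    iSCSI Name: iqn.1986-03.com.sun:02:bbbb0000-0000-0000-0000-000000000000
    Alias: data01/data01-001
    Connections: 0
    ACL list:
        Initiator: host-a
    TPGT list:
        TPGT: 1
        TPGT: 2
    LUN information:
        LUN: 0
            Backing store: /dev/zvol/rdsk/data01/data01-001
            Status: online'

# audit_exposure: listing on stdin; prints one line per finding and exits 1
# if anything was found, so it can gate a boot-time check or a cron job.
audit_exposure() {
    awk '
    function flush() {
        if (name == "") return
        if (tpgts == 0) { print name " NO_TPGT: target advertised on every portal"; bad++ }
        if (acls == 0)  { print name " NO_ACL: any initiator may log in"; bad++ }
    }
    /^Target: /           { flush(); name = $2; tpgts = 0; acls = 0; sect = ""; next }
    /^ *ACL list:/        { sect = "acl"; next }
    /^ *TPGT list:/       { sect = "tpgt"; next }
    /^ *LUN information:/ { sect = ""; next }
    sect == "acl"  && NF > 0 { acls++ }
    sect == "tpgt" && NF > 0 { tpgts++ }
    END { flush(); if (bad) exit 1; exit 0 }'
}

# tpgt_summary: listing on stdin; prints "target tpgt1,tpgt2,..." per target
# ("-" when none). Save one before the reboot and one after, then diff them.
tpgt_summary() {
    awk '
    function flush() { if (name != "") print name " " (list == "" ? "-" : list) }
    /^Target: /           { flush(); name = $2; list = ""; sect = ""; next }
    /^ *TPGT list:/       { sect = "tpgt"; next }
    /^ *LUN information:/ { sect = ""; next }
    sect == "tpgt" && /^ *TPGT: / { list = (list == "" ? $2 : list "," $2) }
    END { flush() }'
}

# Stand-alone run over the constructed listing
printf '%s\n' "$SAMPLE_ALL_TARGETS" | tpgt_summary
printf '%s\n' "$SAMPLE_ALL_TARGETS" | audit_exposure || echo "# audit found exposed targets"
```

On a real host replace the constructed listing with "iscsitadm list target -v" and run the audit from an rc script or SMF method after the pools are imported; a non-zero exit is the signal that a target came back without its TPGTs (or never had an ACL) and should not be trusted to enforce the portal and initiator restrictions the policy assumes.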
Re: [storage-discuss] iSCSI TPGT Persistence Across Reboots?
Bruce McAlister wrote:
> I'll let you know how I get on. Thanks again :)

Hi,

OK, I'm still having the same issue here across reboots. What I tried
was:

[EMAIL PROTECTED]:/ # zpool export data01
[EMAIL PROTECTED]:/ # zpool export data02
[EMAIL PROTECTED]:/ # mkdir -p /etc/iscsi/target
[EMAIL PROTECTED]:/ # iscsitadm modify admin -d /etc/iscsi/target
[EMAIL PROTECTED]:/ # iscsitadm show admin

iscsitadm:
    Base Directory: /etc/iscsi/target
    CHAP Name: Not set
    RADIUS Access: Not set
    RADIUS Server: Not set
    iSNS Access: Not set
    iSNS Server: Not set
    Fast Write ACK: Not set

[EMAIL PROTECTED]:/ # zpool import data01
[EMAIL PROTECTED]:/ # zpool import data02
[EMAIL PROTECTED]:/ # iscsitadm list target -v data01/data01-000

Target: data01/data01-000
    iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
    Alias: data01/data01-000
    Connections: 0
    ACL list:
    TPGT list:
    LUN information:
        LUN: 0
            GUID: 0x0
            VID: SUN
            PID: SOLARIS
            Type: disk
            Size: 20G
            Backing store: /dev/zvol/rdsk/data01/data01-000
            Status: online

[EMAIL PROTECTED]:/ # iscsitadm list tpgt -v

TPGT: 1
    IP Address: 192.168.10.50
TPGT: 2
    IP Address: 192.168.10.51

[EMAIL PROTECTED]:/ # iscsitadm modify target -p 1 data01/data01-000
[EMAIL PROTECTED]:/ # iscsitadm modify target -p 2 data01/data01-000
[EMAIL PROTECTED]:/ # iscsitadm list target -v data01/data01-000

Target: data01/data01-000
    iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
    Alias: data01/data01-000
    Connections: 0
    ACL list:
    TPGT list:
        TPGT: 1
        TPGT: 2
    LUN information:
        LUN: 0
            GUID: 0x0
            VID: SUN
            PID: SOLARIS
            Type: disk
            Size: 20G
            Backing store: /dev/zvol/rdsk/data01/data01-000
            Status: online

[EMAIL PROTECTED]:/ # sync
[EMAIL PROTECTED]:/ # sync
[EMAIL PROTECTED]:/ # reboot
[EMAIL PROTECTED]:/ # iscsitadm list target -v data01/data01-000

Target: data01/data01-000
    iSCSI Name: iqn.1986-03.com.sun:02:923ef885-639d-4272-c4eb-960c8534ed1c
    Alias: data01/data01-000
    Connections: 0
    ACL list:
    TPGT list:
    LUN information:
        LUN: 0
            GUID: 0x0
            VID: SUN
            PID: SOLARIS
            Type: disk
            Size: 20G
            Backing store: /dev/zvol/rdsk/data01/data01-000
            Status: online

As you can see the target has not kept the TPGT assignments across the
reboot :(

Do you think that this may have something to do with the fact that I
created these iscsi luns using the "shareiscsi=on" zfs parameter as
opposed to the "iscsitadm create target" command?

Any suggestions, comments, pointers would be appreciated.

Thanks
Bruce
Re: [storage-discuss] iSCSI TPGT Persistence Across Reboots?
Jim Dunham wrote:
> Bruce,
>
>> SNIP
>>
>> Is there a way that I can make this configuration static across
>> reboots.
>
> When first using the iSCSI Target, one must set up a location for
> persistent storage of attributes.
>
> You can check this location with:
>
> # iscsitadm show admin
>
> If not set, one can be set with the following command:
>
> # iscsitadm modify admin -d /etc/iscsi/target
>
> or a directory of one's choosing.
>
> - Jim

AAAahhh OK, that's what I missed!! OK, thanks, I will export the ZFS
pools, create this admin directory, import the disks and assign these
targets. Hopefully that will persist across reboots. I'll let you know
how I get on. Thanks again :)
Re: [storage-discuss] iSCSI TPGT Persistence Across Reboots?
Bruce,

> Hi All,
>
> I'm busy testing/evaluating the iSCSI target on SXCE snv_b69 and I've
> come across an issue of sorts. I'm not sure if this is something I'm
> doing incorrectly, or if it is a known issue with the Solaris iSCSI
> target.
>
> I have created a zpool mirror consisting of 2 x 500GB disks. This
> zpool is then split into 20GB z-vols with the "shareiscsi" option set
> to "on".
>
> I also have 2 NICs that have been configured in an active-active IPMP
> configuration. I assign each logical address of the IPMP group to its
> own target portal group; both groups are then assigned to each iscsi
> lun so that there are 2 paths to each lun.
>
> This all appears to do what it says on the can up until I reboot the
> box. After the reboot the target portal group tags have been removed
> from the iscsi luns?! I have to manually assign the group tags every
> time the system reboots.
>
> Is there a way that I can make this configuration static across
> reboots?

When first using the iSCSI Target, one must set up a location for
persistent storage of attributes.

You can check this location with:

# iscsitadm show admin

If not set, one can be set with the following command:

# iscsitadm modify admin -d /etc/iscsi/target

or a directory of one's choosing.

- Jim

> Here is an example of the commands I run to achieve what I am trying
> to explain:
>
> zpool create -m legacy data01 mirror c1t2d0 c1t3d0
> zfs create -V 20g -o shareiscsi=on data01/data01-000
> .
> .
> .
> zfs create -V 20g -o shareiscsi=on data01/data01-009
> iscsitadm create tpgt 1
> iscsitadm create tpgt 2
> iscsitadm modify tpgt -i 192.168.10.50 1
> iscsitadm modify tpgt -i 192.168.10.51 2
> iscsitadm list tpgt -v
> TPGT: 2
>     IP Address: 192.168.10.51
> TPGT: 1
>     IP Address: 192.168.10.50
> iscsitadm modify target -p 1 data01/data01-000
> iscsitadm modify target -p 2 data01/data01-000
> iscsitadm modify target -p 1 data01/data01-001
> iscsitadm modify target -p 2 data01/data01-001
> .
> .
> .
> iscsitadm modify target -p 1 data01/data01-009
> iscsitadm modify target -p 2 data01/data01-009
>
> iscsitadm list target -v data01/data01-000
>
> Target: data01/data01-000
>     iSCSI Name: iqn.1986-03.com.sun:02:46348385-5e43-c798-81ef-ad4ea7526ca1
>     Alias: data01/data01-000
>     Connections: 0
>     ACL list:
>     TPGT list:
>         TPGT: 1
>         TPGT: 2
>     LUN information:
>         LUN: 0
>             GUID: 0x0
>             VID: SUN
>             PID: SOLARIS
>             Type: disk
>             Size: 20G
>             Backing store: /dev/zvol/rdsk/data01/data01-000
>             Status: online
>
> sync
> sync
> reboot
>
> iscsitadm list target -v data01/data01-000
>
> Target: data01/data01-000
>     iSCSI Name: iqn.1986-03.com.sun:02:46348385-5e43-c798-81ef-ad4ea7526ca1
>     Alias: data01/data01-000
>     Connections: 0
>     ACL list:
>     TPGT list:
>     LUN information:
>         LUN: 0
>             GUID: 0x0
>             VID: SUN
>             PID: SOLARIS
>             Type: disk
>             Size: 20G
>             Backing store: /dev/zvol/rdsk/data01/data01-000
>             Status: online
>
> iscsitadm list tpgt -v
> TPGT: 2
>     IP Address: 192.168.10.51
> TPGT: 1
>     IP Address: 192.168.10.50
>
> after the reboot the lun has lost its TPGT list (1 & 2)?!
>
> Is there something I am doing wrong here?
>
> Thanks
> Bruce
