Iscsi authentication

[Martin Dumont]

I want to set up an iscsi session to transfers data to a vdisks then export it with fc targets.
I have created the iscsi target and tried to login from the client.
I'm trying without authentication from the client side.
But the initiator can't login. And I did add the client initiator in the corresponding group with the iscsi target in it (like I do with the fc targets).
Any idea why it's not working?

[Marc Smith]

Hi Martin,

Can you please post your /etc/scst.conf and /var/log/kern.log files,
then we'll take a look.


--Marc

> --
> You received this message because you are subscribed to the Google Groups "esos-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to esos-users+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Martin Dumont]

[Marc Smith]

Hi Martin,

Are you sure that "iqn.2005-09.systemrescue:openiscsi" is the correct
initiator name? Is the initiator a Linux host? There is one more log
file to check: /var/log/daemon.log
Take a peak in there and you should at least see connections are being
made to the iscsi-scstd daemon. When testing from a Linux initiator,
if I do not have the correct name in the host/security group on the
ESOS side, I see no targets:
# iscsiadm -m discovery -t sendtargets -p 172.16.16.141
iscsiadm: No portals found

If I add in the initiator name and do it again, I get this:
# iscsiadm -m discovery -t sendtargets -p 172.16.16.141
172.16.16.141:3260,1 iqn.2015-03.esos.localhost:2e93a

I can then login:
# iscsiadm -m node --login
Logging in to [iface: default, target:
iqn.2015-03.esos.localhost:2e93a, portal: 172.16.16.141,3260]
(multiple)
Login to [iface: default, target: iqn.2015-03.esos.localhost:2e93a,
portal: 172.16.16.141,3260] successful.

If I had to guess, I'd say you don't have the correct initiator
name... you could try adding "*" (a single asterisk) as the initiator
name to a host group in ESOS -- this is a wildcard to match any
initiator name. Try that and see if you're successful, then remove it
put in the correct initiator name.


--Marc

[flovax]

I tried using wildcard in initiator.
The discovery does work, but not the login.

root@sysresccd /root % iscsiadm -m discovery -t st -p 10.4.1.3

10.4.1.3:3260,1 iqn.2015-04.esos.san2:4de64

10.3.1.39:3260,1 iqn.2015-04.esos.san2:4de64

root@sysresccd /root % find /etc/iscsi                                                                               /etc/iscsi

/etc/iscsi/nodes

/etc/iscsi/nodes/iqn.2015-04.esos.san2:4de64

/etc/iscsi/nodes/iqn.2015-04.esos.san2:4de64/10.4.1.3,3260,1

/etc/iscsi/nodes/iqn.2015-04.esos.san2:4de64/10.4.1.3,3260,1/default

/etc/iscsi/initiatorname.iscsi

/etc/iscsi/send_targets

/etc/iscsi/send_targets/10.4.1.3,3260

/etc/iscsi/send_targets/10.4.1.3,3260/iqn.2015-04.esos.san2:4de64,10.4.1.3,3260,1,default

/etc/iscsi/send_targets/10.4.1.3,3260/st_config

/etc/iscsi/ifaces

/etc/iscsi/ifaces/iface.example

/etc/iscsi/initiatorname.iscsi.example

/etc/iscsi/iscsid.conf

root@sysresccd /root % iscsiadm -m node --login

Logging in to [iface: default, target: iqn.2015-04.esos.san2:4de64, portal: 10.4.1.3,3260]

...(nothing more)

On the ESOS, i have this in daemon.log:

Apr  5 10:26:40 san2 iscsi-scstd: Connect from 10.4.1.2:35341 to 10.4.1.3:3260

Apr  5 10:26:41 san2 iscsi-scstd: Connect from 10.4.1.2:35342 to 10.4.1.3:3260

Is it because I'm using sysrescuecd on the initiator side?

It's a temporary solution until the data is copied over the SAN, but It should work anyway.

> email to esos-users+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to a topic in the Google Groups "esos-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to esos-users+unsubscribe@googlegroups.com.

[Marc Smith]

Look at /var/log/kern.log too... I only ever see events related to the
IP part of iSCSI in the daemon.log file, might be more information
about the login in the kern.log file.

--Marc

>> You received this message because you are subscribed to a topic in the
>> Google Groups "esos-users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to

[flovax]

>> > email to esos-users+unsubscribe@googlegroups.com.

>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "esos-users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to

>> esos-users+unsubscribe@googlegroups.com.

>> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "esos-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to esos-users+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "esos-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to esos-users+unsubscribe@googlegroups.com.

[Marc Smith]

Yeah, I don't see anything about a login attempt there... on the
initiator side when you run the command "iscsiadm -m node --login" you
said it just displays that one line, but does the command hang after
that, or does it return to the shell? Maybe something with firewall on
initiator side? I don't see any errors or issues with the ESOS
configuration.

--Marc

>> >> You received this message because you are subscribed to a topic in the
>> >> Google Groups "esos-users" group.
>> >> To unsubscribe from this topic, visit
>> >> https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
>> >> To unsubscribe from this group and all its topics, send an email to

>> >> esos-users+...@googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "esos-users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to esos-users+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --

>> You received this message because you are subscribed to a topic in the
>> Google Groups "esos-users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to

[flovax]

The command never return.
Good point about the firewall, I didn't thought of that.
I'm also trying to mount a target on another esos with logic.
I think I have to set the qlaxxx in initiator and target mode?
Any clew on how to do this? (Qlaxxx.conf but I'm not sure).

>> >> > email to esos-users+unsubscribe@googlegroups.com.

>> >> > For more options, visit https://groups.google.com/d/optout.
>> >>
>> >> --
>> >> You received this message because you are subscribed to a topic in the
>> >> Google Groups "esos-users" group.
>> >> To unsubscribe from this topic, visit
>> >> https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
>> >> To unsubscribe from this group and all its topics, send an email to

>> >> esos-users+unsubscribe@googlegroups.com.

>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "esos-users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an

>> > email to esos-users+unsubscribe@googlegroups.com.

>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "esos-users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to

>> esos-users+unsubscribe@googlegroups.com.

>> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "esos-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to esos-users+unsubscribe@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "esos-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/esos-users/pSzfNPBLRHI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to esos-users+unsubscribe@googlegroups.com.

[Marc Smith]

Edit the /etc/modprobe.conf file and add the following line:

options qla2xxx_scst qlini_mode=enabled

Then reboot the machine, or stop SCST (/etc/rc.d/rc.scst stop) and unload the qla2xxx_scst module and start SCST again.

--Marc

[flovax]

I did that and I still can't see any targets on the esos initiator.
On the target:

Apr  6 11:19:06 san2 kernel: [304581.536729] qla2x00t(3):  session for port 50:06:0b:00:00:64:ae:04 (loop ID 0) login_state 2 reappeared

Apr  6 11:19:09 san2 kernel: [304584.512156]  rport-3:0-0: blocked FC remote port time out: no longer a FCP target, removing starget

Apr  6 11:19:21 san2 kernel: [304596.345555]  rport-4:0-0: blocked FC remote port time out: removing target and saving binding

Apr  6 11:19:26 san2 kernel: [304601.336355] qla2x00t(4): session for loop_id 0 deleted

On the initiator:

[root@san1 log]# /etc/rc.d/rc.scst start

Loading SCST kernel modules...

Starting SCST userland daemons...

Applying SCST configuration...

Collecting current configuration: done.

-> Checking configuration file '/etc/scst.conf' for errors.

        -> WARNING: No HANDLER section defined. Only physical media will be configured for targets.

        -> WARNING: Driver 'iscsi' has no configured targets.

        -> Done, 2 warnings found.

-> Applying configuration.

        -> Setting target attribute 'rel_tgt_id' to value '1' for driver/target 'qla2x00t/50:06:0b:00:00:64:ac:a4': done.

        -> Setting target attribute 'rel_tgt_id' to value '2' for driver/target 'qla2x00t/50:06:0b:00:00:64:ac:a6': done.

        -> Adding new group 'compute2-even' to driver/target 'qla2x00t/50:06:0b:00:00:64:ac:a6': done.

        -> Adding new group 'esx-even' to driver/target 'qla2x00t/50:06:0b:00:00:64:ac:a6': done.

        -> Adding new initiator '10:00:00:00:c9:89:ef:47' to driver/target/group 'qla2x00t/50:06:0b:00:00:64:ac:a6/esx-even': done.

        -> Adding new initiator '10:00:00:00:c9:91:2f:e9' to driver/target/group 'qla2x00t/50:06:0b:00:00:64:ac:a6/compute2-even': done.

        -> Adding new initiator '10:00:00:00:c9:86:d0:03' to driver/target/group 'qla2x00t/50:06:0b:00:00:64:ac:a6/esx-even': done.

        -> Setting target attribute 'rel_tgt_id' to value '3' for driver/target 'qla2x00t/50:06:0b:00:00:64:ae:04': done.

        -> Adding new group 'compute2-odd' to driver/target 'qla2x00t/50:06:0b:00:00:64:ae:04': done.

        -> Adding new group 'esx-odd' to driver/target 'qla2x00t/50:06:0b:00:00:64:ae:04': done.

        -> Adding new initiator '10:00:00:00:c9:86:d0:02' to driver/target/group 'qla2x00t/50:06:0b:00:00:64:ae:04/esx-odd': done.

        -> Adding new initiator '10:00:00:00:c9:91:2f:e8' to driver/target/group 'qla2x00t/50:06:0b:00:00:64:ae:04/compute2-odd': done.

        -> Adding new initiator '10:00:00:00:c9:89:ef:46' to driver/target/group 'qla2x00t/50:06:0b:00:00:64:ae:04/esx-odd': done.

        -> Setting target attribute 'rel_tgt_id' to value '4' for driver/target 'qla2x00t/50:06:0b:00:00:64:ae:06': done.

        -> Done, 14 change(s) made.

        -> Issuing LIP on fibre channel driver/target 'qla2x00t/50:06:0b:00:00:64:ac:a4' (host11): done.

        -> Issuing LIP on fibre channel driver/target 'qla2x00t/50:06:0b:00:00:64:ac:a6' (host12): done.

        -> Issuing LIP on fibre channel driver/target 'qla2x00t/50:06:0b:00:00:64:ae:04' (host9): done.

        -> Issuing LIP on fibre channel driver/target 'qla2x00t/50:06:0b:00:00:64:ae:06' (host10): done.

All done.

I have disabled the target on the initiator box but no success.

I still can't see the target vdisks on the initiator.

[Marc Smith]

You're not really going to "see" any targets show up on the initiator side, at least not in terms of SCST and its target driver "seeing" anything. If your ESOS machine is acting as an initiator, then you'll provision storage as you normally would (eg, make a LUN visible). Then you can do a re-scan via sysfs for the qla2xxx driver (as you would on any Linux initiator) and then the LUN(s) will show up as SCSI disks. Check with 'lsscsi'.

--Marc

[flovax]

I did re-enabled the target on the ESOS initiator TUI, then re-did the HOST config on the target ESOS, and rescan with echo "- - -" > ...
Something in all this got it working.  My host config was right though.

Now I see both path.

Is there a way to make multipath working on ESOS? Or it needs a recompile?

Thanks for all your help.

[Marc Smith]

Adding support for dm-multipath is on the to-do list, so its not there today, but will be in the future.

--Marc