Solaris as an iSCSI Server with ZFS

By Alasdair Lumsden on 16 Nov 2008

iSCSI is a rather funky protocol that allows you to export a block device (e.g. a hard drive partition, a ZFS zvol or a regular file) as a SCSI device over TCP/IP. Typically it’s used in environments where you have storage on a device (such as a SAN) and want to share it with a client/server, for performance reasons or simply to provide more storage.

In this particular instance, we have a Sun Fire x4500 (Thumper) SAN with ample storage, running Solaris 10 update 6, and I wanted to export a chunk of it to a Windows box.

Solaris as an iSCSI Server

iSCSI terminology

iSCSI Target: iSCSI Server
iSCSI Initiator: iSCSI Client

I can understand why they chose “target” and “initiator”, but when you’re starting out it’s easier to think in terms of clients and servers.

Installing requisite Solaris Packages

If you’ve performed a Core install, you might not have the required packages installed (you can check with pkginfo). If they’re missing, fetch your Solaris CD, then install and enable as follows:

pkgadd -d . SUNWiscsir SUNWiscsitgtr SUNWiscsitgtu SUNWiscsiu
svcadm enable iscsitgt

Sharing a ZFS zvol block storage unit

We need a “block device” to export over iSCSI. ZFS lets you create “sparse” zvols, which start off small and expand to their full size as you use them. Let’s add a 10GB one:

zfs create -s -V 10G zpool01/myiscsivol

We can now share it as simply as:

zfs set shareiscsi=on zpool01/myiscsivol

Easy huh?

Configuring your iSCSI share with iscsitadm

Your weapon of choice when configuring iSCSI shares is iscsitadm. Unfortunately it’s a slightly obtuse tool, which doesn’t give you friendly feedback when you type the wrong thing in. But there are worse tools out there. You can view details of your iSCSI share with:

iscsitadm list target -v

Restricting iSCSI to a particular IP Address

If you want to restrict your iSCSI share to a particular network interface/IP address, you can do it by creating a Target Portal Group (iSCSI terminology is… odd.) For example:

iscsitadm create tpgt 1
iscsitadm modify tpgt -i 1
iscsitadm list tpgt -v 1

This creates a target portal group numbered 1, and specifies that it should use as its interface. Next we associate this tpgt with the iSCSI share:

iscsitadm modify target -p 1 zpool01/myiscsivol

At this point, you can actually go ahead and mount the iSCSI target from your client. I won’t cover this off, but on Windows Server 2003 you download the iSCSI Software Initiator. It’s very easy to use and requires virtually no explanation. All I had to do was fire up the interface, add a discovery target, scan for volumes, connect one, and my iSCSI volume popped up in Disk Management. I formatted it with NTFS, and it delivered a nice 110MB/sec write speed.

Configuring CHAP Authentication

It’s definitely worth configuring CHAP Authentication to protect your iSCSI share. I won’t cover anything funky, such as RADIUS auth, IPsec or bidirectional target authentication, but they are available if you want them. First, we need to tell iscsitadm about our client (the “initiator”) and give it a friendly name. You’ll need the IQN (iSCSI Qualified Name), which you can get from the client (in Windows, it’s on the iSCSI “General” tab).

iscsitadm create initiator --iqn myclient

Now set the CHAP authentication parameters, the username and password. If you’re not using IPsec, the password must be between 12 and 16 characters long:

iscsitadm modify initiator --chap-name myusername myclient
iscsitadm modify initiator --chap-secret myclient

You now need to associate the initiator entry you just created with the ACL (Access Control List) of the iSCSI share:

iscsitadm modify target --acl myclient zpool01/myiscsivol

Now you’re all done! Congratulations :)

A Note on CHAP Passwords

I banged my head against a wall, unable to get the Windows initiator to authenticate against my iSCSI CHAP details. I kept getting “Authorization denied”. My password began with a “0” and contained a “!” in the middle. Changing the password to a 15 character letter-only password seemed to fix this. I don’t have enough time to investigate this further, but if you run into a similar issue, using a simpler password may fix it for you.
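As an added example (not from the original post), here is a POSIX sh helper that checks a CHAP secret against the 12 to 16 character rule from the CHAP section above and flags the characters that caused the “Authorization denied” problem described in this note, before running the two iscsitadm commands. The function names and the DRY_RUN variable are this example’s own, not part of iscsitadm.

```shell
#!/bin/sh
# Added example: sanity-check a CHAP secret before handing it to
# "iscsitadm modify initiator --chap-secret". Function names are this
# example's own and are not part of iscsitadm.

# Run a command, or just print it when DRY_RUN=1 (handy on a non-Solaris box).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Returns 0 if the secret is acceptable, 1 if its length is outside 12-16
# characters (the limit the post gives when IPsec is not in use), and 2 if
# the length is fine but it has the characteristics that broke the Windows
# initiator in the post: a leading "0" or any non-letter/digit character.
validate_chap_secret() {
    secret=$1
    len=${#secret}
    if [ "$len" -lt 12 ] || [ "$len" -gt 16 ]; then
        return 1
    fi
    case $secret in
        0*) return 2 ;;   # leading zero, as in the author's failing password
    esac
    # Strip every letter and digit; anything left over (e.g. "!") is suspect.
    rest=$(printf '%s' "$secret" | tr -d 'A-Za-z0-9')
    if [ -n "$rest" ]; then
        return 2
    fi
    return 0
}

# Apply CHAP settings to an initiator already created with
# "iscsitadm create initiator". Arguments: initiator-name chap-name secret.
configure_chap() {
    initiator=$1 chap_name=$2 secret=$3
    validate_chap_secret "$secret"
    rc=$?
    case $rc in
        1) echo "secret must be 12-16 characters long" >&2; return 1 ;;
        2) echo "warning: secret has characters the Windows initiator may reject" >&2 ;;
    esac
    run iscsitadm modify initiator --chap-name "$chap_name" "$initiator"
    # --chap-secret prompts interactively for the secret itself.
    run iscsitadm modify initiator --chap-secret "$initiator"
}
```

Call it as `configure_chap myclient myusername 'abcdefghijklmno'`; set `DRY_RUN=1` first to see the iscsitadm commands without running them.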