Having switched off unauthenticated access to the SAN on the SAN, I had to work out how to set CHAP secrets on a per-host basis and modify iscsid.conf accordingly. Cue considerable trial and error, but it seems to be working now. The salient points being:
- There is an awful lot of caching going on. This makes testing much more interesting.
- Best to start with a clean slate. First thing to do is see if there are any sessions and terminate them (assuming nothing mounted) as a first pass. To to this:
- iscsiadm -m session -o show
- iscsiadm -m node -U all
- Configure iscsid.conf
- set node.session.auth.password and discovery.sendtargets.auth.password to the SAN CHAP password
- set node.session.auth.password_in and discovery.sendtargets.auth.password_in to the host CHAP password (as set on the SAN)
- uncomment node.session.auth.authmethod = CHAP and discovery.sendtargets.auth.authmethod = CHAP
- Restart iscsid to pick up all that. And reestablish the iscsi discovery cache and login to create an authenticated session.
- systemctl restart iscsid
- iscsiadm -m discovery -t sendtargets -p 129.169.10.233
- iscsiadm -m node -o show
- iscsiadm -m node -T iqn.1992-01.com.lsi:2365.60080e5000410cf20000000053e0b82d -p 129.169.10.233 -l
- iscsiadm -m session -o show
- Mounting things in fstab requires network, so lines look like:
- /dev/mapper/imap_archive-lv_mailhome /mailhome ext4 _netdev 0 0
- Make 0.0.0.0 not try to automatically log in. Out of the box iscsid on Centos 6/7 seems to automatically login. It cannot to the two interfaces which are IP 0.0.0.0 of course, so we can prevent that:
- iscsiadm -m node -p 0.0.0.0 -o update -n node.startup -v manual
Leave a Reply
You must be logged in to post a comment.