Windows的iSCSI連接通過iSCSI Initiator組件完成,可以通過界面操作,從Server Manager -> Tools -> iSCSI Initiator即可進入iSCSI Initiator配置界面。
界面操作也可通過對應的PowerShell命令操作,完全通過PowerShell則使系統上電自動掛載iSCSI卷成為可能。
本文記錄Windows 2012R2掛載iSCSI的操作步驟及PowerShell腳本實現,最后探討雲盤掛載的方案實現。
Windows 7也提供了iSCSI Initiator,本文內容理論上也適用於Windows 7及之后的系統。
實驗環境為配置iSCSI Target的Linux虛機及Windows 2012R2虛機,通過virbr0連接。
Linux虛機地址為192.168.122.250,Target配置:
o- / ..................................................................... [...]
o- backstores .......................................................... [...]
| o- block .............................................. [Storage Objects: 0]
| o- fileio ............................................. [Storage Objects: 1]
| | o- testfile ................ [/tmp/fileio (500.0MiB) write-thru activated]
| | o- alua ............................................... [ALUA Groups: 1]
| | o- default_tg_pt_gp ................... [ALUA state: Active/optimized]
| o- pscsi .............................................. [Storage Objects: 0]
| o- ramdisk ............................................ [Storage Objects: 0]
o- iscsi ........................................................ [Targets: 1]
| o- iqn.2018-01.com.example:target ................................ [TPGs: 1]
| o- tpg1 ...................................... [no-gen-acls, auth per-acl]
| o- acls ...................................................... [ACLs: 1]
| | o- iqn.1994-05.com.redhat:f7897073402d .. [1-way auth, Mapped LUNs: 1]
| | o- mapped_lun0 ......................... [lun0 fileio/testfile (rw)]
| o- luns ...................................................... [LUNs: 1]
| | o- lun0 ........... [fileio/testfile (/tmp/fileio) (default_tg_pt_gp)]
| o- portals ................................................ [Portals: 1]
| o- 0.0.0.0:3260 ................................................. [OK]
o- loopback ..................................................... [Targets: 0]
/iscsi/iqn.20...e:target/tpg1>
1. Windows系統iSCSI連接的基本要素
1.1 iSCSI服務
iSCSI Initiator依賴Microsoft iSCSI Initiator服務運行,該服務默認不運行,因此系統首次配置時,需將其啟動,並設為自動啟動。
界面配置路徑:Services -> Microsoft iSCSI Initiator Service
PowerShell查詢服務狀態:
PS C:\Users\Administrator> Get-Service MSiSCSI Status Name DisplayName ------ ---- ----------- Running MSiSCSI Microsoft iSCSI Initiator Service PS C:\Users\Administrator> $service = Get-Service MSiSCSI PS C:\Users\Administrator> $service.Status Running PS C:\Users\Administrator>
啟動iSCSI服務:
PS C:\Users\Administrator> Set-Service MSiSCSI -StartupType Automatic -Status Running
Windows的命名習慣是CamelCase,不區分大小寫,PowerShell里也一樣,$service.Status寫成$service.status也行,如有特別之處再注明。
1.2 本機IQN設置
界面配置:iSCSI Initiator配置界面 -> Configuration頁 -> Initiator Name字段
通過PowerShell命令,必須指定舊的IQN號再更新其IQN號,因此需分兩步操作:
PS C:\Users\Administrator> Get-InitiatorPort InstanceName NodeAddress PortAddress ConnectionType ------------ ----------- ----------- -------------- ROOT\ISCSIPRT\0000_0 iqn.1991-05.com.microsoft:... ISCSI ANY PORT iSCSI PS C:\Users\Administrator> $initiator = Get-InitiatorPort PS C:\Users\Administrator> $initiator.NodeAddress iqn.1991-05.com.microsoft:win-3ehflk7iomd PS C:\Users\Administrator> Set-InitiatorPort iqn.1991-05.com.microsoft:win-3ehflk7iomd -NewNodeAddress iqn.1994-05.com.redhat:f7897073402d
1.3 添加Portal
界面配置:iSCSI Initiator配置界面 -> Discovery頁,這里可以添加/刪除Portal。
PowerShell命令:
PS C:\Users\Administrator> New-IscsiTargetPortal -TargetPortalAddress 192.168.122.250 InitiatorInstanceName : InitiatorPortalAddress : IsDataDigest : False IsHeaderDigest : False TargetPortalAddress : 192.168.122.250 TargetPortalPortNumber : 3260 PSComputerName :
如果不是默認的3260端口,用-TargetPortalPortNumber參數指定。
1.4 連接Target
界面配置:iSCSI Initiator配置界面 -> Target頁 -> Connect
通過PowerShell命令,在連接Target前,需查看當前Target,如果一個Target已連接,再次連接會報錯:
PS C:\Users\Administrator> Get-IscsiTarget IsConnected NodeAddress PSComputerName ----------- ----------- --------------
False iqn.2018-01.com.example:target
連接Target:
PS C:\Users\Administrator> Connect-IscsiTarget -NodeAddress iqn.2018-01.com.example:target AuthenticationType : NONE InitiatorInstanceName : ROOT\ISCSIPRT\0000_0 InitiatorNodeAddress : iqn.1994-05.com.redhat:f7897073402d InitiatorPortalAddress : 0.0.0.0 InitiatorSideIdentifier : 400001370000 IsConnected : True IsDataDigest : False IsDiscovered : True IsHeaderDigest : False IsPersistent : False NumberOfConnections : 1 SessionIdentifier : ffffe000c714d020-4000013700000004 TargetNodeAddress : iqn.2018-01.com.example:target TargetSideIdentifier : 0300 PSComputerName :
重啟系統后是否自動重連由-IsPersistent參數指定。是否打開MultiPath由-IsMultipathEnabled參數指定。
1.5 CHAP認證
iSCSI Target可以配置發現認證和登錄認證,同時認證還分為單向認證和雙向認證。
因為雙向認證需要在Windows中配置密碼,並將該密碼配置到Target,從metadata提供的數據來看,應該是不支持的,
否則應該提供Initiator CHAP相關信息,故未做測試。
對於單向認證,發現和登錄道理是相同的,因此只測試了登錄認證的情況。
通過界面連接Target出現的對話框,點Advanced進入高級設置對話框,勾選Enable CHAP log on,
在Name和Target secret中填寫Target配置的帳號信息。Perform mutual authentication用於雙向驗證,不要勾選。
通過PowerShell連接帶CHAP認證的Target:
Connect-IscsiTarget -NodeAddress iqn.2018-01.com.example:target -IsPersistent $true -AuthenticationType ONEWAYCHAP -ChapUsername guest -ChapSecret targetsecret
AuthenticationType是字符串類型,填錯就無法通過認證,官方文檔寫取值為None, OneWayCHAP和MutualCHAP,但在命令里必須全部大寫,非常坑爹!
發現階段的認證相同,New-IscsiTargetPortal也支持校驗參數:
PS C:\Users\Administrator> Get-Help New-IscsiTargetPortal NAME New-IscsiTargetPortal SYNTAX New-IscsiTargetPortal -TargetPortalAddress <string> [-TargetPortalPortNumber <uint16>] [-InitiatorPortalAddress <string>] [-IsHeaderDigest <bool>] [-IsDataDigest <bool>] [-AuthenticationType <string>] [-InitiatorInstanceName <string>] [-ChapUsername <string>] [-ChapSecret <string>] [-CimSession <CimSession[]>] [-ThrottleLimit <int>] [-AsJob] [<CommonParameters>]
查看當前連接和會話:
PS C:\Users\Administrator> Get-IscsiTarget IsConnected NodeAddress PSComputerName ----------- ----------- --------------
True iqn.2018-01.com.example:target PS C:\Users\Administrator> get-iscsiconnection ConnectionIdentifier : ffffe0018793f020-1 InitiatorAddress : 0.0.0.0 InitiatorPortNumber : 3264 TargetAddress : 192.168.122.250 TargetPortNumber : 3260 PSComputerName : PS C:\Users\Administrator> Get-IscsiSession AuthenticationType : NONE InitiatorInstanceName : ROOT\ISCSIPRT\0000_0 InitiatorNodeAddress : iqn.1994-05.com.redhat:f7897073402d InitiatorPortalAddress : 0.0.0.0 InitiatorSideIdentifier : 400001370001 IsConnected : True IsDataDigest : False IsDiscovered : True IsHeaderDigest : False IsPersistent : True NumberOfConnections : 1 SessionIdentifier : ffffe000f70f7020-4000013700000001 TargetNodeAddress : iqn.2018-01.com.example:target TargetSideIdentifier : 0500 PSComputerName :
掛載iSCSI卷后,Windows磁盤管理可見磁盤,可以對其進行分區,格式化,分配卷標並讀寫文件。
2. iSCSI自動掛載實現
Windows系統的上電配置沒有好的選擇,仍通過Cloudbase-init來配置,有兩種方式:
- 使用LocalScriptsPlugin,制作用戶鏡像過程中將腳本放置在Cloudbase-init安裝目錄下的LocalScripts目錄。
- 使用UserDataPlugin,腳本通過元數據注入。
注意:插件執行成功,Cloudbase-init將注冊表對應項置1,下次啟動不會再執行。
典型的OpenStack metadata數據源如下,修改了連接數據來測試:
{
"admin_pass": "XkmAkLJxAx8y",
"random_seed": "...",
"uuid": "7d631f44-00ec-4503-a113-cb616d0fd81c",
"availability_zone": "nova",
"hostname": "centos-cloud.novalocal",
"launch_index": 0,
"devices": [],
"volumes": [
{
"driver_volume_type": "iscsi",
"connector": {
"platform": "x86_64",
"initiator": "iqn.1994-05.com.redhat:f7897073402d",
"multipath": false,
"os_type": "baremetal"
},
"serial": "5d30b37e-d113-49e1-b991-16b9d7d33d3e",
"data": {
"auth_password": "targetsecret",
"target_discovered": false,
"encrypted": false,
"qos_specs": null,
"target_iqn": "iqn.2018-01.com.example:target",
"target_portal": "192.168.122.250:3260",
"volume_id": "5d30b37e-d113-49e1-b991-16b9d7d33d3e",
"target_lun": 0,
"access_mode": "rw",
"auth_username": "guest",
"auth_method": "CHAP"
}
}
],
"project_id": "ac9cab947db74c0c999380a4f306693b",
"name": "centos-cloud"
}
對應PowerShell的實現腳本如下:
# iSCSI Volume Connection
# Copyright 2018
# All Rights Reserved.
# Get volume list from metadata
$metadata = Get-Content "instance.json" -Raw | ConvertFrom-Json if (-not $metadata.volumes) { Write-Host "No volume data found."
return } $volumes = $metadata.volumes Write-Host "[DBG] Found volume data:" $volumes
# Validates initiator
foreach ($vol in $volumes) { $initiator = $vol.connector.initiator if ($initiator) { break } } if ($initiator) { Write-Host "Using $initiator as initiator" } else { throw "Initiator IQN not found, could not proceed." } # Checks and brings up Microsoft iSCSI Initiator Service if it's not.
$ServiceInfo = Get-Service MSiSCSI Write-Host "iSCSI Initiator Service is " $ServiceInfo.Status if ("Running" -ne $ServiceInfo.Status) { Set-Service MSiSCSI -StartupType Automatic -Status Running } # Setup Initiator for host
$current_initiator_port = Get-InitiatorPort Set-InitiatorPort $current_initiator_port.NodeAddress -NewNodeAddress $initiator
foreach ($vol in $volumes) { $data = $vol.data $data.target_iqn = "iqn.2018-01.com.example:target"
# Get/Set target portal
$target_portal_address = $data.target_portal -Split ":"
# Check target
$portal_exists = $false
$current_target_portal = Get-IscsiTargetPortal foreach ($portal in $current_target_portal) { if ($portal.TargetPortalAddress -eq $target_portal_address[0] -and $portal.TargetPortalPortNumber -eq $target_portal_address[1]) { Write-Host "[DBG] Portal" $target_portal_address[0] "already exist"
$portal_exists = $true } } if ( -not $portal_exists) { New-IscsiTargetPortal -TargetPortalAddress $target_portal_address[0] -TargetPortalPortNumber $target_portal_address[1] } # Start: Check status for debugging
Write-Host "[DBG] CHECKING SESSIONS"
$session = Get-IscsiSession $isconnected = $false
foreach ($s in $session) { Write-Host "Look for session " $s
if (($s.TargetNodeAddress -eq $data.target_iqn) -and ($s.IsConnected -eq $true)) { Write-Host "[DBG] Target" $data.target_iqn "is connected"
$isconnected = $true
break } } Write-Host "[DBG] Check Session Is Connected" $isconnected Write-Host "[DBG] CHECKING TARGETS"
$current_targets = Get-IscsiTarget $isconnected = $false
foreach ($t in $current_targets) { Write-Host "Look for session " $s
if (($t.NodeAddress -eq $data.target_iqn) -and ($t.IsConnected -eq $true)) { Write-Host "[DBG] Target" $data.target_iqn "is connected"
$isconnected = $true
break } } Write-Host "[DBG] Check target Is Connected" $isconnected
# End: Check status for debugging
try { Disconnect-IscsiTarget -NodeAddress $data.target_iqn -Confirm $false } catch { Write-Host "[WARN] Target might not have been connected yet." } if (-not $isconnected) { # Args used for CHAP:
# -AuthenticationType: None, OneWayCHAP, MutualCHAP (MUST BE CAPITALIZED!)
# -ChapUsername
# -ChapSecret
if ($data.auth_method -eq "CHAP") { Connect-IscsiTarget -NodeAddress $data.target_iqn -IsPersistent $true -AuthenticationType ONEWAYCHAP -ChapUsername $data.auth_username -ChapSecret $data.auth_password } else { Connect-IscsiTarget -NodeAddress $data.target_iqn -IsPersistent $true } } }
注意:如果元數據有調整,則需相應地修改腳本。
3. 存儲網絡
在Windows系統支持自動掛載后,剩下即網絡的支持。將存儲服務部署在租戶網絡,掛載iSCSI在技術上沒有限制,存儲網絡須由neutron管理,這是前提條件。
需要考慮兩種場景:
- 租戶網絡在底層是同一物理網絡,這種最簡單,裸機任一端口都可以用,根據binding profile,端口會被切換到對應租戶的VLAN網絡。
- 存儲網絡與普通租戶網絡不在同一物理網絡,這就涉及到物理網絡感知的功能了。
對於后者,假設存儲網絡所在的邏輯網絡為storage-network,某租戶所在網絡為tenant1,在裸機配置端口數據時,還需將storage-network和tenant1分別配置到對應端口的physical_network字段,這個信息無法自動收集,需要人工設置。