Chapter 7. The Ceph iSCSI Gateway (Limited Availability)


As a storage administrator, you can install and configure an iSCSI gateway for the Red Hat Ceph Storage cluster. With Ceph’s iSCSI gateway you can effectively run a fully integrated block-storage infrastructure with all features and benefits of a conventional Storage Area Network (SAN).

Note

This technology is Limited Availability. See the Deprecated functionality chapter for additional information.

Warning

SCSI persistent reservations are not supported. Mapping multiple iSCSI initiators to an RBD image is supported, if using a cluster aware file system or clustering software that does not rely on SCSI persistent reservations. For example, VMware vSphere environments using ATS is supported, but using Microsoft’s clustering server (MSCS) is not supported.

7.1. Introduction to the Ceph iSCSI gateway

Traditionally, block-level access to a Ceph storage cluster has been limited to QEMU and librbd, which is a key enabler for adoption within OpenStack environments. Block-level access to the Ceph storage cluster can now take advantage of the iSCSI standard to provide data storage.

The iSCSI gateway integrates Red Hat Ceph Storage with the iSCSI standard to provide a highly available (HA) iSCSI target that exports RADOS Block Device (RBD) images as SCSI disks. The iSCSI protocol allows clients, known as initiators, to send SCSI commands to SCSI storage devices, known as targets, over a TCP/IP network. This allows for heterogeneous clients, such as Microsoft Windows, to access the Red Hat Ceph Storage cluster.

Figure 7.1. Ceph iSCSI Gateway HA Design

7.2. Requirements for the iSCSI target

The Red Hat Ceph Storage Highly Available (HA) iSCSI gateway solution has requirements for the number of gateway nodes, memory capacity, and timer settings to detect down OSDs.

Required Number of Nodes

Install a minimum of two iSCSI gateway nodes. To increase resiliency and I/O handling, install up to four iSCSI gateway nodes.

Memory Requirements

The memory footprint of the RBD images can grow to a large size. Each RBD image mapped on the iSCSI gateway nodes uses roughly 90 MB of memory. Ensure the iSCSI gateway nodes have enough memory to support each mapped RBD image.

Detecting Down OSDs

There are no specific iSCSI gateway options for the Ceph Monitors or OSDs, but it is important to lower the default timers for detecting down OSDs to reduce the possibility of initiator timeouts. Follow the instructions in Lowering timer settings for detecting down OSDs to reduce the possibility of initiator timeouts.

Additional Resources

7.3. Installing the iSCSI gateway

As a storage administrator, before you can utilize the benefits of the Ceph iSCSI gateway, you must install the required software packages. You can install the Ceph iSCSI gateway by using the Ansible deployment tool, or by using the command-line interface.

Each iSCSI gateway runs the Linux I/O target kernel subsystem (LIO) to provide iSCSI protocol support. LIO utilizes a user-space passthrough (TCMU) to interact with the Ceph librbd library to expose RBD images to iSCSI clients. With the Ceph iSCSI gateway you can effectively run a fully integrated block-storage infrastructure with all features and benefits of a conventional Storage Area Network (SAN).

7.3.1. Prerequisites

  • Red Hat Enterprise Linux 8 or 7.7 or higher.
  • A running Red Hat Ceph Storage 4 or higher cluster.

Use the Ansible utility to install packages and set up the daemons for the Ceph iSCSI gateway.

Prerequisites

  • The Ansible administration node with the ceph-ansible package installed.

Procedure

  1. On the iSCSI gateway nodes, enable the Red Hat Ceph Storage 4 Tools repository. For details, see the Enabling the Red Hat Ceph Storage Repositories section in the Red Hat Ceph Storage Installation Guide.
  2. On the Ansible administration node, add an entry in /etc/ansible/hosts file for the gateway group. If you colocate the iSCSI gateway with an OSD node, add the OSD node to the [iscsigws] section.

    [iscsigws]
    ceph-igw-1
    ceph-igw-2
    Copy to Clipboard Toggle word wrap
  3. Ansible places a file in the /usr/share/ceph-ansible/group_vars/ directory called iscsigws.yml.sample. Create a copy of the iscsigws.yml.sample file named it iscsigws.yml.
  4. Open the iscsigws.yml file for editing.
  5. Uncomment the trusted_ip_list option and update the values accordingly, using IPv4 or IPv6 addresses.

    Example

    Adding two gateways with the IPv4 addresses of 10.172.19.21 and 10.172.19.22, configure trusted_ip_list like this:

    trusted_ip_list: 10.172.19.21,10.172.19.22
    Copy to Clipboard Toggle word wrap
  6. Optionally, review the Ansible variables and descriptions in the iSCSI Gateway Variables section and update iscsigws.yml as needed.

    Warning

    Gateway configuration changes are only supported from one gateway at a time. Attempting to run changes concurrently through multiple gateways might lead to configuration instability and inconsistency.

    Warning

    Ansible installs the ceph-iscsi package, creates, and updates the /etc/ceph/iscsi-gateway.cfg file based on settings in the group_vars/iscsigws.yml file when the ansible-playbook command is used. If you have previously installed the ceph-iscsi package using the command-line interface described in Installing the iSCSI gateway using the command-line interface, copy the existing settings from the iscsi-gateway.cfg file to the group_vars/iscsigws.yml file.

  7. On the Ansible administration node, execute the Ansible playbook.

    • Bare-metal deployments:

      [admin@ansible ~]$ cd /usr/share/ceph-ansible
      [admin@ansible ceph-ansible]$ ansible-playbook site.yml -i hosts
      Copy to Clipboard Toggle word wrap
    • Container deployments:

      [admin@ansible ~]$ cd /usr/share/ceph-ansible
      [admin@ansible ceph-ansible]$ ansible-playbook site-container.yml -i hosts
      Copy to Clipboard Toggle word wrap
      Warning

      On stand-alone iSCSI gateway nodes, verify that the correct Red Hat Ceph Storage 4 software repositories are enabled. If they are unavailable, Ansible might install incorrect packages.

  8. To create targets, LUNs, and clients, use the gwcli utility or the Red Hat Ceph Storage Dashboard.

    Important

    Do not use the targetcli utility to change the configuration, this will result in the following issues: ALUA misconfiguration and path failover problems. There is the potential to corrupt data, to have mismatched configuration across iSCSI gateways, and to have mismatched WWN information, which will lead to client pathing problems.

The Ceph iSCSI gateway is the iSCSI target node and also a Ceph client node. The Ceph iSCSI gateway can be a standalone node or be colocated on a Ceph Object Store Disk (OSD) node. Complete the following steps to install the Ceph iSCSI gateway.

Prerequisites

  • Red Hat Enterprise Linux 8 or 7.7 and later
  • A Red Hat Ceph Storage 4 cluster or later
  • On all Ceph Monitor nodes in the storage cluster, restart the ceph-mon service, as the root user:

    Syntax

    systemctl restart ceph-mon@MONITOR_HOST_NAME
    Copy to Clipboard Toggle word wrap

    Example

    [root@mon ~]# systemctl restart ceph-mon@monitor1
    Copy to Clipboard Toggle word wrap

  • If the Ceph iSCSI gateway is not colocated on an OSD node, copy the Ceph configuration files, located in the /etc/ceph/ directory, from a running Ceph node in the storage cluster to the all iSCSI Gateway nodes. The Ceph configuration files must exist on the iSCSI gateway nodes under /etc/ceph/.
  • On all Ceph iSCSI gateway nodes, enable the Ceph Tools repository. For details see the Enabling the Red Hat Ceph Storage Repositories section in the Installation Guide.
  • On all Ceph iSCSI gateway nodes, install and configure the Ceph command-line interface. For details, see the Installing the Ceph Command Line Interface chapter in the Red Hat Ceph Storage 4 Installation Guide.
  • If needed, open TCP ports 3260 and 5000 on the firewall on all Ceph iSCSI nodes.
  • Create a new or use an existing RADOS Block Device (RBD).

Procedure

  1. On all Ceph iSCSI gateway nodes, install the ceph-iscsi and tcmu-runner packages:

    [root@iscsigw ~]# yum install ceph-iscsi tcmu-runner
    Copy to Clipboard Toggle word wrap
    Important

    If previous versions of these packages exist, remove them before installing the newer versions. You must install these newer versions from a Red Hat Ceph Storage repository.

  2. Optionally, on all Ceph iSCSI gateway nodes, install and configure the OpenSSL utility, if needed.

    1. Install the openssl package:

      [root@iscsigw ~]# yum install openssl
      Copy to Clipboard Toggle word wrap
    2. On the primary iSCSI gateway node, create a directory to hold the SSL keys:

      [root@iscsigw ~]# mkdir ~/ssl-keys
      [root@iscsigw ~]# cd ~/ssl-keys
      Copy to Clipboard Toggle word wrap
    3. On the primary iSCSI gateway node, create the certificate and key files. Enter the environmental information when prompted.

      [root@iscsigw ~]# openssl req -newkey rsa:2048 -nodes -keyout iscsi-gateway.key -x509 -days 365 -out iscsi-gateway.crt
      Copy to Clipboard Toggle word wrap
    4. On the primary iSCSI gateway node, create a PEM file:

      [root@iscsigw ~]# cat iscsi-gateway.crt iscsi-gateway.key > iscsi-gateway.pem
      Copy to Clipboard Toggle word wrap
    5. On the primary iSCSI gateway node, create a public key:

      [root@iscsigw ~]# openssl x509 -inform pem -in iscsi-gateway.pem -pubkey -noout > iscsi-gateway-pub.key
      Copy to Clipboard Toggle word wrap
    6. From the primary iSCSI gateway node, copy the iscsi-gateway.crt, iscsi-gateway.pem, iscsi-gateway-pub.key, and iscsi-gateway.key files to the /etc/ceph/ directory on the other iSCSI gateway nodes.
  3. Create a configuration file on a Ceph iSCSI gateway node, and then copy it to all iSCSI gateway nodes.

    1. Create a file named iscsi-gateway.cfg in the /etc/ceph/ directory:

      [root@iscsigw ~]# touch /etc/ceph/iscsi-gateway.cfg
      Copy to Clipboard Toggle word wrap
    2. Edit the iscsi-gateway.cfg file and add the following lines:

      Syntax

      [config]
      cluster_name = CLUSTER_NAME
      gateway_keyring = CLIENT_KEYRING
      api_secure = false
      trusted_ip_list = IP_ADDR,IP_ADDR
      Copy to Clipboard Toggle word wrap

      Example

      [config]
      cluster_name = ceph
      gateway_keyring = ceph.client.admin.keyring
      api_secure = false
      trusted_ip_list = 192.168.0.10,192.168.0.11
      Copy to Clipboard Toggle word wrap

    3. Copy the iscsi-gateway.cfg file to all iSCSI gateway nodes. Note that the file must be identical on all iSCSI gateway nodes.
  4. On all Ceph iSCSI gateway nodes, enable and start the API services:

    [root@iscsigw ~]# systemctl enable rbd-target-api
    [root@iscsigw ~]# systemctl start rbd-target-api
    [root@iscsigw ~]# systemctl enable rbd-target-gw
    [root@iscsigw ~]# systemctl start rbd-target-gw
    Copy to Clipboard Toggle word wrap
  5. Next, configure targets, LUNs, and clients. See the Configuring the iSCSI target using the command-line interface section for details.

Additional Resources

7.3.4. Additional Resources

7.4. Configuring the iSCSI target

As a storage administrator, you can configure targets, LUNs, and clients, using the gwcli command-line utility. You can also optimize performance of the iSCSI target, use the gwcli reconfigure subcommand.

Warning

Red Hat does not support managing Ceph block device images exported by the Ceph iSCSI gateway tools, such as gwcli and ceph-ansible. Also, using the rbd command to rename or remove RBD images exported by the Ceph iSCSI gateway, can result in an unstable storage cluster.

Warning

Before removing RBD images from the iSCSI gateway configuration, follow the standard procedures for removing a storage device from the operating system. For details, see the Removing a storage device chapter in the Storage Administration Guide for Red Hat Enterprise Linux 7 or the System Design Guide for Red Hat Enterprise Linux 8.

7.4.1. Prerequisites

  • Installation of the Ceph iSCSI gateway software.

The Ceph iSCSI gateway is the iSCSI target node and also a Ceph client node. Configure the Ceph iSCSI gateway either on a standalone node, or colocate it with a Ceph Object Storage Device (OSD) node.

Warning

Do not adjust other options using the gwcli reconfigure subcommand unless specified in this document or Red Hat Support has instructed you to do so.

Prerequisites

  • Installation of the Ceph iSCSI gateway software.

Procedure

  1. Start the iSCSI gateway command-line interface:

    [root@iscsigw ~]# gwcli
    Copy to Clipboard Toggle word wrap
  2. Create the iSCSI gateways using either IPv4 or IPv6 addresses:

    Syntax

    >/iscsi-targets create iqn.2003-01.com.redhat.iscsi-gw:_target_name_
    > goto gateways
    > create ISCSI_GW_NAME IP_ADDR_OF_GW
    > create ISCSI_GW_NAME IP_ADDR_OF_GW
    Copy to Clipboard Toggle word wrap

    Example

    >/iscsi-targets create iqn.2003-01.com.redhat.iscsi-gw:ceph-igw
    > goto gateways
    > create ceph-gw-1 10.172.19.21
    > create ceph-gw-2 10.172.19.22
    Copy to Clipboard Toggle word wrap

    Note

    You cannot use a mix of IPv4 and IPv6 addresses.

  3. Add a Ceph block device:

    Syntax

    > cd /disks
    >/disks/ create POOL_NAME image=IMAGE_NAME size=IMAGE_SIZE_m|g|t
    Copy to Clipboard Toggle word wrap

    Example

    > cd /disks
    >/disks/ create rbd image=disk_1 size=50g
    Copy to Clipboard Toggle word wrap

    Note

    Do not use any periods (.) in the pool or image name.

  4. Create a client:

    Syntax

    > goto hosts
    > create iqn.1994-05.com.redhat:_client_name_
    > auth use username=USER_NAME password=PASSWORD
    Copy to Clipboard Toggle word wrap

    Example

    > goto hosts
    > create iqn.1994-05.com.redhat:rh7-client
    > auth username=iscsiuser1 password=temp12345678
    Copy to Clipboard Toggle word wrap

    Important

    Red Hat does not support mixing clients, some with Challenge Handshake Authentication Protocol (CHAP) enabled and some CHAP disabled. All clients must have either CHAP enabled or have CHAP disabled. The default behavior is to only authenticate an initiator by its initiator name.

    If initiators are failing to log into the target, the CHAP authentication might not be configured correctly for some initiators, for example:

    o- hosts ................................ [Hosts: 2: Auth: MISCONFIG]
    Copy to Clipboard Toggle word wrap

    Use the following command at the hosts level to reset all the CHAP authentication:

    /> goto hosts
    /iscsi-target...csi-igw/hosts> auth nochap
    ok
    ok
    /iscsi-target...csi-igw/hosts> ls
    o- hosts ................................ [Hosts: 2: Auth: None]
      o- iqn.2005-03.com.ceph:esx ........... [Auth: None, Disks: 4(310G)]
      o- iqn.1994-05.com.redhat:rh7-client .. [Auth: None, Disks: 0(0.00Y)]
    Copy to Clipboard Toggle word wrap
  5. Add disks to a client:

    Syntax

    >/iscsi-target..eph-igw/hosts
    > cd iqn.1994-05.com.redhat:_CLIENT_NAME_
    > disk add POOL_NAME/IMAGE_NAME
    Copy to Clipboard Toggle word wrap

    Example

    >/iscsi-target..eph-igw/hosts
    > cd iqn.1994-05.com.redhat:rh7-client
    > disk add rbd/disk_1
    Copy to Clipboard Toggle word wrap

  6. To confirm that the API is using SSL correctly, search the rbd-target-api log file, located at /var/log/rbd-target-api.log or /var/log/rbd-target/rbd-target-api.log, for https, for example:

    Aug 01 17:27:42 test-node.example.com python[1879]:  * Running on https://0.0.0.0:5000/
    Copy to Clipboard Toggle word wrap
  7. Verifying that the Ceph ISCSI gateways are working:

    /> goto gateways
    /iscsi-target...-igw/gateways> ls
    o- gateways ............................ [Up: 2/2, Portals: 2]
      o- ceph-gw-1  ........................ [ 10.172.19.21 (UP)]
      o- ceph-gw-2  ........................ [ 10.172.19.22 (UP)]
    Copy to Clipboard Toggle word wrap

    If the status is UNKNOWN, check for network issues and any misconfigurations. If using a firewall, verify that the appropriate TCP port is open. Verify that the iSCSI gateway is listed in the trusted_ip_list option. Verify that the rbd-target-api service is running on the iSCSI gateway node.

  8. Optionally, reconfigure the max_data_area_mb option:

    Syntax

    >/disks/ reconfigure POOL_NAME/IMAGE_NAME max_data_area_mb NEW_BUFFER_SIZE
    Copy to Clipboard Toggle word wrap

    Example

    >/disks/ reconfigure rbd/disk_1 max_data_area_mb 64
    Copy to Clipboard Toggle word wrap

    Note

    The max_data_area_mb option controls the amount of memory in megabytes that each image can use to pass SCSI command data between the iSCSI target and the Ceph cluster. If this value is too small, it can result in excessive queue full retries which will affect performance. If the value is too large, it can result in one disk using too much of the system memory, which can cause allocation failures for other subsystems. The default value for the max_data_area_mb option is 8.

  9. Configure an iSCSI initiator.

Additional Resources

There are many settings that control how the iSCSI Target transfers data over the network. These settings can be used to optimize the performance of the iSCSI gateway.

Warning

Only change these settings if instructed to by Red Hat Support or as specified in this document.

The gwcli reconfigure subcommand controls the settings that are used to optimize the performance of the iSCSI gateway.

Settings that affect the performance of the iSCSI target

  • max_data_area_mb
  • cmdsn_depth
  • immediate_data
  • initial_r2t
  • max_outstanding_r2t
  • first_burst_length
  • max_burst_length
  • max_recv_data_segment_length
  • max_xmit_data_segment_length

Additional Resources

Sometimes it is necessary to lower the timer settings for detecting down OSDs. For example, when using Red Hat Ceph Storage as an iSCSI gateway, you can reduce the possibility of initiator timeouts by lowering the timer settings for detecting down OSDs.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Access to the Ansible administration node.

Procedure

  1. Configure Ansible to use the new timer settings.

    1. On the Ansible administration node, add a ceph_conf_overrides section in the group_vars/all.yml file that looks like this, or edit any existing ceph_conf_overrides section as follows:

      ceph_conf_overrides:
           osd:
             osd_client_watch_timeout: 15
             osd_heartbeat_grace: 20
             osd_heartbeat_interval: 5
      Copy to Clipboard Toggle word wrap

      The above settings will be added to the ceph.conf configuration files on the OSD nodes when the Ansible playbook runs.

    2. Change to the ceph-ansible directory:

      [admin@ansible ~]$ cd /usr/share/ceph-ansible
      Copy to Clipboard Toggle word wrap
    3. Use Ansible to update the ceph.conf file and restart the OSD daemons on all the OSD nodes. On the Ansible admin node, run the following command:

      Bare-metal Deployments

      [admin@ansible ceph-ansible]$ ansible-playbook site.yml --limit osds
      Copy to Clipboard Toggle word wrap

      Container Deployments

      [admin@ansible ceph-ansible]$ ansible-playbook site-container.yml --limit osds -i hosts
      Copy to Clipboard Toggle word wrap

  2. Verify the timer settings are the same as set in ceph_conf_overrides:

    Syntax

    ceph daemon osd.OSD_ID config get osd_client_watch_timeout
    ceph daemon osd.OSD_ID config get osd_heartbeat_grace
    ceph daemon osd.OSD_ID config get osd_heartbeat_interval
    Copy to Clipboard Toggle word wrap

    Example

    [root@osd ~]# ceph daemon osd.0 config get osd_client_watch_timeout
    {
        "osd_client_watch_timeout": "15"
    }
    
    [root@osd ~]#  ceph daemon osd.0 config get osd_heartbeat_grace
    {
        "osd_heartbeat_grace": "20"
    }
    
    [root@osd ~]# ceph daemon osd.0 config get osd_heartbeat_interval
    {
        "osd_heartbeat_interval": "5"
    }
    Copy to Clipboard Toggle word wrap

  3. Optional: If you cannot restart the OSD daemons immediately, you can do online updates from Ceph Monitor nodes, or update all Ceph OSD nodes directly. Once you are able to restart the OSD daemons, use Ansible as described above to add the new timer settings into ceph.conf so that the settings persist across reboots.

    1. To do an online update of OSD timer settings from a Ceph Monitor node:

      Syntax

      ceph tell osd.OSD_ID injectargs '--osd_client_watch_timeout 15'
      ceph tell osd.OSD_ID injectargs '--osd_heartbeat_grace 20'
      ceph tell osd.OSD_ID injectargs '--osd_heartbeat_interval 5'
      Copy to Clipboard Toggle word wrap

      Example

      [root@mon ~]# ceph tell osd.0 injectargs '--osd_client_watch_timeout 15'
      [root@mon ~]# ceph tell osd.0 injectargs '--osd_heartbeat_grace 20'
      [root@mon ~]# ceph tell osd.0 injectargs '--osd_heartbeat_interval 5'
      Copy to Clipboard Toggle word wrap

    2. To do an online update of OSD timer settings from an Ceph OSD node:

      Syntax

      ceph daemon osd.OSD_ID config set osd_client_watch_timeout 15
      ceph daemon osd.OSD_ID config set osd_heartbeat_grace 20
      ceph daemon osd.OSD_ID config set osd_heartbeat_interval 5
      Copy to Clipboard Toggle word wrap

      Example

      [root@osd ~]# ceph daemon osd.0 config set osd_client_watch_timeout 15
      [root@osd ~]# ceph daemon osd.0 config set osd_heartbeat_grace 20
      [root@osd ~]# ceph daemon osd.0 config set osd_heartbeat_interval 5
      Copy to Clipboard Toggle word wrap

Additional Resources

  • For more information about using Red Hat Ceph Storage as an iSCSI gateway, see The Ceph iSCSI gateway in the Red Hat Ceph Storage Block Device Guide.

The Ceph iSCSI gateway can configure host groups for managing multiple servers that share the same disk configuration. iSCSI host groups creates a logical grouping of hosts and the disks that each host in the group has access to.

Important

The sharing of disk devices to multiple hosts must use a cluster-aware file system.

Prerequisites

  • Installation of the Ceph iSCSI gateway software.
  • Root-level access to the Ceph iSCSI gateway node.

Procedure

  1. Start the iSCSI gateway command-line interface:

    [root@iscsigw ~]# gwcli
    Copy to Clipboard Toggle word wrap
  2. Create a new host group:

    Syntax

    cd iscsi-targets/
    cd IQN/host-groups
    create group_name=GROUP_NAME
    Copy to Clipboard Toggle word wrap

    Example

    /> cd iscsi-targets/
    /iscsi-targets> cd iqn.2003-01.com.redhat.iscsi-gw:ceph-igw/host-groups/
    /iscsi-target.../host-groups> create group_name=igw_grp01
    Copy to Clipboard Toggle word wrap

  3. Add a host to the host group:

    Syntax

    cd GROUP_NAME
    host add client_iqn=CLIENT_IQN
    Copy to Clipboard Toggle word wrap

    Example

    > cd igw_grp01
    /iscsi-target.../host-groups/igw_grp01> host add client_iqn=iqn.1994-05.com.redhat:rh8-client
    Copy to Clipboard Toggle word wrap

    Repeat this step to add additional hosts to the group.

  4. Add a disk to the host group:

    Syntax

    cd /disks/
    /disks> create pool=POOL image=IMAGE_NAME size=SIZE
    cd /IQN/host-groups/GROUP_NAME
    disk add POOL/IMAGE_NAME
    Copy to Clipboard Toggle word wrap

    Example

    > cd /disks/
    /disks> create pool=rbd image=rbdimage size=1G
    /> cd iscsi-targets/iqn.2003-01.com.redhat.iscsi-gw:ceph-igw/host-groups/igw_grp01/
    /iscsi-target...s/igw_grp01> disk add rbd/rbdimage
    Copy to Clipboard Toggle word wrap

    Repeat this step to add additional disks to the group.

7.4.6. Additional Resources

  • For details on configuring iSCSI targets using the Red Hat Ceph Storage Dashboard, see the Creating iSCSI targets section in the Red Hat Ceph Storage Dashboard Guide.

7.5. Configuring the iSCSI initiator

You can configure the iSCSI initiator to connect to the Ceph iSCSI gateway on the following platforms.

Prerequisites

  • Red Hat Enterprise Linux 7.7 or higher.
  • Package iscsi-initiator-utils-6.2.0.873-35 or newer must be installed.
  • Package device-mapper-multipath-0.4.9-99 or newer must be installed.

Procedure

  1. Install the iSCSI initiator and multipath tools:

    [root@rhel ~]# yum install iscsi-initiator-utils
    [root@rhel ~]# yum install device-mapper-multipath
    Copy to Clipboard Toggle word wrap
  2. Set the initiator name by editing the /etc/iscsi/initiatorname.iscsi file. Note that the initiator name must match the initiator name that was used during the initial setup using the gwcli command.
  3. Configure multipath I/O.

    1. Create the default /etc/multipath.conf file and enable the multipathd service:

      [root@rhel ~]# mpathconf --enable --with_multipathd y
      Copy to Clipboard Toggle word wrap
    2. Update the /etc/multipath.conf file as follows:

      devices {
              device {
                      vendor                 "LIO-ORG"
                      product                "TCMU device"
                      hardware_handler       "1 alua"
                      path_grouping_policy   "failover"
                      path_selector          "queue-length 0"
                      failback               60
                      path_checker           tur
                      prio                   alua
                      prio_args              exclusive_pref_bit
                      fast_io_fail_tmo       25
                      no_path_retry          queue
              }
      }
      Copy to Clipboard Toggle word wrap
    3. Restart the multipathd service:

      [root@rhel ~]# systemctl reload multipathd
      Copy to Clipboard Toggle word wrap
  4. Set up CHAP and iSCSI discovery and login.

    1. Provide a CHAP user name and password by updating the /etc/iscsi/iscsid.conf file accordingly, for example:

      node.session.auth.authmethod = CHAP
      node.session.auth.username = user
      node.session.auth.password = password
      Copy to Clipboard Toggle word wrap
    2. Discover the target portals:

      Syntax

      iscsiadm -m discovery -t st -p IP_ADDR
      Copy to Clipboard Toggle word wrap

    3. Log in to target:

      Syntax

      iscsiadm -m node -T TARGET -l
      Copy to Clipboard Toggle word wrap

  5. View the multipath I/O configuration. The multipathd daemon sets up devices automatically based on the settings in the multipath.conf file.

    1. Use the multipath command to show devices setup in a failover configuration with a priority group for each path, for example:

      Example

      [root@rhel ~]# multipath -ll
      mpathbt (360014059ca317516a69465c883a29603) dm-1 LIO-ORG,TCMU device
      size=1.0G features='0' hwhandler='1 alua' wp=rw
      |-+- policy='queue-length 0' prio=50 status=active
      | `- 28:0:0:1 sde  8:64  active ready running
      `-+- policy='queue-length 0' prio=10 status=enabled
        `- 29:0:0:1 sdc  8:32  active ready running
      Copy to Clipboard Toggle word wrap

      The multipath -ll output prio value indicates the ALUA state, where prio=50 indicates it is the path to the owning iSCSI gateway in the ALUA Active-Optimized state and prio=10 indicates it is an Active-non-Optimized path. The status field indicates which path is being used, where active indicates the currently used path, and enabled indicates the failover path, if the active fails.

    2. To match the device name, for example, sde in the multipath -ll output, to the iSCSI gateway:

      Example

      [root@rhel ~]# iscsiadm -m session -P 3
      Copy to Clipboard Toggle word wrap

      The Persistent Portal value is the IP address assigned to the iSCSI gateway listed in the gwcli utility.

Prerequisites

  • Red Hat Virtualization 4.1
  • Configured MPIO devices on all Red Hat Virtualization nodes
  • The iscsi-initiator-utils-6.2.0.873-35 package or newer
  • The device-mapper-multipath-0.4.9-99 package or newer

Procedure

  1. Configure multipath I/O.

    1. Update the /etc/multipath/conf.d/DEVICE_NAME.conf file as follows:

      devices {
              device {
                      vendor                 "LIO-ORG"
                      product                "TCMU device"
                      hardware_handler       "1 alua"
                      path_grouping_policy   "failover"
                      path_selector          "queue-length 0"
                      failback               60
                      path_checker           tur
                      prio                   alua
                      prio_args              exclusive_pref_bit
                      fast_io_fail_tmo       25
                      no_path_retry          queue
              }
      }
      Copy to Clipboard Toggle word wrap
    2. Restart the multipathd service:

      [root@rhv ~]# systemctl reload multipathd
      Copy to Clipboard Toggle word wrap
  2. Click the Storage resource tab to list the existing storage domains.
  3. Click the New Domain button to open the New Domain window.
  4. Enter the Name of the new storage domain.
  5. Use the Data Center drop-down menu to select an data center.
  6. Use the drop-down menus to select the Domain Function and the Storage Type. The storage domain types that are not compatible with the chosen domain function are not available.
  7. Select an active host in the Use Host field. If this is not the first data domain in a data center, you must select the data center’s SPM host.
  8. The New Domain window automatically displays known targets with unused LUNs when iSCSI is selected as the storage type. If the target that you are adding storage from is not listed then you can use target discovery to find it, otherwise proceed to the next step.

    1. Click Discover Targets to enable target discovery options. When targets have been discovered and logged in to, the New Domain window automatically displays targets with LUNs unused by the environment. Note that LUNs external to the environment are also displayed. You can use the Discover Targets options to add LUNs on many targets, or multiple paths to the same LUNs.
    2. Enter the fully qualified domain name or IP address of the iSCSI host in the Address field.
    3. Enter the port to connect to the host on when browsing for targets in the Port field. The default is 3260.
    4. If the Challenge Handshake Authentication Protocol (CHAP) is being used to secure the storage, select the User Authentication check box. Enter the CHAP user name and CHAP password.
    5. Click the Discover button.
    6. Select the target to use from the discovery results and click the Login button. Alternatively, click the Login All to log in to all of the discovered targets.

      Important

      If more than one path access is required, ensure to discover and log in to the target through all the required paths. Modifying a storage domain to add additional paths is currently not supported.

  9. Click the + button next to the desired target. This will expand the entry and display all unused LUNs attached to the target.
  10. Select the check box for each LUN that you are using to create the storage domain.
  11. Optionally, you can configure the advanced parameters.

    1. Click Advanced Parameters.
    2. Enter a percentage value into the Warning Low Space Indicator field. If the free space available on the storage domain is below this percentage, warning messages are displayed to the user and logged.
    3. Enter a GB value into the Critical Space Action Blocker field. If the free space available on the storage domain is below this value, error messages are displayed to the user and logged, and any new action that consumes space, even temporarily, will be blocked.
    4. Select the Wipe After Delete check box to enable the wipe after delete option. You can edit this option after creating the domain, but doing so does not change the wipe after delete property of disks that already exist.
    5. Select the Discard After Delete check box to enable the discard after delete option. You can edit this option after creating the domain. This option is only available to block storage domains.
  12. Click OK to create the storage domain and close the window.

Prerequisites

  • Microsoft Windows Server 2016

Procedure

  1. Install the iSCSI initiator and configure discovery and setup.

    1. Install the iSCSI initiator driver and MPIO tools.
    2. Launch the MPIO program, click the Discover Multi-Paths tab, check the Add support for iSCSI devices box, and click Add.
    3. Reboot the MPIO program.
    4. On the iSCSI Initiator Properties window, on the Discovery tab 1 , add a target portal. Enter the IP address or DNS name 2 and Port 3 of the Ceph iSCSI gateway:

    5. On the Targets tab 1 , select the target and click Connect 2 :

    6. On the Connect To Target window, select the Enable multi-path option 1 , and click the Advanced button 2 :

    7. Under the Connect using section, select a Target portal IP 1 . Select Enable CHAP login on 2 and enter the Name and Target secret values 3 from the Ceph iSCSI client credentials section, and click OK 4 :

      Important

      Windows Server 2016 does not accept a CHAP secret less than 12 bytes.

    8. Repeat the previous two steps for each target portal defined when setting up the iSCSI gateway.
    9. If the initiator name is different than the initiator name used during the initial setup, rename the initiator name. From iSCSI Initiator Properties window, on the Configuration tab 1 , click the Change button 2 to rename the initiator name.

  2. Set up multipath I/O. In PowerShell, use the PDORemovePeriod command to set the MPIO load balancing policy and the mpclaim command to set the load balancing policy. The iSCSI Initiator Tool configures the remaining options.

    Note

    Red Hat recommends increasing the PDORemovePeriod option to 120 seconds from PowerShell. You might need to adjust this value based on the application. When all paths are down, and 120 seconds expires, the operating system starts failing I/O requests.

    Set-MPIOSetting -NewPDORemovePeriod 120
    Copy to Clipboard Toggle word wrap
    1. Set the failover policy

      mpclaim.exe -l -m 1
      Copy to Clipboard Toggle word wrap
    2. Verify the failover policy

      mpclaim -s -m
      MSDSM-wide Load Balance Policy: Fail Over Only
      Copy to Clipboard Toggle word wrap
    3. Using the iSCSI Initiator tool, from the Targets tab 1 click on the Devices…​ button 2 :

    4. From the Devices window, select a disk 1 and click the MPIO…​ button 2 :

    5. The Device Details window displays the paths to each target portal. The Load Balancing Policy Fail Over Only must be selected.

    6. View the multipath configuration from the PowerShell:

      mpclaim -s -d MPIO_DISK_ID
      Copy to Clipboard Toggle word wrap

      Replace MPIO_DISK_ID with the appropriate disk identifier.

      Note

      There is one Active/Optimized path which is the path to the iSCSI gateway node that owns the LUN, and there is an Active/Unoptimized path for each other iSCSI gateway node.

  3. Optionally, tune the settings. Consider using the following registry settings:

    • Windows Disk Timeout

      Key

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk
      Copy to Clipboard Toggle word wrap

      Value

      TimeOutValue = 65
      Copy to Clipboard Toggle word wrap

    • Microsoft iSCSI Initiator Driver

      Key

      HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\<Instance_Number>\Parameters
      Copy to Clipboard Toggle word wrap

      Values

      LinkDownTime = 25
      SRBTimeoutDelta = 15
      Copy to Clipboard Toggle word wrap

Prerequisites

  • See the iSCSI Gateway (IGW) section in the Customer Portal Knowledgebase article for supported VMware ESXi versions.
  • Access to the VMware Host Client.
  • Root access to VMware ESXi host to execute the esxcli command.

Procedure

  1. Disable HardwareAcceleratedMove (XCOPY):

    > esxcli system settings advanced set --int-value 0 --option /DataMover/HardwareAcceleratedMove
    Copy to Clipboard Toggle word wrap
  2. Enable the iSCSI software. From the Navigator pane, click Storage 1 . Select the Adapters tab 2 . Click on Configure iSCSI 3 :

  3. Verify the initiator name in the Name & alias section 1 .

  4. If the initiator name is different than the initiator name used when creating the client during the initial setup using gwcli, change the initiator name: From the VMware ESX host, use these esxcli commands.

    1. Get the adapter name for the iSCSI software:

      > esxcli iscsi adapter list
      > Adapter  Driver     State   UID            Description
      > -------  ---------  ------  -------------  ----------------------
      > vmhba64  iscsi_vmk  online  iscsi.vmhba64  iSCSI Software Adapter
      Copy to Clipboard Toggle word wrap
    2. Set the initiator name:

      Syntax

      > esxcli iscsi adapter set -A ADAPTOR_NAME -n INITIATOR_NAME
      Copy to Clipboard Toggle word wrap

      Example

      > esxcli iscsi adapter set -A vmhba64 -n iqn.1994-05.com.redhat:rh7-client
      Copy to Clipboard Toggle word wrap

  5. Configure CHAP. Expand the CHAP authentication section 1 . Select “Do not use CHAP unless required by target” 2 . Enter the CHAP Name and Secret 3 credentials that were used in the initial setup. Verify the Mutual CHAP authentication section 4 has “Do not use CHAP” selected.

    Warning

    Due to a bug in the VMware Host Client, the CHAP settings are not used initially. On the Ceph iSCSI gateway node, the kernel logs include the following errors as an indication of this bug:

    > kernel: CHAP user or password not set for Initiator ACL
    > kernel: Security negotiation failed.
    > kernel: iSCSI Login negotiation failed.
    Copy to Clipboard Toggle word wrap

    To work around this bug, configure the CHAP settings using the esxcli command. The authname argument is the Name in the vSphere Web Client:

    > esxcli iscsi adapter auth chap set --direction=uni --authname=myiscsiusername --secret=myiscsipassword --level=discouraged -A vmhba64
    Copy to Clipboard Toggle word wrap
  6. Configure the iSCSI settings. Expand Advanced settings 1 . Set the RecoveryTimeout value to 25 2 .

  7. Set the discovery address. In the Dynamic targets section 1 , click Add dynamic target 2 . Under Address 3 add an IP addresses for one of the Ceph iSCSI gateways. Only one IP address needs to be added. Finally, click the Save configuration button 4 . From the main interface, on the Devices tab, you will see the RBD image.

    Note

    LUN is configured automatically, using the ALUA SATP and MRU PSP. Do not use other SATPs and PSPs. You can verify this by the esxcli command:

    Syntax

    esxcli storage nmp path list -d eui.DEVICE_ID
    Copy to Clipboard Toggle word wrap

    Replace DEVICE_ID with the appropriate device identifier.

  8. Verify that multipathing has been set up correctly.

    1. List the devices:

      Example

      > esxcli storage nmp device list | grep iSCSI
         Device Display Name: LIO-ORG iSCSI Disk (naa.6001405f8d087846e7b4f0e9e3acd44b)
         Device Display Name: LIO-ORG iSCSI Disk (naa.6001405057360ba9b4c434daa3c6770c)
      Copy to Clipboard Toggle word wrap

    2. Get the multipath information for the Ceph iSCSI disk from the previous step:

      Example

      > esxcli storage nmp path list -d naa.6001405f8d087846e7b4f0e9e3acd44b
      
      iqn.2005-03.com.ceph:esx1-00023d000001,iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw,t,1-naa.6001405f8d087846e7b4f0e9e3acd44b
         Runtime Name: vmhba64:C0:T0:L0
         Device: naa.6001405f8d087846e7b4f0e9e3acd44b
         Device Display Name: LIO-ORG iSCSI Disk (naa.6001405f8d087846e7b4f0e9e3acd44b)
         Group State: active
         Array Priority: 0
         Storage Array Type Path Config: {TPG_id=1,TPG_state=AO,RTP_id=1,RTP_health=UP}
         Path Selection Policy Path Config: {current path; rank: 0}
      
      iqn.2005-03.com.ceph:esx1-00023d000002,iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw,t,2-naa.6001405f8d087846e7b4f0e9e3acd44b
         Runtime Name: vmhba64:C1:T0:L0
         Device: naa.6001405f8d087846e7b4f0e9e3acd44b
         Device Display Name: LIO-ORG iSCSI Disk (naa.6001405f8d087846e7b4f0e9e3acd44b)
         Group State: active unoptimized
         Array Priority: 0
         Storage Array Type Path Config: {TPG_id=2,TPG_state=ANO,RTP_id=2,RTP_health=UP}
         Path Selection Policy Path Config: {non-current path; rank: 0}
      Copy to Clipboard Toggle word wrap

      From the example output, each path has an iSCSI or SCSI name with the following parts:

      Initiator name = iqn.2005-03.com.ceph:esx1 ISID = 00023d000002 Target name = iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw Target port group = 2 Device id = naa.6001405f8d087846e7b4f0e9e3acd44b

      The Group State value of active indicates this is the Active-Optimized path to the iSCSI gateway. The gwcli command lists the active as the iSCSI gateway owner. The rest of the paths have the Group State value of unoptimized and are the failover path, if the active path goes into a dead state.

  9. To match all paths to their respective iSCSI gateways:

    Example

    > esxcli iscsi session connection list
    vmhba64,iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw,00023d000001,0
       Adapter: vmhba64
       Target: iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw
       ISID: 00023d000001
       CID: 0
       DataDigest: NONE
       HeaderDigest: NONE
       IFMarker: false
       IFMarkerInterval: 0
       MaxRecvDataSegmentLength: 131072
       MaxTransmitDataSegmentLength: 262144
       OFMarker: false
       OFMarkerInterval: 0
       ConnectionAddress: 10.172.19.21
       RemoteAddress: 10.172.19.21
       LocalAddress: 10.172.19.11
       SessionCreateTime: 08/16/18 04:20:06
       ConnectionCreateTime: 08/16/18 04:20:06
       ConnectionStartTime: 08/16/18 04:30:45
       State: logged_in
    
    vmhba64,iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw,00023d000002,0
       Adapter: vmhba64
       Target: iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw
       ISID: 00023d000002
       CID: 0
       DataDigest: NONE
       HeaderDigest: NONE
       IFMarker: false
       IFMarkerInterval: 0
       MaxRecvDataSegmentLength: 131072
       MaxTransmitDataSegmentLength: 262144
       OFMarker: false
       OFMarkerInterval: 0
       ConnectionAddress: 10.172.19.22
       RemoteAddress: 10.172.19.22
       LocalAddress: 10.172.19.12
       SessionCreateTime: 08/16/18 04:20:06
       ConnectionCreateTime: 08/16/18 04:20:06
       ConnectionStartTime: 08/16/18 04:30:41
       State: logged_in
    Copy to Clipboard Toggle word wrap

    Match the path name with the ISID value, and the RemoteAddress value is the IP address of the owning iSCSI gateway.

7.6. Managing iSCSI services

The ceph-iscsi package installs the configuration management logic, and the rbd-target-gw and rbd-target-api systemd services.

The rbd-target-api service restores the Linux iSCSI target state at startup, and responds to ceph-iscsi REST API calls from tools like gwcli and Red Hat Ceph Storage Dashboard. The rbd-target-gw service provides metrics using the Prometheus plug-in.

The rbd-target-api service assumes it is the only user of the Linux kernel’s target layer. Do not use the target service installed with the targetcli package when using rbd-target-api. Ansible automatically disables the targetcli target service during the Ceph iSCSI gateway installation.

Procedure

  1. To start the services:

    # systemctl start rbd-target-api
    # systemctl start rbd-target-gw
    Copy to Clipboard Toggle word wrap
  2. To restart the services:

    # systemctl restart rbd-target-api
    # systemctl restart rbd-target-gw
    Copy to Clipboard Toggle word wrap
  3. To reload the services:

    # systemctl reload rbd-target-api
    # systemctl reload rbd-target-gw
    Copy to Clipboard Toggle word wrap

    The reload request forces rbd-target-api to reread the configuration and apply it to the current running environment. This is normally not required, because changes are deployed in parallel from Ansible to all iSCSI gateway nodes.

  4. To stop the services:

    # systemctl stop rbd-target-api
    # systemctl stop rbd-target-gw
    Copy to Clipboard Toggle word wrap

    The stop request closes the gateway’s portal interfaces, dropping connections to clients and wipes the current Linux iSCSI target configuration from the kernel. This returns the iSCSI gateway to a clean state. When clients are disconnected, active I/O is rescheduled to the other iSCSI gateways by the client side multipathing layer.

7.7. Adding more iSCSI gateways

As a storage administrator, you can expand the initial two iSCSI gateways to four iSCSI gateways by using the gwcli command-line tool or the Red Hat Ceph Storage Dashboard. Adding more iSCSI gateways provides you more flexibility when using load-balancing and failover options, along with providing more redundancy.

7.7.1. Prerequisites

  • A running Red Hat Ceph Storage 4 cluster
  • Spare nodes or existing OSD nodes
  • root permissions

7.7.2. Using Ansible to add more iSCSI gateways

You can using the Ansible automation utility to add more iSCSI gateways. This procedure expands the default installation of two iSCSI gateways to four iSCSI gateways. You can configure the iSCSI gateway on a standalone node or it can be collocated with existing OSD nodes.

Prerequisites

  • Red Hat Enterprise Linux 7.7 or later.
  • A running Red Hat Ceph Storage cluster.
  • Installation of the iSCSI gateway software.
  • Having admin user access on the Ansible administration node.
  • Having root user access on the new nodes.

Procedure

  1. On the new iSCSI gateway nodes, enable the Red Hat Ceph Storage Tools repository:

    Red Hat Enterprise Linux 7

    [root@iscsigw ~]# subscription-manager repos --enable=rhel-7-server-rhceph-4-tools-rpms
    Copy to Clipboard Toggle word wrap

    Red Hat Enterprise Linux 8

    [root@iscsigw ~]# subscription-manager repos --enable=rhceph-4-tools-for-rhel-8-x86_64-rpms
    Copy to Clipboard Toggle word wrap

  2. Install the ceph-iscsi-config package:

    [root@iscsigw ~]# yum install ceph-iscsi-config
    Copy to Clipboard Toggle word wrap
  3. Append to the list in /etc/ansible/hosts file for the gateway group:

    Example

    [iscsigws]
    ...
    ceph-igw-3
    ceph-igw-4
    Copy to Clipboard Toggle word wrap

    Note

    If colocating the iSCSI gateway with an OSD node, add the OSD node to the [iscsigws] section.

  4. Change to the ceph-ansible directory:

    [admin@ansible ~]$ cd /usr/share/ceph-ansible
    Copy to Clipboard Toggle word wrap
  5. On the Ansible administration node, run the appropriate Ansible playbook:

    • Bare-metal deployments:

      [admin@ansible ceph-ansible]$ ansible-playbook site.yml -i hosts
      Copy to Clipboard Toggle word wrap
    • Container deployments:

      [admin@ansible ceph-ansible]$ ansible-playbook site-container.yml -i hosts
      Copy to Clipboard Toggle word wrap
    Important

    Providing IP addresses for the gateway_ip_list option is required. You cannot use a mix of IPv4 and IPv6 addresses.

  6. From the iSCSI initiators, re-login to use the newly added iSCSI gateways.

Additional Resources

7.7.3. Using gwcli to add more iSCSI gateways

You can use the gwcli command-line tool to add more iSCSI gateways. This procedure expands the default of two iSCSI gateways to four iSCSI gateways.

Prerequisites

  • Red Hat Enterprise Linux 7.7 or later.
  • A running Red Hat Ceph Storage cluster.
  • Installation of the iSCSI gateway software.
  • Having root user access to the new nodes or OSD nodes.

Procedure

  1. If the Ceph iSCSI gateway is not colocated on an OSD node, copy the Ceph configuration files, located in the /etc/ceph/ directory, from a running Ceph node in the storage cluster to the new iSCSI Gateway node. The Ceph configuration files must exist on the iSCSI gateway node under the /etc/ceph/ directory.
  2. Install and configure the Ceph command-line interface.
  3. On the new iSCSI gateway nodes, enable the Red Hat Ceph Storage Tools repository:

    Red Hat Enterprise Linux 7

    [root@iscsigw ~]# subscription-manager repos --enable=rhel-7-server-rhceph-4-tools-rpms
    Copy to Clipboard Toggle word wrap

    Red Hat Enterprise Linux 8

    [root@iscsigw ~]# subscription-manager repos --enable=rhceph-4-tools-for-rhel-8-x86_64-rpms
    Copy to Clipboard Toggle word wrap

  4. Install the ceph-iscsi, and tcmu-runner packages:

    Red Hat Enterprise Linux 7

    [root@iscsigw ~]# yum install ceph-iscsi tcmu-runner
    Copy to Clipboard Toggle word wrap

    Red Hat Enterprise Linux 8

    [root@iscsigw ~]# dnf install ceph-iscsi tcmu-runner
    Copy to Clipboard Toggle word wrap

    1. If needed, install the openssl package:

      Red Hat Enterprise Linux 7

      [root@iscsigw ~]# yum install openssl
      Copy to Clipboard Toggle word wrap

      Red Hat Enterprise Linux 8

      [root@iscsigw ~]# dnf install openssl
      Copy to Clipboard Toggle word wrap

  5. On one of the existing iSCSI gateway nodes, edit the /etc/ceph/iscsi-gateway.cfg file and append the trusted_ip_list option with the new IP addresses for the new iSCSI gateway nodes. For example:

    [config]
    ...
    trusted_ip_list = 10.172.19.21,10.172.19.22,10.172.19.23,10.172.19.24
    Copy to Clipboard Toggle word wrap
  6. Copy the updated /etc/ceph/iscsi-gateway.cfg file to all the iSCSI gateway nodes.

    Important

    The iscsi-gateway.cfg file must be identical on all iSCSI gateway nodes.

  7. Optionally, if using SSL, also copy the ~/ssl-keys/iscsi-gateway.crt, ~/ssl-keys/iscsi-gateway.pem, ~/ssl-keys/iscsi-gateway-pub.key, and ~/ssl-keys/iscsi-gateway.key files from one of the existing iSCSI gateway nodes to the /etc/ceph/ directory on the new iSCSI gateway nodes.
  8. Enable and start the API service on the new iSCSI gateway nodes:

    [root@iscsigw ~]# systemctl enable rbd-target-api
    [root@iscsigw ~]# systemctl start rbd-target-api
    Copy to Clipboard Toggle word wrap
  9. Start the iSCSI gateway command-line interface:

    [root@iscsigw ~]# gwcli
    Copy to Clipboard Toggle word wrap
  10. Creating the iSCSI gateways using either IPv4 or IPv6 addresses:

    Syntax

    >/iscsi-target create iqn.2003-01.com.redhat.iscsi-gw:_TARGET_NAME_
    > goto gateways
    > create ISCSI_GW_NAME IP_ADDR_OF_GW
    > create ISCSI_GW_NAME IP_ADDR_OF_GW
    Copy to Clipboard Toggle word wrap

    Example

    >/iscsi-target create iqn.2003-01.com.redhat.iscsi-gw:ceph-igw
    > goto gateways
    > create ceph-gw-3 10.172.19.23
    > create ceph-gw-4 10.172.19.24
    Copy to Clipboard Toggle word wrap

    Important

    You cannot use a mix of IPv4 and IPv6 addresses.

  11. From the iSCSI initiators, re-login to use the newly added iSCSI gateways.

Additional Resources

After installing the iSCSI gateway and configuring the iSCSI target and an initiator, verify that the initiator is properly connected to the iSCSI target.

Prerequisites

  • Installation of the Ceph iSCSI gateway software.
  • Configured the iSCSI target.
  • Configured the iSCSI initiator.

Procedure

  1. Start the iSCSI gateway command-line interface:

    [root@iscsigw ~]# gwcli
    Copy to Clipboard Toggle word wrap
  2. Verify that the initiator is connected the iSCSI target:

    /> goto hosts
    /iscsi-target...csi-igw/hosts> ls
    o- hosts .............................. [Hosts: 1: Auth: None]
      o- iqn.1994-05.com.redhat:rh7-client  [LOGGED-IN, Auth: None, Disks: 0(0.00Y)]
    Copy to Clipboard Toggle word wrap

    The initiator status is LOGGED-IN if it is connected.

  3. Verify that LUNs are balanced across iSCSI gateways:

    /> goto hosts
    /iscsi-target...csi-igw/hosts> ls
    o- hosts ................................. [Hosts: 2: Auth: None]
      o- iqn.2005-03.com.ceph:esx ............ [Auth: None, Disks: 4(310G)]
      | o- lun 0 ............................. [rbd.disk_1(100G), Owner: ceph-gw-1]
      | o- lun 1 ............................. [rbd.disk_2(10G), Owner: ceph-gw-2]
    Copy to Clipboard Toggle word wrap

    When creating a disk, the disk is assigned an iSCSI gateway as its Owner based on what gateways have the lowest number of mapped LUNs. If this number is balanced, gateways are assigned based on a round robin allocation. Currently, the balancing of LUNs is not dynamic and cannot be selected by the user.

    When the initiator is logged into the target, and the multipath layer is in a optimized state, the initiator’s operating system multipath utilities report the path to the Owner gateway as being in ALUA Active-Optimized (AO) state. The multipath utilities report the other paths as being in the ALUA Active-non-Optimized (ANO) state.

    If the AO path fails, one of the other iSCSI gateways is used. The ordering for the failover gateway depends on the initiator’s multipath layer, where normally, the order is based on which path was discovered first.

Upgrading the Red Hat Ceph Storage iSCSI gateways can be done by using an Ansible playbook designed for rolling upgrades.

Prerequisites

  • A running Ceph iSCSI gateway.
  • A running Red Hat Ceph Storage cluster.
  • Admin-level access to all nodes in the storage cluster.
Note

You can run the upgrade procedure as an administrative user or as root. If you want to run it as root, make sure that you have ssh set up for use with Ansible.

Procedure

  1. Verify that the correct iSCSI gateway nodes are listed in the Ansible inventory file (/etc/ansible/hosts).
  2. Run the rolling upgrade playbook:

    [admin@ansible ceph-ansible]$ ansible-playbook rolling_update.yml
    Copy to Clipboard Toggle word wrap
  3. Run the appropriate playbook to finish the upgrade:

    Bare-metal deployments

    [admin@ansible ceph-ansible]$ ansible-playbook site.yml --limit iscsigws -i hosts
    Copy to Clipboard Toggle word wrap

    Container deployments

    [admin@ansible ceph-ansible]$ ansible-playbook site-container.yml --limit iscsigws -i hosts
    Copy to Clipboard Toggle word wrap

Additional Resources

Upgrading the Red Hat Ceph Storage iSCSI gateways can be done in a rolling fashion, by upgrading one bare-metal iSCSI gateway node at a time.

Warning

Do not upgrade the iSCSI gateway while upgrading and restarting Ceph OSDs. Wait until the OSD upgrades are finished and the storage cluster is in an active+clean state.

Prerequisites

  • A running Ceph iSCSI gateway.
  • A running Red Hat Ceph Storage cluster.
  • Having root access to the iSCSI gateway node.

Procedure

  1. Update the iSCSI gateway packages:

    [root@iscsigw ~]# yum update ceph-iscsi
    Copy to Clipboard Toggle word wrap
  2. Stop the iSCSI gateway daemons:

    [root@iscsigw ~]# systemctl stop rbd-target-api
    [root@iscsigw ~]# systemctl stop rbd-target-gw
    Copy to Clipboard Toggle word wrap
  3. Verify that the iSCSI gateway daemons stopped cleanly:

    [root@iscsigw ~]# systemctl status rbd-target-gw
    Copy to Clipboard Toggle word wrap
    1. If the rbd-target-gw service successfully stops, then skip to step 4.
    2. If the rbd-target-gw service fails to stop, then do the following steps:

      1. If the targetcli package is not install, then install the targetcli package:

        [root@iscsigw ~]# yum install targetcli
        Copy to Clipboard Toggle word wrap
      2. Check for existing target objects:

        [root@iscsigw ~]# targetcli ls
        Copy to Clipboard Toggle word wrap

        Example

        o- / ............................................................. [...]
        o- backstores .................................................... [...]
        | o- user:rbd ..................................... [Storage Objects: 0]
        o- iscsi .................................................. [Targets: 0]
        Copy to Clipboard Toggle word wrap

        If the backstores and Storage Objects are empty, then the iSCSI target has been shutdown cleanly and you can skip to step 4.

      3. If you have still have target objects, use the following command to force remove all target objects:

        [root@iscsigw ~]# targetcli clearconfig confirm=True
        Copy to Clipboard Toggle word wrap
        Warning

        If multiple services are using the iSCSI target, use targetcli in interactive mode to delete those specific objects.

  4. Update the tcmu-runner package:

    [root@iscsigw ~]# yum update tcmu-runner
    Copy to Clipboard Toggle word wrap
  5. Stop the tcmu-runner service:

    [root@iscsigw ~]# systemctl stop tcmu-runner
    Copy to Clipboard Toggle word wrap
  6. Restart the iSCSI gateway services in the following order:

    [root@iscsigw ~]# systemctl start tcmu-runner
    [root@iscsigw ~]# systemctl start rbd-target-gw
    [root@iscsigw ~]# systemctl start rbd-target-api
    Copy to Clipboard Toggle word wrap

7.11. Monitoring the iSCSI gateways

Red Hat Ceph Storage cluster now incorporates a generic metric gathering framework within the OSDs and MGRs to provide built-in monitoring. The metrics are generated within the Red Hat Ceph Storage cluster and there is no need to access client nodes to scrape metrics. To monitor the performance of RBD images, Ceph has a built-in MGR Prometheus exporter module to translate individual RADOS object metrics into aggregated RBD image metrics for Input/Output(I/O) operations per second, throughput, and latency. The Ceph iSCSI gateway also provides a Prometheus exporter for Linux-IO (LIO) level performance metrics, supporting monitoring and visualization tools like Grafana. These metrics include the information about defined Target Portal Groups (TPGs) and mapped Logical Unit Numbers (LUNs), per LUN state and the number of Input Output operations per second (IOPS), read bytes and write bytes per LUN per client. By default, the Prometheus exporter is enabled. You can change the default settings by using the following options in the iscsi-gateway.cfg:

Example

[config]

prometheus_exporter = True
prometheus_port = 9287
prometheus_host = xx.xx.xx.xxx
Copy to Clipboard Toggle word wrap

Note

The gwtop tool used for Ceph iSCSI gateway environments to monitor performance of exported Ceph block device (RBD) images is deprecated.

7.12. Removing the iSCSI configuration

To remove the iSCSI configuration, use the gwcli utility to remove hosts and disks, and the Ansible purge-iscsi-gateways.yml playbook to remove the iSCSI target configuration.

Warning

Using the purge-iscsi-gateways.yml playbook is a destructive action against the iSCSI gateway environment.

Warning

An attempt to use purge-iscsi-gateways.yml fails if RBD images have snapshots or clones and are exported through the Ceph iSCSI gateway.

Prerequisites

  • Disconnect all iSCSI initiators:

    • Red Hat Enterprise Linux initiators:

      Syntax

      iscsiadm -m node -T TARGET_NAME --logout
      Copy to Clipboard Toggle word wrap

      Replace TARGET_NAME with the configured iSCSI target name, for example:

      Example

      # iscsiadm -m node -T iqn.2003-01.com.redhat.iscsi-gw:ceph-igw --logout
      Logging out of session [sid: 1, target: iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw, portal: 10.172.19.21,3260]
      Logging out of session [sid: 2, target: iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw, portal: 10.172.19.22,3260]
      Logout of [sid: 1, target: iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw, portal: 10.172.19.21,3260] successful.
      Logout of [sid: 2, target: iqn.2003-01.com.redhat.iscsi-gw:iscsi-igw, portal: 10.172.19.22,3260] successful.
      Copy to Clipboard Toggle word wrap

    • Windows initiators:

      See the Microsoft documentation for more details.

    • VMware ESXi initiators:

      See the VMware documentation for more details.

Procedure

  1. Run the iSCSI gateway command line utility:

    [root@iscsigw ~]# gwcli
    Copy to Clipboard Toggle word wrap
  2. Remove the hosts:

    Syntax

    /> cd /iscsi-target/iqn.2003-01.com.redhat.iscsi-gw:$TARGET_NAME/hosts
    /> /iscsi-target...TARGET_NAME/hosts> delete CLIENT_NAME
    Copy to Clipboard Toggle word wrap

    Replace TARGET_NAME with the configured iSCSI target name, and replace CLIENT_NAME with iSCSI initiator name, for example:

    Example

    /> cd /iscsi-target/iqn.2003-01.com.redhat.iscsi-gw:ceph-igw/hosts
    /> /iscsi-target...eph-igw/hosts> delete iqn.1994-05.com.redhat:rh7-client
    Copy to Clipboard Toggle word wrap

  3. Remove the disks:

    Syntax

    /> cd /disks/
    /disks> delete POOL_NAME.IMAGE_NAME
    Copy to Clipboard Toggle word wrap

    Replace POOL_NAME with the name of the pool and the IMAGE_NAME with the name of the image.

    Example

    /> cd /disks/
    /disks> delete rbd.disk_1
    Copy to Clipboard Toggle word wrap

  4. As a root user, for the containerized deployment ensure all the Red Hat Ceph Storage tools and repositories are enabled on the iSCSI gateway nodes:

    Red Hat Enterprise Linux 7

    [root@admin ~]# subscription-manager repos --enable=rhel-7-server-rpms
    [root@admin ~]# subscription-manager repos --enable=rhel-7-server-extras-rpms
    [root@admin ~]# subscription-manager repos --enable=rhel-7-server-rhceph-4-tools-rpms --enable=rhel-7-server-ansible-2.9-rpms
    Copy to Clipboard Toggle word wrap

    Red Hat Enterprise Linux 8

    [root@admin ~]# subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
    [root@admin ~]# subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
    [root@admin ~]# subscription-manager repos --enable=rhceph-4-tools-for-rhel-8-x86_64-rpms --enable=ansible-2.9-for-rhel-8-x86_64-rpms
    Copy to Clipboard Toggle word wrap

    Note

    For bare-metal deployment, the Ceph tools are enabled with client install.

  5. On each of the iSCSI gateway nodes, install the ceph-common and ceph-iscsi packages:

    Red Hat Enterprise Linux 7

    [root@admin ~]# yum install -y ceph-common
    [root@admin ~]# yum install -y ceph-iscsi
    Copy to Clipboard Toggle word wrap

    Red Hat Enterprise Linux 8

    [root@admin ~]# dnf install -y ceph-common
    [root@admin ~]# dnf install -y ceph-iscsi
    Copy to Clipboard Toggle word wrap

  6. Run the yum history list command and get the transaction ID of the ceph-iscsi installation.
  7. Switch to Ansible user:

    Example

    [root@admin ~]# su ansible
    Copy to Clipboard Toggle word wrap

  8. Navigate to the /usr/share/ceph-ansible/ directory:

    Example

    [ansible@admin ~]# cd /usr/share/ceph-ansible
    Copy to Clipboard Toggle word wrap

  9. As the ansible user, run the iSCSI gateway purge Ansible playbook:

    [ansible@admin ceph-ansible]$ ansible-playbook purge-iscsi-gateways.yml
    Copy to Clipboard Toggle word wrap
  10. Enter the type of purge when prompted:

    lio
    In this mode the Linux iSCSI target configuration is purged on all iSCSI gateways that are defined. Disks that were created are left untouched within the Ceph storage cluster.
    all
    When all is chosen, the Linux iSCSI target configuration is removed together with all RBD images that were defined within the iSCSI gateway environment, other unrelated RBD images will not be removed. Be sure to choose the correct mode because this operation deletes data.

    Example

    [ansible@rh7-iscsi-client ceph-ansible]$ ansible-playbook purge-iscsi-gateways.yml
    Which configuration elements should be purged? (all, lio or abort) [abort]: all
    
    
    PLAY [Confirm removal of the iSCSI gateway configuration] *********************
    
    
    GATHERING FACTS ***************************************************************
    ok: [localhost]
    
    
    TASK: [Exit playbook if user aborted the purge] *******************************
    skipping: [localhost]
    
    
    TASK: [set_fact ] *************************************************************
    ok: [localhost]
    
    
    PLAY [Removing the gateway configuration] *************************************
    
    
    GATHERING FACTS ***************************************************************
    ok: [ceph-igw-1]
    ok: [ceph-igw-2]
    
    
    TASK: [igw_purge | purging the gateway configuration] *************************
    changed: [ceph-igw-1]
    changed: [ceph-igw-2]
    
    
    TASK: [igw_purge | deleting configured rbd devices] ***************************
    changed: [ceph-igw-1]
    changed: [ceph-igw-2]
    
    
    PLAY RECAP ********************************************************************
    ceph-igw-1                 : ok=3    changed=2    unreachable=0    failed=0
    ceph-igw-2                 : ok=3    changed=2    unreachable=0    failed=0
    localhost                  : ok=2    changed=0    unreachable=0    failed=0
    Copy to Clipboard Toggle word wrap

  11. Check if the active containers are removed:

    Red Hat Enterprise Linux 7

    [root@admin ~]# docker ps
    Copy to Clipboard Toggle word wrap

    Red Hat Enterprise Linux 8

    [root@admin ~]# podman ps
    Copy to Clipboard Toggle word wrap

    The Ceph iSCSI container IDs are removed.

  12. Optional: Remove the ceph-iscsi package:

    Syntax

    yum history undo TRANSACTION_ID
    Copy to Clipboard Toggle word wrap

    Example

    [root@admin ~]# yum history undo 4
    Copy to Clipboard Toggle word wrap

    Warning

    Do not remove the ceph-common packages. This removes the contents of /etc/ceph and renders the daemons on that node unable to start.

7.13. Additional Resources

  • For details on managing iSCSI gateway using the Red Hat Ceph Storage Dashboard, see the iSCSI functions section in the Dashboard Guide for Red Hat Ceph Storage 4
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat