System Administration Guide: Devices and File Systems

Chapter 15 Configuring and Managing the Solaris Internet Storage Name Service (iSNS)

This chapter provides an overview of the Internet Storage Name Service (iSNS), and describes how to configure the Solaris iSNS server, manage the iSNS server, and manage iSNS clients. Solaris iSNS is available starting in the Solaris 10 Update 5 release. This chapter discusses the following topics:

The iSNS Technology (Overview)

The Internet Storage Name Service (iSNS) is a protocol that allows dynamic discovery of iSCSI initiators and targets within an IP storage area network SAN. The iSNS protocol enables identification, connection to, and management of iSCSI devices by providing the following services:

Name registration and discovery: The source of data that is to be stored (known as the initiator) and the storage object (known as the target) register their attributes and address, and then can obtain information about accessible storage devices dynamically.
Discovery domains and logon control: Resources in a typical storage network are divided into groups called discovery domains, which can be administered through network management applications. Discovery domains enhance security by providing access control to targets that are not enabled with their own access controls, while limiting the logon process of each initiator to a relevant subset of the available targets in the network.
State-change notification: The iSNS server notifies relevant iSNS clients of network events, for example, a newly created disk Logical Unit Number (LUN), storage resources going offline, discovery domain membership changes and link failures in a network. These notifications let a network quickly adapt to changes in topology, which is key to scalability and availability. This is an optional service.
Entity status inquiry: The iSNS server verifies that a iSNS client is available. As a result, a status change notification might be issued. This is an optional service.

In a simple configuration, the source of data that is to be stored (the initiator) exchanges data with a storage object (the target). The initiator can locate the target and the target always recognizes the initiator. For example, the Sun StorageTek^TM 5320 Network Attached Storage (NAS) appliance is a iSCSI target because it stores data. The data comes from various iSCSI clients such as a data management applications or network interface cards which act as initiators. However, in large and complex configurations, it is difficult and time-consuming to configure every initiator for every target and for every target to recognize every initiator. The iSNS server resolves this by using discovery and security mechanisms to dynamically and automatically identify initiators and targets, and manage their connections to authorized resources.

After a Solaris system has been configured as an iSNS server, all targets and initiators can register with the server. The targets and initiators become iSCSI clients or nodes of the iSNS server. These clients are members of the default discovery domain, the only domain in the default discovery domain set. When you enable the default discovery domain set, the iSNS server can provide the iSCSI Name Service (iSNS) for the clients in a simple manner.

To take advantage of the iSCSI Name Service's abilities, create several discovery domain sets and discovery domains. Then assign the clients to different domains, overlapping their memberships. The iSNS server keeps track of the clients' status as a member of one or more discovery domains. For example, when a new storage device is added to the storage network and is registered with the iSNS server, it is in the default discovery domain in the default discovery domain set. You then assign this target to the discovery domains whose initiators will use it as a resource. The iSNS server then removes this target as a member of the default discovery domain in the default discovery domain set.

All initiators and targets are assigned to at least one discovery domain. Assigning an initiator to one discovery domain restricts its access to those targets in the same discovery domain set. Assigning an initiator to several discovery domains allows it to find and use targets in all of the discovery domain sets that include the initiator's discovery domain. You can manage access to clients by disabling and enabling their discovery domain sets without affecting the clients in other discovery domain sets.

For example, a site has two discovery domain sets in addition to the default one: Production and Research. Within the two discovery domain sets are three domains in addition to the default one: Development, Operations, and Finance. The Development discovery domain is in the Research discovery domain set, Operations is in the Production domain set, and Finance is a member of both discovery domain sets. Each client has been assigned to the discovery domain set that uses it the most. A data application in the Operations discovery domain can locate and get access to storage devices in the Production discovery domain set because it is a member of that discovery domain set but it cannot get access to a storage device in the Research discovery domain set. A data application in the Finance discovery domain can locate storage devices in both the Production and Research discovery domain sets because it is a member of both sets. If the Research discovery domain set were disabled, initiators in the Finance discovery domain would not have access to the Research storage devices but would continue to have access to those in the Production discovery domain set.

Configuring the iSNS Server

You can configure the iSNS server using as described in the following task maps and sections.

Task		For Instructions
1. Accept the default properties of the iSNS server or change them.
	A. Notification of state changes of the server	How to Set Notifications for Changes in Server State
	B. Number of attempts to determine a client's availability	How to Set the Number of Retries for Client Inquiries
	C. Location of file that stores client data.	How to Specify the Data Store Location
2. Enable the iSNS server and display the settings.		How to Enable the iSNS Server Daemon How to Display the Current Server Configuration
3. Register all clients with the iSNS server.		Use the client's management interface's iSCSI configuration function to specify the IP address of the iSNS server and to allow discovery.
4. Enable the default discovery domain set.		How to Enable the Default Discovery Domain Set

After these tasks, the iSNS server is operating in a minimal manner. All of the clients are in the default discovery domain and are unassigned. Each one can identify and get access to all of the other ones.

5. Create the discovery domain sets for your site.		How to Create the Discovery Domain Sets
6. Create the discovery domains for your site.		How to Create the Discovery Domains
7. Add each discovery domain to one or more discovery domain set.		How to Add a Discovery Domain to a Discovery Domain Set
8. Assign clients to one or more discovery domains.		How to Assign Clients to a Discovery Domain
9. Verify the membership of clients in discover domains and the membership of discovery domains in discovery domain sets.		How to Display the Status of a Discovery Domain Set How to Display the Status of a Discovery Domain How to Display the Status of Clients

The next section provides instructions for setting up the iSNS environment. The following topics are discussed:

Setting Up the iSNS Administrative Settings

This section provides the procedures for changing the default administrative settings of the iSNS service and for starting the iSNS daemon. If you change a setting after the iSNS server has been started, you need to refresh the iSNS server. If you change the data store location, you need to restart the iSNS server.

See the man page for the isns(1M) command details about these operations.

How to Set Notifications for Changes in Server State

By default, all clients are notified when the iSNS server is not available. To disable these notifications, change the Management_SCNs_Enabled property.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Use the svccfg command to disable the property:

# svccfg -s svc:/network/isns_server setprop\config/Management_SCNs_Enabled=no

Reload the server configuration:

# svcadm refresh svc:/network/isns_server

How to Set the Number of Retries for Client Inquiries

The default number of retries is 3. If the server does not get a response to three inquiries, it registers that client as unavailable. To change the number of retries, change the value of the ESI Retry Threshold property.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Use the svccfg command to change the property to, for example, 6 retries:

# svccfg -s svc:/network/isns_server setprop\config/ESI_retry_threshold_count=6

Reload the server configuration:

# svcadm refresh svc:/network/isns_server

How to Specify the Data Store Location

The default location and name for the file that contains the client data is /etc/isns/isnsdata.xml If you have a complex network environment that includes one or more backup iSNS servers, the data store must reside in a common location so that all servers can use it. Use the data_store_location property to specify the new location. You can also change the name of the file.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Use the svccfg command to change the location to, for example, /etc/isns2/isns_data.xml:

svccfg -s svc:/network/isns_server setprop\config/data_store_location="/etc/isns2/isns_data.xml"

If you change the data store location after the server has been enabled, you must restart the server:
# svcadm restart svc:/network/isns_server

How to Enable the iSNS Server Daemon

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Set the server to start each time the system boots:

#svcadm -v enable svc:/network/isns_server
        svc:/network/isns_server:default enabled

Verify the state of the iSNS service:

#svcs svc:/network/isns_server:default
        STATE         STIME        FMRI
        online        11:50:04     svcs svc:/network/isns_server:default

How to Disable the iSNS Server Daemon

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Set the server to start each time the system boots:

#svcadm -v disable svc:/network/isns_server
        svc:/network/isns_server:default disabled

Verify the state of the iSNS service:

#svcs svc:/network/isns_server:default
        STATE         STIME        FMRI
        disabled      11:51:05     svc:/network/isns_server:default

Using the Command Line Interface to Configure iSNS

This section provides the procedures for configuring the iSNS server using the command line interface. The following topics are discussed:

These procedures use the isnsadm(1M) command. See the man page for a complete description of all of the command options.

How to Display the Current Server Configuration

The following command shows the properties of the iSNS server:

#isnsadm show-config
        Data Store Location: /etc/isns/isnsdata.xml
        Entity Status Inquiry Non-Response Threshold: 3
        Management SCN Enabled: yes
        Authorized Control Node Names: -

How to Enable the Default Discovery Domain Set

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Activate the default discovery domain set:
#isnsadm enable-dd-set Default

How to Create the Discovery Domain Sets

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Create a discovery domain set:
#isnsadm create-dd-set set_name

Enable the discovery domain set:
#isnsadm enable-dd-set set_name

View all the discovery domain sets, including the new one:

#isnsadm list-dd-set -v
        DD Set name: Default
            State: Enabled
        DD Set name:set_name
            State: Enabled

The list of discovery domain sets includes the default discovery domain set as well as the new one.

How to Create the Discovery Domains

New discovery domains are members of the default discovery domain set. After you create them, you add them to the new discovery domain set.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Create the discovery domain:
#isnsadm create-dd domain_name

View the new discovery domain in the Default discovery domain set:

#isnsadm list-dd-set Default
         DD name: name
             DD set(s): Default

Create other discovery domains.

How to Add a Discovery Domain to a Discovery Domain Set

This task removes the discovery domain from the default discovery domain set and adds it the discovery domain set that you specify. Because the new discovery domain set has been enabled, all the clients in its discovery domains can be discovered by the iSNS server.

You do not need to have privileges to list the members of the discovery domains and discovery domain sets.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

List the discovery domains to identify the one you want to add.
#isnsadm list-dd -v Default

List the discovery domain sets to identify the one you want as the container for the new discovery domain.
#isnsadm list-dd-set

Move the discovery domain to the discovery domain set that you want:
#isnsadm add-dd domain_name -s set_name

View the new addition to the discovery domain set:
#isnsadm list-dd-set -v domain_name

How to Assign Clients to a Discovery Domain

Before You Begin

Use the client's management interface to register the client. Using the iSCSI configuration function, specify the IP address of the iSNS server and allow discovery of the client by the iSNS server.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Verify that the client has been registered with the iSNS server:

#isnsadm list-node 
       iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
	      Alias: STK5320_NAS
	      Type: Target
	      .
       iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.454F00A2.acct
	      Alias:
	      Type: Initiator

The output shows the clients' iSCSI names.

Verify the name of the discovery domain:
#isnsadm list-dd

Add the client to the discovery domain:

#isnsadm add-node  -d domain_name iSCSI_Name

For example, to add the target called “STK5320_NAS” to the Eng-dd discovery domain:

#isnsadm add-node -d Eng-dd  iqn.1986-03.com.sun:01:000e0c9f10da.454F00A2.engr

List all the clients in the discovery domain to verify the client has been added:

#isnsadm list-dd -v domain_name

For example, to check the Eng-dd discovery domain:

#isnsadm list-dd -v Eng-dd
     	 DD name:	Eng-dd
          DD set: Development-dds
         iSCSI Name:	iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
	        iSCSI Name:	iqn.1986-03.com.sun:01:000e0c9f10da.454F00A2.acct
	        iSCSI name: iqn.1986-03.com.sun:01:e00000000000.46fd8e2b

Managing the iSNS Server and Clients

This section describes how to maintain the iSNS discovery domain sets and their members, the initiators and targets. As the site grows, continue to add clients, discovery domains, and discovery domain sets as described in the following sections:

This section provides the other procedures for managing the iSNS server, using the command line interface. The following topics are discussed:

How to Display the Status of a Discovery Domain Set

Show the status of the discovery domain set and list the discovery domains that are its members:
#isnsadm list-dd-set -v set_name

How to Display the Status of a Discovery Domain

Show the status of the discovery domain and lists the clients that are its members:
#isnsadm list-dd -v domain_name

How to Display the Status of Clients

Select one of the following to display client status:
- Show the status of all clients:
  #isnsadm list-node -v
- Show the status of only the clients that are targets, that is, storage objects:
  #isnsadm list-node -t

How to Remove a Client from a Discovery Domain

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

List the clients to identify the one you want to remove.

#isnsadm list-node -v
       iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
	      Alias: STK5320_NAS
	      Type: Target
	      Network Entity: SE5310
	      Portal: 172.20.57.95:3260
		      Portal Group: 1
	      Portal: 172.20.56.95:3260
		      Portal Group: 1
	      DD Name: Research,Finance

The output shows the client's iSCSI name and the name of the discovery domains of which it is a member.

Remove the client from the discovery domain.

#isnsadm remove-node -d domain_name iSCSI_name

How to Remove a Discovery Domain from a Discovery Domain Set

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

List the discovery domains to identify the one you want to remove.
#isnsadm list-dd -v

Remove the discovery domain from the discovery domain set.
#isnsadm remove-dd set_name domain_name

How to Disable a Discovery Domain Set

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Deactivate a discovery domain set:
#isnsadm disable-dd-set set_name

Verify that the state of the discovery domain set has changed to Disabled:
#isnsadm list-dd-set set_name

How to Remove a Discovery Domain Set

After you remove a discovery domain set, its discovery domains remain. A discovery domain must be a member of at least one discovery domain set.

Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

List the discovery domain sets to identify the one you want to remove.
#isnsadm list-dd-set -v

Remove the discovery domain set.
#isnsadm remove-dd-set set_name

Configuring High Availability of iSNS Server Using Sun Cluster

This section described how to configure the iSNS service to work with Sun Cluster 3.2 as a Service Management Facility (SMF) proxy resource so that Sun Cluster can manage the failover of the iSNS service to other cluster nodes.

For information about Sun Cluster, see Sun Cluster Concepts Guide for Solaris OS (http://docs.sun.com/app/docs/doc/819-2969). To configure Sun Cluster to manage the failover of the iSNS service, use the following general procedure:

Encapsulate the iSNS service. Use the Sun Cluster SMF proxy resource type, SUNW.Proxy_SMF_failover to encapsulate the iSNS SMF service, registering it with the clresourcetype register. For instructions on how to encapsulate SMF services with Sun Cluster, see Enabling Solaris SMF Services to Run With Sun Cluster (http://docs.sun.com/app/docs/doc/819-2974/gcjaz?a=view) .
Create a resource group for the iSNS service, using the clresourcegroup create command. See Creating a Resource Group (http://docs.sun.com/app/docs/doc/819-2974).
Add an iSNS resource to the resource group, using the clresource create command. Specify the type as SUNW.Proxy_SMF_failover and specify the Proxied_service_instances property as the path to a file that contains the properties for the iSNS service. Place the file in a cluster file system so that each node shares the file. For information on cluster file systems, see How to Create a Cluster File System (http://docs.sun.com/app/docs/doc/819-2970/6n57ljhns?a=view)
Specify the iSNS data store location as described in How to Specify the Data Store Location, specifying the mount point for the cluster file system in the path. Specify the same data store file property on all nodes of the cluster so that all nodes share the data store.
Set the cluster resource group online, using the clresourcegroup online command.

Because you cannot use svcadm to disable, enable, or refresh SMF services that have been encapsulated as a proxy resource, use the following general procedure to change the properties of the iSNS service:

Set the iSNS resource group offline.
Disable the iSNS proxy resource.
Change the property of the iSNS service on all nodes of the cluster node list.
Re-enable the iSNS proxy resource.
Set the iSNS resource group online.