This chapter provides an overview of the Internet Storage Name Service (iSNS), and describes how to configure the Solaris iSNS server, manage the iSNS server, and manage iSNS clients. Solaris iSNS is available starting in the Solaris 10 Update 5 release.
The Internet Storage Name Service (iSNS) is a protocol that allows dynamic discovery of iSCSI initiators and targets within an IP storage area network (SAN). The iSNS protocol enables identification, connection to, and management of iSCSI devices by providing the following services:
Name registration and discovery: The source of data that is to be stored (known as the initiator) and the storage object (known as the target) register their attributes and address, and then can obtain information about accessible storage devices dynamically.
Discovery domains and logon control: Resources in a typical storage network are divided into groups called discovery domains, which can be administered through network management applications. Discovery domains enhance security by providing access control to targets that are not enabled with their own access controls, while limiting the logon process of each initiator to a relevant subset of the available targets in the network.
State-change notification: The iSNS server notifies relevant iSNS clients of network events, for example, a newly created disk Logical Unit Number (LUN), storage resources going offline, discovery domain membership changes and link failures in a network. These notifications let a network quickly adapt to changes in topology, which is key to scalability and availability. This is an optional service.
Entity status inquiry: The iSNS server verifies that an iSNS client is available. As a result, a status change notification might be issued. This is an optional service.
In a simple configuration, the source of data that is to be stored (the initiator) exchanges data with a storage object (the target). The initiator can locate the target and the target always recognizes the initiator. For example, the Sun StorageTek™ 5320 Network Attached Storage (NAS) appliance is an iSCSI target because it stores data. The data comes from various iSCSI clients, such as data management applications or network interface cards, which act as initiators. However, in large and complex configurations, it is difficult and time-consuming to configure every initiator for every target and for every target to recognize every initiator. The iSNS server resolves this by using discovery and security mechanisms to dynamically and automatically identify initiators and targets, and manage their connections to authorized resources.
After a Solaris system has been configured as an iSNS server, all targets and initiators can register with the server. The targets and initiators become iSCSI clients or nodes of the iSNS server. These clients are members of the default discovery domain, the only domain in the default discovery domain set. When you enable the default discovery domain set, the iSNS server can provide the iSCSI Name Service (iSNS) for the clients in a simple manner.
To take advantage of the iSCSI Name Service's abilities, create several discovery domain sets and discovery domains. Then assign the clients to different domains, overlapping their memberships. The iSNS server keeps track of the clients' status as a member of one or more discovery domains. For example, when a new storage device is added to the storage network and is registered with the iSNS server, it is in the default discovery domain in the default discovery domain set. You then assign this target to the discovery domains whose initiators will use it as a resource. The iSNS server then removes this target as a member of the default discovery domain in the default discovery domain set.
All initiators and targets are assigned to at least one discovery domain. Assigning an initiator to one discovery domain restricts its access to those targets in the same discovery domain set. Assigning an initiator to several discovery domains allows it to find and use targets in all of the discovery domain sets that include the initiator's discovery domain. You can manage access to clients by disabling and enabling their discovery domain sets without affecting the clients in other discovery domain sets.
For example, a site has two discovery domain sets in addition to the default one: Production and Research. Within the two discovery domain sets are three domains in addition to the default one: Development, Operations, and Finance. The Development discovery domain is in the Research discovery domain set, Operations is in the Production domain set, and Finance is a member of both discovery domain sets. Each client has been assigned to the discovery domain set that uses it the most. A data application in the Operations discovery domain can locate and get access to storage devices in the Production discovery domain set because it is a member of that discovery domain set but it cannot get access to a storage device in the Research discovery domain set. A data application in the Finance discovery domain can locate storage devices in both the Production and Research discovery domain sets because it is a member of both sets. If the Research discovery domain set were disabled, initiators in the Finance discovery domain would not have access to the Research storage devices but would continue to have access to those in the Production discovery domain set.
You can configure the iSNS server as described in the following task maps and sections.

| Task | For Instructions |
|---|---|
| 1. Accept the default properties of the iSNS server or change them. | |
| A. Notification of state changes of the server | |
| B. Number of attempts to determine a client's availability | |
| C. Location of file that stores client data. | |
| 2. Enable the iSNS server and display the settings. | |
| 3. Register all clients with the iSNS server. | Use the client's management interface's iSCSI configuration function to specify the IP address of the iSNS server and to allow discovery. |
| 4. Enable the default discovery domain set. | |

After these tasks, the iSNS server is operating in a minimal manner. All of the clients are in the default discovery domain and are unassigned. Each one can identify and get access to all of the other ones.

| Task | For Instructions |
|---|---|
| 5. Create the discovery domain sets for your site. | |
| 6. Create the discovery domains for your site. | |
| 7. Add each discovery domain to one or more discovery domain sets. | |
| 8. Assign clients to one or more discovery domains. | |
| 9. Verify the membership of clients in discovery domains and the membership of discovery domains in discovery domain sets. | How to Display the Status of a Discovery Domain Set |

The next section provides instructions for setting up the iSNS environment.
This section provides the procedures for changing the default administrative settings of the iSNS service and for starting the iSNS daemon. If you change a setting after the iSNS server has been started, you need to refresh the iSNS server. If you change the data store location, you need to restart the iSNS server.
See the isns(1M) man page for details about these operations.
By default, all clients are notified when the iSNS server is not available. To disable these notifications, change the Management_SCNs_Enabled property.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Use the svccfg command to disable the property:
# svccfg -s svc:/network/isns_server setprop config/Management_SCNs_Enabled=no
Reload the server configuration:
# svcadm refresh svc:/network/isns_server
The default number of retries is 3. If the server does not get a response to three inquiries, it registers that client as unavailable. To change the number of retries, change the value of the ESI Retry Threshold property.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Use the svccfg command to change the property to, for example, 6 retries:
# svccfg -s svc:/network/isns_server setprop config/ESI_retry_threshold_count=6
Reload the server configuration:
# svcadm refresh svc:/network/isns_server
The default location and name for the file that contains the client data is /etc/isns/isnsdata.xml. If you have a complex network environment that includes one or more backup iSNS servers, the data store must reside in a common location so that all servers can use it. Use the data_store_location property to specify the new location. You can also change the name of the file.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Use the svccfg command to change the location to, for example, /etc/isns2/isns_data.xml:
# svccfg -s svc:/network/isns_server setprop config/data_store_location="/etc/isns2/isns_data.xml"
If you change the data store location after the server has been enabled, you must restart the server:
# svcadm restart svc:/network/isns_server
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Set the server to start each time the system boots:
# svcadm -v enable svc:/network/isns_server
svc:/network/isns_server:default enabled
Verify the state of the iSNS service:
# svcs svc:/network/isns_server:default
STATE          STIME    FMRI
online         11:50:04 svc:/network/isns_server:default
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Stop the iSNS server and keep it from starting when the system boots:
# svcadm -v disable svc:/network/isns_server
svc:/network/isns_server:default disabled
Verify the state of the iSNS service:
# svcs svc:/network/isns_server:default
STATE          STIME    FMRI
disabled       11:51:05 svc:/network/isns_server:default
This section provides the procedures for configuring the iSNS server using the command line interface.
These procedures use the isnsadm(1M) command. See the man page for a complete description of all of the command options.
The following command shows the properties of the iSNS server:
# isnsadm show-config
Data Store Location: /etc/isns/isnsdata.xml
Entity Status Inquiry Non-Response Threshold: 3
Management SCN Enabled: yes
Authorized Control Node Names: -
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Activate the default discovery domain set:
# isnsadm enable-dd-set Default
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Create a discovery domain set:
# isnsadm create-dd-set set_name
Enable the discovery domain set:
# isnsadm enable-dd-set set_name
View all the discovery domain sets, including the new one:
# isnsadm list-dd-set -v
DD Set name: Default
State: Enabled
DD Set name: set_name
State: Enabled
The list of discovery domain sets includes the default discovery domain set as well as the new one.
New discovery domains are members of the default discovery domain set. After you create them, you add them to the new discovery domain set.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Create the discovery domain:
# isnsadm create-dd domain_name
View the new discovery domain in the Default discovery domain set:
# isnsadm list-dd-set Default
DD name: name
DD set(s): Default
Create other discovery domains.
This task removes the discovery domain from the default discovery domain set and adds it to the discovery domain set that you specify. Because the new discovery domain set has been enabled, all the clients in its discovery domains can be discovered by the iSNS server.
You do not need to have privileges to list the members of the discovery domains and discovery domain sets.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
List the discovery domains to identify the one you want to add.
# isnsadm list-dd -v Default
List the discovery domain sets to identify the one you want as the container for the new discovery domain.
# isnsadm list-dd-set
Move the discovery domain to the discovery domain set that you want:
# isnsadm add-dd domain_name -s set_name
View the new addition to the discovery domain set:
# isnsadm list-dd-set -v domain_name
Use the client's management interface to register the client. Using the iSCSI configuration function, specify the IP address of the iSNS server and allow discovery of the client by the iSNS server.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Verify that the client has been registered with the iSNS server:
# isnsadm list-node
iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
Alias: STK5320_NAS
Type: Target
.
iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.454F00A2.acct
Alias:
Type: Initiator
The output shows the clients' iSCSI names.
Verify the name of the discovery domain:
# isnsadm list-dd
Add the client to the discovery domain:
# isnsadm add-node -d domain_name iSCSI_Name
For example, to add the target called “STK5320_NAS” to the Eng-dd discovery domain:
# isnsadm add-node -d Eng-dd iqn.1986-03.com.sun:01:000e0c9f10da.454F00A2.engr
List all the clients in the discovery domain to verify the client has been added:
# isnsadm list-dd -v domain_name
For example, to check the Eng-dd discovery domain:
# isnsadm list-dd -v Eng-dd
DD name: Eng-dd
DD set: Development-dds
iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.454F00A2.acct
iSCSI name: iqn.1986-03.com.sun:01:e00000000000.46fd8e2b
This section describes how to maintain the iSNS discovery domain sets and their members, the initiators and targets. As the site grows, continue to add clients, discovery domains, and discovery domain sets as described in the following sections.
This section provides the other procedures for managing the iSNS server, using the command line interface.
Show the status of the discovery domain set and list the discovery domains that are its members:
# isnsadm list-dd-set -v set_name
Show the status of the discovery domain and list the clients that are its members:
# isnsadm list-dd -v domain_name
Select one of the following to display client status:
Show the status of all clients:
# isnsadm list-node -v
Show the status of only the clients that are targets, that is, storage objects:
# isnsadm list-node -t
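The following script is an added example, not part of the original Solaris documentation. It reads `isnsadm list-node -v` output and reports every client that is still unassigned, that is, visible to all other clients in the default discovery domain. The record layout follows the list-node -v output shown on this page; the sample records, the example.com names, and the assumption that an unassigned client shows either `DD Name: Default` or no `DD Name` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: report iSNS clients that have not been moved out of the
# default discovery domain. Field names follow this page's list-node -v output.

# Constructed sample input (not captured from a real server).
sample_list_node() {
cat <<'EOF'
iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
Alias: STK5320_NAS
Type: Target
Network Entity: SE5310
Portal: 172.20.57.95:3260
Portal Group: 1
DD Name: Research,Finance
iSCSI Name: iqn.2001-04.com.example:initiator.a
Alias:
Type: Initiator
DD Name: Default
iSCSI Name: iqn.2001-04.com.example:target.b
Alias: spare
Type: Target
EOF
}

# Reads list-node -v text on stdin and prints "<Type> <iSCSI name>" for each
# client whose DD Name field is absent, empty, or lists only Default.
# Assumption: the default discovery domain is reported under the name "Default".
unassigned_nodes() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function value(line) { return trim(substr(line, index(line, ":") + 1)) }
    function flush(   n, i, dds, d, real) {
        if (name == "") return
        real = 0
        n = split(dd, dds, ",")
        for (i = 1; i <= n; i++) {
            d = trim(dds[i])
            if (d != "" && d != "Default") real++
        }
        if (real == 0) print (type == "" ? "Unknown" : type), name
    }
    # A new "iSCSI Name:" line closes the previous record and opens the next.
    /^[ \t]*iSCSI [Nn]ame:/ { flush(); name = value($0); type = ""; dd = ""; next }
    /^[ \t]*Type:/          { type = value($0); next }
    /^[ \t]*DD Name:/       { dd = value($0); next }
    END { flush() }
    '
}

# Stand-alone run on the constructed sample. On an iSNS server, use:
#   isnsadm list-node -v | unassigned_nodes
sample_list_node | unassigned_nodes
```

An empty result means every registered client belongs to at least one discovery domain other than Default.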
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
List the clients to identify the one you want to remove.
# isnsadm list-node -v
iSCSI Name: iqn.1986-03.com.sun:01:000e0c9f10da.45173FEA.engr
Alias: STK5320_NAS
Type: Target
Network Entity: SE5310
Portal: 172.20.57.95:3260
Portal Group: 1
Portal: 172.20.56.95:3260
Portal Group: 1
DD Name: Research,Finance
The output shows the client's iSCSI name and the name of the discovery domains of which it is a member.
Remove the client from the discovery domain.
# isnsadm remove-node -d domain_name iSCSI_name
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
List the discovery domains to identify the one you want to remove.
# isnsadm list-dd -v
Remove the discovery domain from the discovery domain set.
# isnsadm remove-dd set_name domain_name
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Deactivate a discovery domain set:
# isnsadm disable-dd-set set_name
Verify that the state of the discovery domain set has changed to Disabled:
# isnsadm list-dd-set set_name
After you remove a discovery domain set, its discovery domains remain. A discovery domain must be a member of at least one discovery domain set.
Use the “iSNS Server Management” RBAC profile to obtain the authorizations needed for managing the iSNS service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
List the discovery domain sets to identify the one you want to remove.
# isnsadm list-dd-set -v
Remove the discovery domain set.
# isnsadm remove-dd-set set_name
This section describes how to configure the iSNS service to work with Sun Cluster 3.2 as a Service Management Facility (SMF) proxy resource so that Sun Cluster can manage the failover of the iSNS service to other cluster nodes.
For information about Sun Cluster, see Sun Cluster Concepts Guide for Solaris OS (http://docs.sun.com/app/docs/doc/819-2969). To configure Sun Cluster to manage the failover of the iSNS service, use the following general procedure:
Encapsulate the iSNS service. Use the Sun Cluster SMF proxy resource type, SUNW.Proxy_SMF_failover, to encapsulate the iSNS SMF service, registering it with the clresourcetype register command. For instructions on how to encapsulate SMF services with Sun Cluster, see Enabling Solaris SMF Services to Run With Sun Cluster (http://docs.sun.com/app/docs/doc/819-2974/gcjaz?a=view).
Create a resource group for the iSNS service, using the clresourcegroup create command. See Creating a Resource Group (http://docs.sun.com/app/docs/doc/819-2974).
Add an iSNS resource to the resource group, using the clresource create command. Specify the type as SUNW.Proxy_SMF_failover and specify the Proxied_service_instances property as the path to a file that contains the properties for the iSNS service. Place the file in a cluster file system so that each node shares the file. For information on cluster file systems, see How to Create a Cluster File System (http://docs.sun.com/app/docs/doc/819-2970/6n57ljhns?a=view).
Specify the iSNS data store location as described in How to Specify the Data Store Location, specifying the mount point for the cluster file system in the path. Specify the same data store file property on all nodes of the cluster so that all nodes share the data store.
Set the cluster resource group online, using the clresourcegroup online command.
Because you cannot use svcadm to disable, enable, or refresh SMF services that have been encapsulated as a proxy resource, use the following general procedure to change the properties of the iSNS service:
Set the iSNS resource group offline.
Disable the iSNS proxy resource.
Change the property of the iSNS service on all nodes of the cluster node list.
Re-enable the iSNS proxy resource.
Set the iSNS resource group online.