Masking iSCSI LUNs?

Added by Dan Swartzendruber over 2 years ago

So I'm trying to set up a small LUN for my ESXi server to boot from. Following the docs, I have initiator, initiator group, target, mapping, etc, and it all works. What surprised me was when I went to test the mapping restrictions using my Win7 iSCSI initiator. It sees the LUN and connects (it claims) to it, which freaked me out. It wasn't until I fired up the disk management tool and saw that in fact there IS no actual disk visible. I'm pretty sure the masking is working, since if I add the win7 initiator ID to the IG, suddenly I can see the 8GB disk in the disk management snap-in. I've been googling with no real answer on this: is there a way (even if at the command line) to hide LUNs I don't want anyone else to see? Thanks!


Replies

RE: Masking iSCSI LUNs? - Added by Dan Swartzendruber over 2 years ago

No comments? Even "this is exactly how it's supposed to work, and no there is no juju to change the behavior?"

RE: Masking iSCSI LUNs? - Added by Roman Strashkin over 2 years ago

maybe Target Portal Group functionality helps to you.

RE: Masking iSCSI LUNs? - Added by Dan Swartzendruber over 2 years ago

I saw that, but that requires additional IP addresses. As far as I can tell, if the initiator is not on the view, even though the LUN shows up and the initiator can apparently connect, the LUN is never actually presented to the remote client, so there is no risk of corruption. My concern was more to avoid confusion. I gather from your post that there is no way to change the current behavior then? If so, that's fine, I'd just like a definitive answer. I was very surprised when I first saw this, since when I tried the same experiment with a freebsd-based iSCSI target, not being on the view causes the LUN to be totally invisible to the remote client(s) [frankly I think that's more intuitive, but that's just my opinion...)

RE: Masking iSCSI LUNs? - Added by Roman Strashkin over 2 years ago

iSCSI plugin on CE has minimal functionality, so you can just map ALL to ALL. On EE you can create separate mappings.

via native shell you can do everything what you want :-)

RE: Masking iSCSI LUNs? - Added by Dan Swartzendruber over 2 years ago

One of us is confused (probably me.) I'm not talking about not being able to select who should see the LUN, I'm talking about the fact that even if I say "only X should be able to see LUN L", other initiators can see that LUN (they just don't get access to it.) I'm assuming this behavior is something COMSTAR-related, since I see the same behavior using NexentaCore.

RE: Masking iSCSI LUNs? - Added by Dan Swartzendruber over 2 years ago

I happened to be talking to someone at work about this subject, and it reminded me. I thought I'd bump the thread in case any new readers have any thoughts.

RE: Masking iSCSI LUNs? - Added by Rick van der Linde about 1 year ago

Probably (if you manage only a couple of iSCSI LUNs') you may want to setup some alias IP adresses and mask the iSCSI LUNs based on IP (through Target Portal Group) and assign the targets to the specific target protal groups.

Content-Type: text/html; charset=utf-8 Set-Cookie: _redmine_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%3D%3D--cebfb08d300a85bd88dafd1422210ebe7c9a5873; path=/; HttpOnly Status: 500 Internal Server Error X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.3 ETag: "d924a0abd8e5bc3363b5a1d308cd8444" X-Runtime: 795ms Content-Length: 11370 Cache-Control: private, max-age=0, must-revalidate redMine 500 error

Internal error

An error occurred on the page you were trying to access.
If you continue to experience problems please contact your redMine administrator for assistance.

Back