Restore iSCSI configuration for Cinder/Nova

Posted by 站着工程师 on 2020-09-15 本文总阅读量

Restore iSCSI configuration for Cinder / Nova

In few cases (i.e. cinder-volume crash), some cinder volumes cannot be accessed by a VM (I/O errors), but are still displayed as associated when using cinder or nova CLI. Looking at the hypervisor’s log, you may see:
May 11 13:26:45 cloudhyp1 iscsid: conn 0 login rejected: target error (03/01)
May 11 13:26:45 cloudhyp1 iscsid: conn 0 login rejected: initiator failed authorization with target
May 11 13:26:45 cloudhyp1 iscsid: conn 0 login rejected: initiator failed authorization with target
On the cinder-volume host, check the configuration of iSCSI target:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
\[root@controller?~\]\# targetcli ls  
o- / ......................................................................................................................... [...]
? o- backstores .............................................................................................................. [...]
? | o- block .................................................................................................. [Storage Objects: 1]
? | | o- iqn.2010-10.org.openstack:volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e? \[/dev/cinder-volumes/volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e (20.0GiB) write-thru activated]
? | o- fileio ................................................................................................. [Storage Objects: 0]
? | o- pscsi .................................................................................................. [Storage Objects: 0]
? | o- ramdisk ................................................................................................ [Storage Objects: 0]
? o- iscsi ............................................................................................................ [Targets: 7]
? | o- iqn.2010-10.org.openstack:volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e ............................................. [TPGs: 1]
? | | o- tpg1 .......................................................................................... [no-gen-acls, auth per-acl]
? | |?? o- acls .......................................................................................................... [ACLs: 0]
? | |?? o- luns .......................................................................................................... [LUNs: 1]
? | |?? | o- lun0? [block/iqn.2010-10.org.openstack:volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e (/dev/cinder-volumes/volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e)\]
? | |?? o- portals .................................................................................................... [Portals: 1]
? | |???? o- 192.168.1.1:3260 ................................................................................................. [OK]
? o- loopback ......................................................................................................... [Targets: 0]

In that case, the cloudhyp1 cannot connect to the target because no ACL are defined ([ACLs: 0])

?You have to setup the ACL manually:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[root@controller?~]# mysql -u cinder -p -e "select provider_auth from volumes where id='6e95e5b6-83e1-4958-a5e1-ba5afc94559e'" cinder  
Enter password:?
+------------------------------------------------+
| provider_auth????????????????????????????????? |
+------------------------------------------------+
| CHAP xjrFIwOQ66ktkxjrFIwO?vr2twXxoDww7wvr2twXx |
+------------------------------------------------+
The first entry is the username and the second the password. You can check that you have the same value on the hypervisor (1, 2):
[root@cloudhyp1 ~]# grep node.session.auth /var/lib/iscsi/nodes/iqn.2010-10.org.openstack:volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e/192.168.1.1,3260,1/default?
node.session.auth.authmethod = CHAP
node.session.auth.username =?xjrFIwOQ66ktkxjrFIwO
node.session.auth.password =?vr2twXxoDww7wvr2twXx
On the hypervisor, you need also to get the initiator id (3):
[root@cloudhyp1 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:1abc12d345e6

To update the ACL, first save the targetcli configuration:
[root@controller?~]# targetctl save
[root@controller?~]# cp /etc/target/saveconfig.json /etc/target/saveconfig.old

Replace:
????????? "node_acls": []?

By for the right volume (iqn.2010-10.org.openstack:volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e?in our case) :
????????? "node_acls": [
??????????? {
????????????? "attributes": {
??????????????? "dataout_timeout": 3,?
??????????????? "dataout_timeout_retries": 5,?
??????????????? "default_erl": 0,?
??????????????? "nopin_response_timeout": 30,?
??????????????? "nopin_timeout": 15,?
??????????????? "random_datain_pdu_offsets": 0,?
??????????????? "random_datain_seq_offsets": 0,?
??????????????? "random_r2t_offsets": 0
????????????? },?
????????????? "chap_password": "vr2twXxoDww7wvr2twXx",?
????????????? "chap_userid": "xjrFIwOQ66ktkxjrFIwO",?
????????????? "mapped_luns": [
??????????????? {
????????????????? "index": 0,?
????????????????? "tpg_lun": 0,?
????????????????? "write_protect": false
??????????????? }
????????????? ],?
????????????? "node_wwn": "iqn.1994-05.com.redhat:1abc12d345e6"
??????????? }?
????????? ]?

You have to replace?chap_userid_,?_chap_password?and?_node_wwn_?by values obtained in steps?1,?2and?3?respectively.
Then check and load the configuration:

1
2
3
4
5
[root@controller ~]# cat /etc/target/saveconfig.json | json_verify  
JSON is valid
[root@controller ~]# targetctl restore
You can connect again to the iSCSI target from the hypervisor:
[root@cloudhyp1 ~]# iscsiadm -m node -T iqn.2010-10.org.openstack:volume-6e95e5b6-83e1-4958-a5e1-ba5afc94559e -l




本站总访问量