iscsi provisioner is an out-of-tree provisioner for iSCSI storage for Kubernetes and OpenShift. The provisioner uses the API provided by targetd to create and export iSCSI storage on a remote server.
iscsi provisioner has the following prerequisites:
- an iSCSI server managed by targetd
- all the OpenShift nodes correctly configured to communicate with the iSCSI server
- sufficient disk space available as an LVM2 volume group (volume groups are the only supported backing storage at the moment)
When a pvc request is issued for an iscsi provisioner controlled storage class, the following happens:
- a new volume in the configured volume group is created, the size of the volume corresponds to the size requested in the pvc
- the volume is exported to the first available lun and made accessible to all the configured initiators.
- the corresponding pv is created and bound to the pvc.
Each storage class is tied to an iSCSI target and a volume group. Because a target can manage a maximum of 255 LUNs, each storage class manages at most 255 pvs. iscsi provisioner can manage multiple storage classes.
These instructions should work for RHEL/CentOS 7+ and Fedora 24+.
In various places, iSCSI Qualified Names (IQNs) need to be created. These need to be unique: every target must have its own unique IQN, and every client (initiator) must have its own IQN.
IF NON-UNIQUE IQNs ARE USED, THEN THERE IS A POTENTIAL FOR DATA LOSS AND BAD PERFORMANCE!
IQNs have a specific format:
iqn.YEAR-MM.com.example.blah:tag
See the wikipedia article for more information.
Before configuring the iSCSI server, it needs to have storage configured. targetd uses LVM to provision storage.
If possible, it's best to have a dedicated disk or partition that can be configured as a volume group. However, if this is not possible, a loopback device can be used to simulate a dedicated block device.
This requires an additional dedicated disk or partition to use for the volume group. If that's not possible, see the section on using a loopback device.
Assuming that the dedicated block device is /dev/vdb and that targetd is configured to use vg-targetd:
pvcreate /dev/vdb
vgcreate vg-targetd /dev/vdb
The volume group should be called vg-targetd; this way you don't have to change any default.
Here is how you would do it with a loopback device in minishift:
cd /var/lib/minishift
sudo dd if=/dev/zero of=disk.img bs=1G count=2
export LOOP=`sudo losetup -f`
sudo losetup $LOOP disk.img
sudo vgcreate vg-targetd $LOOP
Only targetd needs to be installed. However, it's highly recommended to also install targetcli, as it provides a simple user interface for looking at the state of the iSCSI system.
sudo yum install -y targetcli targetd rsyslog
Enable and start target.service. This will ensure that iSCSI configuration persists through reboot.
sudo systemctl enable target
sudo systemctl start target
First, edit /etc/target/targetd.yaml. A working sample configuration is provided below:
password: ciao
# defaults below; uncomment and edit
pool_name: vg-targetd
user: admin
ssl: false
target_name: iqn.2003-01.org.linux-iscsi.minishift:targetd
Next, enable and start targetd.service.
sudo systemctl enable targetd
sudo systemctl start targetd
The default configuration requires that ports 3260/tcp, 3260/udp and 18700/tcp be open on the iSCSI server.
If using firewalld:
firewall-cmd --add-service=iscsi-target --permanent
firewall-cmd --add-port=18700/tcp --permanent
firewall-cmd --reload
Otherwise, add the following iptables rules to /etc/sysconfig/iptables
TODO
The iscsiadm command is required for all clients. This is provided by the iscsi-initiator-utils package and should be part of the standard RHEL, CentOS or Fedora installation.
sudo yum install -y iscsi-initiator-utils
Each node requires a unique initiator name. USE OF DUPLICATE NAMES MAY CAUSE PERFORMANCE ISSUES AND DATA LOSS.
By default, a random initiator name is generated when the iscsi-initiator-utils package is installed. This is usually unique enough, but is not guaranteed. It's also not very descriptive.
To set a custom initiator name, edit the file /etc/iscsi/initiatorname.iscsi:
InitiatorName=iqn.2017-04.com.example:node1
In the above example, the initiator name is set to iqn.2017-04.com.example:node1.
After changing the initiator name, restart iscsid.service.
sudo systemctl restart iscsid
Run the following commands. The secret corresponds to the username and password you have chosen for targetd (admin is the default username).
oc new-project iscsi-provisioner
oc create sa iscsi-provisioner
oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:iscsi-provisioner:iscsi-provisioner
oc adm policy add-cluster-role-to-user system:pv-provisioner-controller system:serviceaccount:iscsi-provisioner:iscsi-provisioner
oc adm policy add-cluster-role-to-user system:pv-binder-controller system:serviceaccount:iscsi-provisioner:iscsi-provisioner
oc adm policy add-cluster-role-to-user system:pv-recycler-controller system:serviceaccount:iscsi-provisioner:iscsi-provisioner
oc secret new-basicauth targetd-account --username=admin --password=ciao
oc create -f https://raw.githubusercontent.com/raffaelespazzoli/iscsi-controller/master/openshift/iscsi-provisioner-dc.yaml
Storage classes should look like the following:
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
  name: iscsi
provisioner: iscsi
parameters:
  # this is where the iSCSI server is running
  targetPortal: 192.168.99.100:3260
  # this is the iSCSI server IQN
  iqn: iqn.2003-01.org.linux-iscsi.minishift:targetd
  # this is the iSCSI interface to be used, the default is default
  # iscsiInterface: default
  # this must be one of the volume groups configured in targetd.yaml, the default is vg-targetd
  # volumeGroup: vg-targetd
  # this is a comma-separated list of initiators that will be given access to the created volumes; they must correspond to what you have configured on your nodes.
  initiators: iqn.2017-04.com.example:node1
You can create one with the following command:
oc create -f https://raw.githubusercontent.com/raffaelespazzoli/iscsi-controller/master/openshift/iscsi-provisioner-class.yaml
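Because every volume of a storage class is exported to all initiators in its initiators parameter, that list is worth comparing with the IQNs actually configured on the nodes. The script below is an added example, not part of the iscsi provisioner; the "<node> <iqn>" inventory format, the function names and the sample values (including the stale oldnode entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the "initiators" parameter of a storage class
# with the IQNs configured on the nodes. All sample values are constructed;
# the "<node> <iqn>" inventory format is an assumption.
SAMPLE_CLASS_INITIATORS='iqn.2017-04.com.example:node1, iqn.2017-04.com.example:oldnode'
SAMPLE_NODE_IQNS='node1 iqn.2017-04.com.example:node1
node2 iqn.2017-04.com.example:node2'

# $1 = initiators list, $2 = node inventory.
# Prints nodes whose IQN is missing from the list: pods scheduled there
# cannot log in to the LUNs exported for this storage class.
nodes_without_access() {
    printf '%s\n' "$2" | awk -v list="$1" '
        BEGIN { gsub(/[ \t]/, "", list)
                n = split(list, a, ",")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 && !($2 in ok) { print $1 }'
}

# $1 = initiators list, $2 = node inventory.
# Prints listed IQNs that belong to no known node: each one is granted
# access to every volume the class provisions without needing it.
unknown_initiators() {
    printf '%s\n' "$1" | tr -d ' \t' | tr ',' '\n' | while read -r iqn; do
        [ -n "$iqn" ] || continue
        printf '%s\n' "$2" | awk -v iqn="$iqn" '$2 == iqn { f = 1 } END { exit !f }' \
            || printf '%s\n' "$iqn"
    done
}

nodes_without_access "$SAMPLE_CLASS_INITIATORS" "$SAMPLE_NODE_IQNS"
unknown_initiators "$SAMPLE_CLASS_INITIATORS" "$SAMPLE_NODE_IQNS"
```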
Create a pvc:
oc create -f https://raw.githubusercontent.com/raffaelespazzoli/iscsi-controller/master/openshift/iscsi-provisioner-pvc.yaml
Verify that the pv has been created:
oc get pv
You may also want to verify that the volume has been created in your volume group:
targetcli ls
Deploy a pod that uses the pvc:
oc create -f https://raw.githubusercontent.com/raffaelespazzoli/iscsi-controller/master/openshift/iscsi-test-pod.yaml