The first line of defense in iSCSI deployments is to properly define and bind targets to a target portal group (TPG) via a tag on the target (TPGT). ACL’s then provide yet more security by not only restricting how you get to the target, but which initiators are even allowed to connect to a given target.

Beyond that, you can use password authentication via CHAP to ensure only the persons you want connecting can. This can be useful in environments when ACL security isn’t sufficient and untrusted users have root access on a system capable of accessing the target.

Two forms of CHAP security are available:

• Uni-directional Authentication: Enables the target to validate the initiator.
• Bi-directional Authentication: Additionally enables the initiator to authenticate the target.

Configuring OpenSolaris iSCSI Initiators and Targets for CHAP is easy, but might be a bit counter intuitive at first. Practice makes perfect.

Before you begin, please remember that iSCSI CHAP passwords must be between 12 and 16 chars long. Spaces are fine, so “I Love iSCSI!!!!” is a valid password.

Here are the high level steps:

1. Set a CHAP name and secret of your choosing on the initiator node (iscsiadm modify initiator-node)
2. Set a CHAP name and secret of your choosing on the target node (iscsitadm modify admin)
3. UNI-DIRECTIONAL: Create an initiator entry on the target node and map to target
4. BI-DIRECTIONAL: Set target node CHAP name and secret as a target-param on initiator and enable Bi-Directional Auth (iscsiadm modify target-param)

Uni-Directional CHAP Authentication in Solaris

On the initiator:

1. Optional Set the CHAP Name of the initiator if you want one other than the default (IQN of the initiator)
2. Set the password (secret) for this initiator (use whatever you like)
3. Enable CHAP authentication for the initiator

root@aeon ~$ iscsiadm modify initiator-node --CHAP-name aeon
root@aeon ~$ iscsiadm modify initiator-node --CHAP-secret
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify initiator-node --authentication CHAP

On the target:

1. Set the global CHAP username for the Target Node (You must do this!)
2. Set the global CHAP password for the Target Node
3. Create an entry for the initiator
4. Set the name of the initiator entry
5. Set the password of the initiator entry
6. Associate the initiator entry with a target

root@fisheye ~$ iscsitadm modify admin --chap-name fisheye
root@fisheye ~$ iscsitadm modify admin --chap-secret
Enter secret:
Re-enter secret:

root@fisheye ~$ iscsitadm create initiator --iqn iqn.1986-03.com.sun:01:e00000000000.464d05f9 aeon
root@fisheye ~$ iscsitadm modify initiator --chap-name aeon aeon
root@fisheye ~$ iscsitadm modify initiator --chap-secret aeon
Enter secret:
Re-enter secret:
root@fisheye ~$ iscsitadm modify target --acl aeon fisheye/luns/lun0

Bi-Direction CHAP Authentication in Solaris

Bi-Directional auth is setup using all the steps above, followed by these steps on the initiator:

1. Set the CHAP name of the target as a target-param
2. Set the CHAP secret of the target as a target-param
3. Enable bi-directional authentication on the target

root@aeon ~$ iscsiadm modify target-param --CHAP-name fisheye iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm modify target-param --CHAP-secret iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Enter secret:
Re-enter secret:
root@aeon ~$ iscsiadm modify target-param --bi-directional-authentication enable iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
root@aeon ~$ iscsiadm list target-param -v iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
Target: iqn.1986-03.com.sun:02:44783840-bce2-4101-f79f-fbf3a3242ea1
        Alias: fisheye/luns/lun0
        Bi-directional Authentication: enabled
        Authentication Type: CHAP
                CHAP Name: fisheye
                ....

When Things Go Wrong…

Example of failed authentication (bad password in initiator entry on target node):

Jun 19 05:52:18 aeon iscsi: [ID 953209 kern.warning] WARNING: iscsi connection(157) login failed - login failed to authenticate with target
Jun 19 05:52:18 aeon iscsi: [ID 372941 kern.warning] WARNING: iscsi connection(157) login failed - Initiator could not be successfully authenticated. (0x02/0x01)

Example of error when target node CHAP name and secret not set:

Jun 19 05:19:37 aeon iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(54) login failed - authentication failed with target

A Word About RADIUS Support

RADIUS support is available in the Solaris Initiator and Target… but you still have to enable passwords like above and RADIUS is only for bi-directional auth. In other words, don’t bother. If you think setting up RADIUS (I suggest FreeRADIUS if you must) for your iSCSI deployment would be fun, trust me, just shoot yourself in the head and be done with it.

IP Filter is easier than ever to use in Solaris. I don’t do a lot of firewalling, but I have a strange case where I need to block access to a single port on a remote server from all but a single (my) IP. I’m no big security nut, but in this case I’ll write about it because most of the docs out there have the wrong procedure for using IP Filter on Solaris if your using something newer than build 52.

So, here is the procedure for setting up IP Filter on an OpenSolaris B52 or newer system:

1. Add your IP Filter rules to /etc/ipf/ipf.conf
2. Enable the IP Filter SMF service: svcadm enable network/ipfilter
3. Ensure that your rules are loaded: ipf -Fa -f /etc/ipf/ipf.conf
4. Ensure that the rules are in effect: ipfstat -ioh
5. Buy Darren Reed a Guinness.

Seriously, thats it. No reboot, no ifconfig, and no more “pfil” stuff.

All this goodness is thanks to Darren Reed and Packet Filtering Hooks. Read about them in his blog. Read the flag day notice here.

If your in need of rule creation help like I am, check out ipf(4) and the IP Filter examples page. If your new to IP FIlter or need a rules walk through check out SecurityFocus’s Introduction to IP Filter.

Thanks to cmihai and LeftWing in #opensolaris for their help getting me squared away.

This gives me hope… Chelsio’s 10GbE Storage Accelerators. Featuring iSCSI, RDMA, and TOE on a single card. Just think of the possibilities. Grid nodes with a single cable out of the back on which you can iSCSI boot (OpenQRM anyone?) and completely virtualize my network topology such that I can reconfigure any box in any way without having to go onsite and recable. Ultimate flexibility and all the bandwidth you need for years to come. Combine that with the iWARP low latency RDMA coming to 10Gb Ether and you have something super exciting.

Now….. pair up a card like this with OpenSolaris VNIC’s and the world is a very very tasty place.

Happy, Happy Birthday from all of us to you……. OpenSolaris is 2. Just like a child, it feels like much longer than that and you’re not quite sure what you did before they arrived.

The last year has been a good one for us. A lot of growing pains still, but we’re getting our footing and growing. The OGB has finally been replaced with a proper board. The code has surpased the number of builds leading up to Solaris 10′s initial GA. The community ranks continue to grow.

When I look a head I see a very different set of goal than we’ve had in the last 2 years. And I see a lot of new hope. I think the key now needs to be diversity and new offerings. We need to gain more acceptance among established Solaris shops and still reach out to new users who have been interested in Solaris yet reluctant. We need to do things in a fresh and new way…

And if you read that last paragraph 3 times fast it blurs into Project Indiana. There has been a lot of useless debate and chatter about Indiana but I don’t see anything to discuss… it must happen or we’ll die. We all know that big change is due, but when will it come? How will it come? The divisions I’ve seen over Indiana are almost religious: “Change needs to come! The time is at hand!” “Ya, but thats not it” “No, actually this is it!” “Um… no, we’ll wait.” But the best thing about Indiana is that it will be community owned and seperate from Solaris GA releases, so both groups are right.

What we’ve found in the last 2 years is that killer features like DTrace, ZFS, and SMF are exciting to people, but simply not enough to attract and keep people. A large community of people are waiting for our technologies to be integrated with their OS of choice, whether it be OS X or FreeBSD or Linux. They are checking out the technology and then going back and waiting. Lets learn from this please! If we want real traction we must embrase the future, and the future, at least v1.0 of it, is Project Indiana. And thats what will happen before we turn 3.

Oh….. I should point out what I think was a big accomplishment in our 2nd year: Joyent embraced the community and started hiring admins out of the community. Thats a good sign of growth and acceptance and as a company when we sell our product we’re selling people on OpenSolaris, and we’re glad to be the first company to do so.

So it was just announced that ZFS won’t be the default filesystem in Leopard. Talk about a bummer… but not shocking really. I feel bad for Jonathan, not because he was wrong, but because its really easy for misunderstandings to come from a single comment. Lets review:

“In fact, this week you’ll see that Apple is announcing at their Worldwide Developers Conference that ZFS has become the file system in Mac OS 10,” Schwartz said.

ZFS being the “default” filesystem wasn’t said, but implied. Its possible that it will be the default or preferred for OS X Server, who knows. While Jonathan and I don’t hang out for Sunday brunch, I would tend to think this is one of those situations where a single comment becomes a big story and people start inferring things that maybe they shouldn’t. Maybe ZFS becoming the default FS was discussed and then retracted? Who knows. But I’ve seen this stuff happen a couple times now first hand and its sooooo easy to happen.

The first hand knowledge that I have has gone back and forth. First ZFS was in, then it was out, then it was in but read-only at least initially, then it was said that that was a mistake and it will be Read/Write but no provided as the default FS. Its hard to say really when these issues tend to be more marketing driven than technical.

I did want to respond to one line in the story though:

“Skeptics have said that ZFS as the default file system in Leopard made no sense. Among the problems in using ZFS is that it wasn’t designed for consumer use, and it uses up a lot of processing power.”

Thats a load of crap. ZFS is designed for a wide range of applications including consumer. Thats the beauty of ZFS, it flies everywhere from 256MB Thumb Drive to EMC DMX without skipping a beat. And it certainly does NOT use up a lot of processing power. I use ZFS on everything, from the X4100 and T1000 nodes at Joyent, to X4500 Thumpers, to NetApp Filers via iSCSI, to my home storage arrays, to my 30GB Video iPod… CPU has never been an issue, ever.

Whatever happens with OS X, so long as ZFS is present I’m happy, because it means that all my USB drives, backup disks, and iPod data are accessible on OS X and not just my Solaris systems. And, with the added iSCSI Support in Leopard I can finally use those data stores from my MacBook Pro as well.

Yes, thats right, on Saturday June 16th OpenSolaris will spend the day in the park with friends, family, coworkers and everyone associated in any way with Solaris.

This all started some time ago. I’m not a Sun employee but I work closely with many. I always thought it’d be awesome to be at a Sun Company picnic, because I’m a family man and I really like to not just meet people but meet the whole family. Our spouses and girl/boyfriends hear plenty about what we do and the people we work with (in the community or at the office, there isn’t a difference)… but when do they get to meet these people? When do they get to see all these people we spend so much time with? A picnic! Thats the key. And now, thanks to OpenSolaris, the whole Solaris family, whether they have a Sun badge or not, can participate.

This event isn’t just for “OpenSolaris people”. Solaris is part of an integrated stack and whether your a Java developer or a VAR salesperson or a SysAdmin or just someone who thinks Solaris and Sun solutions are neato, your part of our family. Everyone is invited. Bring your spouse and children, bring your PM and their family, bring your manager and their family, bring your directors dog. Everyone is welcome.

This event is an Open one and I’m running it like one. I had an idea and started to work on it. My wife heard about it and got excited and wanted to contribute and had such good ideas I’ve named her as the project lead. We’re hoping lots of people will want to get involved. But just getting people involved and interested isn’t enough. If a project is going to grow it requires contribution, people who are excited and want to participate by giving back. That could be by evangelism (telling your friends and coworkers), that could be by submitting (bringing) food or drinks to share, that could be volunteering a grill (build team), or thinking of some games for the kids (user support).

Open Source projects are just like a picnic… 10,000 people can show up but if no one brings anything to the party it’ll be a pretty boring one. Its all about contribution, its all about adding your personal and distinct gifts and talents together with other peoples personal and distinct gifts and talents to create something fun, exciting, and in this case tasty.

So I hope you’ll join us for a good time on June 16th at Baylands Park in Sunnyvale. Please see development lead Tamarah Rockwood’s blog for details and how to get involved.

An for everyone here in our beautiful SIlicon Valley for USENIX, please come and join us!

Registration is not required, but we’d encourage it for planning purposes: See the event on Upcoming.Yahoo.

I’ve put up the video from the Silicon Valley OpenSolaris Users Group meeting last month when Ian Murdock discussed Project Indiana. I’m sorry but the video is in Quicktime h.264/AAC and will work great on Mac and Windows but probly not so well on Solaris… sorry, I don’t have an X86 iMovie plugin for DiVX. Anyway, its up, have a look at make your own judgments.

URL: http://cuddletech.bingodisk.com/public/SVOSUG-IanMurdock.m4v

At 90 minutes MiniDV tapes run out.. but you don’t miss anything, the audience keeps making points, largely about drivers untill people eventually just slowly start leaving because it gets late… there was no real “end” to the meeting.