Add documentation on setting up the iSCSI target, and on how to use the
NetBSD iSCSI initiator together with cgd to provide encrypted iSCSI
storage.
agc 2008-01-06 11:00:49 +00:00
parent eb14906cb2
commit d77f56d46b
2 changed files with 312 additions and 0 deletions

dist/iscsi/doc/HOWTO-iSCSI-encrypt.txt vendored Normal file

@ -0,0 +1,245 @@
Encrypted iSCSI Devices on NetBSD
=================================
This document shows how to set up and run an encrypted iSCSI device on
NetBSD. Encryption of devices can be used for maintaining privacy on
devices located remotely, possibly on co-located hardware, for
instance, or on machines which could be stolen, or to which others
could gain access.
To encrypt the iSCSI device, we use the NetBSD iSCSI initiator,
available in NetBSD-current, and the standard cgd device. In all,
setting up an encrypted device in this manner should take less than 15
minutes, even for someone unfamiliar with iSCSI or cgd.
The approach is to layer a vnd on top of the "storage" file presented
by the iSCSI target. This is exactly the same as normal. On top of that
vnd, we layer a cgd device, which ensures that all data is encrypted
on the iSCSI device.
1. Device Initialisation
========================
This first section shows how to initialise the device, a one-time
operation.
Firstly, the initiator is started, pointing at the machine which is
presenting the iSCSI storage (i.e. the machine on which the iSCSI
target is running). In this example, the target is running on the
same machine as the initiator (a laptop called, in a moment of
inspiration, inspiron1300). A 50 MB iSCSI target is being presented
as target1.
# obj/iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt &
[1] 11196
#
# df
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/dk0 28101396 20862004 5834324 78% /
kernfs 1 1 0 100% /kern
procfs 4 4 0 100% /proc
ptyfs 1 1 0 100% /dev/pts
/dev/puffs 0 0 0 100% /mnt
#
Looking at the last line, we can see that the initiator is running
via the puffs device.
We now add a vnd device on top of the storage which the target is
presenting:
# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
#
We now add a disklabel, which is offset 63 blocks into the iSCSI device.
This is so that the encrypted device which we shall put on top of the vnd
does not clash with the vnd's label. Chapter 14 of the NetBSD guide, on
setting up a cgd device, recommends that the cgd's type be "ccd".
# disklabel -e vnd0
# /dev/rvnd0d:
type: vnd
disk: vnd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 64
sectors/cylinder: 2048
cylinders: 50
total sectors: 102400
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0
4 partitions:
# size offset fstype [fsize bsize cpg/sgs]
a: 102336 63 ccd 2048 16384 28360 # (Cyl. 0 - 49)
d: 102400 0 unused 0 0 # (Cyl. 0 - 49)
~
=== EdDk.a11098a [confmode] is /tmp/EdDk.a11098a ================(22,11) 95% ==
#
We now set up the cgd device, pointing it at the vnd device.
# priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom
#
and then zero the cgd device's storage.
# dd if=/dev/zero of=/dev/rcgd0d bs=32k
dd: /dev/rcgd0d: Invalid argument
1601+0 records in
1600+0 records out
52428800 bytes transferred in 16.633 secs (3152095 bytes/sec)
#
We now unconfigure the cgd device.
# cgdconfig -u cgd0
#
and then write using the disklabel verification method onto the cgd. Sometimes,
this process does not always complete properly, and so it has to be repeated.
# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
cgdconfig: could not calibrate pkcs5_pbkdf2
cgdconfig: Failed to generate defaults for keygen
# cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256
#
Now we have to add the password to the cgd device
# cgdconfig -V re-enter cgd0 /dev/vnd0a
/dev/vnd0a's passphrase:
re-enter device's passphrase:
#
and disklabel inside the cgd itself:
# disklabel -I -e cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: fictitious
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 49
total sectors: 102336
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0
4 partitions:
# size offset fstype [fsize bsize cpg/sgs]
a: 102336 0 4.2BSD 2048 16384 28360 # (Cyl. 0 - 49*)
d: 102336 0 unused 0 0 # (Cyl. 0 - 49*)
~
~
=== EdDk.a11253a [confmode] is /tmp/EdDk.a11253a =================(22,53) 95% ==
#
Having placed a disklabel inside the cgd, we can now make a filesystem on there:
# newfs /dev/rcgd0a
/dev/rcgd0a: 50.0MB (102336 sectors) block size 8192, fragment size 1024
using 4 cylinder groups of 12.49MB, 1599 blks, 3136 inodes.
super-block backups (for fsck_ffs -b #) at:
32, 25616, 51200, 76784,
#
we can then mount the new file system in the cgd on the /iscsi mount
point:
# df
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/dk0 28101396 20910216 5786112 78% /
kernfs 1 1 0 100% /kern
procfs 4 4 0 100% /proc
ptyfs 1 1 0 100% /dev/pts
/dev/puffs 0 0 0 100% /mnt
# mount /dev/cgd0a /iscsi
# df
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/dk0 28101396 20910216 5786112 78% /
kernfs 1 1 0 100% /kern
procfs 4 4 0 100% /proc
ptyfs 1 1 0 100% /dev/pts
/dev/puffs 0 0 0 100% /mnt
/dev/cgd0a 49519 1 47043 0% /iscsi
#
The new file system, mounted on /iscsi, can now be used as normal.
2. Unmounting the Encrypted Device
==================================
The device can be freed up using the following commands:
# umount /iscsi
# cgdconfig -u cgd0
# vnconfig -u vnd0
3. Normal Usage
===============
In normal usage, the device can be mounted. Firstly, the initiator
must be configured to connect to the device:
# vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage
# cgdconfig cgd0 /dev/vnd0a
/dev/vnd0a's passphrase:
#
I'm using dk devices on this machine, so I now have to access the cgd
device using the dk that was assigned in the cgdconfig step. If I
wasn't using dk devices, then I'd use the cgd device.
!!!SO PICK ONE OF THE FOLLOWING TWO COMMANDS!!!
# mount /dev/cgd0a /iscsi OR
# mount /dev/dk3 /iscsi
# ls -al /iscsi
total 3
drwxr-xr-x 2 root wheel 512 Jan 1 1970 .
drwxr-xr-x 35 root wheel 1536 Jan 5 08:59 ..
# df
Filesystem 1K-blocks Used Avail %Cap Mounted on
/dev/dk0 28101396 20910100 5786228 78% /
kernfs 1 1 0 100% /kern
procfs 4 4 0 100% /proc
ptyfs 1 1 0 100% /dev/pts
/dev/puffs 0 0 0 100% /mnt
/dev/dk3 49519 1 47043 0% /iscsi
#
4. Conclusion
=============
An iSCSI disk can be in a location over which complete control
cannot be assured. In order to ensure privacy, the cgd device
can be used to encrypt the data on the iSCSI device.
This document has shown how to set up a cgd device on top of the
iSCSI device, and how to mount and unmount on a regular basis.
Alistair Crooks
Sat Jan 5 22:08:32 GMT 2008
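Review bot: Section 3 ("Normal Usage") says "the initiator must be configured to connect to the device" but its first command is `vnconfig vnd0 /mnt/inspiron1300.wherever.co.uk/target1/storage`; that path only exists while `iscsifs -u agc -h inspiron1300.wherever.co.uk /mnt` from Section 1 is running, so the iscsifs step should be repeated here (or the text should say it is assumed to be running). Two smaller points in Section 1: the line `# priv cgdconfig -s cgd0 /dev/vnd0a aes-cbc 128 < /dev/urandom` carries a `priv` prefix that is never explained and is absent from every other root command, and the failed `cgdconfig -g -V disklabel -o /etc/cgd/vnd0a aes-cbc 256` ("could not calibrate pkcs5_pbkdf2" / "Failed to generate defaults for keygen") is waved off as "sometimes ... has to be repeated"; since the error suggests no params file was written, the text should tell the reader to confirm /etc/cgd/vnd0a exists before running `cgdconfig -V re-enter cgd0 /dev/vnd0a`. Finally, the conclusion's "privacy" claim is worth stating precisely: cgd with aes-cbc encrypts the blocks but does not authenticate them, so whoever controls the iSCSI target (or the path to it) can still modify or roll back ciphertext without detection; say that this setup protects confidentiality of data at rest on the target only.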

dist/iscsi/doc/HOWTO-iSCSI-target.txt vendored Normal file

@ -0,0 +1,67 @@
The NetBSD iSCSI HOWTO
======================
This document is intended to tell you how to set up an iSCSI target on
a NetBSD host, so that block storage can be presented to the network.
It then goes on to show how to connect to that storage using the
Microsoft iSCSI initiator (version 1.06, running on Windows XP).
1. Configuring the NetBSD iSCSI target
======================================
1.1. Decide what storage will be presented
The iSCSI target serves up block storage to clients on the network.
These clients are called "initiators". Firstly, we must decide how
much storage we are going to serve up, and for this document, we
will serve up 100 MB. It will be in a file called /tmp/iscsi-target0.
So we must first edit /etc/iscsi/targets, so that it contains the
following lines:
# extent file or device start length
extent0 /tmp/iscsi-target0 0 100MB
# target flags storage netmask
target0 rw extent0 0/0
The extent definition tells the file which is used as backing
store. It is persistent, so that the target can serve up the
same storage after reboot. Its length is 100 MB, and there is
no offset into the file for the start of the extent. (An offset
is useful if you need to skip over MBRs, or disklabels).
The extent is mounted read-write by "target0", and is served up
to any host (the 0.0.0.0/0 netmask).
1.2. Start the iscsi-target
Issue the command:
# /etc/rc.d/iscsi_target forcestart
and you should see the messages from the iscsi-target:
Starting iscsi_target.
Reading configuration from `/etc/iscsi/targets'
target0:rw:0/0
extent0:/tmp/iscsi-target0:0:104857600
DISK: 1 logical units (204800 blocks, 512 bytes/block), type iscsi fs
DISK: LU 0: 100 MB disk storage for "target0"
TARGET: TargetName is iqn.1994-04.org.netbsd.iscsi-target
1.3 You're done!
Congratulations - your iSCSI target is now up and running and
serving blocks to initiators.
2. Configuring the Microsoft iSCSI initiator, version 1.06
==========================================================
Please see the relevant documentation on setting up iSCSI initiators.
Alistair Crooks
Sun Jan 6 10:38:19 GMT 2008
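Review bot: The example /etc/iscsi/targets line `target0 rw extent0 0/0` exports writable block storage to every host that can reach the machine, with no initiator authentication shown, and the text describes this only as "served up to any host (the 0.0.0.0/0 netmask)"; the HOWTO should recommend restricting the netmask to the initiator's network or host and say plainly that 0/0 is for a lab setup. Also, the backing store is /tmp/iscsi-target0 while the text says the extent "is persistent, so that the target can serve up the same storage after reboot"; /tmp is routinely cleaned at boot, so a path under /var or a dedicated partition would match that claim. Section 2 promises the Microsoft iSCSI initiator 1.06 on Windows XP but contains only "Please see the relevant documentation"; either drop that promise from the introduction or fill in the section. Minor: the heading "1.3 You're done!" lacks the trailing period used by "1.1." and "1.2.".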