Jan 17, 2022

IMPLEMENTATION GUIDE

Configure Azure VM as GAD Quorum

Implementation Guide By Hitachi Vantara

Month Year

Reduce the costs of Global-Active Device by using a virtual machine instead of a physical storage system as the quorum. Remove the need to have a third site to host the quorum by deploying it in the cloud.

WHITE PAPER

Contents

Notices and Disclaimer
Executive Summary
About This Guide
    Introduction
    Intended Audience
    Document Revisions
    References
Configuration and Specifications
    VPN Tunnel
    Azure Virtual Machine
Azure Virtual Machine
    Deployment
    Storage Repository
    Firewall Exemption
Targetcli
    Auto-start
    Configuration
Global-Active Device Quorums
    Create iSCSI Paths
    Discover External Volumes
    Define GAD Quorums
Appendix I: Mutual CHAP Authentication
    Enable on targetcli
    Enable on iSCSI Ports
    Create iSCSI Paths

Notices and Disclaimer

© 2021 Hitachi Vantara LLC. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for commercial purposes without the express written permission of Hitachi, Ltd., or Hitachi Vantara (collectively, “Hitachi”). Licensee may make copies of the Materials provided that any such copy is: (i) created as an essential step in utilization of the Software as licensed and is used in no other manner; or (ii) used for archival purposes. Licensee may not make any other copies of the Materials. "Materials" mean text, data, photographs, graphics, audio, video and documents.

Hitachi reserves the right to make changes to this Material at any time without notice and assumes no responsibility for its use. The Materials contain the most current information available at the time of publication.

Some of the features described in the Materials might not be currently available. Refer to the most recent product announcement for information about feature and product availability, or contact Hitachi Vantara at https://support.HitachiVantara.com/en_us/contact-us.html.

Notice: Hitachi products and services can be ordered only under the terms and conditions of the applicable Hitachi agreements. The use of Hitachi products is governed by the terms of your agreements with Hitachi Vantara.

By using this software, you agree that you are responsible for:

Acquiring the relevant consents as may be required under local privacy laws or otherwise from authorized employees and other individuals to access relevant data; and

Verifying that data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws.

Notice on Export Controls. The technical data and technology inherent in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.

EXPORT CONTROLS - Licensee will comply fully with all applicable export laws and regulations of the United States and other countries, and Licensee shall not export, or allow the export or re-export of, the Software, API, or Materials in violation of any such laws or regulations. By downloading or using the Software, API, or Materials, Licensee agrees to the foregoing and represents and warrants that Licensee is not located in, under the control of, or a national or resident of any embargoed or restricted country.

Hitachi is a registered trademark of Hitachi, Ltd., in the United States and other countries.

Active Directory, ActiveX, Bing, Excel, Hyper-V, Internet Explorer, the Internet Explorer logo, Microsoft, the Microsoft Corporate Logo, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SmartScreen, SQL Server, Visual Basic, Visual C++, Visual Studio, Windows, the Windows logo, Windows Azure, Windows PowerShell, Windows Server, the Windows start button, and Windows Vista are registered trademarks or trademarks of Microsoft Corporation. Microsoft product screen shots are reprinted with permission from Microsoft Corporation.

All other trademarks, service marks, and company names in this document or web site are properties of their respective owners.

WARNING: This document can only be used as Hitachi Vantara internal documentation for informational purposes only. This documentation is not meant to be disclosed to customers or discussed without a proper non-disclosure agreement (NDA).

Executive Summary

This guide provides instructions to deploy a virtual machine on the Microsoft Azure cloud and configure it to be an iSCSI target. We will use the Linux package “targetcli” to create and manage block devices on the virtual machine. The end objective is to leverage volumes from the iSCSI target virtual machine as quorum volumes for global-active device.

About This Guide

Introduction

This guide provides instructions to deploy a virtual machine on the Microsoft Azure cloud and configure it to be an iSCSI target. We will use the Linux package “targetcli” to create and manage block devices on the virtual machine. The end objective is to leverage volumes from the iSCSI target virtual machine running on Azure as quorum volumes for Global-Active Device.

Only use volumes from an iSCSI target virtual machine for Global-Active Device quorums. Do not use them as data volumes.

This guide does not include instructions for establishing a VPN connection to Azure. Refer to Azure’s documentation, such as Tutorial: Create a Site-to-Site connection in the Azure portal, to do this.

Intended Audience

This document is intended for Hitachi Vantara and Hitachi partner representatives who need a foundation of knowledge on this product to best represent it to potential buyers.

Document Revisions

Revision Number Date Author Details

1 April 2021 Dang Luong Initial release.

References

● Hitachi’s Global-Active Device User Guide
● Linux SCSI Target: Targetcli

Configuration and Specifications

Figure 1 below contains a high-level illustration of the connectivity between the on-premise storage systems and the iSCSI target virtual machine in the Azure cloud.

Figure 1. Test Environment

VPN Tunnel

We found in the course of certifying this solution that the Azure VPN Gateway plays an important role. A sufficiently large gateway type must be used to support quorum traffic; otherwise, the iSCSI paths between the storage systems and the Azure virtual machine will suffer frequent timeouts and disconnects.

Our testing with 16 GAD quorums experienced such issues when the two smallest gateway types, Basic and VpnGw1, were used. The timeout and disconnect problems were resolved once the Azure VPN Gateway was upgraded to a VpnGw2 type.

For a complete list of available gateway types, refer to the following link: https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/.

To identify the Azure VPN Gateway as a bottleneck, ask Azure Support to review the gateway object’s CPU utilization. High utilization is a sign that the gateway is a potential problem. Unfortunately, this metric cannot be checked directly by the Azure user (at least when this paper was written).

Azure Virtual Machine

These were the settings used for the iSCSI target virtual machine:

● Operating system: SUSE Linux Enterprise Server 15 SP1
● Kernel: 4.12.14-8.33-azure
● Instance type: Standard_B2s
    – CPU: 2 virtual CPUs
    – Memory: 4 GB
● Targetcli version: 2.1.fb49

Azure Virtual Machine

Deployment

This section provides instructions for creating the virtual machine on Azure that will end up serving as the iSCSI target.

We assume the reader is familiar with using SSH public keys for authentication, so this topic is not covered. For a refresher, please refer to: Generate and store SSH keys in the Azure portal.

1. On the landing page of Azure Portal, expand the portal menu via the top-left shortcut and then click Virtual machines. Click Add and then click Virtual machine.

2. On the Basics page, specify SUSE Enterprise Linux for the Image option. We recommend the VM size be the type of Standard_B2s or larger. This type has 2 virtual CPUs and 4 GiB memory. The remaining options on this page can be set to your preference. Click Next: Disks >.

3. On the Disks page, add a data disk of the type of Premium SSD. The minimum capacity for a quorum is 12,292 MB so size the data disk with this requirement in mind. The OS disk type can be set to Standard HDD. We found this was sufficient in our testing. Click Next: Networking >.

4. On the Networking page, enter the appropriate values (based on your cloud infrastructure—the process of setting up such infrastructure is out of the scope of this paper) for the options: Virtual network, Subnet, Public IP, and Configure network security group. The selected virtual network must be able to pass traffic to and from the on-premise network(s) where the storage systems are located.

5. No additional settings are required on the remaining pages: Management, Advanced, and Tags. Click Review + create. Ensure the final details are correct and then click Create.

Storage Repository

This section provides instructions for configuring a storage repository on the virtual machine to hold the volumes to be used as GAD Quorum devices.

1. Log in to the VM via SSH.

2. List all disks and identify the data disk by its size with the command: sudo fdisk -l | grep "Disk /dev"

3. Create a partition on the data disk with the command: sudo fdisk /dev/sdc

a. From fdisk’s main menu, type this: n (new partition)

b. For Partition type, type this: p (primary type)

c. For Partition number, type this: 1

d. For the first sector, press Enter to accept the default value of 2048.

e. For the last sector, press Enter to accept the default value (actual number will vary based on the size of the disk).

4. Verify the new partition before creating it with the command: p (print the partition table)

5. Create the new partition and exit fdisk with the command: w (write table to disk and exit)

6. Create a volume group on top of the new partition with the command: sudo vgcreate vg_quorums /dev/sdc1

7. Create a logical volume in the new volume group that uses 100% of the capacity with the command: sudo lvcreate -l 100%VG vg_quorums

8. Create an XFS filesystem on top of the new logical volume with the command: sudo mkfs.xfs /dev/vg_quorums/lvol0

9. Create a mount point for the new filesystem with the command: sudo mkdir /quorums

10. Add a mount entry to /etc/fstab so that the filesystem is mounted automatically after a reboot with the command: sudo sh -c "echo /dev/vg_quorums/lvol0 /quorums xfs defaults 0 0 >> /etc/fstab"

11. Check that the entry was added correctly with the command: sudo cat /etc/fstab

12. Mount the filesystem with the command: sudo mount /quorums; df -h

Firewall Exemption

This section provides instructions to create a firewall exemption on the Azure network so iSCSI traffic can get to the GAD quorum virtual machine from the on-premise storage systems.

1. On the landing page of Azure Portal, expand the portal menu via the top-left shortcut and then click Virtual machines. Click into the newly created virtual machine.

2. Under Settings on the left, click Networking, and then click Add inbound port rule.

3. Enter the following values and then click Add when done.

a. Source: IP Addresses

b. Source IP addresses/CIDR ranges: subnet(s) of the on-premise arrays’ iSCSI ports

c. Source port ranges: * (asterisk)

d. Destination: IP Addresses

e. Destination IP addresses/CIDR ranges: private IP of the VM

f. Service: Custom

g. Destination port ranges: 3260

h. Protocol: TCP

4. It is not necessary to add an outbound rule for TCP 3260.

Targetcli

The targetcli application is installed by default on Azure’s SUSE Enterprise Linux 15 SP1.

Auto-start

1. Configure targetcli to start automatically after reboots, as well as start it now with the command: sudo systemctl enable --now targetcli

2. Verify that targetcli started successfully with the command: sudo systemctl status targetcli

Configuration

This section provides instructions to configure targetcli to serve three 13 GB volumes over iSCSI.

These instructions are for a configuration without any authentication. Refer to Appendix I: Mutual CHAP Authentication if you would like to deploy one with authentication.

1. Log in to targetcli with the command: sudo targetcli

2. Create three 13 GB volumes in the /quorums folder with the following command (change the number after “volume” as you go): /backstores/fileio create volume0 /quorums/volume0 13g

3. Verify the volumes were created successfully with the command: ls /backstores/fileio

4. Create an iSCSI target with the command: /iscsi create

5. Remove the default listening portal and create a new one specific to the VM’s private IP address with the following steps.

a. Enter the portal directory with the command (your target will be different): cd /iscsi/iqn.2003-01.org.linux-iscsi.quorum-1.x8664:sn.e5d4db916f12/tpg1/portals/

b. Delete the default portal with the command: delete 0.0.0.0 3260

c. Create a new portal specific to the VM’s private IP address with the command: create 10.2.1.5 3260

d. Verify the new portal was created successfully with the command: ls

6. Map the three volumes with the following steps:

a. Enter the luns directory with the command: cd /iscsi/iqn.2003-01.org.linux-iscsi.quorum-1.x8664:sn.e5d4db916f12/tpg1/luns

b. Map the volumes with the command (change the number after “volume” as you go): create /backstores/fileio/volume0

c. Verify the volumes were mapped successfully with the command: ls

7. Mask the initiator IQNs of the storage systems so they can access the LUNs with the following steps:

a. Enter the acls directory with the command: cd /iscsi/iqn.2003-01.org.linux-iscsi.quorum-1.x8664:sn.e5d4db916f12/tpg1/acls

b. Mask each IQN with the command (your IQNs will be different): create iqn.1994-04.jp.co.hitachi:rsd.r90.i.0877e3.1g

c. Verify the masking was successful with the command: ls

8. Save the changes with the following steps:

a. Enter the root directory with the command: cd /

b. Save the changes with the command: saveconfig

9. View the configuration in its entirety with the command: ls

10. Quit out of targetcli with the command: exit

Global-Active Device Quorums

This section describes how to discover the volumes from the iSCSI target virtual machine and turn them into GAD quorums. The procedure is the same as it is to virtualize a physical Fibre Channel or iSCSI storage system.

Create iSCSI Paths

1. Log in to Storage Navigator. Click External Storage on the left side, and then click the iSCSI Paths tab.

2. Click the Add iSCSI Paths button.

3. Click the Discover iSCSI Targets button.

4. For each storage system’s iSCSI port that will be connected to the Azure VM, execute the following steps:

a. Local Port ID: iSCSI port

b. Remote IP Address: private IP address of the Azure VM

c. Remote TCP Port Number: 3260

d. Click the Add button.

5. After all desired iSCSI ports have been added to the discovery list, click the OK button.

6. Back on the Add iSCSI Paths window, leave Authentication Method=None and Mutual CHAP=Disable. Click the Add button.

7. Click the Finish button and then click the Apply button.

8. The screenshot below shows the iSCSI paths after creation.

Discover External Volumes

1. Click the External Storage Systems tab and then click the Add External Volumes button.

2. Click the Create External Path Group button.

3. Click the Discover External Target Ports button.

4. Select the iSCSI ports that were used to define the iSCSI paths in the previous section and then click the Add button.

5. Click the OK button.

6. If discovery is successful, LIO-ORG will be listed as an external storage system, as shown below. Select the discovered external paths and click the Add button.

7. Click the OK button.

8. Back on the Add External Volumes screen, click the Next button.

9. The screenshot below shows three external volumes were discovered. Select the discovered volumes and then click the Add button.

10. Click the Finish button and then click the Apply button.

11. The screenshot below shows the external volumes after they have been successfully virtualized.

Define GAD Quorums

1. Expand Replication, click Remote Connections, and then click the Quorum Disks tab.

2. Click the Add Quorum Disks button.

3. For each quorum to be created, execute the following steps:

a. Quorum Disk ID: value from available list

b. Available LDEVs: external volume to be used as quorum

c. Remote Storage System: remote array that will be paired with this new quorum

d. Click the Add button.

4. Click the Finish button and then click the Apply button.

5. The screenshot below shows the quorums after they have been successfully created.

Appendix I: Mutual CHAP Authentication

This section describes how to configure mutual (bidirectional) authentication with Challenge Handshake Authentication Protocol (CHAP). Mutual CHAP authentication means that the on-premise storage systems have to authenticate with the Azure virtual machine and vice versa. The extra security prevents unintended access from other devices on the same network.

Enable on targetcli

1. Log in to targetcli with the command: sudo targetcli

2. Enable Mutual CHAP Authentication with the following steps:

a. cd /iscsi/iqn.2003-01.org.linux-iscsi.quorum-1.x8664:sn.e5d4db916f12/tpg1/

b. set attribute authentication=1

3. Set the user IDs and passwords to be used for Mutual CHAP Authentication with the following commands:

a. cd /iscsi/iqn.2003-01.org.linux-iscsi.quorum-1.x8664:sn.e5d4db916f12/tpg1/acls/iqn.1994-04.jp.co.hitachi:rsd.r90.i.0877e3.1g/

b. set auth userid=<chosen_auth_userid>

c. set auth password=<chosen_auth_password>

d. set auth mutual_userid=<chosen_auth_mutual_userid>

e. set auth mutual_password=<chosen_auth_mutual_password>

f. Repeat steps (a) to (e) for the remaining IQNs.

4. Save the changes with the following steps:

a. Enter the root directory with the command: cd /

b. Save the changes with the command: saveconfig

5. Quit out of targetcli with the command: exit
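An added example, not part of the Hitachi guide: a Python check over the configuration that saveconfig persists, covering the portal and ACL steps from the Configuration section and the CHAP settings in this appendix. The JSON key names and the /etc/target/saveconfig.json location are assumptions about the rtslib-fb save format, audit_target_config and audit_acl are hypothetical helper names, and the sample is constructed from the guide's example IQNs and IP address.

```python
import json

MIN_SECRET_LEN = 12  # RFC 7143 expects CHAP secrets of at least 96 bits (12 bytes)

# Constructed sample in the layout assumed for targetcli's saved configuration
# (rtslib-fb JSON, commonly /etc/target/saveconfig.json). It mirrors the guide's
# unauthenticated setup before the default 0.0.0.0 portal is replaced.
SAMPLE_JSON = """
{"targets": [{
  "fabric": "iscsi",
  "wwn": "iqn.2003-01.org.linux-iscsi.quorum-1.x8664:sn.e5d4db916f12",
  "tpgs": [{
    "tag": 1,
    "attributes": {"authentication": 0, "generate_node_acls": 0},
    "portals": [{"ip_address": "0.0.0.0", "port": 3260}],
    "node_acls": [{"node_wwn": "iqn.1994-04.jp.co.hitachi:rsd.r90.i.0877e3.1g"}]
  }]
}]}
"""


def audit_acl(where, acl, allowed_iqns):
    """Check one initiator ACL entry against the CHAP settings from Appendix I."""
    out = []
    iqn = acl.get("node_wwn", "?")
    if iqn not in allowed_iqns:
        out.append(f"{where}: ACL for unexpected initiator {iqn}")
    pw = acl.get("chap_password", "")
    mpw = acl.get("chap_mutual_password", "")
    if not (acl.get("chap_userid") and pw):
        out.append(f"{where}: {iqn} has no CHAP userid/password")
    if not (acl.get("chap_mutual_userid") and mpw):
        out.append(f"{where}: {iqn} has no mutual CHAP userid/password")
    if pw and pw == mpw:
        out.append(f"{where}: {iqn} reuses one secret for both directions")
    for label, secret in (("password", pw), ("mutual_password", mpw)):
        if secret and len(secret) < MIN_SECRET_LEN:
            out.append(f"{where}: {iqn} {label} under {MIN_SECRET_LEN} characters")
    return out


def audit_target_config(cfg, vm_private_ip, allowed_iqns):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for target in cfg.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            where = f"{target.get('wwn')}/tpg{tpg.get('tag')}"
            attrs = tpg.get("attributes", {})
            for portal in tpg.get("portals", []):
                ip = portal.get("ip_address")
                if ip in ("0.0.0.0", "::"):
                    findings.append(f"{where}: wildcard portal {ip} still present")
                elif ip != vm_private_ip:
                    findings.append(f"{where}: portal {ip} is not the VM private IP")
            if int(attrs.get("generate_node_acls", 0)):
                findings.append(f"{where}: generate_node_acls=1 admits unlisted initiators")
            if not int(attrs.get("authentication", 0)):
                findings.append(f"{where}: authentication=0, CHAP is not enforced")
            for acl in tpg.get("node_acls", []):
                findings.extend(audit_acl(where, acl, allowed_iqns))
    return findings


if __name__ == "__main__":
    allowed = {"iqn.1994-04.jp.co.hitachi:rsd.r90.i.0877e3.1g"}
    for line in audit_target_config(json.loads(SAMPLE_JSON), "10.2.1.5", allowed):
        print(line)
```

To audit a live target, load the saved file with json.load and pass the VM's private IP address and the set of initiator IQNs that were masked in the acls directory.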

Enable on iSCSI Ports

1. Log in to Storage Navigator. Click Ports/Host Groups/iSCSI Targets on the left side, and then click the Ports tab.

2. Select the iSCSI ports to be configured with Mutual CHAP Authentication and then click the Edit Ports button.

3. Fill out the following fields, click the Finish button and then click the Apply button.

a. CHAP User Name: corresponds to the value for “auth userid” set in targetcli

b. Secret: corresponds to the value for “auth password” set in targetcli

Create iSCSI Paths

1. Log in to Storage Navigator. Click External Storage on the left side, and then click the iSCSI Paths tab.

2. Click the Add iSCSI Paths button.

3. Click the Discover iSCSI Targets button.

4. For each storage system’s iSCSI port that will be connected to the Azure VM, execute the following steps:

a. Local Port ID: iSCSI port

b. Remote IP Address: private IP address of the Azure VM

c. Remote TCP Port Number: 3260

d. Click the Add button.

5. After all desired iSCSI ports have been added to the discovery list, click the OK button.

6. Back on the Add iSCSI Paths window, execute the following steps:

a. Authentication Method: CHAP

b. Mutual CHAP: Enable

c. User Name: corresponds to the value for “auth mutual_userid” set in targetcli

d. Secret: corresponds to the value for “auth mutual_password” set in targetcli

e. Click the Add button.

7. Click the Finish button, and then click the Apply button.

8. The screenshot below shows the iSCSI paths after creation.

9. The remaining steps to discover external volumes and define GAD quorums are the same as without Mutual CHAP Authentication.
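An added example, not part of the Hitachi guide: a Python simulation of the mutual CHAP exchange configured in this appendix, showing which side checks which of the four values and what happens when one of them does not match. It uses the standard MD5 CHAP response from RFC 1994; the dictionary keys, the function names and the credentials are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994; CHAP_A=5 in iSCSI): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def mutual_chap_login(target_auth, storage_cfg):
    """Simulate the CHAP part of an iSCSI login between storage system and target.

    target_auth: the four values given to 'set auth' in targetcli.
    storage_cfg: what Storage Navigator holds: the port's CHAP User Name/Secret
                 (presented to the target) and the iSCSI path's User Name/Secret
                 (expected from the target). Key names are illustrative.
    Returns (outcome, transcript).
    """
    log = []
    # Step 1: the target challenges the storage system (the initiator).
    t_id, t_chal = 1, os.urandom(16)
    log.append(("target -> storage",
                f"CHAP_A=5 CHAP_I={t_id} CHAP_C=0x{t_chal.hex()}"))

    # Step 2: the storage system answers with the port credentials and adds
    # its own challenge, which is what makes the authentication mutual.
    s_id, s_chal = 2, os.urandom(16)
    s_resp = chap_response(t_id, storage_cfg["port_secret"], t_chal)
    log.append(("storage -> target",
                f"CHAP_N={storage_cfg['port_user']} CHAP_R=0x{s_resp.hex()} "
                f"CHAP_I={s_id} CHAP_C=0x{s_chal.hex()}"))

    # Step 3: the target checks the answer against auth userid/password.
    want = chap_response(t_id, target_auth["password"], t_chal)
    if (storage_cfg["port_user"] != target_auth["userid"]
            or not hmac.compare_digest(s_resp, want)):
        return "target rejected storage system", log

    # Step 4: the target proves itself with auth mutual_userid/mutual_password.
    t_resp = chap_response(s_id, target_auth["mutual_password"], s_chal)
    log.append(("target -> storage",
                f"CHAP_N={target_auth['mutual_userid']} CHAP_R=0x{t_resp.hex()}"))

    # Step 5: the storage system checks that answer against the iSCSI path settings.
    want = chap_response(s_id, storage_cfg["path_secret"], s_chal)
    if (target_auth["mutual_userid"] != storage_cfg["path_user"]
            or not hmac.compare_digest(t_resp, want)):
        return "storage system rejected target", log
    return "authenticated in both directions", log


# Constructed credentials, for illustration only.
TARGET_AUTH = {"userid": "gad-port", "password": "constructed-secret-A",
               "mutual_userid": "quorum-vm", "mutual_password": "constructed-secret-B"}
STORAGE_CFG = {"port_user": "gad-port", "port_secret": "constructed-secret-A",
               "path_user": "quorum-vm", "path_secret": "constructed-secret-B"}

if __name__ == "__main__":
    outcome, transcript = mutual_chap_login(TARGET_AUTH, STORAGE_CFG)
    for direction, message in transcript:
        print(direction, message)
    print(outcome)
```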