11/10/2015

Creating an Encrypted Partition in CentOS 7

First, prepare a partition with fdisk. In this example, it is assumed that /dev/sdb1 has been created.

Then, use cryptsetup to luksFormat the partition with a passphrase.

cryptsetup -y luksFormat /dev/sdb1

You will need to type YES (in upper case) to confirm that you are sure you want to continue.

You will be prompted to enter and verify your passphrase.  Choose one that is not too simple and is at least 8 characters long, as cryptsetup now checks passphrase complexity. If this completes successfully, you will need that passphrase to open the device.  You can open the device under any name you want to appear underneath /dev/mapper/.

Next, use cryptsetup to luksOpen the partition to a name like "confidential" that will become part of the path to the new /dev/mapper/confidential device.

cryptsetup luksOpen /dev/sdb1 confidential

You will then be prompted for the passphrase that you used when you ran cryptsetup with the luksFormat subcommand.

The device will now appear as /dev/mapper/confidential, but it will actually be a symbolic link to a /dev/dm* device.

Format the opened (plaintext) device by creating a filesystem on it:

mkfs.ext4 /dev/mapper/confidential

Create a mount point and mount the new filesystem.

mkdir /var/lib/confidential
mount /dev/mapper/confidential /var/lib/confidential

Put the data that you want to be encrypted onto the filesystem. For example, to copy confidential data from a user's home directory to the encrypted device, you could execute something like:

cp /home/user/confidential.data /var/lib/confidential

Unmount the filesystem and use cryptsetup to luksClose the device:

umount /var/lib/confidential
cryptsetup luksClose confidential

Finally, create /etc/crypttab with an entry that maps the name to the encrypted device (no key file is given, so the passphrase will be requested at boot):

confidential /dev/sdb1
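As an added example that is not part of the original post, the following script checks a crypttab entry like the one above against an fstab before a reboot: that each mapping is mounted from /dev/mapper/<name>, whether the device is named by UUID or by a /dev/sdX path, and whether a key file is set. The fstab line for /dev/mapper/confidential and all function names are my own assumptions; the post does not show them.

```shell
# Added example, not from the original post: sanity-check the /etc/crypttab
# entry from the post against an /etc/fstab before rebooting. Input files are
# constructed here; the fstab line for /dev/mapper/confidential is assumed,
# the post does not show it.
WORK=$(mktemp -d)

# Constructed /etc/crypttab holding the post's entry: name and device only,
# so there is no key file and the passphrase is requested at boot
printf 'confidential /dev/sdb1\n' > "$WORK/crypttab"

# Constructed /etc/fstab mounting the opened mapping (assumed entry)
cat > "$WORK/fstab" <<'EOF'
# root filesystem, placeholder UUID
UUID=00000000-0000-0000-0000-000000000000 / ext4 defaults 1 1
/dev/mapper/confidential /var/lib/confidential ext4 defaults 0 0
EOF

# Print "name device keyfile options" per crypttab entry, filling missing
# trailing fields with "none" so every line has four words
crypttab_entries() {
    grep -Ev '^#|^$' "$1" | while read -r name dev key opts; do
        printf '%s %s %s %s\n' "$name" "$dev" "${key:-none}" "${opts:-none}"
    done
}

# 0 when the device is named by UUID (stable) rather than by a /dev/sdX path,
# which can change with detection order
device_is_stable() {
    case "$1" in
        UUID=*|/dev/disk/by-uuid/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when every crypttab mapping has an fstab entry for /dev/mapper/<name>;
# also prints notes about unstable device names and missing key files
mappings_in_fstab() {  # $1 = crypttab, $2 = fstab
    crypttab_entries "$1" | while read -r name dev key opts; do
        if awk -v m="/dev/mapper/$name" '$1 == m { f = 1 } END { exit !f }' "$2"; then
            echo "ok: $name is mounted from /dev/mapper/$name"
        else
            echo "missing: no fstab entry for /dev/mapper/$name"
            exit 1
        fi
        if ! device_is_stable "$dev"; then
            echo "note: $name uses $dev; a UUID= source would survive device renumbering"
        fi
        if [ "$key" = none ]; then
            echo "note: $name has no key file, so boot will prompt for the passphrase"
        fi
    done
}
mappings_in_fstab "$WORK/crypttab" "$WORK/fstab"
```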

11/07/2015

Creating an iSCSI target and initiator with CentOS 7

First, you will probably need to install the necessary packages, as they are not installed by default. For the iSCSI server (the target portal), install the scsi-target-utils and targetcli packages; on the client, install the iscsi-initiator-utils package.  For testing purposes, it may be useful to have all three installed on the server, or on a single system if you are just trying out iSCSI for practice.  The following command installs all three packages:

yum -y install scsi-target-utils targetcli iscsi-initiator-utils


iSCSI Qualified Name (IQN)

You will need to assign a unique iSCSI Qualified Name (IQN) for your server, client, and each target.  The IQN starts with "iqn." followed by the year-month that the target will be available after, like "2015-11".  After that, the domain name in reverse, like "com.example", and finally a colon followed by the name of the specific entity like ":lun0", or ":centos7".  Put all together the IQN looks like this: "iqn.2015-11.com.example:lun0" or "iqn.2015-11.com.example:centos7".

If you want an IQN generated for your system that should be universally unique, which you can place into /etc/iscsi/initiatorname.iscsi instead of setting your own, you can execute:

iscsi-iname

which should output something like:

iqn.1994-05.com.redhat:34d4db0d675

iSCSI Target Portal (Server) Configuration

Your system is already identified with an IQN in the file /etc/iscsi/initiatorname.iscsi.  You can modify this to something unique for your network (or the world), such as: iqn.2015-11.com.example:centos7.  You will need all the IQNs for the clients that will connect to your iSCSI portal. After updating the previous file, the iscsid service should be restarted with:

systemctl restart iscsid

Rather than having to edit configuration files by hand, the targetcli command provides an interface for managing the targets of your portal which uses a directory metaphor for organization and navigation.  Start the interface by executing:

targetcli

First navigate to, and then create, an appropriate backing store.  If you have a block device, like /dev/sdd, then you could create a backing store named back1 by executing:

cd /backstores/block
create back1 /dev/sdd

To use a file image backing store with a size of 100 MB, you could execute:

cd /backstores/fileio
create back1 /var/lib/iscsi-lun0.img 100M

Next, to create target IQNs, you can create entries under /iscsi.  For example, to create a target of iqn.2015-11.com.example:lun0, you would execute:

cd /iscsi
create iqn.2015-11.com.example:lun0

The backing store created earlier must be associated with the target IQN. You do this by navigating under the IQN, the target portal group, and the luns directory like /iscsi/iqn.2015-11.com.example:lun0/tpg1/luns.

Pay attention to which /backstore file you used previously. If you created the block device /backstores/block/back1 earlier then you would execute:

cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/luns
create /backstores/block/back1 

If you created the fileio backstore earlier, then you would execute:

cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/luns
create /backstores/fileio/back1

Then, for each client, an acl must be added. Begin by changing to the acls under your IQN/tpg1:

cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/acls

For each client, add the acl by creating an IQN entry:

create iqn.2015-11.com.example:centos7

Optionally, add authentication information (this matches the initiator configuration below):

cd iqn.2015-11.com.example:centos7
set auth userid=student
set auth password=password

If you return to the targetcli interface later, you can navigate to this "directory" and use the following command to view the authentication information for this client (the info command is useful in other "directories" within targetcli, too):

cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/acls/iqn.2015-11.com.example:centos7
info

which outputs:

chap_password: password
chap_userid: student
wwns:
iqn.2015-11.com.example:centos7

When you are done, you can leave the program.

exit

Hot Tip! Each time you exit targetcli, it informs you that it has updated the /etc/target/saveconfig.json file, which could be edited.  Also, targetcli keeps a copy of the last ten configurations you have used in /etc/target/backup. So it is easy to edit the current configuration or restore one of these configuration files by copying the /etc/target/backup/saveconfig-[TIMESTAMP].json file over the /etc/target/saveconfig.json, and then restart the iscsid service.

After you have finished providing each client acl, you should review the configuration using the following suggestions.  You can navigate the configuration like a normal filesystem with cd and ls, and use info and help to get information specific to each directory of the configuration:

cd /
ls 
cd /backstores/fileio
ls
help
cd /iscsi
ls

If you are satisfied, then exit the interface by executing:

exit

Finally, enable and start the iscsid service:

systemctl enable iscsid
systemctl start iscsid

If this is working correctly, then port 3260/tcp should be listening and shown by the following command:

ss -tln | grep 3260

which should show:

LISTEN     0      5                         *:3260                     *:*  

You may need to open the port in the firewalld configuration, which is the default firewall.  There are more restrictive ways to do this, but this example assumes that you want the port open to all addresses:

firewall-cmd --zone public --add-port 3260/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all

iSCSI Initiator (Client) Configuration

Just as was done on the server, the client should be identified by an IQN in the /etc/iscsi/initiatorname.iscsi file. Make sure that you use the same IQN for each client that you used to create the acl entries on the server.  Don't forget to update the /etc/iscsi/initiatorname.iscsi file and restart the iscsid service:

systemctl restart iscsid

If you set a userid and password in the acl you created on the server, then in /etc/iscsi/iscsid.conf on the client, uncomment and modify the userid and password to match the one that you used:

node.session.auth.authmethod = CHAP
node.session.auth.username = student
node.session.auth.password = password

Next, discover the targets at the portal by executing:

iscsiadm -m discovery -t sendtargets -p 10.0.2.5 # where the IP is the target portal server above

The above command should show the IQNs available at the target portal server.  You can attempt to log in to see if you get any errors, especially if using authentication, with:

iscsiadm -m node --login

For information about the session which is hopefully created, you can use iscsiadm in session mode.  In session mode, you can print session information in increasing verbosity by setting the -P option from 0 (the lowest verbosity) to 3 (the highest).  For example, here is iscsiadm run in session mode to print medium-high verbosity:

iscsiadm -P 2 -m session

which had the output of:

Target: iqn.2015-11.com.example:lun0 (non-flash)
Current Portal: 10.0.2.5:3260,1
Persistent Portal: 10.0.2.5:3260,1
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.2015-11.com.example:centos7
Iface IPaddress: 10.0.2.5
Iface HWaddress:
Iface Netdev:
SID: 1
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE
*********
Timeouts:
*********
Recovery Timeout: 120
Target Reset Timeout: 30
LUN Reset Timeout: 30
Abort Timeout: 15
*****
CHAP:
*****
username: student
password: ********
username_in:
password_in: ********
************************
Negotiated iSCSI params:
************************
HeaderDigest: None
DataDigest: None
MaxRecvDataSegmentLength: 262144
MaxXmitDataSegmentLength: 262144
FirstBurstLength: 65536
MaxBurstLength: 262144
ImmediateData: Yes
InitialR2T: Yes
MaxOutstandingR2T: 1

Once you have resolved any issues with making a connection, you should enable and start the iscsi service:

systemctl enable iscsi
systemctl start iscsi

If everything has gone successfully, then a new SCSI disk device should appear with a name found by listing /dev/sd*.  In this example, the new disk appears as /dev/sdb.

ls /dev/sd*

which shows the output:

/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb 

Most likely, the new device will be the last one shown like /dev/sdb above.  To get it ready for a filesystem, you can use fdisk and the new device name to create a partition.  In the following example, one new partition is created that uses all the space on the device:

fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): 
Using default response p
Partition number (1-4, default 1): 
First sector (8192-204799, default 8192): 
Using default value 8192
Last sector, +sectors or +size{K,M,G} (8192-204799, default 204799): 
Using default value 204799
Partition 1 of type Linux and of size 96 MiB is set

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now executing the following command should show the new partition, /dev/sdb1:

ls /dev/sd*

which shows the output:

/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb /dev/sdb1

To prepare the partition for mounting, create a filesystem on it; in this case an ext4 filesystem will be created:

mkfs -t ext4 /dev/sdb1

Create the directory where you want to mount the new filesystem such as /mnt/lun0

mkdir /mnt/lun0

Verify that the filesystem can be successfully mounted:

mount /dev/sdb1 /mnt/lun0
mount | grep lun0

If successful, this should output something like:

/dev/sdb1 on /mnt/lun0 type ext4 (rw,relatime,seclabel,stripe=4096,data=ordered)

When you want to make this mount permanent, you have to be careful to add the "_netdev" mount option in your /etc/fstab entry.  It is also a good idea to use UUID identifiers instead of device names as device names may change depending on the order in which devices are detected.  To discover the UUID for the new device execute:

blkid 

or, for this specific example,

blkid /dev/sdb1

which had the output of:

/dev/sdb1: UUID="3735827d-b4f4-48ed-aca1-a264a3ec956e" TYPE="ext4"

The entry in this example would look similar to the following, but your UUID will be different.
CHECK THE OUTPUT OF blkid FOR YOUR CORRECT UUID:

UUID=3735827d-b4f4-48ed-aca1-a264a3ec956e /mnt/lun0  ext4 _netdev 0 0

After adding the entry, unmount your new device, and then mount all /etc/fstab entries to verify that your new entry is correct.

umount /dev/sdb1
mount -a
mount | grep lun0

should output:

/dev/sdb1 on /mnt/lun0 type ext4 (rw,relatime,seclabel,stripe=4096,data=ordered,_netdev)

If that works, and you won't disturb anyone else on the system, you might reboot the system(s) starting with the server first, and then the client, to verify that everything has been enabled correctly for automatic mounting of the iSCSI device. After the systems have rebooted, check that the client is still mounting the lun0 target with:

mount | grep lun0

If you made it this far, then congratulations! You have a persistent iSCSI target portal server and an iSCSI initiator client able to perform CHAP authentication.

Wrap-up and Troubleshooting

If you are still having issues, then review the files that were updated, and the firewall settings.  For example, the wrong IQN for a client will mean a failure to authorize; the wrong userid or password, a failure to authenticate.  Also, revisit the targetcli interface and review the configuration information.  Here's a quick tour of some troubleshooting: each command is shown followed by its output, with the relevant information to check being the IQNs, UUIDs, CHAP settings, and open ports.

cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2015-11.com.example:centos7

fdisk -l
Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000d9dbb

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    39938047    19968000   83  Linux
/dev/sda2        39938048    41943039     1002496   82  Linux swap / Solaris

Disk /dev/sdb: 104 MB, 104857600 bytes, 204800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x761d8fba

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            8192      204799       98304   83  Linux

blkid
/dev/sda1: UUID="cfc6be43-cf4b-4cb5-9bf3-67f24d1d5205" TYPE="ext4"
/dev/sda2: UUID="d5c08700-0ff1-4062-a13b-f3782b80c66b" TYPE="swap"
/dev/sdb1: UUID="3735827d-b4f4-48ed-aca1-a264a3ec956e" TYPE="ext4"

cat /etc/fstab
# /etc/fstab
# Created by anaconda on Fri Nov 6 16:02:18 2015
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=cfc6be43-cf4b-4cb5-9bf3-67f24d1d5205 /                       ext4    defaults        1 1
UUID=d5c08700-0ff1-4062-a13b-f3782b80c66b swap                    swap    defaults        0 0

UUID=3735827d-b4f4-48ed-aca1-a264a3ec956e /mnt/lun0  ext4 _netdev 0 0 

grep -Ev '^#|^$' /etc/iscsi/iscsid.conf  # exclude comments and blank lines
iscsid.startup = /bin/systemctl start iscsid.socket iscsiuio.socket
node.startup = automatic
node.leading_login = No
node.session.auth.authmethod = CHAP
node.session.auth.username = student
node.session.auth.password = password
node.session.timeo.replacement_timeout = 120
node.conn[0].timeo.login_timeout = 15
# remaining output omitted

firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 23/tcp 3260/tcp 23/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

targetcli
/iscsi> cd /
/> ls
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- block .............................................. [Storage Objects: 0]
  | o- fileio ............................................. [Storage Objects: 1]
  | | o- back1 ....... [/var/lib/iscsi-lun0.img (100.0MiB) write-back activated]
  | o- pscsi .............................................. [Storage Objects: 0]
  | o- ramdisk ............................................ [Storage Objects: 0]
  o- iscsi ........................................................ [Targets: 1]
  | o- iqn.2015-11.com.example:lun0 .................................. [TPGs: 1]
  |   o- tpg1 ........................................... [no-gen-acls, no-auth]
  |     o- acls ...................................................... [ACLs: 1]
  |     | o- iqn.2015-11.com.example:centos7 .................. [Mapped LUNs: 1]
  |     |   o- mapped_lun0 ............................ [lun0 fileio/back1 (rw)]
  |     o- luns ...................................................... [LUNs: 1]
  |     | o- lun0 ..................... [fileio/back1 (/var/lib/iscsi-lun0.img)]
  |     o- portals ................................................ [Portals: 1]
  |       o- 0.0.0.0:3260 ................................................. [OK]
  o- loopback ..................................................... [Targets: 0]

/> cd /iscsi/iqn.2015-11.com.example:lun0/tpg1/acls/iqn.2015-11.com.example:centos7/
/iscsi/iqn.20...ample:centos7> info
chap_password: password
chap_userid: student
wwns:
iqn.2015-11.com.example:centos7
exit

iscsiadm -m discovery -t sendtargets -p 10.0.2.5 # the -p must be the correct IP for the portal

10.0.2.5:3260,1 iqn.2015-11.com.example:lun0

iscsiadm -m node -v --login

10.0.2.5:3260,1 iqn.2015-11.com.example:lun0

iscsiadm -P3 -m session 
iSCSI Transport Class version 2.0-870
version 6.2.0.873-28
Target: iqn.2015-11.com.example:lun0 (non-flash)
Current Portal: 10.0.2.5:3260,1
Persistent Portal: 10.0.2.5:3260,1
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.2015-11.com.example:centos7
Iface IPaddress: 10.0.2.5
Iface HWaddress:
Iface Netdev:
SID: 1
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE
*********
Timeouts:
*********
Recovery Timeout: 120
Target Reset Timeout: 30
LUN Reset Timeout: 30
Abort Timeout: 15
*****
CHAP:
*****
username: student
password: ********
username_in:
password_in: ********
************************
Negotiated iSCSI params:
************************
HeaderDigest: None
DataDigest: None
MaxRecvDataSegmentLength: 262144
MaxXmitDataSegmentLength: 262144
FirstBurstLength: 65536
MaxBurstLength: 262144
ImmediateData: Yes
InitialR2T: Yes
MaxOutstandingR2T: 1
************************
Attached SCSI devices:
************************
Host Number: 3 State: running
scsi3 Channel 00 Id 0 Lun: 0
Attached scsi disk sdb State: running
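As an added example that is not part of the original post, the following script automates the two checks the troubleshooting paragraph describes: whether the client's IQN from initiatorname.iscsi is listed in the target ACL (a mismatch means a failure to authorize), and whether the CHAP settings in iscsid.conf match the chap_userid and chap_password shown by targetcli's info command (a mismatch means a failure to authenticate). The input files are constructed from the post's own values; the file and function names are my own assumptions.

```shell
# Added example, not from the original post: cross-check the two failure causes
# the troubleshooting paragraph names. A client IQN missing from the target ACL
# means "failure to authorize"; CHAP settings in iscsid.conf that differ from the
# ACL's chap_userid/chap_password mean "failure to authenticate". All input
# files are constructed here from the post's own values.
WORK=$(mktemp -d)

# Constructed copy of the client's /etc/iscsi/initiatorname.iscsi
printf 'InitiatorName=iqn.2015-11.com.example:centos7\n' > "$WORK/initiatorname.iscsi"

# Constructed fragment of the client's /etc/iscsi/iscsid.conf
cat > "$WORK/iscsid.conf" <<'EOF'
# CHAP settings as uncommented on the client
node.session.auth.authmethod = CHAP
node.session.auth.username = student
node.session.auth.password = password
EOF

# Constructed output of targetcli's "info" command for the client's ACL node
cat > "$WORK/acl-info.txt" <<'EOF'
chap_password: password
chap_userid: student
wwns:
iqn.2015-11.com.example:centos7
EOF

# Syntax check: "iqn." + year-month + reversed domain, optionally ":" + name
valid_iqn() {
    printf '%s\n' "$1" | grep -Eq '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9.-]+(:[A-Za-z0-9._:-]+)?$'
}

# The InitiatorName= value from an initiatorname.iscsi file
initiator_iqn() { sed -n 's/^InitiatorName=//p' "$1"; }

# One "key = value" setting from iscsid.conf, skipping comments and blank lines
iscsid_setting() {  # $1 = file, $2 = key
    grep -Ev '^#|^$' "$1" | sed -n "s/^$2 *= *//p"
}

# One "key: value" line from the saved targetcli "info" output
acl_field() { sed -n "s/^$2: //p" "$1"; }  # $1 = file, $2 = key

# 0 when the client's IQN is well formed and listed under the ACL's wwns
iqn_authorized() {  # $1 = initiatorname.iscsi, $2 = acl info file
    local iqn; iqn=$(initiator_iqn "$1")
    valid_iqn "$iqn" || return 2
    grep -qxF "$iqn" "$2"
}

# 0 when the client uses CHAP with the same userid/password the ACL holds
chap_matches() {  # $1 = iscsid.conf, $2 = acl info file
    [ "$(iscsid_setting "$1" node.session.auth.authmethod)" = CHAP ] || return 1
    [ "$(iscsid_setting "$1" node.session.auth.username)" = "$(acl_field "$2" chap_userid)" ] || return 1
    [ "$(iscsid_setting "$1" node.session.auth.password)" = "$(acl_field "$2" chap_password)" ]
}

# A failure here is what to fix before trying "iscsiadm -m node --login" again
iqn_authorized "$WORK/initiatorname.iscsi" "$WORK/acl-info.txt" && echo "authorize: initiator IQN is in the target ACL"
chap_matches "$WORK/iscsid.conf" "$WORK/acl-info.txt" && echo "authenticate: CHAP userid/password match the ACL"
```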

Good Luck!

Creating a loop device for testing filesystems in Linux

If you want a disk for testing different filesystems but cannot add one to your system, you might think you are stuck. By creating a filesystem within a file, you can use a loop-mounted device instead, and you are not stuck at all!

For example, you could create a 100M /var/lib/testdisk file with the following command:

dd if=/dev/zero of=/var/lib/testdisk bs=1M count=100

Then, you can set up that file as a loop device:

losetup --find # prints the next available loop device, typically /dev/loop0, which is used below
losetup /dev/loop0 /var/lib/testdisk

Next, you can format the loop device with a filesystem:

mkfs -t ext4 /dev/loop0

Use the filesystem by creating a directory and mounting it:

mkdir /test-ext4
mount /dev/loop0 /test-ext4

In the future to mount this filesystem image, you will be able to just use the command:

mount -o loop /var/lib/testdisk /test-ext4

To make this device permanent you could add the following lines to /etc/fstab:

/var/lib/testdisk       /test-ext4              ext4    loop,nodev      0 0


About Me - WrightRocket

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.