This article will demonstrate how to export a raw block storage device over Internet in a secure manner. Re-phrased this means that you can export a hard disk from a remote machine and use it on your local computer as it was a directly attached disk, thanks to iSCSI. Authentication and secure transport channel is provided by an SSH tunnel (more info). The setup has been tested on Ubuntu 11.10 Oneiric.
Amazon AWS made it really simple to deploy a server setup in a minute:
- Launch a Micro EC2 instance and then install Ubuntu server by clicking on the links in the Ubuntu EC2StartersGuide, section “Official Ubuntu Cloud Guest Amazon Machine Images (AMIs)”.
- Create an EBS volume in the same availability zone. Attach it to the EC2 instance as “/dev/sdf” (seen as “/dev/xvdf” in latest Ubuntu versions).
- (optionally) Allocate an Elastic IP address and associate it with the EC2 instance.
Note that you can lower your AWS bill by buying a Reserved instance slot. Those slots are non-refundable and non-transferrable, so shop wisely. You can also stop the EC2 instance when you’re not using it and you won’t be billed for it but only for the allocated EBS volume storage.
You can use any other dedicated or virtual server which you own and can access by IP. An Amazon AWS EC2 instance is given here only as an example.
iSCSI server-side setup
Execute the following on your server (iSCSI target):
IP=126.96.36.199 # the public DNS IP address of the EC2 instance / server # Log in to the server ssh ubuntu@$IP # Update your SSH key in ".ssh/authorized_keys", if needed. sudo bash cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/ # so that we can log in directly as root apt-get update apt-get upgrade apt-get install linux-headers-virtual # virtual because we're running an EC2 instance apt-get install iscsitarget iscsitarget-dkms perl -pi -e 's/^ISCSITARGET_ENABLE=.*$/ISCSITARGET_ENABLE=true/' /etc/default/iscsitarget # We won't use any iSCSI authentication because the server is totally firewalled # and we access it only using an SSH tunnel. # NOTE: If you don't use Amazon EC2, make sure that you firewall this machine completely, # leaving only SSH access (TCP port 22). # update your block device location in "Path", if needed cat >> /etc/iet/ietd.conf <<EOF Target iqn.2012-03.net.famzah:storage.backup Lun 0 Path=/dev/xvdf,Type=fileio EOF /etc/init.d/iscsitarget restart echo 'PermitTunnel yes' >> /etc/ssh/sshd_config /etc/init.d/ssh restart
iSCSI client-side setup
Execute the following on your client / desktop machine (iSCSI initiator):
# Install the iSCSI client sudo apt-get install open-iscsi
How to attach an iSCSI volume on the client
The following commands show how to attach and detach a remote iSCSI volume on the client machine. The output of the commands is quoted with “#>>”.
IP=188.8.131.52 # the public DNS IP address of the EC2 instance / server # Establish the secure SSH tunnel to the remote server sudo -E \ ssh -F /dev/null \ -o PermitLocalCommand=yes \ -o LocalCommand="ifconfig tun0 172.18.0.2 pointopoint 172.18.0.1 netmask 255.255.255.0" \ -o ServerAliveInterval=60 \ -w 0:0 root@"$IP" \ 'sudo ifconfig tun0 172.18.0.1 pointopoint 172.18.0.2 netmask 255.255.255.0; hostname; echo tun0 ready' # Make sure that we can reach the remote server via the SSH tunnel ping 172.18.0.1 # Execute this one-time; it discovers the available iSCSI volumes sudo iscsiadm -m discovery -t st -p 172.18.0.1 #>> 172.18.0.1:3260,1 iqn.2012-03.net.famzah:storage.backup # Attach the remote iSCSI volume on the local machine sudo iscsiadm -m node --targetname "iqn.2012-03.net.famzah:storage.backup" --portal "172.18.0.1:3260" --login #>> Logging in to [iface: default, target: iqn.2012-03.net.famzah:storage.backup, portal: 172.18.0.1,3260] #>> Login to [iface: default, target: iqn.2012-03.net.famzah:storage.backup, portal: 172.18.0.1,3260]: successful # Check the kernel log dmesg #>> [ 1237.538172] scsi3 : iSCSI Initiator over TCP/IP #>> [ 1238.657846] scsi 3:0:0:0: Direct-Access IET VIRTUAL-DISK 0 PQ: 0 ANSI: 4 #>> [ 1238.662985] sd 3:0:0:0: Attached scsi generic sg2 type 0 #>> [ 1239.578079] sd 3:0:0:0: [sdb] 167772160 512-byte logical blocks: (85.8 GB/80.0 GiB) #>> [ 1239.751271] sd 3:0:0:0: [sdb] Write Protect is off #>> [ 1239.751279] sd 3:0:0:0: [sdb] Mode Sense: 77 00 00 08 #>> [ 1240.099649] sd 3:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA #>> [ 1241.962729] sdb: unknown partition table #>> [ 1243.568470] sd 3:0:0:0: [sdb] Attached SCSI disk # Double-check that the iSCSI volume is with the expected size (80 GB in our case) cat /proc/partitions #>> major minor #blocks name #>> ... #>> 8 16 83886080 sdb # The remote iSCSI volume is now available under /dev/sdb on our local machine. # You can use it as any other locally attached hard disk (block device). # Detach the iSCSI volume from the local machine sync sudo iscsiadm -m node --targetname "iqn.2012-03.net.famzah:storage.backup" --portal "172.18.0.1:3260" --logout #>> Logging out of session [sid: 1, target: iqn.2012-03.net.famzah:storage.backup, portal: 172.18.0.1,3260] #>> Logout of [sid: 1, target: iqn.2012-03.net.famzah:storage.backup, portal: 172.18.0.1,3260]: successful # Check the kernel log dmesg #>> [ 1438.942277] connection1:0: detected conn error (1020) # Double-check that the iSCSI volume is no longer available on the local machine cat /proc/partitions #>> no "sdb"
Once you have the iSCSI block device volume attached on your local computer, you can use it as you need, just like it was a normal hard disk. Only it will be slower because each I/O operation takes place over Internet. For example, you can locally encrypt the iSCSI volume with TrueCrypt, in order to prevent the administrators of the remote machine to be able to see your files.