Background

My coworker, Steve, and I have been talking about backup strategies for a while now. Personally, I use a combination of RAID1 on my main machine, and a nightly rdiff-backup to my NAS, which keeps a month or two of revisions. This is a good start, but is not exactly tolerant to physical disaster, such as fire, break-in, etc. Those reasons are why the concept of offsite backups was invented.

So what is a good way to do offsite backups? I don't really want to dish out the cash for a tape system, and I've got a good amount of data that I'd like backed up (documents, photos, music, etc.). Hard drives make good sense. However, the big problem with offsite backup strategies that require remembering to swap out drives is that they require somebody to swap out drives.

So Steve and I both keep a server online in our homes 24/7. We thought about giving each other shell access so that we could run rsync or rdiff-backup, but that seemed like a somewhat sub-par solution. I really wanted something that would have very little impact on the other's computer. I don't want to waste his disk space, and while I do trust him, I don't really want to have my backups stored on his machine unencrypted.

I think Steve was the first to think about iSCSI as a solution. We would each purchase a drive to have installed on the other's server. We then export that raw drive over iSCSI, where the other can connect and use the drive as they wish. In a future post, I'll explain how I set up the encrypted filesystem on my drive that is hosted at Steve's place. In this article, I'll explain how I went about getting iSCSI to work for this setup. I made use of this HOWTO.


To make the HDD available:

Add the hard drive to your computer, and note the device that it'll be. In my case, it was hda.
Install the iSCSI Target packages. Assuming you're running a Debian derivative, install iscsitarget and its kernel module:

> sudo aptitude install iscsitarget iscsitarget-source

Compile the module and install it:

> sudo module-assistant auto-install iscsitarget
> sudo dpkg -i /usr/src/iscsitarget-module-X.YY.ZZ-^I

Yes, that is a tab-complete on the dpkg install line. Use the .deb package that was created by module-assistant.

Add the following to your /etc/ietd.conf, setting the 'path' as appropriate:

Target iqn.2001-01.org.forkit:storage.erwin.bar.remotedrive0
     IncomingUser bmoore ****************
     OutgoingUser bmoore ++++++++++++++++
     Lun 0 Path=/dev/hda,Type=blockio
     ImmediateData   Yes

I should explain some of this. The Target line specifies a new iSCSI "controller" with the name "iqn.2001-01.org.forkit:storage.erwin.bar.remotedrive0". The first part of the Target name follows a standard format. Quoting from the man page for ietd.conf:

Target iqn.<yyyy-mm>.<tld.domain.some.host>[:<identifier>]

A target definition and the target name. The target's name (the iSCSI Qualified Name) must be a globally unique name (as defined by the iSCSI standard) and has to start with iqn followed by a single dot. The EUI-64 form is not supported. <yyyy-mm> is the date (year and month) at which the domain is valid. This has to be followed by a single dot and the reversed domain name. The optional <identifier> - which is freely selectable - has to be separated by a single colon. For further details please check the iSCSI spec.

IncomingUser and OutgoingUser specify the username that should be expected from an Initiator (a device trying to mount the disk), and the username that we should send back. In this case, I set them to the same id. The stars and plusses represent two unique passwords. I used pwgen to generate a couple of strings. The Lun line specifies a device to be present on the controller. I specify the path to my drive, and state that it is to use block I/O, rather than file I/O to access it (as it is a block device, not a file that we are exporting). Turning on ImmediateData is an attempt to optimize for the relatively slow link we'll have going over our broadband connections. It may not be useful, I'm not sure.

If applicable, update /etc/default/iscsitarget to have iSCSI start up at boot time:

> cat /etc/default/iscsitarget
ISCSITARGET_ENABLE=true
> /etc/init.d/iscsitarget start

Finally, forward Port 3260 on your router to the server hosting the drive.


To mount the remote drive:

Install open-iscsi, and search for your targets.

> sudo aptitude install open-iscsi
> sudo iscsiadm -m discovery -t sendtargets -p remote.example.com:3260
192.168.0.5:3260,1 iqn.2001-01.org.forkit:storage.erwin.bar.remotedrive0

Now that we've found the remote drive, we need to add our passwords.

> cd /etc/iscsi/nodes/iqn.2001-01.org.forkit:storage.erwin.bar.remotedrive0
> sudo mv 192.168.0.5,3260 remote.example.com,3260
> sudo vi remote.example.com,3260

Delete the line that says node.session.auth.authmethod = None, and add the following lines, where the passwords match up as above:

node.session.auth.authmethod = CHAP
node.session.auth.username = bmoore
node.session.auth.password = ****************
node.session.auth.username_in = bmoore
node.session.auth.password_in = ++++++++++++++++

Also, because of NAT, we need to update one more setting: node.conn[0].address = remote.example.com. It is currently set to the "Portal" address returned by discovery, but it needs to be the address that we actually connect to.
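
An added example, not part of the original post: a small shell check to run on the node record before logging in. It confirms that CHAP is enabled in both directions with two different secrets and that node.conn[0].address no longer points at a private portal address. The function names, the 12-character minimum (taken from the 96-bit CHAP secret minimum in RFC 3720) and the sample record are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an open-iscsi node record.

# get_key FILE KEY: print the value of the last "KEY = value" line.
get_key() {
    awk -v k="$2 = " 'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }' "$1"
}

# audit_node_record FILE: one finding per line; returns 1 if any check FAILs.
audit_node_record() {
    f=$1; rc=0
    method=$(get_key "$f" node.session.auth.authmethod)
    pw=$(get_key "$f" node.session.auth.password)
    pw_in=$(get_key "$f" node.session.auth.password_in)
    addr=$(get_key "$f" 'node.conn[0].address')
    [ "$method" = CHAP ] || { echo "FAIL authmethod is '${method:-unset}', not CHAP"; rc=1; }
    [ -n "$pw" ] || { echo "FAIL password unset: initiator cannot authenticate"; rc=1; }
    [ -n "$pw_in" ] || { echo "FAIL password_in unset: target is not authenticated"; rc=1; }
    if [ -n "$pw" ] && [ "$pw" = "$pw_in" ]; then
        echo "FAIL password and password_in are identical"; rc=1
    fi
    for s in "$pw" "$pw_in"; do
        # Assumed policy: 12 characters, matching the 96-bit minimum in RFC 3720.
        if [ -n "$s" ] && [ "${#s}" -lt 12 ]; then
            echo "FAIL a CHAP secret is shorter than 12 characters"; rc=1
        fi
    done
    case $addr in
        ''|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "WARN node.conn[0].address is '${addr:-unset}', not the public name" ;;
    esac
    return $rc
}

# Constructed sample: discovery left the private portal address and the two
# secrets were pasted as the same string.
sample=$(mktemp)
cat > "$sample" <<'EOF'
node.session.auth.authmethod = CHAP
node.session.auth.username = bmoore
node.session.auth.password = constructedSecretA1
node.session.auth.username_in = bmoore
node.session.auth.password_in = constructedSecretA1
node.conn[0].address = 192.168.0.5
EOF
audit_node_record "$sample" || echo "node record needs fixing"
rm -f "$sample"
```

Run it as root against the real file under /etc/iscsi/nodes/, since the record holds both secrets in clear text.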

Now log in:

> sudo iscsiadm --mode node \
  --targetname iqn.2001-01.org.forkit:storage.erwin.bar.remotedrive0 \
  --portal remote.example.com:3260 --login

Currently, I'm not getting anywhere. The login works, and in dmesg, I get a line like: scsi2 : iSCSI Initiator over TCP/IP. However, no devices show up. I'm having Steve check his system logs, and will get back to you.

 

Update: Steve played around with a few things, for he was getting an error -16 when trying to launch the iSCSI Target. ERRNO 16 is device busy. Googling around led us to believe that perhaps LVM had the device open. He added a filter line to his lvm.conf file and rebooted. Apparently, that wasn't quite enough. He had to remove the Type=blockio part of the Lun line in his /etc/ietd.conf file. I'm really not sure why, but now it all works.

Check your kernel logs or dmesg. You should hopefully see something like:

scsi2 : iSCSI Initiator over TCP/IP
scsi 2:0:0:0: Direct-Access     IET      VIRTUAL-DISK     0    PQ: 0 ANSI: 4
sd 2:0:0:0: [sdc] 625142448 512-byte hardware sectors (320073 MB)
sd 2:0:0:0: [sdc] Write Protect is off
sd 2:0:0:0: [sdc] Mode Sense: 77 00 00 08
sd 2:0:0:0: [sdc] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
sd 2:0:0:0: [sdc] 625142448 512-byte hardware sectors (320073 MB)
sd 2:0:0:0: [sdc] Write Protect is off
sd 2:0:0:0: [sdc] Mode Sense: 77 00 00 08
sd 2:0:0:0: [sdc] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
 sdc: sdc1
sd 2:0:0:0: [sdc] Attached SCSI disk

That means that your disk has been detected, and is now sdc. From here, you can fdisk the drive, partition, etc, just as if the drive was plugged in directly to your system.

To disconnect your iSCSI disk, use the following line:

> sudo iscsiadm --mode node \
  --targetname iqn.2001-01.org.forkit:storage.erwin.bar.remotedrive0 \
  --portal remote.example.com:3260 --logout