|
Replication
Replication is popular technical method that involves sharing information
so as to ensure consistency between redundant resources to improve
reliability, fault-tolerance, accessibility and as while as real-time data
backup.
Replication implemented in this software is block level. By this way, any
file system and file system structure supported by the operating system can
be replicated without modification, which will ensure all data consistency
between two or more nodes
Synchronous Replication
Guarantees "zero data loss" by the means of atomic write operation,
i.e. write either completes on both sides or not at all. Write is not
considered complete until acknowledgement by both local and remote storage.
Most applications wait for a write transaction to complete before proceeding
with further work, hence overall performance decreases considerably.
Inherently, performance drops proportionally to distance, as latency is
caused by speed of light.
Then, by this way, all data on the two or more nodes will be consistent in
any time, but performance will drop a little.
Synchronous Replication
Write is considered complete as soon as local storage acknowledges
it. Remote storage is updated, but probably with a small lag. Performance is
greatly increased, but in case of losing a local storage, the remote storage
is not guaranteed to have the current copy of data and most recent data may
be lost.
Then, by this way, it may not consistency between redundant nodes in some
time point but it won't result in performance lost.
Disk image
Its a single file or storage device containing the complete
contents and structure representing a data storage medium or device, such as
a hard drive, volume, tape drive, optical disc, or USB flash drive. A disk
image is usually created by creating a complete sector-by-sector copy of the
source medium and thereby perfectly replicating the structure and contents
of a storage device.
iSCSI
In computing, iSCSI is an abbreviation of Internet Small
Computer System Interface, an Internet Protocol (IP)-based storage
networking standard for linking data storage facilities. By carrying SCSI
commands over IP networks, iSCSI is used to facilitate data transfers over
intranets and to manage storage over long distances. iSCSI can be used to
transmit data over local area networks (LANs), wide area networks (WANs), or
the Internet and can enable location-independent data storage and retrieval.
The protocol allows clients (called initiators) to send SCSI commands (CDBs)
to SCSI storage devices (targets) on remote servers. It is a popular storage
area network (SAN) protocol, allowing organizations to consolidate storage
into data center storage arrays while providing hosts (such as database and
web servers) with the illusion of locally-attached disks. Unlike traditional
Fibre Channel, which requires special-purpose cabling, iSCSI can be run over
long distances using existing network infrastructure.
Initiator
An initiator functions as an iSCSI client. An initiator typically serves the
same purpose to a computer as a SCSI bus adapter would, except that instead
of physically cabling SCSI devices (like hard drives and tape changers), an
iSCSI initiator sends SCSI commands over an IP network. An initiator falls
into two broad types:
Software initiator
A software initiator uses code to implement iSCSI. Typically, this happens
in a kernel-resident device driver that uses the existing network card (NIC)
and network stack to emulate SCSI devices for a computer by speaking the
iSCSI protocol. Software initiators are available for most mainstream
operating systems, and this type is the most common mode of deploying iSCSI
on computers.
Host Bus Adapter
An iSCSI host bus adapter (more commonly, HBA) implements a
hardware initiator. A typical HBA is packaged as a combination of a Gigabit
(or 10 Gigabit) Ethernet NIC, some kind of TCP/IP offload engine (TOE)
technology and a SCSI bus adapter, which is how it appears to the operating
system.
TCP Offload Engine
A TCP Offload Engine, or "TOE Card", offers an alternative to a full iSCSI
HBA. A TOE "offloads" the TCP/IP operations for this particular network
interface from the host processor, freeing up CPU cycles for the main host
applications. When a TOE is used rather than an HBA, the host processor
still has to perform the processing of the iSCSI protocol layer itself, but
the CPU overhead for that task is low.
Target
iSCSI specification refers to a storage resource located on an iSCSI server
(more generally, one of potentially many instances of iSCSI storage nodes
running on that server) as a target. An iSCSI target usually represents hard
disk storage that works over the IP or Ethernet networks.
Logical Unit Number
In SCSI terminology, LUN stands for logical unit number. A LUN represents an
individually addressable (logical) SCSI device that is part of a physical
SCSI device (target). In an iSCSI environment, LUNs are essentially numbered
disk drives. An initiator negotiates with a target to establish connectivity
to a LUN; the result is an iSCSI connection that emulates a connection to a
SCSI hard disk. Initiators treat iSCSI LUNs the same way as they would a raw
SCSI or IDE hard drive; for instance, rather than mounting remote
directories as would be done in NFS or CIFS environments, iSCSI systems
format and directly manage file systems on iSCSI LUNs.
In enterprise deployments, LUNs usually represent slices of large RAID disk
arrays, often allocated one per client. iSCSI imposes no rules or
restrictions on multiple computers sharing individual LUNs; it leaves shared
access to a single underlying file system as a task for the operating system.
Addressing
Special names refer to both iSCSI initiators and targets. iSCSI provides
three name-formats:
iSCSI Qualified Name (IQN)
Format: iqn.yyyy-mm.{reversed domain name} (e.g.
iqn.2001-04.com.acme:storage.tape.sys1.xyz) (Note: There is an optional
colon with arbitrary text afterwards. This text is there to help better
organize or label resources.)
Extended Unique Identifier (EUI)
Format: eui.{EUI-64 bit address} (e.g. eui.02004567A425678D)
T11 Network Address Authority (NAA)
Format: naa.{NAA 64 or 128 bit identifier} (e.g. naa.52004567BA64678D)
IQN format addresses occur most commonly. They are qualified by a date (yyyy-mm)
because domain names can expire or be acquired by another entity.
The IEEE Registration authority provides EUI in accordance with the
EUI-64 standard. NAA is part OUI which is provided by the IEEE Registration
Authority. NAA name formats were added to iSCSI in RFC 3980, to provide
compatibility with naming conventions used in Fibre Channel and Serial
Attached SCSI (SAS) storage technologies.
Usually an iSCSI participant can be defined by three or four fields:
Hostname or IP Address (e.g., "iscsi.example.com")
Port Number (e.g., 3260)
iSCSI Name (e.g., the IQN "iqn.2003-01.com.ibm:00.fcd0ab21.shark128")
An optional CHAP Secret (e.g., "secretsarefun")
iSNS
iSCSI initiators can locate appropriate storage resources using the Internet
Storage Name Service (iSNS) protocol. In theory, iSNS provides iSCSI SANs
with the same management model as dedicated Fibre Channel SANs. In practice,
administrators can satisfy many deployment goals for iSCSI without using
iSNS.
Security
Authentication
iSCSI initiators and targets prove their identity to each other using the
CHAP protocol, which includes a mechanism to prevent clear text passwords
from appearing on the wire. By itself, the CHAP protocol is vulnerable to
dictionary attacks, spoofing, or reflection attacks. If followed carefully,
the rules for using CHAP within iSCSI prevent most of these attacks.
Additionally, as with all IP-based protocols, IPsec can operate at the
network layer. The iSCSI negotiation protocol is designed to accommodate
other authentication schemes, though interoperability issues limit their
deployment.
To ensure that only valid initiators connect to storage arrays,
administrators most commonly run iSCSI only over logically-isolated
backchannel networks. In this deployment architecture, only the management
ports of storage arrays are exposed to the general-purpose internal network,
and the iSCSI protocol itself is run over dedicated network segments or
virtual LANs (VLAN). This mitigates authentication concerns; unauthorized
users aren't physically provisioned for iSCSI, and thus can't talk to
storage arrays. However, it also creates a transitive trust problem, in that
a single compromised host with an iSCSI disk can be used to attack storage
resources for other hosts.
Authorization
Because iSCSI aims to consolidate storage for many servers into a single
storage array, iSCSI deployments require strategies to prevent unrelated
initiators from accessing storage resources. As a pathological example, a
single enterprise storage array could hold data for servers variously
regulated by the Sarbanes-Oxley Act for corporate accounting, HIPAA for
health benefits information, and PCI DSS for credit card processing. During
an audit, storage systems must demonstrate controls to ensure that a server
under one regime cannot access the storage assets of a server under another.
Typically, iSCSI storage arrays explicitly map initiators to specific target
LUNs; an initiator authenticates not to the storage array, but to the
specific storage asset it intends to use. However, because the target LUNs
for SCSI commands are expressed both in the iSCSI negotiation protocol and
in the underlying SCSI protocol, care must be taken to ensure that access
control is provided consistently. |
