SOA_EN

Introduction to Tape Gateway Type Storage Gateway

スポンサーリンク
Introduction to Tape Gateway of Storage Gateway SOA_EN
スポンサーリンク
スポンサーリンク

Storage Gateway Tape Gateway Configuration

The content is related to reliability and business continuity, which is also part of the scope of AWS SOA.

There are four types of Storage Gateways, and we will introduce the Tape Gateway.
Tape gateways provide VTL (Virtual Tape Library) and tape archiving functions.

Tape Gateway enables you to replace using physical tapes on premises with virtual tapes in AWS without changing existing backup workflows…

Tape Gateway stores virtual tapes in Amazon S3, Amazon S3 Glacier Flexible Retrieval, and Amazon S3 Glacier Deep Archive, protected by 99.999999999% of durability.

Tape Gateway

You can also choose from the following five tape gateway platforms

  • VMware ESXi
  • Microsoft Hyper-V
  • Linux KVM
  • Amazon EC2
  • Hardware Appliance
  • Snowball Edge

This time, the EC2 instance will act as a tape gateway.

The goal of this project is to operate the VTL through the tape gateway.

Environment

Diagram of introduction to Tape Gateway of Storage Gateway

Create two EC2 instances in a private subnet.

The first will act as a tape gateway.
It will be created using the AMI for the tape gateway.

The second will act as a client to operate the VTL.
Through the aforementioned tape gateway, access to the VTL.

Create a Storage Gateway endpoint for the Tape Gateway instance.
This instance will be used to connect to the VTL outside the VPC.

Create SSM and S3 endpoints for the client instance.
The former is used to access this instance via SSM Session Manager.
The latter is used to install packages for tape device operation via yum repository built on the S3 bucket.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are located at the following URL

awstut-soa/02/001 at main · awstut-an-r/awstut-soa
Contribute to awstut-an-r/awstut-soa development by creating an account on GitHub.

Explanation of key points of the template file

Tape Gateway Instance

Instance

Resources: StorageGatewayInstance: Type: AWS::EC2::Instance Properties: ImageId: !Ref ImageId InstanceType: !Ref InstanceType NetworkInterfaces: - DeviceIndex: 0 SubnetId: !Ref PrivateSubnet GroupSet: - !Ref StorageGatewaySecurityGroup
Code language: YAML (yaml)

Specify the AMI with the ImageId property.
This time, specify the following value to obtain the latest AMI ID for the tape gateway stored in the SSM parameter store.

  • /aws/service/storagegateway/ami/VTL/latest

Specify the instance class in the InstanceType property.
One of the requirements for an EC2 instance to act as a tape gateway is the instance class.

Storage Gateway is supported on instance types that meet certain minimum requirements. We recommend starting with the m4xlarge instance type, which meets the minimum requirements for your gateway to function properly.

Deploying a Volume or Tape Gateway on an Amazon EC2 Host

In this case, we will specify m5a.xlarge.

EBS

Resources: StorageGatewayInstanceEBS1: Type: AWS::EC2::Volume Properties: AvailabilityZone: !Ref AZ Size: !Ref EBSSize VolumeType: gp3 EBSAttachment1: Type: AWS::EC2::VolumeAttachment Properties: Device: /dev/sdf InstanceId: !Ref StorageGatewayInstance VolumeId: !Ref StorageGatewayInstanceEBS1 StorageGatewayInstanceEBS2: Type: AWS::EC2::Volume Properties: AvailabilityZone: !Ref AZ Size: !Ref EBSSize VolumeType: gp3 EBSAttachment2: Type: AWS::EC2::VolumeAttachment Properties: Device: /dev/sdg InstanceId: !Ref StorageGatewayInstance VolumeId: !Ref StorageGatewayInstanceEBS2
Code language: YAML (yaml)

One of the requirements for an EC2 instance to act as a tape gateway is the specification of an additional disk.
The official website states that two disks must be provided as follows

Cache (Minimum): 150GiB

Upload Buffer (Minimum): 150GiB

Deploying a file gateway on an Amazon EC2 host

Create an EBS for each and attach it to the tape gateway instance.
However, this time, since this is an action verification, we specify the size of the EBS to be 8GB.
Although it does not meet the minimum requirement, it will act as a tape gateway.

Security Group

Resources: StorageGatewaySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub "${Prefix}-StorageGatewaySecurityGroup" GroupDescription: Allow Storage Gateway Traffic. VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: !Ref HTTPPort ToPort: !Ref HTTPPort SourceSecurityGroupId: !Ref InstanceSecurityGroup - IpProtocol: tcp FromPort: !Ref iSCSIPort ToPort: !Ref iSCSIPort SourceSecurityGroupId: !Ref InstanceSecurityGroup
Code language: YAML (yaml)

According to AWS officials, there are two inbound communications that should be allowed in the security group when an EC2 instance is acting as a tape gateway.

  • iSCSI (3260/tcp): Used by the instance to operate the VTL.
  • HTTP (80/tcp): used to activate the EC2 instance as a tape gateway.

Specify the security group for the client instance, described below, as the source of the two communications.

Client Instance

Instance

Resources: Instance: Type: AWS::EC2::Instance Properties: IamInstanceProfile: !Ref InstanceProfile ImageId: !Ref ImageId InstanceType: !Ref InstanceType NetworkInterfaces: - DeviceIndex: 0 SubnetId: !Ref PrivateSubnet GroupSet: - !Ref InstanceSecurityGroup UserData: !Base64 | #!/bin/bash -xe yum update -y yum install -y iscsi-initiator-utils yum install -y mt-st yum install -y mtx
Code language: PHP (php)

The key point is the UserData property.
This function, called UserData, allows you to specify the process to be executed when an instance is created.
For more information on user data, please refer to the following page

This time, we will define a command to be executed as an initialization process in this property.
The content to be executed is the process of installing the packages required to operate the tape device.
Install the following packages

  • iscsi-initiator-utils
  • mt-st
  • mtx

Install these packages from the yum repository built on the S3 bucket.
For more information, please refer to the following page

Security Group

Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub "${Prefix}-InstanceSecurityGroup" GroupDescription: Deny All. VpcId: !Ref VPC
Code language: YAML (yaml)

Nothing in particular is set.
In this requirement, there will be no inbound communication to this instance.
Only outbound communication from this instance to the tape gateway.

VPC Endpoints for Storage Gateway

VPC Endpoint

Resources: StorageGatewayEndpoint: Type: AWS::EC2::VPCEndpoint Properties: PrivateDnsEnabled: true SecurityGroupIds: - !Ref StorageGatewayEndpointSecurityGroup ServiceName: !Sub "com.amazonaws.${AWS::Region}.storagegateway" SubnetIds: - !Ref PrivateSubnet VpcEndpointType: Interface VpcId: !Ref VPC
Code language: YAML (yaml)

The VpcEndpointType property specifies “Interface”.
There are two types of VPC endpoint types: gateway type and interface type.
The former is used to communicate with S3 and DynamoDB.
The latter is used to communicate with other AWS services.
Therefore, since we will be communicating with Storage Gateway, it will be “Interface” which means interface type.

Security Group

Resources: StorageGatewayEndpointSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub ${Prefix}-StorageGatewayEndpointSecurityGroup GroupDescription: Allow Storage Gateway Traffic. VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: !Ref HTTPSPort ToPort: !Ref HTTPSPort SourceSecurityGroupId: !Ref StorageGatewaySecurityGroup - IpProtocol: tcp FromPort: !Ref StorageGatewayPort1 ToPort: !Ref StorageGatewayPort1 SourceSecurityGroupId: !Ref StorageGatewaySecurityGroup - IpProtocol: tcp FromPort: !Ref StorageGatewayPort2 ToPort: !Ref StorageGatewayPort2 SourceSecurityGroupId: !Ref StorageGatewaySecurityGroup - IpProtocol: tcp FromPort: !Ref StorageGatewayPort3 ToPort: !Ref StorageGatewayPort3 SourceSecurityGroupId: !Ref StorageGatewaySecurityGroup - IpProtocol: tcp FromPort: !Ref StorageGatewayPort4 ToPort: !Ref StorageGatewayPort4 SourceSecurityGroupId: !Ref StorageGatewaySecurityGroup - IpProtocol: tcp FromPort: !Ref StorageGatewayPort5 ToPort: !Ref StorageGatewayPort5 SourceSecurityGroupId: !Ref StorageGatewaySecurityGroup
Code language: YAML (yaml)

Allow inbound communication for a total of 6 ports according to the following AWS official site.

Verify that all of the following TCP ports are allowed in your security group:

TCP 443
TCP 1026
TCP 1027
TCP 1028
TCP 1031
TCP 2222

Activating a gateway in a virtual private cloud

Specify the security group for the gateway instance described earlier as the source of the communication to be allowed.

Architecting

We will use CloudFormation to build this environment and check its actual behavior.

Create CloudFormation stack and check resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources of each stack, the following is the information on the main resources created in this case.

  • ID of client instance: i-0205370d5c210e708
  • ID of the tape gateway instance: i-0f2d46c571fdd8b22
  • Private DNS name of the tape gateway instance: ip-10-0-2-143.ap-northeast-1.compute.internal
  • VPC endpoint for Storage Gateway: vpce-02536f2b50d39f32a-inqvg1ig.storagegateway.ap-northeast-1.vpce.amazonaws.com

You can also check the resource from the AWS Management Console.
Tape gateway instance.

Details of the EC2 instance acting as a Tape Gateway.

You can see that there are indeed two EBSs attached.

Obtaining Activation Key from Tape Gateway

CloudFormation has completed the creation of the EC2 instance that will serve as the tape gateway itself.
However, the instance is not currently acting as a tape gateway.
According to the official AWS website, you need to obtain an activation key in order for the instance to act as a gateway.

To connect to your gateway, first get the IP address or activation key of your gateway VM. You use the IP address or activation key to activate your gateway…

For gateways deployed and activated on an Amazon EC2 instance, you can get the IP address or activation key from the Amazon EC2 console.

Connecting to Your Gateway

The activation key can be obtained by making an HTTP request to a specific URL of the target instance.

To get an activation key for your gateway, you make a web request to the gateway VM and it returns a redirect that contains the activation key.

Getting an Activation Key for Your Gateway

Now that the points for obtaining an activation key have been organized, we will actually obtain one.
Follow the steps below to obtain an activation key. 1.

  1. Access the client instance.
  2. Make an HTTP request from the client instance to the tape gateway instance to obtain the activation key.

Access to the client instance is through SSM Session Manager.
For details on SSM Session Manager, please refer to the following page.

% aws ssm start-session --target i-0205370d5c210e708 Starting session with SessionId: root-0b4a067cd35e64034 sh-4.2$
Code language: Bash (bash)

The client instance is now accessible.

Referring to the official AWS page, send an HTTP request from the client instance to the tape gateway instance.

sh-4.2$ curl 'http://ip-10-0-2-143.ap-northeast-1.compute.internal/?gatewayType=VTL&activationRegion=ap-northeast-1&vpcEndpoint=vpce-02536f2b50d39f32a-inqvg1ig.storagegateway.ap-northeast-1.vpce.amazonaws.com&no_redirect' Q229E-KD8FM-FFHRR-6IU8I-K0VPU
Code language: Bash (bash)

Response.
‘Q229E-KD8FM-FFHRR-6IU8I-K0VPU’ is the activation key.

Activating Tape Gateway

Now that you have obtained the activation key in the previous section, activate the instance for the tape gateway.
Activation is performed on a local machine that has been granted permissions related to the Storage Gateway.

$ aws storagegateway activate-gateway \ --activation-key Q229E-KD8FM-FFHRR-6IU8I-K0VPU \ --gateway-name soa-02-001 \ --gateway-timezone "GMT+9:00" \ --gateway-region ap-northeast-1 \ --gateway-type VTL \ --tape-drive-type IBM-ULT3580-TD5 \ --medium-changer-type AWS-Gateway-VTL
Code language: Bash (bash)

We will cover the important parameters.
For activation-key, specify the activation key obtained earlier.
For gateway-type, specify “VTL,” meaning tape gateway.
For tape-drive-type and medium-changer-type, specify the default values “IBM-ULT3580-TD5” and “AWS-Gateway-VTL”.

Check the creation status of the tape gateway in the AWS Management Console.

Details of Tape Gateway 1.

The gateway instance has been activated and the tape gateway has been created.

Cache/Upload buffer settings

Configure disk settings for the activated tape gateway instance.
There are two disks that need to be configured to act as a tape gateway: one for the cache and one for the upload buffer.
The target storage itself is an EBS created with CloudFormation and already attached to the instance.

Configure the cache and buffer settings from the AWS Management Console.

Details of Tape Gateway 2.

Click “Configure cache storage”.

Details of Tape Gateway 3.

Specify “Cache” and “Upload buffer” for the two disks respectively.
After specifying, click “Save changes”.

Create Tape

Finally, define a virtual tape to store the data.
In this case, we will create a 100 GiB (107374182400 bytes) tape, which is the minimum configuration, for the purpose of action verification.

Create a tape from the AWS Management Console.
Access the Tapes page.

Details of Tape Gateway 4.

Click “Create tapes”.

Details of Tape Gateway 5.

Select the tape gateway you just created for “Gateway” and set it so that one tape will be created.
For “Pool,” select “Clacier Flexible Retrieval Pool” so that the tapes will be stored in Glacier as usual.

Details of Tape Gateway 6.

Sure enough, one tape has been created.

Operating Virtual Tape

Now that we are ready, we can access the client instance again.

Check the installation status of the packages required to operate the virtual tape.

sh-4.2$ yum list installed | grep mtx mtx.aarch64 1.3.12-14.amzn2.0.2 @amzn2-core sh-4.2$ yum list installed | grep mt-st mt-st.aarch64 1.1-14.amzn2.0.2 @amzn2-core sh-4.2$ yum list installed | grep iscsi iscsi-initiator-utils.aarch64 6.2.0.874-7.amzn2 @amzn2-core iscsi-initiator-utils-iscsiuio.aarch64
Code language: Bash (bash)

It has been successfully installed.
Continue to access the VTL through the tape gateway.
The following steps are to be performed according to the instructions presented in the official AWS

First, start iscsid.

sh-4.2$ sudo systemctl start iscsid sh-4.2$ sudo systemctl status iscsid ● iscsid.service - Open-iSCSI Loaded: loaded (/usr/lib/systemd/system/iscsid.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2022-06-11 02:14:22 UTC; 3s ago Docs: man:iscsid(8) man:iscsiadm(8) Process: 972 ExecStart=/usr/sbin/iscsid (code=exited, status=0/SUCCESS) Main PID: 974 (iscsid) CGroup: /system.slice/iscsid.service ├─973 /usr/sbin/iscsid └─974 /usr/sbin/iscsid Jun 11 02:14:22 ip-10-0-2-11.ap-northeast-1.compute.internal systemd[1]: Starting Open-iSCSI... Jun 11 02:14:22 ip-10-0-2-11.ap-northeast-1.compute.internal iscsid[972]: iSCSI logger with pid=973 started! Jun 11 02:14:22 ip-10-0-2-11.ap-northeast-1.compute.internal systemd[1]: Failed to parse PID from file /var/run/iscsid.pid: Invalid argument Jun 11 02:14:22 ip-10-0-2-11.ap-northeast-1.compute.internal systemd[1]: Started Open-iSCSI. Jun 11 02:14:23 ip-10-0-2-11.ap-northeast-1.compute.internal iscsid[973]: iSCSI daemon with pid=974 started!
Code language: Bash (bash)

It says “active (running)”, so it started successfully.

Next, search for the VTL device target.

sh-4.2$ sudo /sbin/iscsiadm \ --mode discovery \ --type sendtargets \ --portal ip-10-0-2-143.ap-northeast-1.compute.internal:3260 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-09 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-mediachanger 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-08 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-05 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-04 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-07 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-06 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-01 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-03 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-02 10.0.2.143:3260,1 iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-10

Media changer and tape drive detected successfully.

Continue to connect to the media changer and one of the tape drives (tapedrive-01).

sh-4.2$ sudo /sbin/iscsiadm \ --mode node \ --targetname iqn.1997-05.com.amazon:sgw-3c52bb55-mediachanger \ --portal 10.0.2.143:3260,1 \ --login Logging in to [iface: default, target: iqn.1997-05.com.amazon:sgw-3c52bb55-mediachanger, portal: 10.0.2.143,3260] (multiple) Login to [iface: default, target: iqn.1997-05.com.amazon:sgw-3c52bb55-mediachanger, portal: 10.0.2.143,3260] successful. sh-4.2$ sudo /sbin/iscsiadm \ --mode node \ --targetname iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-01 \ --portal 10.0.2.143:3260,1 \ --login Logging in to [iface: default, target: iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-01, portal: 10.0.2.143,3260] (multiple) Login to [iface: default, target: iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-01, portal: 10.0.2.143,3260] successful.
Code language: JavaScript (javascript)

Check the attachment status of the two devices.

sh-4.2$ ls -l /dev/tape/by-path total 0 lrwxrwxrwx 1 root root 9 Jun 11 02:18 ip-10.0.2.143:3260-iscsi-iqn.1997-05.com.amazon:sgw-3c52bb55-mediachanger-lun-0-changer -> ../../sg0 lrwxrwxrwx 1 root root 9 Jun 11 02:19 ip-10.0.2.143:3260-iscsi-iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-01-lun-0 -> ../../st0 lrwxrwxrwx 1 root root 10 Jun 11 02:19 ip-10.0.2.143:3260-iscsi-iqn.1997-05.com.amazon:sgw-3c52bb55-tapedrive-01-lun-0-nst -> ../../nst0
Code language: Bash (bash)

You can see that it is successfully attached.
You can see that it is symbolic to /dev/sg0, /dev/st0, etc.
You can check the device ID with the following command.

sh-4.2$ ls -l /dev/tape/by-id total 0 lrwxrwxrwx 1 root root 9 Jun 11 02:19 scsi-2334335324242353530310000 -> ../../st0 lrwxrwxrwx 1 root root 10 Jun 11 02:19 scsi-2334335324242353530310000-nst -> ../../nst0 lrwxrwxrwx 1 root root 9 Jun 11 02:18 scsi-2414d5a4e5f5347572d334335 -> ../../sg0
Code language: Bash (bash)

From now on, we will operate the media changer.
The media changer is operated with the mtx command.
First, check the status of the media changer itself.

sh-4.2$ sudo mtx -f /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335 inquiry Product Type: Medium Changer Vendor ID: 'AWS ' Product ID: 'Gateway-VTL ' Revision: '0100' Attached Changer API: No
Code language: Bash (bash)

We can see that it is indeed accessible as if it were a physical device.

Next, check the status of the tape drive.

sh-4.2$ sudo mtx -f /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335 status | grep 'Data Transfer Element' Data Transfer Element 0:Empty Data Transfer Element 1:Empty Data Transfer Element 2:Empty Data Transfer Element 3:Empty Data Transfer Element 4:Empty Data Transfer Element 5:Empty Data Transfer Element 6:Empty Data Transfer Element 7:Empty Data Transfer Element 8:Empty Data Transfer Element 9:Empty
Code language: Bash (bash)

You can see that all drives are empty.

Check for unused tapes.

sh-4.2$ sudo mtx -f /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335 status | grep -v Empty Storage Changer /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335:10 Drives, 3200 Slots ( 1600 Import/Export ) Storage Element 1601 IMPORT/EXPORT:Full :VolumeTag=TESTD67E76
Code language: Bash (bash)

You can see that the 1601st tape is unused.
The VolumeTag is “TEST67E76″, which also indicates that this is a tape that was created.

Insert the unused tape into the 0th (tapedrive-01) drive.

sh-4.2$ sudo mtx -f /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335 load 1601 0 Loading media from Storage Element 1601 into drive 0...done
Code language: Bash (bash)

Check the status of the entire drive again.

sh-4.2$ sudo mtx -f /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335 status | grep -v Empty Storage Changer /dev/tape/by-id/scsi-2414d5a4e5f5347572d334335:10 Drives, 3200 Slots ( 1600 Import/Export ) Data Transfer Element 0:Full (Storage Element 1 Loaded):VolumeTag = TESTD67E76
Code language: Bash (bash)

We can see that the 0th drive is indeed “Full” and that the tape we just inserted has been inserted.

Now that the tape has been inserted, the next step is to manipulate the tape.
Access to the tape is done with the mt command.
First, check the current status of the tape. To access the tape, specify the device name of the path that you have just confirmed.
This time, we will access the 0th tape drive (tapedrive-01), so “/dev/st0”.

sh-4.2$ sudo mt -f /dev/st0 status SCSI 2 tape drive: File number=0, block number=0, partition=0. Tape block size 65536 bytes. Density code 0x0 (default). Soft error count since last status=0 General status bits on (41010000): BOT ONLINE IM_REP_EN
Code language: JavaScript (javascript)

Since it is not used, of course nothing is written to it.

Prepare a file for writing.

sh-4.2$ echo 'hogehoge' > /home/ssm-user/test.txt sh-4.2$ cat /home/ssm-user/test.txt hogehoge
Code language: Bash (bash)

Writing/reading data to/from the tape is done with the tar command.
Write the prepared file to the tape.

sh-4.2$ sudo tar -cv --record-size=65536 -f /dev/st0 /home/ssm-user/test.txt tar: Removing leading `/' from member names /home/ssm-user/test.txt
Code language: Bash (bash)

The key to writing is the record-size option. If this is not specified, an error will occur.
The value to be specified is “Tape block size 65536 bytes.
Next, check the files written to the tape.

sh-4.2$ sudo tar -tv --record-size=65536 -f /dev/st0 -rw-r--r-- ssm-user/ssm-user 9 2022-06-11 02:25 home/ssm-user/test.txt
Code language: Bash (bash)

You can see the information of the written file.

Finally, read the data from the tape.

sh-4.2$ sudo tar xvf /dev/nst0 home/ssm-user/test.txt sh-4.2$ cat home/ssm-user/test.txt hogehoge
Code language: Bash (bash)

The data was successfully retrieved.
The virtual tape could be accessed in the same way as operations on physical tapes.

Summary

We have created a tape gateway, which is a type of Storage Gateway.
We have confirmed that you can access the VTL from an EC2 instance through the gateway, and read from and write to the virtual tape in the same way as you do with a physical tape.

タイトルとURLをコピーしました