CSI (Container Storage Interface) drivers are used to integrate external storage solutions with the platform. They provide a standardized way for OpenShift to manage persistent storage across different storage backends. They allow to dynamically provision and manage persistent volumes (PVs), support native storage functions such like snapshots, expansions and cloning and work with various storage backends such like Ceph, NFS, iSCSI, FC, etc. <\/p>\n\n\n\n
The benefit of using iSCSI and NFS<\/strong> in this lab is their familiarity to those experienced with traditional virtualization environments. This makes them especially valuable when showcasing OpenShift Virtualization to those exploring alternatives following the VMware\/Broadcom changes.<\/p>\n\n\n\n Before you jump in, keep these two things in mind:<\/p>\n\n\n\n You\u2019ve been warned!<\/strong> <\/p>\n\n\n\n To provide a clearer picture of my lab setup, let\u2019s start with a simplified environment diagram. All nodes in this setup are fully virtualized<\/strong>, even though, as of writing, Red Hat does not officially support nested virtualization<\/strong>. While it works, it does so without official endorsement.<\/p>\n\n\n\n The environment consists of:<\/p>\n\n\n\n With this setup in place, let\u2019s explore how everything integrates and functions together.<\/p>\n\n\n\n I need to configure VLAN 10<\/strong> on bond1<\/strong> for OpenShift nodes to ensure that storage traffic runs on a dedicated network, just as it would in a real-world scenario, preventing interference between OpenShift workloads and storage traffic. <\/p>\n\n\n\n I assume that bond1<\/strong>, VLAN 10<\/strong>, and the configuration for the enp3s0<\/strong> and enp4s0<\/strong> interfaces are not present on the nodes, allowing me to configure them directly using NodeNetworkConfigurationPolicy<\/em>. Additionally, since VLAN 10<\/strong> lacks a DHCP server, I must assign unique IP addresses to each node manually. The NNCP<\/em> configuration files are as follows:<\/p>\n\n\n\n Once applied I verified if it was successful (spoiler warning: it was successful \ud83d\ude09 )<\/p>\n\n\n\n At this stage my OpenShift cluster is ready from the network configuration perspective so I can move to TrueNAS installation and configuration.<\/p>\n\n\n\n Installation of TrueNAS CORE is described in detail in the relevant documentation available here: https:\/\/www.truenas.com\/docs\/core\/13.3\/gettingstarted\/install\/<\/a>. Just please note that for the sake of saving resources I’ve configured only single disk for data which is suboptimal configuration from the data redundancy point of view. TrueNAS will warn you about it during pool configuration process.<\/p>\n\n\n\n I have downloaded the ISO file with TrueNAS installator from https:\/\/www.truenas.com\/download-truenas-core\/<\/a> and saved it in \/var\/lib\/libvirt\/images\/ folder on my host system where all virtual machines are running.<\/p>\n\n\n\n I have created VM for TrueNAS using the following command. Please note that some of the parameters have to be modified accordingly to your environment, especially paths to qcow2 files, iso file and network configuration which in my case is based on OpenVSwitch.<\/p>\n\n\n\n Once created the VM should boot up and enter the installator – at this stage it can be only accessed through the VM console:<\/p>\n\n\n\n The installation process is pretty straightforward, just ensure the system is installed on the smaller disk as bellow since the big one will remain for data:<\/p>\n\n\n\n Since my MachineNetwork<\/em> has DHCP configured to provide IP configuration, it was automatically picked up by TrueNAS:<\/p>\n\n\n\n With that IP address I could immediately access TrueNAS CORE WebUI using credentials configured during installation:<\/p>\n\n\n\n Once I got TrueNAS CORE up and running I need to configure it further:<\/p>\n\n\n\n This is not really necessary as I could use MachineNetwork for storage configuration, however I do believe it is more realistic approach to get the dedicated network for this purpose. For that reason I need to configure TrueNAS to tag VLAN 10 over em1 interface. To do so I have to:<\/p>\n\n\n\n In TrueNAS, storage pools are groups of physical disks combined into a single logical storage unit using ZFS. They provide redundancy, performance, and scalability by distributing data across multiple drives. In my case I have single drive only but the pool is still necessary to be created.<\/p>\n\n\n\n iSCSI (Internet Small Computer Systems Interface) is a block-level storage protocol<\/strong> that allows clients (initiators) to connect to storage devices (targets) over a network. On the other hand NFS (Network File System) is a file-level storage protocol<\/strong> that allows multiple clients to access shared files over a network. Among these two TrueNAS CORE can also support Apple Filing Protocol (AFP), Web-based Distributed Authoring and Versioning (WebDAV) and Server Message Block (SMB) but they’re out of the scope for this exercise. <\/p>\n\n\n\n No specific NFS configuration is needed on the TrueNAS CORE side\u2014it just needs to be enabled. The CSI drivers will automatically create DataSets as required, following the settings defined in the freenas-nfs.yaml configuration file mentioned later in this post. Below is a screenshot showing the openshift storage pool along with the nfs-vols and vols DataSets, which were created automatically during storage usage:<\/p>\n\n\n\n Democratic-csi drivers needs both SSH and API access<\/strong> to manage storage resources provided by TrueNAS CORE. This probably isn’t the most elegant solution but for demo purposes it just works. Just as a side note, TrueNAS SCALE which is more modern version of TrueNAS CORE can be managed only using API, without a need to configure SSH access.<\/p>\n\n\n\n So I can configure SSH access either with login\/password<\/strong> or login\/ssh-key<\/strong>, the second is more appealing to me so I will generate new SSH key pair just for that purpose:<\/p>\n\n\n\n I paste content of the public key (in my case stored as .ssh\/ocp-truenas-csi.pub) to TrueNAS CORE root user by edditing it in Accounts > Users > root<\/strong>:<\/p>\n\n\n\n and confirming whether it work properly, just to safe some troubleshooting time later:<\/p>\n\n\n\n To obtain API key<\/strong> from TrueNAS CORE to configure it with democratic-csi drivers I have to go to Settings<\/strong> by clicking the cog icon in the upper right screen corner<\/strong>, then selecting API Keys<\/strong> from the menu, pressing ADD<\/strong> and providing the name for the key. Please note that the key will be shown only once and I won’t be able to retrieve it again, so it is better to save it in safe place for the future use when configuring CSI drivers.<\/p>\n\n\n\n In order to make OpenShift being able to automatically provision and manage storage resources from TrueNAS I need to install and configure CSI drivers. Fortunately it is quite easy as they’re provided as Helm Charts available from https:\/\/democratic-csi.github.io\/charts\/<\/a>. Following instructions I have added them and upgraded my Helm repository:<\/p>\n\n\n\n To install the driver, I need to provide configuration files tailored to my environment. Fortunately, the Helm charts include several example files, available here: https:\/\/github.com\/democratic-csi\/charts\/tree\/master\/stable\/democratic-csi\/examples<\/a>. In my case, the most relevant example is freenas-iscsi.yaml<\/a><\/strong>. However, it’s important to note that the driver:<\/em><\/strong> section in this file is just a placeholder and lacks the necessary details for proper configuration.<\/p>\n\n\n\n To get the full set of options, I need to refer to the democratic-csi repository:<\/strong> https:\/\/github.com\/democratic-csi\/democratic-csi\/tree\/master\/examples<\/a>, where another freenas-iscsi.yaml<\/a><\/strong> file contains the required settings.<\/p>\n\n\n\n This part can be a bit confusing because the final configuration requires merging the contents of the second file into the driver:<\/em> section of the first one<\/strong> to ensure everything is set up correctly. For my environment the following freenas-iscsi.yaml values file has been used:<\/p>\n\n\n\n For detailed information on specific options, please refer to the example configuration files, which contain comments with explanations.<\/p>\n\n\n\n Now since I have all necessary bits I can run helm install to get democratic-csi drivers installed and configured to manage my TrueNAS CORE storage backend:<\/p>\n\n\n\n Just to verify that all containers are up and running and I got expected StorageClass<\/em> and VolumeSnapshotClass<\/em> created:<\/p>\n\n\n\nImportant Considerations<\/h3>\n\n\n\n
\n
Understanding my setup – a simplified(?) environment diagram<\/h3>\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Untitled-2025-03-05-1206-1024x879.png\")
<\/figure>\n\n\n\n\n
\n
\n
\n
\n
\n
\n
OpenShift Cluster – storage network configuration<\/h2>\n\n\n\n
\n
apiVersion: nmstate.io\/v1\nkind: NodeNetworkConfigurationPolicy\nmetadata:\n name: master-0-bond1-vlan10\n<\/strong>spec:\n nodeSelector:\n kubernetes.io\/hostname: \"master-0\"\n<\/strong> desiredState:\n interfaces:\n - name: bond1\n type: bond\n state: up\n link-aggregation:\n mode: active-backup\n options:\n primary: enp3s0\n port:\n - enp3s0\n - enp4s0\n ipv4:\n dhcp: false\n enabled: false\n - name: bond1.10\n type: vlan\n state: up\n vlan:\n base-iface: bond1\n id: 10\n ipv4:\n dhcp: false\n enabled: true\n address:\n - ip: 10.0.0.100\n<\/strong> prefix-length: 24<\/code><\/pre>\n\n\n\n\n
apiVersion: nmstate.io\/v1\nkind: NodeNetworkConfigurationPolicy\nmetadata:\n name: master-1-bond1-vlan10\n<\/strong>spec:\n nodeSelector:\n kubernetes.io\/hostname: \"master-1\"\n<\/strong> desiredState:\n interfaces:\n - name: bond1\n type: bond\n state: up\n link-aggregation:\n mode: active-backup\n options:\n primary: enp3s0\n port:\n - enp3s0\n - enp4s0\n ipv4:\n dhcp: false\n enabled: false\n - name: bond1.10\n type: vlan\n state: up\n vlan:\n base-iface: bond1\n id: 10\n ipv4:\n dhcp: false\n enabled: true\n address:\n - ip: 10.0.0.101\n<\/strong> prefix-length: 24<\/code><\/pre>\n\n\n\n\n
apiVersion: nmstate.io\/v1\nkind: NodeNetworkConfigurationPolicy\nmetadata:\n name: master-2-bond1-vlan10\n<\/strong>spec:\n nodeSelector:\n kubernetes.io\/hostname: \"master-2\"\n<\/strong> desiredState:\n interfaces:\n - name: bond1\n type: bond\n state: up\n link-aggregation:\n mode: active-backup\n options:\n primary: enp3s0\n port:\n - enp3s0\n - enp4s0\n ipv4:\n dhcp: false\n enabled: false\n - name: bond1.10\n type: vlan\n state: up\n vlan:\n base-iface: bond1\n id: 10\n ipv4:\n dhcp: false\n enabled: true\n address:\n - ip: 10.0.0.102\n<\/strong> prefix-length: 24<\/code><\/pre>\n\n\n\n# oc get nnce\nNAME STATUS STATUS AGE REASON\nmaster-0.master-0-bond1-vlan10 Available 20s SuccessfullyConfigured\nmaster-1.master-1-bond1-vlan10 Available 20s SuccessfullyConfigured\nmaster-2.master-2-bond1-vlan10 Available 20s SuccessfullyConfigured\n\n\n# oc debug node\/master-0\nTemporary namespace openshift-debug-28lnr is created for debugging node...\nStarting pod\/master-0-debug-s6v8z ...\nTo use host binaries, run `chroot \/host`\nPod IP: 192.168.232.100\nIf you don't see a command prompt, try pressing enter.\n\n\nsh-5.1# ip -o link | grep bond1 ; ip -o addr | grep bond1.10\n4: enp3s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1450 qdisc fq_codel master bond1 state UP mode DEFAULT group default qlen 1000\\ link\/ether 52:54:00:c8:cb:00 brd ff:ff:ff:ff:ff:ff\n5: enp4s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1450 qdisc fq_codel master bond1 state UP mode DEFAULT group default qlen 1000\\ link\/ether 52:54:00:c8:cb:00 brd ff:ff:ff:ff:ff:ff permaddr 52:54:00:f7:27:97\n544: bond1: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\ link\/ether 52:54:00:c8:cb:00 brd ff:ff:ff:ff:ff:ff\n545: bond1.10@bond1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\ link\/ether 52:54:00:c8:cb:00 brd ff:ff:ff:ff:ff:ff\n545: bond1.10 inet 10.0.0.100\/24 brd 10.0.0.255 scope global noprefixroute bond1.10\\ valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\nTrueNAS CORE installation and configuration<\/h2>\n\n\n\n
Getting ISO file with TrueNAS CORE installator<\/h3>\n\n\n\n
Creating virtual machine and installing TrueNAS CORE<\/h3>\n\n\n\n
# virt-install --name truenas \\\n --vcpus 2 \\\n --memory 8192 \\\n --memorybacking hugepages=on \\\n --disk size=16,bus=scsi,path=\/home\/VirtualMachines\/truenas.qcow2 \\\n --disk size=256,bus=scsi,path=\/home\/VirtualMachines\/truenas-data-0.qcow2 \\\n --cdrom \/var\/lib\/libvirt\/images\/TrueNAS-13.3-U1.1.iso \\\n --network model=e1000,bridge=br-ovs-frontend,virtualport_type=openvswitch \\\n --network model=e1000,bridge=br-ovs-ctlplane,virtualport_type=openvswitch \\\n --os-variant freebsd13.1 \\\n --sound none \\\n --import \\\n --boot=hd,cdrom,network,menu=on \\\n --noreboot \\\n --noautoconsole<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-13.31.01-1024x860.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-13.32.02-1024x860.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-14.18.04-1024x860.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-14.23.36-1024x874.png\")
<\/figure>\n\n\n\nTrueNAS CORE post installation configuration<\/h3>\n\n\n\n
\n
Storage VLAN configuration<\/h4>\n\n\n\n
\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-06-at-13.32.06-1024x687.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-06-at-13.33.35-1024x686.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-06-at-13.34.43-1024x686.png\")
<\/figure>\n\n\n\n\n
# oc debug node\/master-1<\/strong>\nTemporary namespace openshift-debug-xp5rn is created for debugging node...\nStarting pod\/master-1-debug-rrp4r ...\nTo use host binaries, run `chroot \/host`\nwarning: Container container-00 is unable to start due to an error: Back-off pulling image \"quay.io\/openshift-release-dev\/ocp-v4.0-art-dev@sha256:6ab858aed98e4fe57e6b144da8e90ad5d6698bb4cc5521206f5c05809f0f9296\"\nPod IP: 192.168.232.101\nIf you don't see a command prompt, try pressing enter.\n\n\nsh-5.1# ping -c 4 10.0.0.254<\/strong>\nPING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.\n64 bytes from 10.0.0.254: icmp_seq=1 ttl=64 time=10.3 ms\n64 bytes from 10.0.0.254: icmp_seq=2 ttl=64 time=1.86 ms\n64 bytes from 10.0.0.254: icmp_seq=3 ttl=64 time=9.98 ms\n64 bytes from 10.0.0.254: icmp_seq=4 ttl=64 time=0.450 ms\n\n--- 10.0.0.254 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3006ms\nrtt min\/avg\/max\/mdev = 0.450\/5.643\/10.277\/4.515 ms<\/code><\/pre>\n\n\n\nStorage pool configuration<\/h4>\n\n\n\n
\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-14.26.05-1024x726.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-14.29.05-1024x715.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-14.39.45-1024x717.png\")
<\/figure>\n\n\n\nConfiguring iSCSI and NFS services on TrueNAS CORE<\/h4>\n\n\n\n
\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-05-at-14.40.27-1024x866.png\")
<\/figure>\n\n\n\niSCSI configuration<\/h4>\n\n\n\n
\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/image-1024x719.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/image-1-1024x719.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/image-2-1024x714.png\")
<\/figure>\n\n\n\nNFS configuration<\/h4>\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/image-6-1024x717.png\")
<\/figure>\n\n\n\nSSH access<\/h4>\n\n\n\n
# ssh-keygen -f .ssh\/ocp-truenas-csi\n<\/strong>Generating public\/private rsa key pair.\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in .ssh\/ocp-truenas-csi\nYour public key has been saved in .ssh\/ocp-truenas-csi.pub\nThe key fingerprint is:\nSHA256:xyz rafal@zyx\nThe key's randomart image is:\n+---[RSA 3072]----+\n| -.-||-.- |\n+----[SHA256]-----+<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/image-3-1024x719.png\")
<\/figure>\n\n\n\n# ssh -i .ssh\/ocp-truenas-csi root@192.168.232.120\n<\/strong>FreeBSD 13.3-RELEASE-p4 n257491-41f6a830f8e TRUENAS\n\n TrueNAS (c) 2009-2025, iXsystems, Inc.\n All rights reserved.\n TrueNAS code is released under the modified BSD license with some\n files copyrighted by (c) iXsystems, Inc.\n\n For more information, documentation, help or support, go here:\n http://truenas.com\nWelcome to TrueNAS<\/code><\/pre>\n\n\n\nAPI access<\/h4>\n\n\n\n
![\"\"](\"https:\/\/blog.openshift.one\/wp-content\/uploads\/2025\/03\/image-5-1024x623.png\")
<\/figure>\n\n\n\nOpenShift CSI driver installation and configuration<\/h2>\n\n\n\n
# helm repo add democratic-csi https:\/\/democratic-csi.github.io\/charts\/\n\"democratic-csi\" has been added to your repositories\n\n# helm repo update\nHang tight while we grab the latest from your chart repositories...\n...Successfully got an update from the \"democratic-csi\" chart repository\nUpdate Complete. \u2388Happy Helming!\u2388\n<\/code><\/pre>\n\n\n\niSCSI<\/h3>\n\n\n\n
csiDriver:\n name: \"org.democratic-csi.iscsi\"\n\nstorageClasses:\n - name: freenas-iscsi-csi\n defaultClass: true\n reclaimPolicy: Delete\n volumeBindingMode: Immediate\n allowVolumeExpansion: true\n parameters:\n fsType: xfs\n mountOptions: []\n secrets:\n provisioner-secret:\n controller-publish-secret:\n node-stage-secret:\n node-publish-secret:\n controller-expand-secret:\n\nvolumeSnapshotClasses:\n - name: freenas-iscsi-csi\n parameters:\n secrets:\n snapshotter-secret:\n\ndriver:\n config:\n driver: freenas-iscsi\n instance_id:\n httpConnection:\n protocol: http\n host: 10.0.0.254\n port: 80\n apiKey: \"1-d ***SNIP*** aS2\"\n allowInsecure: true\n sshConnection:\n host: 10.0.0.254\n port: 22\n username: root\n # use either password or key\n password: \"\"\n privateKey: |\n -----BEGIN OPENSSH PRIVATE KEY-----\n bAABBCCDDEEFFGGGHHIIJJKKLLMMNNOOPPQQQQRRRRSSSTTTUUVVXXXYYZZZZZZZZn\n *** SNIP ***\n qAABBCCDDEEFFGGGHHIIJJKKLLMMNNOOPPQQQQRRRRSSSTTTUUVVXXXYYZZZZZZZZ=\n -----END OPENSSH PRIVATE KEY-----\n zfs:\n datasetParentName: openshift\/vols\n detachedSnapshotsDatasetParentName: openshift\/snaps\n zvolCompression:\n zvolDedup:\n zvolEnableReservation: false\n zvolBlocksize:\n iscsi:\n targetPortal: \"10.0.0.254:3260\"\n targetPortals: []\n interface:\n namePrefix: csi-\n nameSuffix: \"-clustera\"\n\n targetGroups:\n - targetGroupPortalGroup: 1\n targetGroupInitiatorGroup: 1\n targetGroupAuthType: None\n targetGroupAuthGroup:\n\n extentInsecureTpc: true\n extentXenCompat: false\n extentDisablePhysicalBlocksize: true\n extentBlocksize: 512\n extentRpm: \"SSD\"\n extentAvailThreshold: 0\n\ncontroller:\n hostNetwork: true\n enabled: true\n rbac:\n enabled: true\n openshift:\n # set to true if running on openshift *and* you have need\n # ie: hostNetwork, hostIPC, etc are turned on\n privileged: true\n\nnode:\n hostNetwork: true\n driver:\n localtimeHostPath: false\n rbac:\n enabled: true\n openshift:\n # set to true if running on openshift\n privileged: true<\/code><\/pre>\n\n\n\n# helm upgrade --install --values freenas-iscsi.yaml --create-namespace --namespace democratic-csi zfs-iscsi democratic-csi\/democratic-csi\nRelease \"zfs-iscsi\" does not exist. Installing it now.\nNAME: zfs-iscsi\nNAMESPACE: democratic-csi\nSTATUS: deployed\nREVISION: 1\nTEST SUITE: None<\/code><\/pre>\n\n\n\n