| iSCSI SCST target driver |
| ======================== |
| |
| ISCSI-SCST is a deeply reworked fork of iSCSI Enterprise Target (IET) |
| (http://iscsitarget.sourceforge.net). The reasons for the fork were: |
| |
| - To be able to use the full power of the SCST core. |
| |
| - To fix all the problems, corner case issues and iSCSI standard |
| violations which IET has. |
| |
| For more info see http://iscsi-scst.sourceforge.net. |
| |
| Usage |
| ----- |
| |
| See http://iscsi-scst.sourceforge.net/iscsi-scst-howto.txt for how to |
| configure iSCSI-SCST. |
| |
| If you want to use Intel CRC32 offload and have the corresponding |
| hardware, you should load the crc32c-intel module. iSCSI-SCST will then |
| do all digest calculations using this facility. |
| |
| In 2.0.0 the use of iscsi-scstd.conf as well as of the iscsi-scst-adm |
| utility is obsolete. Use the sysfs interface facilities instead. |
| |
| The flow of iSCSI-SCST initialization should be as follows: |
| |
| 1. Load the SCST and iSCSI-SCST kernel modules with the necessary module |
| parameters, if needed. |
| |
| 2. Start the iSCSI-SCST service. |
| |
| 3. Configure targets, devices, LUNs, etc. either using scstadmin |
| (recommended), or using the sysfs interface directly as described below. |
| |
| It is recommended to use the TEST UNIT READY ("tur") command to check |
| whether the iSCSI-SCST target is alive in MPIO configurations. |
| |
| Also see the SCST README file for how to tune for the best performance. |
| |
| CAUTION: Working of target and initiator on the same host isn't fully |
| ======= supported. See SCST README file for details. |
| |
| |
| Sysfs interface |
| --------------- |
| |
| The root of the SCST sysfs interface is /sys/kernel/scst_tgt. The root |
| of iSCSI-SCST is /sys/kernel/scst_tgt/targets/iscsi. It has the |
| following entries: |
| |
| - None, one or more subdirectories for targets, with names equal to the |
| names of the corresponding targets. |
| |
| - IncomingUser[num] - one or more optional attributes containing user |
| name and password for incoming discovery user name. Do not exist by |
| default and can be added through the "mgmt" entry, see below. |
| |
| - OutgoingUser - optional attribute containing user name and password |
| for outgoing discovery user name. Does not exist by default and can be |
| added through the "mgmt" entry, see below. |
| |
| - iSNSServer - contains the name or IP address of the iSNS server with |
| an optional "AccessControl" attribute, which enables iSNS access |
| control. Empty by default. |
| |
| - allowed_portal[num] - optional attribute, which specifies on which |
| portals (target's IP addresses) this target will be available. If not |
| specified (default), the target will be available on all portals. |
| As soon as at least one allowed_portal is specified, the target will |
| be accessible for initiators only on the specified portals. There can |
| be any number of allowed_portal attributes. The portal specification |
| in an allowed_portal attribute can be a simple DOS-type pattern |
| containing '*' and '?' symbols. '*' matches any sequence of symbols, |
| '?' matches any single symbol. For instance, "10.170.77.2" will match |
| "10.170.7?.*". Additionally, you can use the negation sign '!' to |
| invert the value of the pattern. For instance, "10.170.67.2" will |
| match "!10.170.7?.*". See examples below. |
| |
| - enabled - using this attribute you can enable or disable acceptance |
| of new connections by iSCSI-SCST. It allows you to finish configuring |
| global iSCSI-SCST attributes before it starts accepting new |
| connections. 0 by default. |
| |
| - open_state - read-only attribute, which shows whether the user |
| space part of iSCSI-SCST is connected to the kernel part. |
| |
| - per_portal_acl - if set, makes iSCSI-SCST work in the per-portal |
| access control mode. In this mode iSCSI-SCST registers all initiators |
| in SCST core using the "initiator_name#portal_IP_address" pattern, like |
| "iqn.2006-10.net.vlnb:ini#10.170.77.2" for initiator |
| iqn.2006-10.net.vlnb connected through portal 10.170.77.2. This mode |
| allows you to restrict particular initiators to particular portals on |
| the target, so that they neither see nor can connect through the |
| others. See below for more details. |
| |
| - trace_level - allows you to enable and disable various tracing |
| facilities. See the content of this file for help on how to use it. |
| |
| - version - read-only attribute, which shows the version of |
| iSCSI-SCST and the enabled optional features. |
| |
| - mgmt - main management entry, which allows you to configure |
| iSCSI-SCST. Namely, add/delete targets as well as add/delete optional |
| global and per-target attributes. See the content of this file for |
| help on how to use it. |
| |
| Each iSCSI-SCST sysfs file (attribute) can contain the mark "[key]" in |
| its last line. It is an automatically added mark that lets scstadmin see |
| which attributes it should save in the config file. You can ignore it. |
| |
| Each target subdirectory contains the following entries: |
| |
| - ini_groups - subdirectory defining initiator groups for this target, |
| used to define per-initiator access control. See SCST core README for |
| more details. |
| |
| - luns - subdirectory defining LUNs of this target. See SCST core |
| README for more details. |
| |
| - sessions - subdirectory containing the sessions connected to this |
| target. |
| |
| - IncomingUser[num] - one or more optional attributes containing user |
| name and password for incoming user name. Do not exist by default and |
| can be added through the "mgmt" entry, see above. |
| |
| - OutgoingUser - optional attribute containing user name and password |
| for outgoing user name. Does not exist by default and can be added |
| through the "mgmt" entry, see above. |
| |
| - Entries defining default iSCSI parameter values used during iSCSI |
| parameter negotiation. Only entries which can be changed or make |
| sense are listed there. |
| |
| - QueuedCommands - defines maximum number of commands queued to any |
| session of this target. Default is 32 commands. |
| |
| - NopInInterval - defines interval between NOP-In requests, which the |
| target will send on idle connections to check if the initiator is |
| still alive. If there is no NOP-Out reply from the initiator in |
| NopInTimeout seconds, the corresponding connection will be closed. Default |
| is 30 seconds. If it's set to 0, then NOP-In requests are disabled. |
| |
| - NopInTimeout - defines the maximum time in seconds a NOP-In request |
| can wait for response from initiator, otherwise the corresponding |
| connection will be closed. Default is 30 seconds. |
| |
| - RspTimeout - defines the maximum time in seconds a command can wait for |
| response from initiator, otherwise the corresponding connection will |
| be closed. Default is 90 seconds. |
| |
| - enabled - using this attribute you can enable or disable acceptance |
| of new connections to this target. It allows you to finish |
| configuring it before it starts accepting new connections. 0 by |
| default. |
| |
| - redirect - allows you to temporarily or permanently redirect login to |
| the target to another portal. Discovery sessions will not be impacted, |
| but normal sessions will be redirected before security negotiation. |
| The destination should be specified using the format |
| "<ip_addr>[:port] temp|perm". IPv6 addresses need to be enclosed in [] |
| brackets. To remove redirection, provide an empty string. For example: |
| echo "10.170.77.2:32600 temp" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/redirect |
| will temporarily redirect login to portal 10.170.77.2 and port 32600. |
| |
| - tid - TID of this target. |
| |
| Subdirectory "sessions" contains one subdirectory for each connected |
| session with name equal to name of the connected initiator. |
| |
| Each session subdirectory contains the following entries: |
| |
| - One subdirectory for each TCP connection in this session. ISCSI-SCST |
| supports 1 connection per session, but the session subdirectory can |
| contain several connections: one active and others being closed. |
| |
| - Entries defining negotiated iSCSI parameters. Only parameters which |
| can be changed or make sense are listed there. |
| |
| - initiator_name - contains initiator name |
| |
| - sid - contains SID of this session |
| |
| - reinstating - contains reinstatement state of this session |
| |
| - force_close - write-only attribute, which allows you to force close |
| this session. This is the only writable session attribute. |
| |
| - active_commands - contains the number of active SCSI commands in this |
| session, i.e. commands not yet executed or currently being executed. |
| |
| - commands - contains overall number of SCSI commands in this session. |
| |
| - thread_pid - Process IDs (PIDs) of the iscsi{wr,rd} kernel threads that |
| process the SCSI commands for this session. |
| |
| Each connection subdirectory contains the following entries: |
| |
| - cid - contains CID of this connection. |
| |
| - ip - contains IP address of the connected initiator. |
| |
| - state - contains processing state of this connection. |
| |
| Each initiator group subdirectory contains: |
| |
| - per_sess_dedicated_tgt_threads - if set, each iSCSI session has |
| dedicated, i.e. not shared with other sessions, pool of the |
| iscsi{wr,rd} kernel threads. Useful to control per-session CPU |
| affinity to improve performance. Default: not set. |
| |
| See SCST README for info about other attributes. |
| |
| Below is a sample script, which configures 1 virtual disk "disk1" using |
| /disk1 image and one target iqn.2006-10.net.vlnb:tgt with all default |
| parameters: |
| |
| #!/bin/bash |
| |
| modprobe scst |
| modprobe scst_vdisk |
| |
| echo "add_device disk1 filename=/disk1; nv_cache=1" >/sys/kernel/scst_tgt/handlers/vdisk_fileio/mgmt |
| |
| service iscsi-scst start |
| |
| echo "add_target iqn.2006-10.net.vlnb:tgt" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "add disk1 0" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/mgmt |
| |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/enabled |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/enabled |
| |
| Below is another sample script, which configures 1 real local SCSI disk |
| 0:0:1:0 and one target iqn.2006-10.net.vlnb:tgt with all default parameters: |
| |
| #!/bin/bash |
| |
| modprobe scst |
| modprobe scst_disk |
| |
| echo "add_device 0:0:1:0" >/sys/kernel/scst_tgt/handlers/dev_disk/mgmt |
| |
| service iscsi-scst start |
| |
| echo "add_target iqn.2006-10.net.vlnb:tgt" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "add 0:0:1:0 0" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/mgmt |
| |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/enabled |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/enabled |
| |
| Below is an advanced sample script, which configures more virtual |
| devices of various types, including a virtual CDROM, and 2 targets: one |
| with all default parameters, another one with some non-default |
| parameters, incoming and outgoing user names for CHAP authentication, |
| and special permissions for initiator iqn.2005-03.org.open-iscsi:cacdcd2520, |
| which will see another set of devices. This sample also configures CHAP |
| authentication for discovery sessions and an iSNS server with access |
| control. |
| |
| #!/bin/bash |
| |
| modprobe scst |
| modprobe scst_vdisk |
| |
| echo "add_device disk1 filename=/disk1; nv_cache=1" >/sys/kernel/scst_tgt/handlers/vdisk_fileio/mgmt |
| echo "add_device disk2 filename=/disk2; blocksize=4096; nv_cache=1" >/sys/kernel/scst_tgt/handlers/vdisk_fileio/mgmt |
| echo "add_device blockio filename=/dev/sda5" >/sys/kernel/scst_tgt/handlers/vdisk_blockio/mgmt |
| echo "add_device nullio" >/sys/kernel/scst_tgt/handlers/vdisk_nullio/mgmt |
| echo "add_device cdrom" >/sys/kernel/scst_tgt/handlers/vcdrom/mgmt |
| |
| service iscsi-scst start |
| |
| echo "192.168.1.16 AccessControl" >/sys/kernel/scst_tgt/targets/iscsi/iSNSServer |
| echo "add_attribute IncomingUser joeD 12charsecret" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "add_attribute OutgoingUser jackD 12charsecret1" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| |
| echo "add_target iqn.2006-10.net.vlnb:tgt" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| |
| echo "add disk1 0" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/mgmt |
| echo "add cdrom 1" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/mgmt |
| |
| echo "add_target iqn.2006-10.net.vlnb:tgt1" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "add_target_attribute iqn.2006-10.net.vlnb:tgt1 IncomingUser1 joe2 12charsecret2" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "add_target_attribute iqn.2006-10.net.vlnb:tgt1 IncomingUser joe 12charsecret" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "add_target_attribute iqn.2006-10.net.vlnb:tgt1 OutgoingUser jim1 12charpasswd" >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo "No" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/InitialR2T |
| echo "Yes" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/ImmediateData |
| echo "8192" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/MaxRecvDataSegmentLength |
| echo "8192" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/MaxXmitDataSegmentLength |
| echo "131072" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/MaxBurstLength |
| echo "32768" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/FirstBurstLength |
| echo "1" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/MaxOutstandingR2T |
| echo "CRC32C,None" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/HeaderDigest |
| echo "CRC32C,None" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/DataDigest |
| echo "32" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/QueuedCommands |
| |
| echo "add disk2 0" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/luns/mgmt |
| echo "add nullio 26" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/luns/mgmt |
| |
| echo "create special_ini" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/ini_groups/mgmt |
| echo "add blockio 0 read_only=1" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/ini_groups/special_ini/luns/mgmt |
| echo "add iqn.2005-03.org.open-iscsi:cacdcd2520" >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/ini_groups/special_ini/initiators/mgmt |
| |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/enabled |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt1/enabled |
| |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/enabled |
| |
| The resulting overall SCST sysfs hierarchy with an initiator connected to |
| both iSCSI-SCST targets will look like: |
| |
| /sys/kernel/scst_tgt |
| |-- devices |
| | |-- blockio |
| | | |-- blocksize |
| | | |-- exported |
| | | | `-- export0 -> ../../../targets/iscsi/iqn.2006-10.net.vlnb:tgt1/ini_groups/special_ini/luns/0 |
| | | |-- filename |
| | | |-- handler -> ../../handlers/vdisk_blockio |
| | | |-- nv_cache |
| | | |-- read_only |
| | | |-- removable |
| | | |-- resync_size |
| | | |-- size_mb |
| | | |-- t10_dev_id |
| | | |-- threads_num |
| | | |-- threads_pool_type |
| | | |-- type |
| | | `-- usn |
| | |-- cdrom |
| | | |-- exported |
| | | | `-- export0 -> ../../../targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/1 |
| | | |-- filename |
| | | |-- handler -> ../../handlers/vcdrom |
| | | |-- size_mb |
| | | |-- t10_dev_id |
| | | |-- threads_num |
| | | |-- threads_pool_type |
| | | |-- type |
| | | `-- usn |
| | |-- disk1 |
| | | |-- blocksize |
| | | |-- exported |
| | | | `-- export0 -> ../../../targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/0 |
| | | |-- filename |
| | | |-- handler -> ../../handlers/vdisk_fileio |
| | | |-- nv_cache |
| | | |-- o_direct |
| | | |-- read_only |
| | | |-- removable |
| | | |-- resync_size |
| | | |-- size_mb |
| | | |-- t10_dev_id |
| | | |-- type |
| | | |-- usn |
| | | `-- write_through |
| | |-- disk2 |
| | | |-- blocksize |
| | | |-- exported |
| | | | `-- export0 -> ../../../targets/iscsi/iqn.2006-10.net.vlnb:tgt1/luns/0 |
| | | |-- filename |
| | | |-- handler -> ../../handlers/vdisk_fileio |
| | | |-- nv_cache |
| | | |-- o_direct |
| | | |-- read_only |
| | | |-- removable |
| | | |-- resync_size |
| | | |-- size_mb |
| | | |-- t10_dev_id |
| | | |-- threads_num |
| | | |-- threads_pool_type |
| | | |-- threads_num |
| | | |-- threads_pool_type |
| | | |-- type |
| | | |-- usn |
| | | `-- write_through |
| | `-- nullio |
| | |-- blocksize |
| | |-- exported |
| | | `-- export0 -> ../../../targets/iscsi/iqn.2006-10.net.vlnb:tgt1/luns/26 |
| | |-- handler -> ../../handlers/vdisk_nullio |
| | |-- read_only |
| | |-- removable |
| | |-- size_mb |
| | |-- t10_dev_id |
| | |-- threads_num |
| | |-- threads_pool_type |
| | |-- type |
| | `-- usn |
| |-- handlers |
| | |-- vcdrom |
| | | |-- cdrom -> ../../devices/cdrom |
| | | |-- mgmt |
| | | |-- trace_level |
| | | `-- type |
| | |-- vdisk_blockio |
| | | |-- blockio -> ../../devices/blockio |
| | | |-- mgmt |
| | | |-- trace_level |
| | | `-- type |
| | |-- vdisk_fileio |
| | | |-- disk1 -> ../../devices/disk1 |
| | | |-- disk2 -> ../../devices/disk2 |
| | | |-- mgmt |
| | | |-- trace_level |
| | | `-- type |
| | `-- vdisk_nullio |
| | |-- mgmt |
| | |-- nullio -> ../../devices/nullio |
| | |-- trace_level |
| | `-- type |
| |-- sgv |
| | |-- global_stats |
| | |-- sgv |
| | | `-- stats |
| | |-- sgv-clust |
| | | `-- stats |
| | `-- sgv-dma |
| | `-- stats |
| |-- targets |
| | `-- iscsi |
| | |-- IncomingUser |
| | |-- OutgoingUser |
| | |-- enabled |
| | |-- iSNSServer |
| | |-- iqn.2006-10.net.vlnb:tgt |
| | | |-- DataDigest |
| | | |-- FirstBurstLength |
| | | |-- HeaderDigest |
| | | |-- ImmediateData |
| | | |-- InitialR2T |
| | | |-- MaxBurstLength |
| | | |-- MaxOutstandingR2T |
| | | |-- MaxRecvDataSegmentLength |
| | | |-- MaxXmitDataSegmentLength |
| | | |-- NopInInterval |
| | | |-- QueuedCommands |
| | | |-- RspTimeout |
| | | |-- enabled |
| | | |-- ini_groups |
| | | | `-- mgmt |
| | | |-- luns |
| | | | |-- 0 |
| | | | | |-- device -> ../../../../../devices/disk1 |
| | | | | `-- read_only |
| | | | |-- 1 |
| | | | | |-- device -> ../../../../../devices/cdrom |
| | | | | `-- read_only |
| | | | `-- mgmt |
| | | |-- per_portal_acl |
| | | |-- redirect |
| | | |-- rel_tgt_id |
| | | |-- sessions |
| | | | `-- iqn.2005-03.org.open-iscsi:cacdcd2520 |
| | | | |-- 10.170.75.2 |
| | | | | |-- cid |
| | | | | |-- ip |
| | | | | `-- state |
| | | | |-- DataDigest |
| | | | |-- FirstBurstLength |
| | | | |-- HeaderDigest |
| | | | |-- ImmediateData |
| | | | |-- InitialR2T |
| | | | |-- MaxBurstLength |
| | | | |-- MaxOutstandingR2T |
| | | | |-- MaxRecvDataSegmentLength |
| | | | |-- MaxXmitDataSegmentLength |
| | | | |-- active_commands |
| | | | |-- commands |
| | | | |-- force_close |
| | | | |-- initiator_name |
| | | | |-- luns -> ../../luns |
| | | | |-- reinstating |
| | | | `-- sid |
| | | `-- tid |
| | |-- iqn.2006-10.net.vlnb:tgt1 |
| | | |-- DataDigest |
| | | |-- FirstBurstLength |
| | | |-- HeaderDigest |
| | | |-- ImmediateData |
| | | |-- IncomingUser |
| | | |-- IncomingUser1 |
| | | |-- InitialR2T |
| | | |-- MaxBurstLength |
| | | |-- MaxOutstandingR2T |
| | | |-- MaxRecvDataSegmentLength |
| | | |-- MaxXmitDataSegmentLength |
| | | |-- OutgoingUser |
| | | |-- NopInInterval |
| | | |-- QueuedCommands |
| | | |-- RspTimeout |
| | | |-- enabled |
| | | |-- ini_groups |
| | | | |-- mgmt |
| | | | `-- special_ini |
| | | | |-- initiators |
| | | | | |-- iqn.2005-03.org.open-iscsi:cacdcd2520 |
| | | | | `-- mgmt |
| | | | `-- luns |
| | | | |-- 0 |
| | | | | |-- device -> ../../../../../../../devices/blockio |
| | | | | `-- read_only |
| | | | `-- mgmt |
| | | |-- luns |
| | | | |-- 0 |
| | | | | |-- device -> ../../../../../devices/disk2 |
| | | | | `-- read_only |
| | | | |-- 26 |
| | | | | |-- device -> ../../../../../devices/nullio |
| | | | | `-- read_only |
| | | | `-- mgmt |
| | | |-- per_portal_acl |
| | | |-- redirect |
| | | |-- rel_tgt_id |
| | | |-- sessions |
| | | | `-- iqn.2005-03.org.open-iscsi:cacdcd2520 |
| | | | |-- 10.170.75.2 |
| | | | | |-- cid |
| | | | | |-- ip |
| | | | | `-- state |
| | | | |-- DataDigest |
| | | | |-- FirstBurstLength |
| | | | |-- HeaderDigest |
| | | | |-- ImmediateData |
| | | | |-- InitialR2T |
| | | | |-- MaxBurstLength |
| | | | |-- MaxOutstandingR2T |
| | | | |-- MaxRecvDataSegmentLength |
| | | | |-- MaxXmitDataSegmentLength |
| | | | |-- active_commands |
| | | | |-- commands |
| | | | |-- force_close |
| | | | |-- initiator_name |
| | | | |-- luns -> ../../ini_groups/special_ini/luns |
| | | | |-- reinstating |
| | | | `-- sid |
| | | `-- tid |
| | |-- mgmt |
| | |-- open_state |
| | |-- trace_level |
| | `-- version |
| |-- threads |
| |-- trace_level |
| `-- version |
| |
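The hierarchy above can be checked mechanically for targets that are reachable without CHAP or portal limits. The script below is an added example, not part of iSCSI-SCST or of the original README: it walks targets/iscsi read-only and reports enabled targets with default LUNs but no IncomingUser, groups that rely on the initiator name alone, and targets without allowed_portal. The function names and the sample tree (a constructed directory mock of the advanced sample's two targets) are hypothetical.

```bash
#!/bin/bash
# Added example (not part of iSCSI-SCST): read-only audit of the iSCSI-SCST
# sysfs tree for targets reachable without CHAP or portal restrictions.

# First line of an attribute file; later lines may carry the "[key]" mark.
attr_value() {
    local v=""
    if [ -r "$1" ]; then IFS= read -r v <"$1" || true; fi
    printf '%s' "$v"
}

# True if an entry whose path starts with $1 exists (IncomingUser, IncomingUser1, ...).
has_attr() {
    local f
    for f in "$1"*; do [ -e "$f" ] && return 0; done
    return 1
}

# True if directory $1 holds at least one LUN subdirectory (mgmt is a file).
has_luns() {
    local d
    for d in "$1"/*/; do [ -d "$d" ] && return 0; done
    return 1
}

# Prints one finding per line. Returns 1 if any WARN was printed, 2 on error.
audit_iscsi_scst() {
    local root="${1:-/sys/kernel/scst_tgt}/targets/iscsi"
    local tgt name grp warn=0
    [ -d "$root" ] || { echo "ERROR $root not found"; return 2; }
    if ! has_attr "$root/IncomingUser"; then
        echo "WARN discovery: no IncomingUser, discovery sessions skip CHAP"
        warn=1
    fi
    for tgt in "$root"/*/; do
        [ -d "$tgt" ] || continue
        tgt="${tgt%/}"
        name="${tgt##*/}"
        if [ "$(attr_value "$tgt/enabled")" != "1" ]; then
            echo "INFO $name: not enabled, skipped"
            continue
        fi
        if ! has_attr "$tgt/IncomingUser"; then
            if has_luns "$tgt/luns"; then
                echo "WARN $name: default LUNs and no IncomingUser, open to any initiator"
                warn=1
            fi
            # Initiator names are supplied by the initiator itself, so a
            # group without CHAP is only as strong as that claim.
            for grp in "$tgt"/ini_groups/*/; do
                has_luns "${grp}luns" || continue
                grp="${grp%/}"
                echo "WARN $name: group ${grp##*/} relies on initiator name only"
                warn=1
            done
        fi
        has_attr "$tgt/allowed_portal" ||
            echo "NOTE $name: no allowed_portal, offered on all portals"
    done
    return "$warn"
}

# Constructed sample: a directory mock of the two targets created by the
# advanced sample script (plain files stand in for sysfs attributes).
make_sample_tree() {
    local r="$1/targets/iscsi" t="iqn.2006-10.net.vlnb:tgt"
    mkdir -p "$r/$t/luns/0" "$r/$t/luns/1" "$r/$t/ini_groups" \
        "$r/${t}1/luns/0" "$r/${t}1/luns/26" \
        "$r/${t}1/ini_groups/special_ini/luns/0"
    echo "joeD 12charsecret" >"$r/IncomingUser"
    echo 1 >"$r/$t/enabled"
    echo 1 >"$r/${t}1/enabled"
    echo "joe 12charsecret" >"$r/${t}1/IncomingUser"
    : >"$r/$t/luns/mgmt"
}

# With an argument, audit that root (e.g. /sys/kernel/scst_tgt);
# with none, audit the constructed sample tree.
if [ $# -gt 0 ]; then
    audit_iscsi_scst "$1"
else
    sample=$(mktemp -d) && make_sample_tree "$sample" &&
        { audit_iscsi_scst "$sample" || true; }
    rm -rf "$sample"
fi
```
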
| |
| Advanced initiators access control |
| ---------------------------------- |
| |
| ISCSI-SCST allows you to optionally control visibility and accessibility |
| of your target and its portals (IP addresses) to remote initiators. This |
| control includes both the target's portals SendTargets discovery as well |
| as regular LUNs access. |
| |
| This facility supersedes the obsolete initiators.[allow,deny] method, |
| which is going to be removed in one of the future versions. |
| |
| This facility is available only in the sysfs build of iSCSI-SCST. |
| |
| By default, all portals are available for the initiators. |
| |
| 1. If you want to enable/disable one or more target's portals for all |
| initiators, you should define one or more allowed_portal attributes. |
| For example: |
| |
| echo 'add_target_attribute iqn.2006-10.net.vlnb:tgt allowed_portal 10.170.77.2' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| |
| will enable only portal 10.170.77.2 and disable all other portals. |
| |
| echo 'add_target_attribute iqn.2006-10.net.vlnb:tgt allowed_portal 10.170.77.2' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo 'add_target_attribute iqn.2006-10.net.vlnb:tgt allowed_portal 10.170.75.2' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| |
| will enable only portals 10.170.77.2 and 10.170.75.2 and disable all |
| other portals. |
| |
| echo 'add_target_attribute iqn.2006-10.net.vlnb:tgt allowed_portal 10.170.7?.2' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| |
| will enable only portals 10.170.7x.2 and disable all other portals. |
| |
| echo 'add_target_attribute iqn.2006-10.net.vlnb:tgt allowed_portal !*' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| |
| will disable all portals. |
| |
| 2. If you want to allow only a specific set of initiators to be able |
| to connect to your target, you should not add any default LUNs for the |
| target and should create a security group for the allowed initiators, |
| to which they will be assigned. |
| |
| For example, we want initiator iqn.2005-03.org.vlnb:cacdcd2520, and only |
| it, to be able to access target iqn.2006-10.net.vlnb:tgt: |
| |
| echo 'add_target iqn.2006-10.net.vlnb:tgt' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo 'create allowed_ini' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/mgmt |
| echo 'add dev1 0' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/allowed_ini/luns/mgmt |
| echo 'add iqn.2005-03.org.vlnb:cacdcd2520' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/allowed_ini/initiators/mgmt |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/enabled |
| |
| Since there will be no default LUNs for the target, all initiators other |
| than iqn.2005-03.org.vlnb:cacdcd2520 will be blocked from accessing it. |
| |
| Alternatively, you can create an empty security group and filter out in |
| it all initiators except the allowed one: |
| |
| echo 'add_target iqn.2006-10.net.vlnb:tgt' >/sys/kernel/scst_tgt/targets/iscsi/mgmt |
| echo 'add dev1 0' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/luns/mgmt |
| echo 'create denied_inis' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/mgmt |
| echo 'add !iqn.2005-03.org.vlnb:cacdcd2520' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/denied_inis/initiators/mgmt |
| echo 1 >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/enabled |
| |
| 3. If you want to enable/disable one or more target's portals for |
| particular initiators, you should set the per_portal_acl attribute to 1 |
| and specify SCST access control for those initiators. If an SCST security |
| group doesn't have any LUNs, all the initiators which are assigned to |
| it will not see this target and/or its portal. For example: |
| |
| (We assume that an empty group "BLOCKING_GROUP" has already been created |
| for target iqn.2006-10.net.vlnb:tgt by the command (see above for more |
| information): |
| "echo 'create BLOCKING_GROUP' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/mgmt") |
| |
| echo 'add iqn.2005-03.org.vlnb:cacdcd2520#10.170.77.2' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/BLOCKING_GROUP/initiators/mgmt |
| |
| will block access of initiator iqn.2005-03.org.vlnb:cacdcd2520 to |
| target iqn.2006-10.net.vlnb:tgt portal 10.170.77.2. |
| |
| Another example: |
| |
| echo 'add iqn.2005-03.org.vlnb:cacdcd2520*' >/sys/kernel/scst_tgt/targets/iscsi/iqn.2006-10.net.vlnb:tgt/ini_groups/BLOCKING_GROUP/initiators/mgmt |
| |
| will block access of initiator iqn.2005-03.org.vlnb:cacdcd2520 to |
| all target iqn.2006-10.net.vlnb:tgt portals. |
| |
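The pattern rules used by allowed_portal and by the per-portal initiator names above can be previewed before anything is written to sysfs. The following is an added example, not iSCSI-SCST code: a bash matcher for the '*', '?' and leading '!' rules, applied to the patterns from this section. Assumptions: several allowed_portal attributes are combined as "match any of them", initiator entries in a group follow the same pattern rules, and all function names are hypothetical.

```bash
#!/bin/bash
# Added example (not iSCSI-SCST code): preview what a set of allowed_portal
# or initiator-group patterns matches before writing them to sysfs.

# Backslash-escape '[', ']' and '\' so that only '*' and '?' act as wildcards.
glob_escape() {
    printf '%s' "$1" | sed 's/[][\\]/\\&/g'
}

# pattern_matches PATTERN VALUE
# '*' matches any run of symbols, '?' exactly one, a leading '!' inverts.
pattern_matches() {
    local pat="$1" val="$2" neg=0
    case "$pat" in
        '!'*) neg=1; pat="${pat#?}" ;;
    esac
    pat=$(glob_escape "$pat")
    case "$val" in
        $pat) [ "$neg" -eq 0 ] ;;
        *)    [ "$neg" -eq 1 ] ;;
    esac
}

# portal_allowed PORTAL [PATTERN...]
# No patterns: every portal is allowed (the default). Otherwise the portal
# must match at least one pattern (assumption: attributes are OR-ed).
portal_allowed() {
    local portal="$1" p
    shift
    [ $# -eq 0 ] && return 0
    for p in "$@"; do
        pattern_matches "$p" "$portal" && return 0
    done
    return 1
}

# With per_portal_acl set, initiators are registered as NAME#PORTAL_IP.
per_portal_name() {
    printf '%s#%s' "$1" "$2"
}

# Constructed demo 1: which portals stay reachable under '10.170.7?.2'.
for portal in 10.170.75.2 10.170.77.2 10.170.77.3; do
    if portal_allowed "$portal" '10.170.7?.2'; then
        echo "$portal allowed"
    else
        echo "$portal blocked"
    fi
done

# Constructed demo 2: a trailing '*' after an initiator name also covers
# longer names sharing the prefix; '#*' pins the name and leaves only the
# portal part open.
other=$(per_portal_name iqn.2005-03.org.vlnb:cacdcd25207 10.170.77.2)
pattern_matches 'iqn.2005-03.org.vlnb:cacdcd2520*' "$other" &&
    echo "'...cacdcd2520*' also matches $other"
pattern_matches 'iqn.2005-03.org.vlnb:cacdcd2520#*' "$other" ||
    echo "'...cacdcd2520#*' does not match $other"
```
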
| |
| Troubleshooting |
| --------------- |
| |
| If you have any problems, start troubleshooting by looking at the |
| kernel and system logs. iSCSI-SCST and SCST core send their messages to |
| the kernel log, iscsi-scstd sends its messages to the system log. In |
| most Linux distributions both those logs are put in the |
| /var/log/messages file. |
| |
| Then, it might be helpful to increase the level of logging. For kernel |
| modules you should make the debug build by enabling CONFIG_SCST_DEBUG. |
| |
| If after looking at the logs the reason for your problem is still |
| unclear to you, report to the SCST mailing list |
| scst-devel@lists.sourceforge.net. |
| |
| |
| Work if target's backstorage or link is too slow |
| ------------------------------------------------ |
| |
| In some cases you can experience I/O stalls or see abort or reset |
| messages in the kernel log. It can happen under high I/O load, when your |
| target's backstorage gets overloaded, or when working over a slow link, |
| when the link can't serve all the queued commands on time. |
| |
| To work around it you can reduce the QueuedCommands parameter for the |
| corresponding target to some lower value, like 8 (default is 32). |
| |
| Also see the SCST README file for more details about that issue and ways |
| to prevent it. |
| |
| |
| Performance advices |
| ------------------- |
| |
| 1. If you use Windows XP or Windows 2003+ as initiators, consider |
| decreasing the TcpAckFrequency parameter to 1. See |
| http://support.microsoft.com/kb/328890/ or google for "TcpAckFrequency" |
| for more details. |
| |
| 2. See how to get the maximum throughput from iSCSI, for instance, at |
| http://virtualgeek.typepad.com/virtual_geek/2009/01/a-multivendor-post-to-help-our-mutual-iscsi-customers-using-vmware.html. |
| It's about VMware, but its recommendations apply to other environments |
| as well. |
| |
| 3. ISCSI initiators built in pre-CentOS/RHEL 5 are reported to have some |
| performance problems. If you use one, it is strongly advised to upgrade. |
| |
| 4. If you are going to use your target in a VM environment, for |
| instance as shared storage with VMware, make sure all your VMs are |
| connected to the target via *separate* sessions, i.e. each VM has its own |
| connection to the target, rather than all VMs being connected using a |
| single connection. You can check it using the SCST sysfs interface. If |
| you miss it, you can greatly lose performance of parallel access to your |
| target from different VMs. This doesn't apply if your VMs are using the |
| same shared storage, like with VMFS, for instance. In this case all your |
| VM hosts will be connected to the target via separate sessions, which is |
| enough. |
| |
| 5. Many dual port network adapters are not able to transfer data |
| simultaneously on both ports, i.e. they transfer data via both ports at |
| the same speed as via any single port. Thus, using such adapters in an |
| MPIO configuration can't improve performance. To allow MPIO to have |
| double performance you should either use separate network adapters, or |
| find a dual-port adapter capable of transferring data simultaneously on |
| both ports. You can check it by running 2 iperf's through both ports in |
| parallel. |
| |
| 6. Since network offload works much better in the write direction than |
| for reading (simplifying, in the read direction there is often an |
| additional data copy), in many cases with 10GbE in a single |
| initiator-target pair the initiator's CPU is the bottleneck, so you can |
| see the initiator read data at a much slower rate than it writes. You |
| can check it by watching *each particular* CPU load to find out if any |
| of them is close to 100% load, including IRQ processing load. Note that |
| many tools like vmstat give aggregate load on all CPUs, so with 4 cores |
| 25% corresponds to 100% load of any single CPU. |
| |
| 7. For high speed network adapters it can be better if you configure |
| them to serve connections, e.g., from initiator X on CPU0 and from |
| initiator Y on CPU1. Then you can bind the threads processing them also |
| to CPU0 and CPU1 correspondingly using the cpu_mask attribute of their |
| targets or security groups. In NUMA-like configurations it can |
| significantly boost IOPS performance. |
| |
| 8. See SCST core's README for more advice. Especially pay attention to |
| having the io_grouping_type option set correctly. |
| |
| |
| Compilation options |
| ------------------- |
| |
| The following compilation options can be commented in/out in the |
| kernel module's Makefile: |
| |
| - CONFIG_SCST_DEBUG - turns on some debugging code, including some logging. |
| Makes the driver considerably bigger and slower, producing a large amount |
| of log data. |
| |
| - CONFIG_SCST_TRACING - turns on the ability to log events. Makes the driver |
| considerably bigger and leads to some performance loss. |
| |
| - CONFIG_SCST_EXTRACHECKS - adds extra validity checks in various places. |
| |
| - CONFIG_SCST_ISCSI_DEBUG_DIGEST_FAILURES - simulates digest failures in |
| random places. |
| |
| |
| Credits |
| ------- |
| |
| Thanks to: |
| |
| * Ming Zhang <blackmagic02881@gmail.com> for fixes |
| |
| * Krzysztof Blaszkowski <kb@sysmikro.com.pl> for many fixes |
| |
| * Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> for comments and help in |
| debugging |
| |
| * Tomasz Chmielewski <mangoo@wpkg.org> for testing and suggestions |
| |
| * Bart Van Assche <bvanassche@acm.org> for a lot of help |
| |
| Vladislav Bolkhovitin <vst@vlnb.net>, http://scst.sourceforge.net |
| |