1.\" Copyright (c) 2012 The FreeBSD Foundation 2.\" Copyright (c) 2015 Alexander Motin <mav@FreeBSD.org> 3.\" All rights reserved. 4.\" 5.\" This software was developed by Edward Tomasz Napierala under sponsorship 6.\" from the FreeBSD Foundation. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.\" $FreeBSD$ 30.\" 31.Dd October 13, 2020 32.Dt CTL.CONF 5 33.Os 34.Sh NAME 35.Nm ctl.conf 36.Nd CAM Target Layer / iSCSI target daemon configuration file 37.Sh DESCRIPTION 38The 39.Nm 40configuration file is used by the 41.Xr ctld 8 42daemon. 43Lines starting with 44.Ql # 45are interpreted as comments. 46The general syntax of the 47.Nm 48file is: 49.Bd -literal -offset indent 50.No pidfile Ar path 51 52.No auth-group Ar name No { 53.Dl chap Ar user Ar secret 54.Dl ... 55} 56 57.No portal-group Ar name No { 58.Dl listen Ar address 59.\".Dl listen-iser Ar address 60.Dl discovery-auth-group Ar name 61.Dl ... 62} 63 64.No target Ar name { 65.Dl auth-group Ar name 66.Dl portal-group Ar name 67.Dl lun Ar number No { 68.Dl path Ar path 69.Dl } 70.Dl ... 71} 72.Ed 73.Ss Global Context 74.Bl -tag -width indent 75.It Ic auth-group Ar name 76Create an 77.Sy auth-group 78configuration context, 79defining a new auth-group, 80which can then be assigned to any number of targets. 81.It Ic debug Ar level 82The debug verbosity level. 83The default is 0. 84.It Ic maxproc Ar number 85The limit for concurrently running child processes handling 86incoming connections. 87The default is 30. 88A setting of 0 disables the limit. 89.It Ic pidfile Ar path 90The path to the pidfile. 91The default is 92.Pa /var/run/ctld.pid . 93.It Ic portal-group Ar name 94Create a 95.Sy portal-group 96configuration context, 97defining a new portal-group, 98which can then be assigned to any number of targets. 99.It Ic lun Ar name 100Create a 101.Sy lun 102configuration context, defining a LUN to be exported by any number of targets. 103.It Ic target Ar name 104Create a 105.Sy target 106configuration context, which can optionally contain one or more 107.Sy lun 108contexts. 109.It Ic timeout Ar seconds 110The timeout for login sessions, after which the connection 111will be forcibly terminated. 112The default is 60. 113A setting of 0 disables the timeout. 114.It Ic isns-server Ar address 115An IPv4 or IPv6 address and optionally port of iSNS server to register on. 116.It Ic isns-period Ar seconds 117iSNS registration period. 118Registered Network Entity not updated during this period will be unregistered. 119The default is 900. 120.It Ic isns-timeout Ar seconds 121Timeout for iSNS requests. 122The default is 5. 123.El 124.Ss auth-group Context 125.Bl -tag -width indent 126.It Ic auth-type Ar type 127Sets the authentication type. 128Type can be either 129.Qq Ar none , 130.Qq Ar deny , 131.Qq Ar chap , 132or 133.Qq Ar chap-mutual . 134In most cases it is not necessary to set the type using this clause; 135it is usually used to disable authentication for a given 136.Sy auth-group . 137.It Ic chap Ar user Ar secret 138A set of CHAP authentication credentials. 139Note that for any 140.Sy auth-group , 141the configuration may only contain either 142.Sy chap 143or 144.Sy chap-mutual 145entries; it is an error to mix them. 146.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret 147A set of mutual CHAP authentication credentials. 148Note that for any 149.Sy auth-group , 150the configuration may only contain either 151.Sy chap 152or 153.Sy chap-mutual 154entries; it is an error to mix them. 155.It Ic initiator-name Ar initiator-name 156An iSCSI initiator name. 157Only initiators with a name matching one of the defined 158names will be allowed to connect. 159If not defined, there will be no restrictions based on initiator 160name. 161.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen 162An iSCSI initiator portal: an IPv4 or IPv6 address, optionally 163followed by a literal slash and a prefix length. 164Only initiators with an address matching one of the defined 165addresses will be allowed to connect. 166If not defined, there will be no restrictions based on initiator 167address. 168.El 169.Ss portal-group Context 170.Bl -tag -width indent 171.It Ic discovery-auth-group Ar name 172Assign a previously defined authentication group to the portal group, 173to be used for target discovery. 174By default, portal groups are assigned predefined 175.Sy auth-group 176.Qq Ar default , 177which denies discovery. 178Another predefined 179.Sy auth-group , 180.Qq Ar no-authentication , 181may be used 182to permit discovery without authentication. 183.It Ic discovery-filter Ar filter 184Determines which targets are returned during discovery. 185Filter can be either 186.Qq Ar none , 187.Qq Ar portal , 188.Qq Ar portal-name , 189or 190.Qq Ar portal-name-auth . 191When set to 192.Qq Ar none , 193discovery will return all targets assigned to that portal group. 194When set to 195.Qq Ar portal , 196discovery will not return targets that cannot be accessed by the 197initiator because of their 198.Sy initiator-portal . 199When set to 200.Qq Ar portal-name , 201the check will include both 202.Sy initiator-portal 203and 204.Sy initiator-name . 205When set to 206.Qq Ar portal-name-auth , 207the check will include 208.Sy initiator-portal , 209.Sy initiator-name , 210and authentication credentials. 211The target is returned if it does not require CHAP authentication, 212or if the CHAP user and secret used during discovery match those 213used by the target. 214Note that when using 215.Qq Ar portal-name-auth , 216targets that require CHAP authentication will only be returned if 217.Sy discovery-auth-group 218requires CHAP. 219The default is 220.Qq Ar none . 221.It Ic listen Ar address 222An IPv4 or IPv6 address and port to listen on for incoming connections. 223.\".It Ic listen-iser Ar address 224.\"An IPv4 or IPv6 address and port to listen on for incoming connections 225.\"using iSER (iSCSI over RDMA) protocol. 226.It Ic offload Ar driver 227Define iSCSI hardware offload driver to use for this 228.Sy portal-group . 229The default is 230.Qq Ar none . 231.It Ic option Ar name Ar value 232The CTL-specific port options passed to the kernel. 233.It Ic redirect Ar address 234IPv4 or IPv6 address to redirect initiators to. 235When configured, all initiators attempting to connect to portal 236belonging to this 237.Sy portal-group 238will get redirected using "Target moved temporarily" login response. 239Redirection happens before authentication and any 240.Sy initiator-name 241or 242.Sy initiator-portal 243checks are skipped. 244.It Ic tag Ar value 245Unique 16-bit tag value of this 246.Sy portal-group . 247If not specified, the value is generated automatically. 248.It Ic foreign 249Specifies that this 250.Sy portal-group 251is listened by some other host. 252This host will announce it on discovery stage, but won't listen. 253.It Ic dscp Ar value 254The DiffServ Codepoint used for sending data. The DSCP can be 255set to numeric, or hexadecimal values directly, as well as the 256well-defined 257.Qq Ar CSx 258and 259.Qq Ar AFxx 260codepoints. 261.It Ic pcp Ar value 262The 802.1Q Priority CodePoint used for sending packets. 263The PCP can be set to a value in the range between 264.Qq Ar 0 265to 266.Qq Ar 7 . 267When omitted, the default for the outgoing interface is used. 268.El 269.Ss target Context 270.Bl -tag -width indent 271.It Ic alias Ar text 272Assign a human-readable description to the target. 273There is no default. 274.It Ic auth-group Ar name 275Assign a previously defined authentication group to the target. 276By default, targets that do not specify their own auth settings, 277using clauses such as 278.Sy chap 279or 280.Sy initiator-name , 281are assigned 282predefined 283.Sy auth-group 284.Qq Ar default , 285which denies all access. 286Another predefined 287.Sy auth-group , 288.Qq Ar no-authentication , 289may be used to permit access 290without authentication. 291Note that this clause can be overridden using the second argument 292to a 293.Sy portal-group 294clause. 295.It Ic auth-type Ar type 296Sets the authentication type. 297Type can be either 298.Qq Ar none , 299.Qq Ar deny , 300.Qq Ar chap , 301or 302.Qq Ar chap-mutual . 303In most cases it is not necessary to set the type using this clause; 304it is usually used to disable authentication for a given 305.Sy target . 306This clause is mutually exclusive with 307.Sy auth-group ; 308one cannot use 309both in a single target. 310.It Ic chap Ar user Ar secret 311A set of CHAP authentication credentials. 312Note that targets must only use one of 313.Sy auth-group , chap , No or Sy chap-mutual ; 314it is a configuration error to mix multiple types in one target. 315.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret 316A set of mutual CHAP authentication credentials. 317Note that targets must only use one of 318.Sy auth-group , chap , No or Sy chap-mutual ; 319it is a configuration error to mix multiple types in one target. 320.It Ic initiator-name Ar initiator-name 321An iSCSI initiator name. 322Only initiators with a name matching one of the defined 323names will be allowed to connect. 324If not defined, there will be no restrictions based on initiator 325name. 326This clause is mutually exclusive with 327.Sy auth-group ; 328one cannot use 329both in a single target. 330.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen 331An iSCSI initiator portal: an IPv4 or IPv6 address, optionally 332followed by a literal slash and a prefix length. 333Only initiators with an address matching one of the defined 334addresses will be allowed to connect. 335If not defined, there will be no restrictions based on initiator 336address. 337This clause is mutually exclusive with 338.Sy auth-group ; 339one cannot use 340both in a single target. 341.Pp 342The 343.Sy auth-type , 344.Sy chap , 345.Sy chap-mutual , 346.Sy initiator-name , 347and 348.Sy initiator-portal 349clauses in the target context provide an alternative to assigning an 350.Sy auth-group 351defined separately, useful in the common case of authentication settings 352specific to a single target. 353.It Ic portal-group Ar name Op Ar ag-name 354Assign a previously defined portal group to the target. 355The default portal group is 356.Qq Ar default , 357which makes the target available 358on TCP port 3260 on all configured IPv4 and IPv6 addresses. 359Optional second argument specifies 360.Sy auth-group 361for connections to this specific portal group. 362If second argument is not specified, target 363.Sy auth-group 364is used. 365.It Ic port Ar name 366.It Ic port Ar name/pp 367.It Ic port Ar name/pp/vp 368Assign specified CTL port (such as "isp0" or "isp2/1") to the target. 369This is used to export the target through a specific physical - eg Fibre 370Channel - port, in addition to portal-groups configured for the target. 371Use 372.Cm "ctladm portlist" 373command to retrieve the list of available ports. 374On startup 375.Xr ctld 8 376configures LUN mapping and enables all assigned ports. 377Each port can be assigned to only one target. 378.It Ic redirect Ar address 379IPv4 or IPv6 address to redirect initiators to. 380When configured, all initiators attempting to connect to this target 381will get redirected using "Target moved temporarily" login response. 382Redirection happens after successful authentication. 383.It Ic lun Ar number Ar name 384Export previously defined 385.Sy lun 386by the parent target. 387.It Ic lun Ar number 388Create a 389.Sy lun 390configuration context, defining a LUN exported by the parent target. 391.Pp 392This is an alternative to defining the LUN separately, useful in the common 393case of a LUN being exported by a single target. 394.El 395.Ss lun Context 396.Bl -tag -width indent 397.It Ic backend Ar block No | Ar ramdisk 398The CTL backend to use for a given LUN. 399Valid choices are 400.Qq Ar block 401and 402.Qq Ar ramdisk ; 403block is used for LUNs backed 404by files or disk device nodes; ramdisk is a bitsink device, used mostly for 405testing. 406The default backend is block. 407.It Ic blocksize Ar size 408The blocksize visible to the initiator. 409The default blocksize is 512 for disks, and 2048 for CD/DVDs. 410.It Ic ctl-lun Ar lun_id 411Global numeric identifier to use for a given LUN inside CTL. 412By default CTL allocates those IDs dynamically, but explicit specification 413may be needed for consistency in HA configurations. 414.It Ic device-id Ar string 415The SCSI Device Identification string presented to the initiator. 416.It Ic device-type Ar type 417Specify the SCSI device type to use when creating the LUN. 418Currently CTL supports Direct Access (type 0), Processor (type 3) 419and CD/DVD (type 5) LUNs. 420.It Ic option Ar name Ar value 421The CTL-specific options passed to the kernel. 422All CTL-specific options are documented in the 423.Sx OPTIONS 424section of 425.Xr ctladm 8 . 426.It Ic path Ar path 427The path to the file, device node, or 428.Xr zfs 8 429volume used to back the LUN. 430For optimal performance, create the volume with the 431.Qq Ar volmode=dev 432property set. 433.It Ic serial Ar string 434The SCSI serial number presented to the initiator. 435.It Ic size Ar size 436The LUN size, in bytes or by number with a suffix of 437.Sy K , M , G , T 438(for kilobytes, megabytes, gigabytes, or terabytes). 439When the configuration is in UCL format, use the suffix format 440.Sy kKmMgG Ns | Ns Sy bB , 441(i.e., 4GB, 4gb, and 4Gb are all equivalent). 442.El 443.Sh FILES 444.Bl -tag -width ".Pa /etc/ctl.conf" -compact 445.It Pa /etc/ctl.conf 446The default location of the 447.Xr ctld 8 448configuration file. 449.El 450.Sh EXAMPLES 451.Bd -literal 452auth-group ag0 { 453 chap-mutual "user" "secret" "mutualuser" "mutualsecret" 454 chap-mutual "user2" "secret2" "mutualuser" "mutualsecret" 455 initiator-portal 192.168.1.1/16 456} 457 458auth-group ag1 { 459 auth-type none 460 initiator-name "iqn.2012-06.com.example:initiatorhost1" 461 initiator-name "iqn.2012-06.com.example:initiatorhost2" 462 initiator-portal 192.168.1.1/24 463 initiator-portal [2001:db8::de:ef] 464} 465 466portal-group pg0 { 467 discovery-auth-group no-authentication 468 listen 0.0.0.0:3260 469 listen [::]:3260 470 listen [fe80::be:ef]:3261 471} 472 473target iqn.2012-06.com.example:target0 { 474 alias "Example target" 475 auth-group no-authentication 476 lun 0 { 477 path /dev/zvol/tank/example_0 478 blocksize 4096 479 size 4G 480 } 481} 482 483lun example_1 { 484 path /dev/zvol/tank/example_1 485 option naa 0x50015178f369f093 486} 487 488target iqn.2012-06.com.example:target1 { 489 auth-group ag0 490 portal-group pg0 491 lun 0 example_1 492 lun 1 { 493 path /dev/zvol/tank/example_2 494 option vendor "FreeBSD" 495 } 496} 497 498target naa.50015178f369f092 { 499 port isp0 500 port isp1 501 lun 0 example_1 502} 503.Ed 504.Pp 505An equivalent configuration in UCL format, for use with 506.Fl u : 507.Bd -literal 508auth-group { 509 ag0 { 510 chap-mutual = [ 511 { 512 user = "user" 513 secret = "secretsecret" 514 mutual-user = "mutualuser" 515 mutual-secret = "mutualsecret" 516 }, 517 { 518 user = "user2" 519 secret = "secret2secret2" 520 mutual-user = "mutualuser" 521 mutual-secret = "mutualsecret" 522 } 523 ] 524 } 525 526 ag1 { 527 auth-type = none 528 initiator-name = [ 529 "iqn.2012-06.com.example:initiatorhost1", 530 "iqn.2012-06.com.example:initiatorhost2" 531 ] 532 initiator-portal = [192.168.1.1/24, "[2001:db8::de:ef]"] 533 } 534} 535 536portal-group { 537 pg0 { 538 discovery-auth-group = no-authentication 539 listen = [ 540 0.0.0.0:3260, 541 "[::]:3260", 542 "[fe80::be:ef]:3261" 543 ] 544 } 545} 546 547lun { 548 example_0 { 549 path = /dev/zvol/tank/example_0 550 blocksize = 4096 551 size = 4GB 552 } 553 554 example_1 { 555 path = /dev/zvol/tank/example_1 556 options { 557 naa = "0x50015178f369f093" 558 } 559 } 560 561 example_2 { 562 path = /dev/zvol/tank/example_2 563 options { 564 vendor = "FreeBSD" 565 } 566 } 567} 568 569target { 570 "iqn.2012-06.com.example:target0" { 571 alias = "Example target" 572 auth-group = no-authentication 573 lun = [ 574 { number = 0, name = example_0 }, 575 ] 576 } 577 578 "iqn.2012-06.com.example:target1" { 579 auth-group = ag0 580 portal-group { name = pg0 } 581 lun = [ 582 { number = 0, name = example_1 }, 583 { number = 1, name = example_2 } 584 ] 585 } 586 587 naa.50015178f369f092 { 588 port = isp0 589 lun = [ 590 { number = 0, name = example_1 } 591 ] 592 } 593} 594.Ed 595.Sh SEE ALSO 596.Xr ctl 4 , 597.Xr ctladm 8 , 598.Xr ctld 8 , 599.Xr zfs 8 600.Sh AUTHORS 601The 602.Nm 603configuration file functionality for 604.Xr ctld 8 605was developed by 606.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org 607under sponsorship from the FreeBSD Foundation. 608