1.\" Copyright (c) 2012 The FreeBSD Foundation 2.\" All rights reserved. 3.\" 4.\" This software was developed by Edward Tomasz Napierala under sponsorship 5.\" from the FreeBSD Foundation. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD$ 29.\" 30.Dd November 24, 2014 31.Dt CTL.CONF 5 32.Os 33.Sh NAME 34.Nm ctl.conf 35.Nd CAM Target Layer / iSCSI target daemon configuration file 36.Sh DESCRIPTION 37The 38.Nm 39configuration file is used by the 40.Xr ctld 8 41daemon. 42Lines starting with 43.Ql # 44are interpreted as comments. 45The general syntax of the 46.Nm 47file is: 48.Bd -literal -offset indent 49.No pidfile Ar path 50 51.No auth-group Ar name No { 52.Dl chap Ar user Ar secret 53.Dl ... 54} 55 56.No portal-group Ar name No { 57.Dl listen Ar address 58.\".Dl listen-iser Ar address 59.Dl discovery-auth-group Ar name 60.Dl ... 61} 62 63.No target Ar name { 64.Dl auth-group Ar name 65.Dl portal-group Ar name 66.Dl lun Ar number No { 67.Dl path Ar path 68.Dl } 69.Dl ... 70} 71.Ed 72.Ss Global Context 73.Bl -tag -width indent 74.It Ic auth-group Ar name 75Create an 76.Sy auth-group 77configuration context, 78defining a new auth-group, 79which can then be assigned to any number of targets. 80.It Ic debug Ar level 81The debug verbosity level. 82The default is 0. 83.It Ic maxproc Ar number 84The limit for concurrently running child processes handling 85incoming connections. 86The default is 30. 87A setting of 0 disables the limit. 88.It Ic pidfile Ar path 89The path to the pidfile. 90The default is 91.Pa /var/run/ctld.pid . 92.It Ic portal-group Ar name 93Create a 94.Sy portal-group 95configuration context, 96defining a new portal-group, 97which can then be assigned to any number of targets. 98.It Ic target Ar name 99Create a 100.Sy target 101configuration context, which can contain one or more 102.Sy lun 103contexts. 104.It Ic timeout Ar seconds 105The timeout for login sessions, after which the connection 106will be forcibly terminated. 107The default is 60. 108A setting of 0 disables the timeout. 109.It Ic isns-server Ar address 110An IPv4 or IPv6 address and optionally port of iSNS server to register on. 111.It Ic isns-period Ar seconds 112iSNS registration period. 113Registered Network Entity not updated during this period will be unregistered. 114The default is 900. 115.It Ic isns-timeout Ar seconds 116Timeout for iSNS requests. 117The default is 5. 118.El 119.Ss auth-group Context 120.Bl -tag -width indent 121.It Ic auth-type Ar type 122Sets the authentication type. 123Type can be either 124.Qq Ar none , 125.Qq Ar deny , 126.Qq Ar chap , 127or 128.Qq Ar chap-mutual . 129In most cases it is not necessary to set the type using this clause; 130it is usually used to disable authentication for a given 131.Sy auth-group . 132.It Ic chap Ar user Ar secret 133A set of CHAP authentication credentials. 134Note that for any 135.Sy auth-group , 136the configuration may only contain either 137.Sy chap 138or 139.Sy chap-mutual 140entries; it is an error to mix them. 141.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret 142A set of mutual CHAP authentication credentials. 143Note that for any 144.Sy auth-group , 145the configuration may only contain either 146.Sy chap 147or 148.Sy chap-mutual 149entries; it is an error to mix them. 150.It Ic initiator-name Ar initiator-name 151An iSCSI initiator name. 152Only initiators with a name matching one of the defined 153names will be allowed to connect. 154If not defined, there will be no restrictions based on initiator 155name. 156.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen 157An iSCSI initiator portal: an IPv4 or IPv6 address, optionally 158followed by a literal slash and a prefix length. 159Only initiators with an address matching one of the defined 160addresses will be allowed to connect. 161If not defined, there will be no restrictions based on initiator 162address. 163.El 164.Ss portal-group Context 165.Bl -tag -width indent 166.It Ic discovery-auth-group Ar name 167Assign a previously defined authentication group to the portal group, 168to be used for target discovery. 169By default, portal groups are assigned predefined 170.Sy auth-group 171.Qq Ar default , 172which denies discovery. 173Another predefined 174.Sy auth-group , 175.Qq Ar no-authentication , 176may be used 177to permit discovery without authentication. 178.It Ic discovery-filter Ar filter 179Determines which targets are returned during discovery. 180Filter can be either 181.Qq Ar none , 182.Qq Ar portal , 183.Qq Ar portal-name , 184or 185.Qq Ar portal-name-auth . 186When set to 187.Qq Ar none , 188discovery will return all targets assigned to that portal group. 189When set to 190.Qq Ar portal , 191discovery will not return targets that cannot be accessed by the 192initiator because of their 193.Sy initiator-portal . 194When set to 195.Qq Ar portal-name , 196the check will include both 197.Sy initiator-portal 198and 199.Sy initiator-name . 200When set to 201.Qq Ar portal-name-auth , 202the check will include 203.Sy initiator-portal , 204.Sy initiator-name , 205and authentication credentials. 206The target is returned if it does not require CHAP authentication, 207or if the CHAP user and secret used during discovery match those 208used by the target. 209Note that when using 210.Qq Ar portal-name-auth , 211targets that require CHAP authentication will only be returned if 212.Sy discovery-auth-group 213requires CHAP. 214The default is 215.Qq Ar none . 216.It Ic listen Ar address 217An IPv4 or IPv6 address and port to listen on for incoming connections. 218.\".It Ic listen-iser Ar address 219.\"An IPv4 or IPv6 address and port to listen on for incoming connections 220.\"using iSER (iSCSI over RDMA) protocol. 221.It Ic redirect Aq Ar address 222IPv4 or IPv6 address to redirect initiators to. 223When configured, all initiators attempting to connect to portal 224belonging to this 225.Sy portal-group 226will get redirected using "Target moved temporarily" login response. 227Redirection happens before authentication and any 228.Sy initiator-name 229or 230.Sy initiator-portal 231checks are skipped. 232.El 233.Ss target Context 234.Bl -tag -width indent 235.It Ic alias Ar text 236Assign a human-readable description to the target. 237There is no default. 238.It Ic auth-group Ar name 239Assign a previously defined authentication group to the target. 240By default, targets that do not specify their own auth settings, 241using clauses such as 242.Sy chap 243or 244.Sy initiator-name , 245are assigned 246predefined 247.Sy auth-group 248.Qq Ar default , 249which denies all access. 250Another predefined 251.Sy auth-group , 252.Qq Ar no-authentication , 253may be used to permit access 254without authentication. 255Note that targets must only use one of 256.Sy auth-group , chap , No or Sy chap-mutual ; 257it is a configuration error to mix multiple types in one target. 258.It Ic auth-type Ar type 259Sets the authentication type. 260Type can be either 261.Qq Ar none , 262.Qq Ar deny , 263.Qq Ar chap , 264or 265.Qq Ar chap-mutual . 266In most cases it is not necessary to set the type using this clause; 267it is usually used to disable authentication for a given 268.Sy target . 269This clause is mutually exclusive with 270.Sy auth-group ; 271one cannot use 272both in a single target. 273.It Ic chap Ar user Ar secret 274A set of CHAP authentication credentials. 275Note that targets must only use one of 276.Sy auth-group , chap , No or Sy chap-mutual ; 277it is a configuration error to mix multiple types in one target. 278.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret 279A set of mutual CHAP authentication credentials. 280Note that targets must only use one of 281.Sy auth-group , chap , No or Sy chap-mutual ; 282it is a configuration error to mix multiple types in one target. 283.It Ic initiator-name Ar initiator-name 284An iSCSI initiator name. 285Only initiators with a name matching one of the defined 286names will be allowed to connect. 287If not defined, there will be no restrictions based on initiator 288name. 289This clause is mutually exclusive with 290.Sy auth-group ; 291one cannot use 292both in a single target. 293.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen 294An iSCSI initiator portal: an IPv4 or IPv6 address, optionally 295followed by a literal slash and a prefix length. 296Only initiators with an address matching one of the defined 297addresses will be allowed to connect. 298If not defined, there will be no restrictions based on initiator 299address. 300This clause is mutually exclusive with 301.Sy auth-group ; 302one cannot use 303both in a single target. 304.It Ic portal-group Ar name 305Assign a previously defined portal group to the target. 306The default portal group is 307.Qq Ar default , 308which makes the target available 309on TCP port 3260 on all configured IPv4 and IPv6 addresses. 310.It Ic redirect Aq Ar address 311IPv4 or IPv6 address to redirect initiators to. 312When configured, all initiators attempting to connect to this target 313will get redirected using "Target moved temporarily" login response. 314Redirection happens after successful authentication. 315.It Ic lun Ar number 316Create a 317.Sy lun 318configuration context, defining a LUN exported by the parent target. 319.El 320.Ss lun Context 321.Bl -tag -width indent 322.It Ic backend Ar block No | Ar ramdisk 323The CTL backend to use for a given LUN. 324Valid choices are 325.Qq Ar block 326and 327.Qq Ar ramdisk ; 328block is used for LUNs backed 329by files or disk device nodes; ramdisk is a bitsink device, used mostly for 330testing. 331The default backend is block. 332.It Ic blocksize Ar size 333The blocksize visible to the initiator. 334The default blocksize is 512. 335.It Ic device-id Ar string 336The SCSI Device Identification string presented to the initiator. 337.It Ic option Ar name Ar value 338The CTL-specific options passed to the kernel. 339All CTL-specific options are documented in the 340.Sx OPTIONS 341section of 342.Xr ctladm 8 . 343.It Ic path Ar path 344The path to the file or device node used to back the LUN. 345.It Ic serial Ar string 346The SCSI serial number presented to the initiator. 347.It Ic size Ar size 348The LUN size, in bytes. 349.El 350.Sh FILES 351.Bl -tag -width ".Pa /etc/ctl.conf" -compact 352.It Pa /etc/ctl.conf 353The default location of the 354.Xr ctld 8 355configuration file. 356.El 357.Sh EXAMPLES 358.Bd -literal 359auth-group ag0 { 360 chap-mutual "user" "secret" "mutualuser" "mutualsecret" 361 chap-mutual "user2" "secret2" "mutualuser" "mutualsecret" 362 initiator-portal 192.168.1.1/16 363} 364 365auth-group ag1 { 366 auth-type none 367 initiator-name "iqn.2012-06.com.example:initiatorhost1" 368 initiator-name "iqn.2012-06.com.example:initiatorhost2" 369 initiator-portal 192.168.1.1/24 370 initiator-portal [2001:db8::de:ef] 371} 372 373portal-group pg0 { 374 discovery-auth-group no-authentication 375 listen 0.0.0.0:3260 376 listen [::]:3260 377 listen [fe80::be:ef]:3261 378} 379 380target iqn.2012-06.com.example:target0 { 381 alias "Example target" 382 auth-group no-authentication 383 lun 0 { 384 path /dev/zvol/tank/example_0 385 blocksize 4096 386 size 4G 387 } 388} 389 390target iqn.2012-06.com.example:target1 { 391 chap chapuser chapsecret 392 lun 0 { 393 path /dev/zvol/tank/example_1 394 } 395} 396 397target iqn.2012-06.com.example:target2 { 398 auth-group ag0 399 portal-group pg0 400 lun 0 { 401 path /dev/zvol/tank/example2_0 402 } 403 lun 1 { 404 path /dev/zvol/tank/example2_1 405 option foo bar 406 } 407} 408.Ed 409.Sh SEE ALSO 410.Xr ctl 4 , 411.Xr ctladm 8 , 412.Xr ctld 8 413.Sh AUTHORS 414The 415.Nm 416configuration file functionality for 417.Xr ctld 8 418was developed by 419.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org 420under sponsorship from the FreeBSD Foundation. 421