1.\" Copyright (c) 2012 The FreeBSD Foundation 2.\" Copyright (c) 2015 Alexander Motin <mav@FreeBSD.org> 3.\" All rights reserved. 4.\" 5.\" This software was developed by Edward Tomasz Napierala under sponsorship 6.\" from the FreeBSD Foundation. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd October 13, 2020 30.Dt CTL.CONF 5 31.Os 32.Sh NAME 33.Nm ctl.conf 34.Nd CAM Target Layer / iSCSI target daemon configuration file 35.Sh DESCRIPTION 36The 37.Nm 38configuration file is used by the 39.Xr ctld 8 40daemon. 41Lines starting with 42.Ql # 43are interpreted as comments. 44The general syntax of the 45.Nm 46file is: 47.Bd -literal -offset indent 48.No pidfile Ar path 49 50.No auth-group Ar name No { 51.Dl chap Ar user Ar secret 52.Dl ... 53} 54 55.No portal-group Ar name No { 56.Dl listen Ar address 57.\".Dl listen-iser Ar address 58.Dl discovery-auth-group Ar name 59.Dl ... 60} 61 62.No target Ar name { 63.Dl auth-group Ar name 64.Dl portal-group Ar name 65.Dl lun Ar number No { 66.Dl path Ar path 67.Dl } 68.Dl ... 69} 70.Ed 71.Ss Global Context 72.Bl -tag -width indent 73.It Ic auth-group Ar name 74Create an 75.Sy auth-group 76configuration context, 77defining a new auth-group, 78which can then be assigned to any number of targets. 79.It Ic debug Ar level 80The debug verbosity level. 81The default is 0. 82.It Ic maxproc Ar number 83The limit for concurrently running child processes handling 84incoming connections. 85The default is 30. 86A setting of 0 disables the limit. 87.It Ic pidfile Ar path 88The path to the pidfile. 89The default is 90.Pa /var/run/ctld.pid . 91.It Ic portal-group Ar name 92Create a 93.Sy portal-group 94configuration context, 95defining a new portal-group, 96which can then be assigned to any number of targets. 97.It Ic lun Ar name 98Create a 99.Sy lun 100configuration context, defining a LUN to be exported by any number of targets. 101.It Ic target Ar name 102Create a 103.Sy target 104configuration context, which can optionally contain one or more 105.Sy lun 106contexts. 107.It Ic timeout Ar seconds 108The timeout for login sessions, after which the connection 109will be forcibly terminated. 110The default is 60. 111A setting of 0 disables the timeout. 112.It Ic isns-server Ar address 113An IPv4 or IPv6 address and optionally port of iSNS server to register on. 114.It Ic isns-period Ar seconds 115iSNS registration period. 116Registered Network Entity not updated during this period will be unregistered. 117The default is 900. 118.It Ic isns-timeout Ar seconds 119Timeout for iSNS requests. 120The default is 5. 121.El 122.Ss auth-group Context 123.Bl -tag -width indent 124.It Ic auth-type Ar type 125Sets the authentication type. 126Type can be either 127.Qq Ar none , 128.Qq Ar deny , 129.Qq Ar chap , 130or 131.Qq Ar chap-mutual . 132In most cases it is not necessary to set the type using this clause; 133it is usually used to disable authentication for a given 134.Sy auth-group . 135.It Ic chap Ar user Ar secret 136A set of CHAP authentication credentials. 137Note that for any 138.Sy auth-group , 139the configuration may only contain either 140.Sy chap 141or 142.Sy chap-mutual 143entries; it is an error to mix them. 144.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret 145A set of mutual CHAP authentication credentials. 146Note that for any 147.Sy auth-group , 148the configuration may only contain either 149.Sy chap 150or 151.Sy chap-mutual 152entries; it is an error to mix them. 153.It Ic initiator-name Ar initiator-name 154An iSCSI initiator name. 155Only initiators with a name matching one of the defined 156names will be allowed to connect. 157If not defined, there will be no restrictions based on initiator 158name. 159.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen 160An iSCSI initiator portal: an IPv4 or IPv6 address, optionally 161followed by a literal slash and a prefix length. 162Only initiators with an address matching one of the defined 163addresses will be allowed to connect. 164If not defined, there will be no restrictions based on initiator 165address. 166.El 167.Ss portal-group Context 168.Bl -tag -width indent 169.It Ic discovery-auth-group Ar name 170Assign a previously defined authentication group to the portal group, 171to be used for target discovery. 172By default, portal groups are assigned predefined 173.Sy auth-group 174.Qq Ar default , 175which denies discovery. 176Another predefined 177.Sy auth-group , 178.Qq Ar no-authentication , 179may be used 180to permit discovery without authentication. 181.It Ic discovery-filter Ar filter 182Determines which targets are returned during discovery. 183Filter can be either 184.Qq Ar none , 185.Qq Ar portal , 186.Qq Ar portal-name , 187or 188.Qq Ar portal-name-auth . 189When set to 190.Qq Ar none , 191discovery will return all targets assigned to that portal group. 192When set to 193.Qq Ar portal , 194discovery will not return targets that cannot be accessed by the 195initiator because of their 196.Sy initiator-portal . 197When set to 198.Qq Ar portal-name , 199the check will include both 200.Sy initiator-portal 201and 202.Sy initiator-name . 203When set to 204.Qq Ar portal-name-auth , 205the check will include 206.Sy initiator-portal , 207.Sy initiator-name , 208and authentication credentials. 209The target is returned if it does not require CHAP authentication, 210or if the CHAP user and secret used during discovery match those 211used by the target. 212Note that when using 213.Qq Ar portal-name-auth , 214targets that require CHAP authentication will only be returned if 215.Sy discovery-auth-group 216requires CHAP. 217The default is 218.Qq Ar none . 219.It Ic listen Ar address 220An IPv4 or IPv6 address and port to listen on for incoming connections. 221.\".It Ic listen-iser Ar address 222.\"An IPv4 or IPv6 address and port to listen on for incoming connections 223.\"using iSER (iSCSI over RDMA) protocol. 224.It Ic offload Ar driver 225Define iSCSI hardware offload driver to use for this 226.Sy portal-group . 227The default is 228.Qq Ar none . 229.It Ic option Ar name Ar value 230The CTL-specific port options passed to the kernel. 231.It Ic redirect Ar address 232IPv4 or IPv6 address to redirect initiators to. 233When configured, all initiators attempting to connect to portal 234belonging to this 235.Sy portal-group 236will get redirected using "Target moved temporarily" login response. 237Redirection happens before authentication and any 238.Sy initiator-name 239or 240.Sy initiator-portal 241checks are skipped. 242.It Ic tag Ar value 243Unique 16-bit tag value of this 244.Sy portal-group . 245If not specified, the value is generated automatically. 246.It Ic foreign 247Specifies that this 248.Sy portal-group 249is listened by some other host. 250This host will announce it on discovery stage, but won't listen. 251.It Ic dscp Ar value 252The DiffServ Codepoint used for sending data. The DSCP can be 253set to numeric, or hexadecimal values directly, as well as the 254well-defined 255.Qq Ar CSx 256and 257.Qq Ar AFxx 258codepoints. 259.It Ic pcp Ar value 260The 802.1Q Priority CodePoint used for sending packets. 261The PCP can be set to a value in the range between 262.Qq Ar 0 263to 264.Qq Ar 7 . 265When omitted, the default for the outgoing interface is used. 266.El 267.Ss target Context 268.Bl -tag -width indent 269.It Ic alias Ar text 270Assign a human-readable description to the target. 271There is no default. 272.It Ic auth-group Ar name 273Assign a previously defined authentication group to the target. 274By default, targets that do not specify their own auth settings, 275using clauses such as 276.Sy chap 277or 278.Sy initiator-name , 279are assigned 280predefined 281.Sy auth-group 282.Qq Ar default , 283which denies all access. 284Another predefined 285.Sy auth-group , 286.Qq Ar no-authentication , 287may be used to permit access 288without authentication. 289Note that this clause can be overridden using the second argument 290to a 291.Sy portal-group 292clause. 293.It Ic auth-type Ar type 294Sets the authentication type. 295Type can be either 296.Qq Ar none , 297.Qq Ar deny , 298.Qq Ar chap , 299or 300.Qq Ar chap-mutual . 301In most cases it is not necessary to set the type using this clause; 302it is usually used to disable authentication for a given 303.Sy target . 304This clause is mutually exclusive with 305.Sy auth-group ; 306one cannot use 307both in a single target. 308.It Ic chap Ar user Ar secret 309A set of CHAP authentication credentials. 310Note that targets must only use one of 311.Sy auth-group , chap , No or Sy chap-mutual ; 312it is a configuration error to mix multiple types in one target. 313.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret 314A set of mutual CHAP authentication credentials. 315Note that targets must only use one of 316.Sy auth-group , chap , No or Sy chap-mutual ; 317it is a configuration error to mix multiple types in one target. 318.It Ic initiator-name Ar initiator-name 319An iSCSI initiator name. 320Only initiators with a name matching one of the defined 321names will be allowed to connect. 322If not defined, there will be no restrictions based on initiator 323name. 324This clause is mutually exclusive with 325.Sy auth-group ; 326one cannot use 327both in a single target. 328.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen 329An iSCSI initiator portal: an IPv4 or IPv6 address, optionally 330followed by a literal slash and a prefix length. 331Only initiators with an address matching one of the defined 332addresses will be allowed to connect. 333If not defined, there will be no restrictions based on initiator 334address. 335This clause is mutually exclusive with 336.Sy auth-group ; 337one cannot use 338both in a single target. 339.Pp 340The 341.Sy auth-type , 342.Sy chap , 343.Sy chap-mutual , 344.Sy initiator-name , 345and 346.Sy initiator-portal 347clauses in the target context provide an alternative to assigning an 348.Sy auth-group 349defined separately, useful in the common case of authentication settings 350specific to a single target. 351.It Ic portal-group Ar name Op Ar ag-name 352Assign a previously defined portal group to the target. 353The default portal group is 354.Qq Ar default , 355which makes the target available 356on TCP port 3260 on all configured IPv4 and IPv6 addresses. 357Optional second argument specifies 358.Sy auth-group 359for connections to this specific portal group. 360If second argument is not specified, target 361.Sy auth-group 362is used. 363.It Ic port Ar name 364.It Ic port Ar name/pp 365.It Ic port Ar name/pp/vp 366Assign specified CTL port (such as "isp0" or "isp2/1") to the target. 367This is used to export the target through a specific physical - eg Fibre 368Channel - port, in addition to portal-groups configured for the target. 369Use 370.Cm "ctladm portlist" 371command to retrieve the list of available ports. 372On startup 373.Xr ctld 8 374configures LUN mapping and enables all assigned ports. 375Each port can be assigned to only one target. 376.It Ic redirect Ar address 377IPv4 or IPv6 address to redirect initiators to. 378When configured, all initiators attempting to connect to this target 379will get redirected using "Target moved temporarily" login response. 380Redirection happens after successful authentication. 381.It Ic lun Ar number Ar name 382Export previously defined 383.Sy lun 384by the parent target. 385.It Ic lun Ar number 386Create a 387.Sy lun 388configuration context, defining a LUN exported by the parent target. 389.Pp 390This is an alternative to defining the LUN separately, useful in the common 391case of a LUN being exported by a single target. 392.El 393.Ss lun Context 394.Bl -tag -width indent 395.It Ic backend Ar block No | Ar ramdisk 396The CTL backend to use for a given LUN. 397Valid choices are 398.Qq Ar block 399and 400.Qq Ar ramdisk ; 401block is used for LUNs backed 402by files or disk device nodes; ramdisk is a bitsink device, used mostly for 403testing. 404The default backend is block. 405.It Ic blocksize Ar size 406The blocksize visible to the initiator. 407The default blocksize is 512 for disks, and 2048 for CD/DVDs. 408.It Ic ctl-lun Ar lun_id 409Global numeric identifier to use for a given LUN inside CTL. 410By default CTL allocates those IDs dynamically, but explicit specification 411may be needed for consistency in HA configurations. 412.It Ic device-id Ar string 413The SCSI Device Identification string presented to the initiator. 414.It Ic device-type Ar type 415Specify the SCSI device type to use when creating the LUN. 416Currently CTL supports Direct Access (type 0), Processor (type 3) 417and CD/DVD (type 5) LUNs. 418.It Ic option Ar name Ar value 419The CTL-specific options passed to the kernel. 420All CTL-specific options are documented in the 421.Sx OPTIONS 422section of 423.Xr ctladm 8 . 424.It Ic path Ar path 425The path to the file, device node, or 426.Xr zfs 8 427volume used to back the LUN. 428For optimal performance, create the volume with the 429.Qq Ar volmode=dev 430property set. 431.It Ic serial Ar string 432The SCSI serial number presented to the initiator. 433.It Ic size Ar size 434The LUN size, in bytes or by number with a suffix of 435.Sy K , M , G , T 436(for kilobytes, megabytes, gigabytes, or terabytes). 437When the configuration is in UCL format, use the suffix format 438.Sy kKmMgG Ns | Ns Sy bB , 439(i.e., 4GB, 4gb, and 4Gb are all equivalent). 440.El 441.Sh FILES 442.Bl -tag -width ".Pa /etc/ctl.conf" -compact 443.It Pa /etc/ctl.conf 444The default location of the 445.Xr ctld 8 446configuration file. 447.El 448.Sh EXAMPLES 449.Bd -literal 450auth-group ag0 { 451 chap-mutual "user" "secret" "mutualuser" "mutualsecret" 452 chap-mutual "user2" "secret2" "mutualuser" "mutualsecret" 453 initiator-portal 192.168.1.1/16 454} 455 456auth-group ag1 { 457 auth-type none 458 initiator-name "iqn.2012-06.com.example:initiatorhost1" 459 initiator-name "iqn.2012-06.com.example:initiatorhost2" 460 initiator-portal 192.168.1.1/24 461 initiator-portal [2001:db8::de:ef] 462} 463 464portal-group pg0 { 465 discovery-auth-group no-authentication 466 listen 0.0.0.0:3260 467 listen [::]:3260 468 listen [fe80::be:ef]:3261 469} 470 471target iqn.2012-06.com.example:target0 { 472 alias "Example target" 473 auth-group no-authentication 474 lun 0 { 475 path /dev/zvol/tank/example_0 476 blocksize 4096 477 size 4G 478 } 479} 480 481lun example_1 { 482 path /dev/zvol/tank/example_1 483 option naa 0x50015178f369f093 484} 485 486target iqn.2012-06.com.example:target1 { 487 auth-group ag0 488 portal-group pg0 489 lun 0 example_1 490 lun 1 { 491 path /dev/zvol/tank/example_2 492 option vendor "FreeBSD" 493 } 494} 495 496target naa.50015178f369f092 { 497 port isp0 498 port isp1 499 lun 0 example_1 500} 501.Ed 502.Pp 503An equivalent configuration in UCL format, for use with 504.Fl u : 505.Bd -literal 506auth-group { 507 ag0 { 508 chap-mutual = [ 509 { 510 user = "user" 511 secret = "secretsecret" 512 mutual-user = "mutualuser" 513 mutual-secret = "mutualsecret" 514 }, 515 { 516 user = "user2" 517 secret = "secret2secret2" 518 mutual-user = "mutualuser" 519 mutual-secret = "mutualsecret" 520 } 521 ] 522 } 523 524 ag1 { 525 auth-type = none 526 initiator-name = [ 527 "iqn.2012-06.com.example:initiatorhost1", 528 "iqn.2012-06.com.example:initiatorhost2" 529 ] 530 initiator-portal = [192.168.1.1/24, "[2001:db8::de:ef]"] 531 } 532} 533 534portal-group { 535 pg0 { 536 discovery-auth-group = no-authentication 537 listen = [ 538 0.0.0.0:3260, 539 "[::]:3260", 540 "[fe80::be:ef]:3261" 541 ] 542 } 543} 544 545lun { 546 example_0 { 547 path = /dev/zvol/tank/example_0 548 blocksize = 4096 549 size = 4GB 550 } 551 552 example_1 { 553 path = /dev/zvol/tank/example_1 554 options { 555 naa = "0x50015178f369f093" 556 } 557 } 558 559 example_2 { 560 path = /dev/zvol/tank/example_2 561 options { 562 vendor = "FreeBSD" 563 } 564 } 565} 566 567target { 568 "iqn.2012-06.com.example:target0" { 569 alias = "Example target" 570 auth-group = no-authentication 571 lun = [ 572 { number = 0, name = example_0 }, 573 ] 574 } 575 576 "iqn.2012-06.com.example:target1" { 577 auth-group = ag0 578 portal-group { name = pg0 } 579 lun = [ 580 { number = 0, name = example_1 }, 581 { number = 1, name = example_2 } 582 ] 583 } 584 585 naa.50015178f369f092 { 586 port = isp0 587 lun = [ 588 { number = 0, name = example_1 } 589 ] 590 } 591} 592.Ed 593.Sh SEE ALSO 594.Xr ctl 4 , 595.Xr ctladm 8 , 596.Xr ctld 8 , 597.Xr zfs 8 598.Sh AUTHORS 599The 600.Nm 601configuration file functionality for 602.Xr ctld 8 603was developed by 604.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org 605under sponsorship from the FreeBSD Foundation. 606