xref: /freebsd/usr.sbin/ctld/ctl.conf.5 (revision b3e7694832e81d7a904a10f525f8797b753bf0d3)
1.\" Copyright (c) 2012 The FreeBSD Foundation
2.\" Copyright (c) 2015 Alexander Motin <mav@FreeBSD.org>
3.\" All rights reserved.
4.\"
5.\" This software was developed by Edward Tomasz Napierala under sponsorship
6.\" from the FreeBSD Foundation.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\"    notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\"    notice, this list of conditions and the following disclaimer in the
15.\"    documentation and/or other materials provided with the distribution.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.\" $FreeBSD$
30.\"
31.Dd October 13, 2020
32.Dt CTL.CONF 5
33.Os
34.Sh NAME
35.Nm ctl.conf
36.Nd CAM Target Layer / iSCSI target daemon configuration file
37.Sh DESCRIPTION
38The
39.Nm
40configuration file is used by the
41.Xr ctld 8
42daemon.
43Lines starting with
44.Ql #
45are interpreted as comments.
46The general syntax of the
47.Nm
48file is:
49.Bd -literal -offset indent
50.No pidfile Ar path
51
52.No auth-group Ar name No {
53.Dl chap Ar user Ar secret
54.Dl ...
55}
56
57.No portal-group Ar name No {
58.Dl listen Ar address
59.\".Dl listen-iser Ar address
60.Dl discovery-auth-group Ar name
61.Dl ...
62}
63
64.No target Ar name {
65.Dl auth-group Ar name
66.Dl portal-group Ar name
67.Dl lun Ar number No {
68.Dl 	path Ar path
69.Dl }
70.Dl ...
71}
72.Ed
73.Ss Global Context
74.Bl -tag -width indent
75.It Ic auth-group Ar name
76Create an
77.Sy auth-group
78configuration context,
79defining a new auth-group,
80which can then be assigned to any number of targets.
81.It Ic debug Ar level
82The debug verbosity level.
83The default is 0.
84.It Ic maxproc Ar number
85The limit for concurrently running child processes handling
86incoming connections.
87The default is 30.
88A setting of 0 disables the limit.
89.It Ic pidfile Ar path
90The path to the pidfile.
91The default is
92.Pa /var/run/ctld.pid .
93.It Ic portal-group Ar name
94Create a
95.Sy portal-group
96configuration context,
97defining a new portal-group,
98which can then be assigned to any number of targets.
99.It Ic lun Ar name
100Create a
101.Sy lun
102configuration context, defining a LUN to be exported by any number of targets.
103.It Ic target Ar name
104Create a
105.Sy target
106configuration context, which can optionally contain one or more
107.Sy lun
108contexts.
109.It Ic timeout Ar seconds
110The timeout for login sessions, after which the connection
111will be forcibly terminated.
112The default is 60.
113A setting of 0 disables the timeout.
114.It Ic isns-server Ar address
115An IPv4 or IPv6 address and optionally port of iSNS server to register on.
116.It Ic isns-period Ar seconds
117iSNS registration period.
118Registered Network Entity not updated during this period will be unregistered.
119The default is 900.
120.It Ic isns-timeout Ar seconds
121Timeout for iSNS requests.
122The default is 5.
123.El
124.Ss auth-group Context
125.Bl -tag -width indent
126.It Ic auth-type Ar type
127Sets the authentication type.
128Type can be either
129.Qq Ar none ,
130.Qq Ar deny ,
131.Qq Ar chap ,
132or
133.Qq Ar chap-mutual .
134In most cases it is not necessary to set the type using this clause;
135it is usually used to disable authentication for a given
136.Sy auth-group .
137.It Ic chap Ar user Ar secret
138A set of CHAP authentication credentials.
139Note that for any
140.Sy auth-group ,
141the configuration may only contain either
142.Sy chap
143or
144.Sy chap-mutual
145entries; it is an error to mix them.
146.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret
147A set of mutual CHAP authentication credentials.
148Note that for any
149.Sy auth-group ,
150the configuration may only contain either
151.Sy chap
152or
153.Sy chap-mutual
154entries; it is an error to mix them.
155.It Ic initiator-name Ar initiator-name
156An iSCSI initiator name.
157Only initiators with a name matching one of the defined
158names will be allowed to connect.
159If not defined, there will be no restrictions based on initiator
160name.
161.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen
162An iSCSI initiator portal: an IPv4 or IPv6 address, optionally
163followed by a literal slash and a prefix length.
164Only initiators with an address matching one of the defined
165addresses will be allowed to connect.
166If not defined, there will be no restrictions based on initiator
167address.
168.El
169.Ss portal-group Context
170.Bl -tag -width indent
171.It Ic discovery-auth-group Ar name
172Assign a previously defined authentication group to the portal group,
173to be used for target discovery.
174By default, portal groups are assigned predefined
175.Sy auth-group
176.Qq Ar default ,
177which denies discovery.
178Another predefined
179.Sy auth-group ,
180.Qq Ar no-authentication ,
181may be used
182to permit discovery without authentication.
183.It Ic discovery-filter Ar filter
184Determines which targets are returned during discovery.
185Filter can be either
186.Qq Ar none ,
187.Qq Ar portal ,
188.Qq Ar portal-name ,
189or
190.Qq Ar portal-name-auth .
191When set to
192.Qq Ar none ,
193discovery will return all targets assigned to that portal group.
194When set to
195.Qq Ar portal ,
196discovery will not return targets that cannot be accessed by the
197initiator because of their
198.Sy initiator-portal .
199When set to
200.Qq Ar portal-name ,
201the check will include both
202.Sy initiator-portal
203and
204.Sy initiator-name .
205When set to
206.Qq Ar portal-name-auth ,
207the check will include
208.Sy initiator-portal ,
209.Sy initiator-name ,
210and authentication credentials.
211The target is returned if it does not require CHAP authentication,
212or if the CHAP user and secret used during discovery match those
213used by the target.
214Note that when using
215.Qq Ar portal-name-auth ,
216targets that require CHAP authentication will only be returned if
217.Sy discovery-auth-group
218requires CHAP.
219The default is
220.Qq Ar none .
221.It Ic listen Ar address
222An IPv4 or IPv6 address and port to listen on for incoming connections.
223.\".It Ic listen-iser Ar address
224.\"An IPv4 or IPv6 address and port to listen on for incoming connections
225.\"using iSER (iSCSI over RDMA) protocol.
226.It Ic offload Ar driver
227Define iSCSI hardware offload driver to use for this
228.Sy portal-group .
229The default is
230.Qq Ar none .
231.It Ic option Ar name Ar value
232The CTL-specific port options passed to the kernel.
233.It Ic redirect Ar address
234IPv4 or IPv6 address to redirect initiators to.
235When configured, all initiators attempting to connect to portal
236belonging to this
237.Sy portal-group
238will get redirected using "Target moved temporarily" login response.
239Redirection happens before authentication and any
240.Sy initiator-name
241or
242.Sy initiator-portal
243checks are skipped.
244.It Ic tag Ar value
245Unique 16-bit tag value of this
246.Sy portal-group .
247If not specified, the value is generated automatically.
248.It Ic foreign
249Specifies that this
250.Sy portal-group
251is listened by some other host.
252This host will announce it on discovery stage, but won't listen.
253.It Ic dscp Ar value
254The DiffServ Codepoint used for sending data. The DSCP can be
255set to numeric, or hexadecimal values directly, as well as the
256well-defined
257.Qq Ar CSx
258and
259.Qq Ar AFxx
260codepoints.
261.It Ic pcp Ar value
262The 802.1Q Priority CodePoint used for sending packets.
263The PCP can be set to a value in the range between
264.Qq Ar 0
265to
266.Qq Ar 7 .
267When omitted, the default for the outgoing interface is used.
268.El
269.Ss target Context
270.Bl -tag -width indent
271.It Ic alias Ar text
272Assign a human-readable description to the target.
273There is no default.
274.It Ic auth-group Ar name
275Assign a previously defined authentication group to the target.
276By default, targets that do not specify their own auth settings,
277using clauses such as
278.Sy chap
279or
280.Sy initiator-name ,
281are assigned
282predefined
283.Sy auth-group
284.Qq Ar default ,
285which denies all access.
286Another predefined
287.Sy auth-group ,
288.Qq Ar no-authentication ,
289may be used to permit access
290without authentication.
291Note that this clause can be overridden using the second argument
292to a
293.Sy portal-group
294clause.
295.It Ic auth-type Ar type
296Sets the authentication type.
297Type can be either
298.Qq Ar none ,
299.Qq Ar deny ,
300.Qq Ar chap ,
301or
302.Qq Ar chap-mutual .
303In most cases it is not necessary to set the type using this clause;
304it is usually used to disable authentication for a given
305.Sy target .
306This clause is mutually exclusive with
307.Sy auth-group ;
308one cannot use
309both in a single target.
310.It Ic chap Ar user Ar secret
311A set of CHAP authentication credentials.
312Note that targets must only use one of
313.Sy auth-group , chap , No or Sy chap-mutual ;
314it is a configuration error to mix multiple types in one target.
315.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret
316A set of mutual CHAP authentication credentials.
317Note that targets must only use one of
318.Sy auth-group , chap , No or Sy chap-mutual ;
319it is a configuration error to mix multiple types in one target.
320.It Ic initiator-name Ar initiator-name
321An iSCSI initiator name.
322Only initiators with a name matching one of the defined
323names will be allowed to connect.
324If not defined, there will be no restrictions based on initiator
325name.
326This clause is mutually exclusive with
327.Sy auth-group ;
328one cannot use
329both in a single target.
330.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen
331An iSCSI initiator portal: an IPv4 or IPv6 address, optionally
332followed by a literal slash and a prefix length.
333Only initiators with an address matching one of the defined
334addresses will be allowed to connect.
335If not defined, there will be no restrictions based on initiator
336address.
337This clause is mutually exclusive with
338.Sy auth-group ;
339one cannot use
340both in a single target.
341.Pp
342The
343.Sy auth-type ,
344.Sy chap ,
345.Sy chap-mutual ,
346.Sy initiator-name ,
347and
348.Sy initiator-portal
349clauses in the target context provide an alternative to assigning an
350.Sy auth-group
351defined separately, useful in the common case of authentication settings
352specific to a single target.
353.It Ic portal-group Ar name Op Ar ag-name
354Assign a previously defined portal group to the target.
355The default portal group is
356.Qq Ar default ,
357which makes the target available
358on TCP port 3260 on all configured IPv4 and IPv6 addresses.
359Optional second argument specifies
360.Sy auth-group
361for connections to this specific portal group.
362If second argument is not specified, target
363.Sy auth-group
364is used.
365.It Ic port Ar name
366.It Ic port Ar name/pp
367.It Ic port Ar name/pp/vp
368Assign specified CTL port (such as "isp0" or "isp2/1") to the target.
369This is used to export the target through a specific physical - eg Fibre
370Channel - port, in addition to portal-groups configured for the target.
371Use
372.Cm "ctladm portlist"
373command to retrieve the list of available ports.
374On startup
375.Xr ctld 8
376configures LUN mapping and enables all assigned ports.
377Each port can be assigned to only one target.
378.It Ic redirect Ar address
379IPv4 or IPv6 address to redirect initiators to.
380When configured, all initiators attempting to connect to this target
381will get redirected using "Target moved temporarily" login response.
382Redirection happens after successful authentication.
383.It Ic lun Ar number Ar name
384Export previously defined
385.Sy lun
386by the parent target.
387.It Ic lun Ar number
388Create a
389.Sy lun
390configuration context, defining a LUN exported by the parent target.
391.Pp
392This is an alternative to defining the LUN separately, useful in the common
393case of a LUN being exported by a single target.
394.El
395.Ss lun Context
396.Bl -tag -width indent
397.It Ic backend Ar block No | Ar ramdisk
398The CTL backend to use for a given LUN.
399Valid choices are
400.Qq Ar block
401and
402.Qq Ar ramdisk ;
403block is used for LUNs backed
404by files or disk device nodes; ramdisk is a bitsink device, used mostly for
405testing.
406The default backend is block.
407.It Ic blocksize Ar size
408The blocksize visible to the initiator.
409The default blocksize is 512 for disks, and 2048 for CD/DVDs.
410.It Ic ctl-lun Ar lun_id
411Global numeric identifier to use for a given LUN inside CTL.
412By default CTL allocates those IDs dynamically, but explicit specification
413may be needed for consistency in HA configurations.
414.It Ic device-id Ar string
415The SCSI Device Identification string presented to the initiator.
416.It Ic device-type Ar type
417Specify the SCSI device type to use when creating the LUN.
418Currently CTL supports Direct Access (type 0), Processor (type 3)
419and CD/DVD (type 5) LUNs.
420.It Ic option Ar name Ar value
421The CTL-specific options passed to the kernel.
422All CTL-specific options are documented in the
423.Sx OPTIONS
424section of
425.Xr ctladm 8 .
426.It Ic path Ar path
427The path to the file, device node, or
428.Xr zfs 8
429volume used to back the LUN.
430For optimal performance, create the volume with the
431.Qq Ar volmode=dev
432property set.
433.It Ic serial Ar string
434The SCSI serial number presented to the initiator.
435.It Ic size Ar size
436The LUN size, in bytes or by number with a suffix of
437.Sy K , M , G , T
438(for kilobytes, megabytes, gigabytes, or terabytes).
439When the configuration is in UCL format, use the suffix format
440.Sy kKmMgG Ns | Ns Sy bB ,
441(i.e., 4GB, 4gb, and 4Gb are all equivalent).
442.El
443.Sh FILES
444.Bl -tag -width ".Pa /etc/ctl.conf" -compact
445.It Pa /etc/ctl.conf
446The default location of the
447.Xr ctld 8
448configuration file.
449.El
450.Sh EXAMPLES
451.Bd -literal
452auth-group ag0 {
453	chap-mutual "user" "secret" "mutualuser" "mutualsecret"
454	chap-mutual "user2" "secret2" "mutualuser" "mutualsecret"
455	initiator-portal 192.168.1.1/16
456}
457
458auth-group ag1 {
459	auth-type none
460	initiator-name "iqn.2012-06.com.example:initiatorhost1"
461	initiator-name "iqn.2012-06.com.example:initiatorhost2"
462	initiator-portal 192.168.1.1/24
463	initiator-portal [2001:db8::de:ef]
464}
465
466portal-group pg0 {
467	discovery-auth-group no-authentication
468	listen 0.0.0.0:3260
469	listen [::]:3260
470	listen [fe80::be:ef]:3261
471}
472
473target iqn.2012-06.com.example:target0 {
474	alias "Example target"
475	auth-group no-authentication
476	lun 0 {
477		path /dev/zvol/tank/example_0
478		blocksize 4096
479		size 4G
480	}
481}
482
483lun example_1 {
484	path /dev/zvol/tank/example_1
485	option naa 0x50015178f369f093
486}
487
488target iqn.2012-06.com.example:target1 {
489	auth-group ag0
490	portal-group pg0
491	lun 0 example_1
492	lun 1 {
493		path /dev/zvol/tank/example_2
494		option vendor "FreeBSD"
495	}
496}
497
498target naa.50015178f369f092 {
499	port isp0
500	port isp1
501	lun 0 example_1
502}
503.Ed
504.Pp
505An equivalent configuration in UCL format, for use with
506.Fl u :
507.Bd -literal
508auth-group {
509	ag0 {
510		chap-mutual = [
511			{
512				user = "user"
513				secret = "secretsecret"
514				mutual-user = "mutualuser"
515				mutual-secret = "mutualsecret"
516			},
517			{
518				user = "user2"
519				secret = "secret2secret2"
520				mutual-user = "mutualuser"
521				mutual-secret = "mutualsecret"
522			}
523		]
524	}
525
526	ag1 {
527		auth-type = none
528		initiator-name = [
529			"iqn.2012-06.com.example:initiatorhost1",
530			"iqn.2012-06.com.example:initiatorhost2"
531		]
532		initiator-portal = [192.168.1.1/24, "[2001:db8::de:ef]"]
533	}
534}
535
536portal-group {
537	pg0 {
538		discovery-auth-group = no-authentication
539		listen = [
540			0.0.0.0:3260,
541			"[::]:3260",
542			"[fe80::be:ef]:3261"
543		]
544	}
545}
546
547lun {
548	example_0 {
549		path = /dev/zvol/tank/example_0
550		blocksize = 4096
551		size = 4GB
552	}
553
554	example_1 {
555		path = /dev/zvol/tank/example_1
556		options {
557			naa = "0x50015178f369f093"
558		}
559	}
560
561	example_2 {
562		path = /dev/zvol/tank/example_2
563		options {
564			vendor = "FreeBSD"
565		}
566	}
567}
568
569target {
570	"iqn.2012-06.com.example:target0" {
571		alias = "Example target"
572		auth-group = no-authentication
573		lun = [
574			{ number = 0, name = example_0 },
575		]
576	}
577
578	"iqn.2012-06.com.example:target1" {
579		auth-group = ag0
580		portal-group { name = pg0 }
581		lun = [
582			{ number = 0, name = example_1 },
583			{ number = 1, name = example_2 }
584		]
585	}
586
587	naa.50015178f369f092 {
588		port = isp0
589		lun = [
590			{ number = 0, name = example_1 }
591		]
592	}
593}
594.Ed
595.Sh SEE ALSO
596.Xr ctl 4 ,
597.Xr ctladm 8 ,
598.Xr ctld 8 ,
599.Xr zfs 8
600.Sh AUTHORS
601The
602.Nm
603configuration file functionality for
604.Xr ctld 8
605was developed by
606.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org
607under sponsorship from the FreeBSD Foundation.
608