.\" Copyright (c) 2012 The FreeBSD Foundation
.\" All rights reserved.
.\" This software was developed by Edward Tomasz Napierala under sponsorship
.\" from the FreeBSD Foundation.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd CAM Target Layer / iSCSI target daemon configuration file
configuration file is used by the
are interpreted as comments.
The general syntax of the
.Bd -literal -offset indent
.No auth-group Ar name No {
.Dl chap Ar user Ar secret
.No portal-group Ar name No {
.\".Dl listen-iser Ar address
.Dl discovery-auth-group Ar name
.Dl auth-group Ar name
.Dl portal-group Ar name Op Ar agname
.Dl lun Ar number Ar name
.Dl lun Ar number No {
.Bl -tag -width indent
.It Ic auth-group Ar name
configuration context,
defining a new auth-group,
which can then be assigned to any number of targets.
The debug verbosity level.
.It Ic maxproc Ar number
The limit for concurrently running child processes handling
A setting of 0 disables the limit.
.It Ic pidfile Ar path
The path to the pidfile.
.Pa /var/run/ctld.pid .
.It Ic portal-group Ar name
configuration context,
defining a new portal-group,
which can then be assigned to any number of targets.
configuration context, defining a LUN to be exported by some target(s).
.It Ic target Ar name
configuration context, which can contain one or more
.It Ic timeout Ar seconds
The timeout for login sessions, after which the connection
will be forcibly terminated.
A setting of 0 disables the timeout.
.It Ic isns-server Ar address
An IPv4 or IPv6 address and optionally port of iSNS server to register on.
.It Ic isns-period Ar seconds
iSNS registration period.
Registered Network Entity not updated during this period will be unregistered.
.It Ic isns-timeout Ar seconds
Timeout for iSNS requests.
.Ss auth-group Context
.Bl -tag -width indent
.It Ic auth-type Ar type
Sets the authentication type.
In most cases it is not necessary to set the type using this clause;
it is usually used to disable authentication for a given
.It Ic chap Ar user Ar secret
A set of CHAP authentication credentials.
the configuration may only contain either
entries; it is an error to mix them.
.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret
A set of mutual CHAP authentication credentials.
the configuration may only contain either
entries; it is an error to mix them.
.It Ic initiator-name Ar initiator-name
An iSCSI initiator name.
Only initiators with a name matching one of the defined
names will be allowed to connect.
If not defined, there will be no restrictions based on initiator
.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen
An iSCSI initiator portal: an IPv4 or IPv6 address, optionally
followed by a literal slash and a prefix length.
Only initiators with an address matching one of the defined
addresses will be allowed to connect.
If not defined, there will be no restrictions based on initiator
.Ss portal-group Context
.Bl -tag -width indent
.It Ic discovery-auth-group Ar name
Assign a previously defined authentication group to the portal group,
to be used for target discovery.
By default, portal groups are assigned predefined
which denies discovery.
.Qq Ar no-authentication ,
to permit discovery without authentication.
.It Ic discovery-filter Ar filter
Determines which targets are returned during discovery.
.Qq Ar portal-name-auth .
discovery will return all targets assigned to that portal group.
discovery will not return targets that cannot be accessed by the
initiator because of their
.Sy initiator-portal .
the check will include both
.Qq Ar portal-name-auth ,
the check will include
.Sy initiator-portal ,
and authentication credentials.
The target is returned if it does not require CHAP authentication,
or if the CHAP user and secret used during discovery match those
.Qq Ar portal-name-auth ,
targets that require CHAP authentication will only be returned if
.Sy discovery-auth-group
.It Ic listen Ar address
An IPv4 or IPv6 address and port to listen on for incoming connections.
.\".It Ic listen-iser Ar address
.\"An IPv4 or IPv6 address and port to listen on for incoming connections
.\"using iSER (iSCSI over RDMA) protocol.
.It Ic redirect Aq Ar address
IPv4 or IPv6 address to redirect initiators to.
When configured, all initiators attempting to connect to portal
will get redirected using "Target moved temporarily" login response.
Redirection happens before authentication and any
.Bl -tag -width indent
Assign a human-readable description to the target.
.It Ic auth-group Ar name
Assign a previously defined authentication group to the target.
By default, targets that do not specify their own auth settings,
using clauses such as
which denies all access.
.Qq Ar no-authentication ,
may be used to permit access
without authentication.
Note that targets must only use one of
.Sy auth-group , chap , No or Sy chap-mutual ;
it is a configuration error to mix multiple types in one target.
.It Ic auth-type Ar type
Sets the authentication type.
In most cases it is not necessary to set the type using this clause;
it is usually used to disable authentication for a given
This clause is mutually exclusive with
both in a single target.
.It Ic chap Ar user Ar secret
A set of CHAP authentication credentials.
Note that targets must only use one of
.Sy auth-group , chap , No or Sy chap-mutual ;
it is a configuration error to mix multiple types in one target.
.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret
A set of mutual CHAP authentication credentials.
Note that targets must only use one of
.Sy auth-group , chap , No or Sy chap-mutual ;
it is a configuration error to mix multiple types in one target.
.It Ic initiator-name Ar initiator-name
An iSCSI initiator name.
Only initiators with a name matching one of the defined
names will be allowed to connect.
If not defined, there will be no restrictions based on initiator
This clause is mutually exclusive with
both in a single target.
.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen
An iSCSI initiator portal: an IPv4 or IPv6 address, optionally
followed by a literal slash and a prefix length.
Only initiators with an address matching one of the defined
addresses will be allowed to connect.
If not defined, there will be no restrictions based on initiator
This clause is mutually exclusive with
both in a single target.
.It Ic portal-group Ar name Op Ar agname
Assign a previously defined portal group to the target.
The default portal group is
which makes the target available
on TCP port 3260 on all configured IPv4 and IPv6 addresses.
Optional second argument specifies auth group name for connections
to this specific portal group.
If second argument is not specified, target auth group is used.
.It Ic redirect Aq Ar address
IPv4 or IPv6 address to redirect initiators to.
When configured, all initiators attempting to connect to this target
will get redirected using "Target moved temporarily" login response.
Redirection happens after successful authentication.
.It Ic lun Ar number Ar name
Export previously defined
by the parent target.
configuration context, defining a LUN exported by the parent target.
.Bl -tag -width indent
.It Ic backend Ar block No | Ar ramdisk
The CTL backend to use for a given LUN.
block is used for LUNs backed
by files or disk device nodes; ramdisk is a bitsink device, used mostly for
The default backend is block.
.It Ic blocksize Ar size
The blocksize visible to the initiator.
The default blocksize is 512.
.It Ic device-id Ar string
The SCSI Device Identification string presented to the initiator.
.It Ic option Ar name Ar value
The CTL-specific options passed to the kernel.
All CTL-specific options are documented in the
The path to the file or device node used to back the LUN.
.It Ic serial Ar string
The SCSI serial number presented to the initiator.
The LUN size, in bytes.
.Bl -tag -width ".Pa /etc/ctl.conf" -compact
The default location of the
chap-mutual "user" "secret" "mutualuser" "mutualsecret"
chap-mutual "user2" "secret2" "mutualuser" "mutualsecret"
initiator-name "iqn.2012-06.com.example:initiatorhost1"
initiator-name "iqn.2012-06.com.example:initiatorhost2"
initiator-portal 192.168.1.1/24
initiator-portal [2001:db8::de:ef]
discovery-auth-group no-authentication
listen [fe80::be:ef]:3261
target iqn.2012-06.com.example:target0 {
alias "Example target"
auth-group no-authentication
path /dev/zvol/tank/example_0
path /dev/zvol/tank/example_1
target iqn.2012-06.com.example:target1 {
chap chapuser chapsecret
target iqn.2012-06.com.example:target2 {
path /dev/zvol/tank/example_2
configuration file functionality for
.An Edward Tomasz Napierala Aq trasz@FreeBSD.org
under sponsorship from the FreeBSD Foundation.
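Added example, not part of the original manual page or of ctld: a Python check that reads a configuration written one clause per line, as in the sample configuration on this page, and reports the authentication settings described above as permissive or invalid. The names parse, audit and SAMPLE are hypothetical, the one-clause-per-line layout is an assumption, and the sample configuration is constructed.

```python
import shlex

# Constructed sample, laid out one clause per line like this page's example.
SAMPLE = """\
auth-group ag0 {
    chap-mutual "user" "secret" "mutualuser" "mutualsecret"
}
portal-group pg0 {
    discovery-auth-group no-authentication
}
target iqn.2012-06.com.example:target0 {
    auth-group no-authentication  # open target
    lun 0 {
        path /dev/zvol/tank/example_0
    }
}
target iqn.2012-06.com.example:target1 {
    auth-group ag0
    chap chapuser chapsecret
}
target iqn.2012-06.com.example:target2 {
    auth-group ag0
}
"""

def parse(text):  # yields (context, name, clauses) per top-level block
    stack = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and # comments
        if tok and tok[-1] == "{":
            stack.append((tok[0], tok[1], []))
        elif tok == ["}"]:
            block = stack.pop()
            if not stack:  # nested lun blocks are dropped, not audited
                yield block
        elif tok and stack:
            stack[-1][2].append(tok)

def audit(text):
    """Return (block name, finding) pairs for the auth rules on this page."""
    out = []
    for ctx, name, clauses in parse(text):
        kinds = {c[0] for c in clauses} & {"auth-group", "chap", "chap-mutual"}
        if ctx == "target" and len(kinds) > 1:  # documented configuration error
            out.append((name, "mixes " + ", ".join(sorted(kinds))))
        key = {"target": "auth-group", "portal-group": "discovery-auth-group"}.get(ctx)
        if [key, "no-authentication"] in clauses:
            out.append((name, f"{key} no-authentication: no credentials required"))
    return out
```

A target with no auth clause at all is not reported, because the page states that such targets fall back to a predefined group that denies all access.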