.\" Copyright (c) 2012 The FreeBSD Foundation
.\" All rights reserved.
.\" This software was developed by Edward Tomasz Napierala under sponsorship
.\" from the FreeBSD Foundation.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd CAM Target Layer / iSCSI target daemon configuration file
configuration file is used by the
are interpreted as comments.
The general syntax of the
.Bd -literal -offset indent
.No auth-group Ar name No {
.Dl chap Ar user Ar secret
.No portal-group Ar name No {
.\".Dl listen-iser Ar address
.Dl discovery-auth-group Ar name
.Dl auth-group Ar name
.Dl portal-group Ar name
.Dl lun Ar number No {
.Bl -tag -width indent
.It Ic auth-group Ar name
configuration context,
defining a new auth-group,
which can then be assigned to any number of targets.
The debug verbosity level.
.It Ic maxproc Ar number
The limit for concurrently running child processes handling
A setting of 0 disables the limit.
.It Ic pidfile Ar path
The path to the pidfile.
.Pa /var/run/ctld.pid .
.It Ic portal-group Ar name
configuration context,
defining a new portal-group,
which can then be assigned to any number of targets.
configuration context, defining a LUN to be exported by any number of targets.
.It Ic target Ar name
configuration context, which can optionally contain one or more
.It Ic timeout Ar seconds
The timeout for login sessions, after which the connection
will be forcibly terminated.
A setting of 0 disables the timeout.
.It Ic isns-server Ar address
An IPv4 or IPv6 address and optionally port of iSNS server to register on.
.It Ic isns-period Ar seconds
iSNS registration period.
Registered Network Entity not updated during this period will be unregistered.
.It Ic isns-timeout Ar seconds
Timeout for iSNS requests.
.Ss auth-group Context
.Bl -tag -width indent
.It Ic auth-type Ar type
Sets the authentication type.
In most cases it is not necessary to set the type using this clause;
it is usually used to disable authentication for a given
.It Ic chap Ar user Ar secret
A set of CHAP authentication credentials.
the configuration may only contain either
entries; it is an error to mix them.
.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret
A set of mutual CHAP authentication credentials.
the configuration may only contain either
entries; it is an error to mix them.
.It Ic initiator-name Ar initiator-name
An iSCSI initiator name.
Only initiators with a name matching one of the defined
names will be allowed to connect.
If not defined, there will be no restrictions based on initiator
.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen
An iSCSI initiator portal: an IPv4 or IPv6 address, optionally
followed by a literal slash and a prefix length.
Only initiators with an address matching one of the defined
addresses will be allowed to connect.
If not defined, there will be no restrictions based on initiator
.Ss portal-group Context
.Bl -tag -width indent
.It Ic discovery-auth-group Ar name
Assign a previously defined authentication group to the portal group,
to be used for target discovery.
By default, portal groups are assigned predefined
which denies discovery.
.Qq Ar no-authentication ,
to permit discovery without authentication.
.It Ic discovery-filter Ar filter
Determines which targets are returned during discovery.
.Qq Ar portal-name-auth .
discovery will return all targets assigned to that portal group.
discovery will not return targets that cannot be accessed by the
initiator because of their
.Sy initiator-portal .
the check will include both
.Qq Ar portal-name-auth ,
the check will include
.Sy initiator-portal ,
and authentication credentials.
The target is returned if it does not require CHAP authentication,
or if the CHAP user and secret used during discovery match those
.Qq Ar portal-name-auth ,
targets that require CHAP authentication will only be returned if
.Sy discovery-auth-group
.It Ic listen Ar address
An IPv4 or IPv6 address and port to listen on for incoming connections.
.\".It Ic listen-iser Ar address
.\"An IPv4 or IPv6 address and port to listen on for incoming connections
.\"using iSER (iSCSI over RDMA) protocol.
.It Ic offload Ar driver
Define iSCSI hardware offload driver to use for this
.It Ic redirect Ar address
IPv4 or IPv6 address to redirect initiators to.
When configured, all initiators attempting to connect to portal
will get redirected using "Target moved temporarily" login response.
Redirection happens before authentication and any
.Bl -tag -width indent
Assign a human-readable description to the target.
.It Ic auth-group Ar name
Assign a previously defined authentication group to the target.
By default, targets that do not specify their own auth settings,
using clauses such as
which denies all access.
.Qq Ar no-authentication ,
may be used to permit access
without authentication.
Note that this clause can be overridden using the second argument
.It Ic auth-type Ar type
Sets the authentication type.
In most cases it is not necessary to set the type using this clause;
it is usually used to disable authentication for a given
This clause is mutually exclusive with
both in a single target.
.It Ic chap Ar user Ar secret
A set of CHAP authentication credentials.
Note that targets must only use one of
.Sy auth-group , chap , No or Sy chap-mutual ;
it is a configuration error to mix multiple types in one target.
.It Ic chap-mutual Ar user Ar secret Ar mutualuser Ar mutualsecret
A set of mutual CHAP authentication credentials.
Note that targets must only use one of
.Sy auth-group , chap , No or Sy chap-mutual ;
it is a configuration error to mix multiple types in one target.
.It Ic initiator-name Ar initiator-name
An iSCSI initiator name.
Only initiators with a name matching one of the defined
names will be allowed to connect.
If not defined, there will be no restrictions based on initiator
This clause is mutually exclusive with
both in a single target.
.It Ic initiator-portal Ar address Ns Op / Ns Ar prefixlen
An iSCSI initiator portal: an IPv4 or IPv6 address, optionally
followed by a literal slash and a prefix length.
Only initiators with an address matching one of the defined
addresses will be allowed to connect.
If not defined, there will be no restrictions based on initiator
This clause is mutually exclusive with
both in a single target.
clauses in the target context provide an alternative to assigning an
defined separately, useful in the common case of authentication settings
specific to a single target.
.It Ic portal-group Ar name Op Ar ag-name
Assign a previously defined portal group to the target.
The default portal group is
which makes the target available
on TCP port 3260 on all configured IPv4 and IPv6 addresses.
Optional second argument specifies
for connections to this specific portal group.
If second argument is not specified, target
.It Ic port Ar name/pp
.It Ic port Ar name/pp/vp
Assign specified CTL port (such as "isp0" or "isp2/1") to the target.
This is used to export the target through a specific physical - eg Fibre
Channel - port, in addition to portal-groups configured for the target.
.Cm "ctladm portlist"
command to retrieve the list of available ports.
configures LUN mapping and enables all assigned ports.
Each port can be assigned to only one target.
.It Ic redirect Ar address
IPv4 or IPv6 address to redirect initiators to.
When configured, all initiators attempting to connect to this target
will get redirected using "Target moved temporarily" login response.
Redirection happens after successful authentication.
.It Ic lun Ar number Ar name
Export previously defined
by the parent target.
configuration context, defining a LUN exported by the parent target.
This is an alternative to defining the LUN separately, useful in the common
case of a LUN being exported by a single target.
.Bl -tag -width indent
.It Ic backend Ar block No | Ar ramdisk
The CTL backend to use for a given LUN.
block is used for LUNs backed
by files or disk device nodes; ramdisk is a bitsink device, used mostly for
The default backend is block.
.It Ic blocksize Ar size
The blocksize visible to the initiator.
The default blocksize is 512.
.It Ic device-id Ar string
The SCSI Device Identification string presented to the initiator.
.It Ic option Ar name Ar value
The CTL-specific options passed to the kernel.
All CTL-specific options are documented in the
The path to the file, device node, or
volume used to back the LUN.
For optimal performance, create the volume with the
.It Ic serial Ar string
The SCSI serial number presented to the initiator.
The LUN size, in bytes.
.Bl -tag -width ".Pa /etc/ctl.conf" -compact
The default location of the
chap-mutual "user" "secret" "mutualuser" "mutualsecret"
chap-mutual "user2" "secret2" "mutualuser" "mutualsecret"
initiator-portal 192.168.1.1/16
initiator-name "iqn.2012-06.com.example:initiatorhost1"
initiator-name "iqn.2012-06.com.example:initiatorhost2"
initiator-portal 192.168.1.1/24
initiator-portal [2001:db8::de:ef]
discovery-auth-group no-authentication
listen [fe80::be:ef]:3261
target iqn.2012-06.com.example:target0 {
alias "Example target"
auth-group no-authentication
path /dev/zvol/tank/example_0
path /dev/zvol/tank/example_1
option naa 0x50015178f369f093
target iqn.2012-06.com.example:target1 {
path /dev/zvol/tank/example_2
option vendor "FreeBSD"
target naa.50015178f369f092 {
configuration file functionality for
.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org
under sponsorship from the FreeBSD Foundation.
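
An added example, not part of this manual page or of the FreeBSD source: a Python audit of a ctl.conf-style file for the authentication settings described above, namely no-authentication assigned for discovery or target access, and chap, chap-mutual and auth-group mixed where the page calls that an error. It assumes one clause per line and '#' as the comment marker; the function names and the sample configuration are constructed for illustration.

```python
import re
SAMPLE = '''# constructed sample in the syntax documented here, not a real deployment
auth-group ag0 {
    chap "user" "secret"
    chap-mutual "user2" "secret2" "mutualuser" "mutualsecret"
}
portal-group pg0 {
    discovery-auth-group no-authentication
}
target iqn.2012-06.com.example:target0 {
    auth-group no-authentication
    lun 0 {
        path /dev/zvol/tank/example_0
    }
}
target iqn.2012-06.com.example:target1 {
    auth-group ag0
    chap "user" "secret"
}
'''
TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')
AUTH = {'auth-group', 'chap', 'chap-mutual'}

def parse(text):
    blocks, depth = [], 0          # blocks: [context, name, clauses] per top-level block
    for line in text.splitlines():
        toks = TOKEN.findall(line)
        if not toks or toks[0].startswith('#'):   # assumption: '#' starts a comment line
            continue
        if toks[-1] == '{':                       # opener such as "target name {"
            depth += 1
            blocks += [[toks[0], toks[1], []]] if depth == 1 else []
        elif toks == ['}']:
            depth -= 1
        elif depth == 1:                          # clauses of nested lun blocks are skipped
            blocks[-1][2].append([t.strip('"') for t in toks])
    return blocks

def audit(text):
    for ctx, name, clauses in parse(text):
        kinds = {c[0] for c in clauses}
        noauth = any(c[0].endswith('auth-group') and c[-1] == 'no-authentication' for c in clauses)
        checks = [
            (ctx == 'auth-group' and {'chap', 'chap-mutual'} <= kinds, 'mixes chap and chap-mutual'),
            (ctx == 'portal-group' and noauth, 'discovery without authentication'),
            (ctx == 'target' and noauth, 'access without authentication'),
            (ctx == 'target' and len(kinds & AUTH) > 1, 'mixes auth-group, chap, chap-mutual'),
        ]
        yield from ((name, msg) for hit, msg in checks if hit)
```

Calling list(audit(SAMPLE)) yields one finding per block in the constructed sample; a target that uses only chap and contains a lun block yields none.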