RE: ctl.conf / iscsi docs and best practices
- In reply to: mike tancsa : "Re: ctl.conf / iscsi docs and best practices"
Date: Mon, 14 Mar 2022 19:36:50 UTC
INLINE

-----Original Message-----
From: mike tancsa [mailto:mike@sentex.net]
Sent: Monday, March 14, 2022 3:13 PM
To: Michael Jung <mikej@paymentallianceintl.com>; freebsd-fs <freebsd-fs@freebsd.org>
Subject: Re: ctl.conf / iscsi docs and best practices

On 3/14/2022 3:00 PM, Michael Jung wrote:
> I just started working with the target again about a week ago, here is
> my setup.
>
> For two remote initiators to connect to the same target you need
> option "ha shared" "on"
>
> Maybe this helps you a little.
>

It does, thank you!! Couple of questions below.

> auth-group "ag0" {
>     initiator-name "iqn.1998-01.com.vmware:hv1-3972eaf3"
>     initiator-name "iqn.1998-01.com.vmware:esxi2.mikej.local:980613345:64"
>     initiator-name "iqn.1998-01.com.vmware:esxi3.mikej.local.:1805690011:64"
>     initiator-portal "192.168.6.8"
>     initiator-portal "192.168.6.14"
>     initiator-portal "192.168.6.5"
>     auth-type "none"
> }
>

For the above auth group, for the portal IPs I guess this means those users are only allowed to connect from those IP addresses but you can't restrict a user to a specific IP ?

>>>As far as what I have done in the past with other targets, what I think FreeBSD's target is
>>>easily capable of would be to use CHAP authentication to restrict initiators. This is my
>>>home lab so I didn't bother with it, spin up truenas and set up chap and look at
>>>/etc/ctl.conf
>>>and that will get you started. You can then limit by IP/CHAP secret, IP only, CHAP secret only...

>
> option "naa" "0x6589cfc00000079e8a0d223e935440ab"
>

the naa is just a unique identifier ? Who / what makes use of that ? A quick google says it's just used to identify the serial #. Why / when would I want to do that ?

>>>Unique Identifier - To the best of my knowledge that's all it is - I'm not an expert here.

In the two targets below, why use lun "0" and why lun "1" in the second target ? From the config I generated from TrueNAS, it kept the lun as "0" for each target. Just convention ?

>>> I use two different LUNS because LUN 0 is shared between my three esxi hosts, and they
>>> know how to play nicely on a shared LUN.
>>> Unitrends, which is a backup solution would wipe out everything on LUN 0 if I let it
>>> have access to it. So, I have two ZFS pools sets as volmode=dev, then I share them as two different LUNS.
>>> --mikej

Thanks again!

---Mike

>
>
> target "iqn.2005-10.org.mikej.ctl:esxi-store1" {
>     auth-group "ag0"
>     portal-group "pg0"
>     alias "esxi-store1"
>     lun "0" "esxi-store1"
> }
>
> target "iqn.1994-05.com.unitrends:60e2f1d15e57" {
>     auth-group "ag1"
>     portal-group "pg0"
>     alias "unitrens11"
>     lun "1" "unitrends1"
> }
>
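
The three ways of restricting initiators mentioned in the reply above (IP only, CHAP secret only, IP plus CHAP secret), sketched as ctl.conf auth-group blocks. This is an added example, not configuration from either poster: the group names, the CHAP user name, the placeholder secret and the 192.168.6.0/24 network are assumptions.

```conf
# Added example: three auth-group variants for /etc/ctl.conf.
# All names, addresses and the secret below are constructed placeholders.

# 1. IP only: no authentication, access limited by source address.
#    Same pattern as "ag0" in the thread. An initiator name is easy to
#    forge, so the portal list is the only real control here.
auth-group "ag-ip-only" {
    auth-type "none"
    initiator-portal "192.168.6.0/24"
}

# 2. CHAP secret only: any source address, but the initiator must
#    present the user name and secret. A "chap" line sets the group's
#    type, so no auth-type line is needed.
auth-group "ag-chap-only" {
    chap "esxi-user" "REPLACE-WITH-SECRET"
}

# 3. IP plus CHAP secret: the initiator must connect from a listed
#    address and also pass CHAP.
auth-group "ag-ip-chap" {
    chap "esxi-user" "REPLACE-WITH-SECRET"
    initiator-portal "192.168.6.8"
    initiator-portal "192.168.6.14"
}

# A target picks one of the groups by name, as in the thread:
#
# target "iqn.2005-10.org.mikej.ctl:esxi-store1" {
#     auth-group "ag-ip-chap"
#     portal-group "pg0"
#     lun "0" "esxi-store1"
# }
```

Once the file holds a CHAP secret, keep it readable by root only.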