GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
CTL.CONF(5) FreeBSD File Formats Manual CTL.CONF(5)

ctl.conf
CAM Target Layer / iSCSI target daemon configuration file

The ctl.conf configuration file is used by the ctld(8) daemon. Lines starting with ‘#’ are interpreted as comments. The general syntax of the ctl.conf file is:
pidfile
 path


auth-group
 name
 {

chap user secret
...
} portal-group name {
listen address
discovery-auth-group name
...
} target name {
auth-group name
portal-group name
lun number {
path path
}
...
}

name
Create an auth-group configuration context, defining a new auth-group, which can then be assigned to any number of targets.
level
The debug verbosity level. The default is 0.
number
The limit for concurrently running child processes handling incoming connections. The default is 30. A setting of 0 disables the limit.
path
The path to the pidfile. The default is /var/run/ctld.pid.
name
Create a portal-group configuration context, defining a new portal-group, which can then be assigned to any number of targets.
name
Create a lun configuration context, defining a LUN to be exported by any number of targets.
name
Create a target configuration context, which can optionally contain one or more lun contexts.
seconds
The timeout for login sessions, after which the connection will be forcibly terminated. The default is 60. A setting of 0 disables the timeout.
address
An IPv4 or IPv6 address and optionally port of iSNS server to register on.
seconds
iSNS registration period. Registered Network Entity not updated during this period will be unregistered. The default is 900.
seconds
Timeout for iSNS requests. The default is 5.

type
Sets the authentication type. Type can be either “none”, “deny”, “chap”, or “chap-mutual”. In most cases it is not necessary to set the type using this clause; it is usually used to disable authentication for a given auth-group.
user secret
A set of CHAP authentication credentials. Note that for any auth-group, the configuration may only contain either chap or chap-mutual entries; it is an error to mix them.
user secret mutualuser mutualsecret
A set of mutual CHAP authentication credentials. Note that for any auth-group, the configuration may only contain either chap or chap-mutual entries; it is an error to mix them.
initiator-name
An iSCSI initiator name. Only initiators with a name matching one of the defined names will be allowed to connect. If not defined, there will be no restrictions based on initiator name.
address[/prefixlen]
An iSCSI initiator portal: an IPv4 or IPv6 address, optionally followed by a literal slash and a prefix length. Only initiators with an address matching one of the defined addresses will be allowed to connect. If not defined, there will be no restrictions based on initiator address.

name
Assign a previously defined authentication group to the portal group, to be used for target discovery. By default, portal groups are assigned predefined auth-groupdefault”, which denies discovery. Another predefined auth-group, “no-authentication”, may be used to permit discovery without authentication.
filter
Determines which targets are returned during discovery. Filter can be either “none”, “portal”, “portal-name”, or “portal-name-auth”. When set to “none”, discovery will return all targets assigned to that portal group. When set to “portal”, discovery will not return targets that cannot be accessed by the initiator because of their initiator-portal. When set to “portal-name”, the check will include both initiator-portal and initiator-name. When set to “portal-name-auth”, the check will include initiator-portal, initiator-name, and authentication credentials. The target is returned if it does not require CHAP authentication, or if the CHAP user and secret used during discovery match those used by the target. Note that when using “portal-name-auth”, targets that require CHAP authentication will only be returned if discovery-auth-group requires CHAP. The default is “none”.
address
An IPv4 or IPv6 address and port to listen on for incoming connections.
driver
Define iSCSI hardware offload driver to use for this portal-group. The default is “none”.
name value
The CTL-specific port options passed to the kernel.
address
IPv4 or IPv6 address to redirect initiators to. When configured, all initiators attempting to connect to portal belonging to this portal-group will get redirected using "Target moved temporarily" login response. Redirection happens before authentication and any initiator-name or initiator-portal checks are skipped.
value
Unique 16-bit tag value of this portal-group. If not specified, the value is generated automatically.
Specifies that this portal-group is listened by some other host. This host will announce it on discovery stage, but won't listen.
value
The DiffServ Codepoint used for sending data. The DSCP can be set to numeric, or hexadecimal values directly, as well as the well-defined “CSx” and “AFxx” codepoints.
value
The 802.1Q Priority CodePoint used for sending packets. The PCP can be set to a value in the range between “0” to “7”. When omitted, the default for the outgoing interface is used.

text
Assign a human-readable description to the target. There is no default.
name
Assign a previously defined authentication group to the target. By default, targets that do not specify their own auth settings, using clauses such as chap or initiator-name, are assigned predefined auth-groupdefault”, which denies all access. Another predefined auth-group, “no-authentication”, may be used to permit access without authentication. Note that this clause can be overridden using the second argument to a portal-group clause.
type
Sets the authentication type. Type can be either “none”, “deny”, “chap”, or “chap-mutual”. In most cases it is not necessary to set the type using this clause; it is usually used to disable authentication for a given target. This clause is mutually exclusive with auth-group; one cannot use both in a single target.
user secret
A set of CHAP authentication credentials. Note that targets must only use one of auth-group, chap, or chap-mutual; it is a configuration error to mix multiple types in one target.
user secret mutualuser mutualsecret
A set of mutual CHAP authentication credentials. Note that targets must only use one of auth-group, chap, or chap-mutual; it is a configuration error to mix multiple types in one target.
initiator-name
An iSCSI initiator name. Only initiators with a name matching one of the defined names will be allowed to connect. If not defined, there will be no restrictions based on initiator name. This clause is mutually exclusive with auth-group; one cannot use both in a single target.
address[/prefixlen]
An iSCSI initiator portal: an IPv4 or IPv6 address, optionally followed by a literal slash and a prefix length. Only initiators with an address matching one of the defined addresses will be allowed to connect. If not defined, there will be no restrictions based on initiator address. This clause is mutually exclusive with auth-group; one cannot use both in a single target.

The auth-type, chap, chap-mutual, initiator-name, and initiator-portal clauses in the target context provide an alternative to assigning an auth-group defined separately, useful in the common case of authentication settings specific to a single target.

name [ag-name]
Assign a previously defined portal group to the target. The default portal group is “default”, which makes the target available on TCP port 3260 on all configured IPv4 and IPv6 addresses. Optional second argument specifies auth-group for connections to this specific portal group. If second argument is not specified, target auth-group is used.
name
 
name/pp
 
name/pp/vp
Assign specified CTL port (such as "isp0" or "isp2/1") to the target. This is used to export the target through a specific physical - eg Fibre Channel - port, in addition to portal-groups configured for the target. Use ctladm portlist command to retrieve the list of available ports. On startup ctld(8) configures LUN mapping and enables all assigned ports. Each port can be assigned to only one target.
address
IPv4 or IPv6 address to redirect initiators to. When configured, all initiators attempting to connect to this target will get redirected using "Target moved temporarily" login response. Redirection happens after successful authentication.
number name
Export previously defined lun by the parent target.
number
Create a lun configuration context, defining a LUN exported by the parent target.

This is an alternative to defining the LUN separately, useful in the common case of a LUN being exported by a single target.

block | ramdisk
The CTL backend to use for a given LUN. Valid choices are “block” and “ramdisk”; block is used for LUNs backed by files or disk device nodes; ramdisk is a bitsink device, used mostly for testing. The default backend is block.
size
The blocksize visible to the initiator. The default blocksize is 512 for disks, and 2048 for CD/DVDs.
lun_id
Global numeric identifier to use for a given LUN inside CTL. By default CTL allocates those IDs dynamically, but explicit specification may be needed for consistency in HA configurations.
string
The SCSI Device Identification string presented to the initiator.
type
Specify the SCSI device type to use when creating the LUN. Currently CTL supports Direct Access (type 0), Processor (type 3) and CD/DVD (type 5) LUNs.
name value
The CTL-specific options passed to the kernel. All CTL-specific options are documented in the OPTIONS section of ctladm(8).
path
The path to the file, device node, or zfs(8) volume used to back the LUN. For optimal performance, create the volume with the “volmode=dev” property set.
string
The SCSI serial number presented to the initiator.
size
The LUN size, in bytes or by number with a suffix of K, M, G, T (for kilobytes, megabytes, gigabytes, or terabytes). When the configuration is in UCL format, use the suffix format kKmMgG|bB, (i.e., 4GB, 4gb, and 4Gb are all equivalent).

/etc/ctl.conf
The default location of the ctld(8) configuration file.

auth-group ag0 {
	chap-mutual "user" "secret" "mutualuser" "mutualsecret"
	chap-mutual "user2" "secret2" "mutualuser" "mutualsecret"
	initiator-portal 192.168.1.1/16
}

auth-group ag1 {
	auth-type none
	initiator-name "iqn.2012-06.com.example:initiatorhost1"
	initiator-name "iqn.2012-06.com.example:initiatorhost2"
	initiator-portal 192.168.1.1/24
	initiator-portal [2001:db8::de:ef]
}

portal-group pg0 {
	discovery-auth-group no-authentication
	listen 0.0.0.0:3260
	listen [::]:3260
	listen [fe80::be:ef]:3261
}

target iqn.2012-06.com.example:target0 {
	alias "Example target"
	auth-group no-authentication
	lun 0 {
		path /dev/zvol/tank/example_0
		blocksize 4096
		size 4G
	}
}

lun example_1 {
	path /dev/zvol/tank/example_1
	option naa 0x50015178f369f093
}

target iqn.2012-06.com.example:target1 {
	auth-group ag0
	portal-group pg0
	lun 0 example_1
	lun 1 {
		path /dev/zvol/tank/example_2
		option vendor "FreeBSD"
	}
}

target naa.50015178f369f092 {
	port isp0
	port isp1
	lun 0 example_1
}

An equivalent configuration in UCL format, for use with -u:

auth-group {
	ag0 {
		chap-mutual = [
			{
				user = "user"
				secret = "secretsecret"
				mutual-user = "mutualuser"
				mutual-secret = "mutualsecret"
			},
			{
				user = "user2"
				secret = "secret2secret2"
				mutual-user = "mutualuser"
				mutual-secret = "mutualsecret"
			}
		]
	}

	ag1 {
		auth-type = none
		initiator-name = [
			"iqn.2012-06.com.example:initiatorhost1",
			"iqn.2012-06.com.example:initiatorhost2"
		]
		initiator-portal = [192.168.1.1/24, "[2001:db8::de:ef]"]
	}
}

portal-group {
	pg0 {
		discovery-auth-group = no-authentication
		listen = [
			0.0.0.0:3260,
			"[::]:3260",
			"[fe80::be:ef]:3261"
		]
	}
}

lun {
	example_0 {
		path = /dev/zvol/tank/example_0
		blocksize = 4096
		size = 4GB
	}

	example_1 {
		path = /dev/zvol/tank/example_1
		options {
			naa = "0x50015178f369f093"
		}
	}

	example_2 {
		path = /dev/zvol/tank/example_2
		options {
			vendor = "FreeBSD"
		}
	}
}

target {
	"iqn.2012-06.com.example:target0" {
		alias = "Example target"
		auth-group = no-authentication
		lun = [
			{ number = 0, name = example_0 },
		]
	}

	"iqn.2012-06.com.example:target1" {
		auth-group = ag0
		portal-group { name = pg0 }
		lun = [
			{ number = 0, name = example_1 },
			{ number = 1, name = example_2 }
		]
	}

	naa.50015178f369f092 {
		port = isp0
		lun = [
			{ number = 0, name = example_1 }
		]
	}
}

ctl(4), ctladm(8), ctld(8), zfs(8)

The ctl.conf configuration file functionality for ctld(8) was developed by Edward Tomasz Napierala <trasz@FreeBSD.org> under sponsorship from the FreeBSD Foundation.
October 13, 2020 FreeBSD 13.1-RELEASE

Search for    or go to Top of page |  Section 5 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.