Configure RHEL 9.3 for NVMe-oF with ONTAP storage
Red Hat Enterprise Linux (RHEL) hosts support the NVMe over Fibre Channel (NVMe/FC) and NVMe over TCP (NVMe/TCP) protocols with Asymmetric Namespace Access (ANA). ANA provides multipathing functionality equivalent to asymmetric logical unit access (ALUA) in iSCSI and FCP environments.
Learn how to configure NVMe over Fabrics (NVMe-oF) hosts for RHEL 9.3. For more support and feature information, see NVME-oF Overview.
NVMe-oF with RHEL 9.3 has the following known limitations:
-
SAN booting using the NVMe-oF protocol is not currently supported.
Step 1: Optionally, enable SAN booting
You can configure your host to use SAN booting to simplify deployment and improve scalability. Use the Interoperability Matrix Tool to verify that your Linux OS, host bus adapter (HBA), HBA firmware, HBA boot BIOS, and ONTAP version support SAN booting.
-
Enable SAN booting in the server BIOS for the ports to which the SAN boot namespace is mapped.
For information on how to enable the HBA BIOS, see your vendor-specific documentation.
-
Reboot the host and verify that the OS is up and running.
Step 2: Verify the software version and NVMe configuration
Check that your system meets software requirements and verify NVMe package installations and host configuration.
-
Install RHEL 9.3 on the server. After the installation is complete, verify that you are running the required RHEL 9.3 kernel:
uname -r
Example RHEL kernel version:
5.14.0-362.8.1.el9_3.x86_64
-
Install the nvme-cli package:
rpm -qa|grep nvme-cli
The following example shows an nvme-cli package version:
nvme-cli-2.4-10.el9.x86_64
-
Install the libnvme package:
rpm -qa|grep libnvme
The following example shows a libnvme package version:
libnvme-1.4-7.el9.x86_64
-
On the host, check the hostnqn string at /etc/nvme/hostnqn:
cat /etc/nvme/hostnqn
The following example shows a hostnqn string:
nqn.2014-08.org.nvmexpress:uuid:060fd513-83be-4c3e-aba1-52e169056dcf
-
Verify that the hostnqn string matches the hostnqn string for the corresponding subsystem on the ONTAP array:
::> vserver nvme subsystem host show -vserver vs_nvme147
Show example
Vserver     Subsystem          Host NQN
----------- --------------- ----------------------------------------------------------
vs_nvme147  rhel_147_LPe32002  nqn.2014-08.org.nvmexpress:uuid:060fd513-83be-4c3e-aba1-52e169056dcf
If the hostnqn strings do not match, use the vserver modify command to update the hostnqn string on your corresponding ONTAP storage system subsystem to match the hostnqn string from /etc/nvme/hostnqn on the host.
Step 3: Configure NVMe/FC and NVMe/TCP
Configure NVMe/FC with Broadcom/Emulex or Marvell/QLogic adapters, or configure NVMe/TCP using manual discovery and connect operations.
Configure NVMe/FC for a Broadcom/Emulex adapter.
-
Verify that you are using the supported adapter model:
-
Display the model names:
cat /sys/class/scsi_host/host*/modelname
You should see the following output:
LPe32002-M2
LPe32002-M2
-
Display the model descriptions:
cat /sys/class/scsi_host/host*/modeldesc
You should see output similar to the following example:
Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter
Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter
-
-
Verify that you are using the recommended Broadcom lpfc firmware and inbox driver:
-
Display the firmware version:
cat /sys/class/scsi_host/host*/fwrev
The command returns the firmware versions:
14.2.539.16, sli-4:2:c
14.2.539.16, sli-4:2:c
-
Display the inbox driver version:
cat /sys/module/lpfc/version
The following example shows a driver version:
0:14.2.0.12
For the current list of supported adapter driver and firmware versions, see the Interoperability Matrix Tool.
-
-
Verify that lpfc_enable_fc4_type is set to 3:
cat /sys/module/lpfc/parameters/lpfc_enable_fc4_type
-
Verify that you can view your initiator ports:
cat /sys/class/fc_host/host*/port_name
You should see output similar to:
0x100000109b3c081f
0x100000109b3c0820
-
Verify that your initiator ports are online:
cat /sys/class/fc_host/host*/port_state
You should see the following output:
Online
Online
-
Verify that the NVMe/FC initiator ports are enabled and that the target ports are visible:
cat /sys/class/scsi_host/host*/nvme_info
Show example
NVME Initiator Enabled
XRI Dist lpfc0 Total 6144 IO 5894 ELS 250
NVME LPORT lpfc0 WWPN x100000109b3c081f WWNN x200000109b3c081f DID x062300 ONLINE
NVME RPORT WWPN x2143d039ea165877 WWNN x2142d039ea165877 DID x061b15 TARGET DISCSRVC ONLINE
NVME RPORT WWPN x2145d039ea165877 WWNN x2142d039ea165877 DID x061115 TARGET DISCSRVC ONLINE
NVME Statistics
LS: Xmt 000000040b Cmpl 000000040b Abort 00000000
LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000
Total FCP Cmpl 000000001f5c4538 Issue 000000001f58da22 OutIO fffffffffffc94ea
abort 00000630 noxri 00000000 nondlp 00001071 qdepth 00000000 wqerr 00000000 err 00000000
FCP CMPL: xb 00000630 Err 0001bd4a

NVME Initiator Enabled
XRI Dist lpfc1 Total 6144 IO 5894 ELS 250
NVME LPORT lpfc1 WWPN x100000109b3c0820 WWNN x200000109b3c0820 DID x062c00 ONLINE
NVME RPORT WWPN x2144d039ea165877 WWNN x2142d039ea165877 DID x060215 TARGET DISCSRVC ONLINE
NVME RPORT WWPN x2146d039ea165877 WWNN x2142d039ea165877 DID x061815 TARGET DISCSRVC ONLINE
NVME Statistics
LS: Xmt 000000040b Cmpl 000000040b Abort 00000000
LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000
Total FCP Cmpl 000000001f5c3618 Issue 000000001f5967a4 OutIO fffffffffffd318c
abort 00000629 noxri 00000000 nondlp 0000044e qdepth 00000000 wqerr 00000000 err 00000000
FCP CMPL: xb 00000629 Err 0001bd3d
Configure NVMe/FC for a Marvell/QLogic adapter.
-
Verify that you are using the supported adapter driver and firmware versions:
cat /sys/class/fc_host/host*/symbolic_name
The following example shows driver and firmware versions:
QLE2772 FW:v9.10.11 DVR:v10.02.08.200-k
QLE2772 FW:v9.10.11 DVR:v10.02.08.200-k
-
Verify that ql2xnvmeenable is set. This enables the Marvell adapter to function as an NVMe/FC initiator:
cat /sys/module/qla2xxx/parameters/ql2xnvmeenable
The expected output is 1.
The NVMe/TCP protocol doesn't support the auto-connect operation. Instead, you can discover the NVMe/TCP subsystems and namespaces by performing the NVMe/TCP connect or connect-all operations manually.
-
Check that the initiator port can get the discovery log page data across the supported NVMe/TCP LIFs:
nvme discover -t tcp -w host-traddr -a traddr
Show example
nvme discover -t tcp -w 192.168.167.1 -a 192.168.167.16
Discovery Log Number of Records 8, Generation counter 10
=====Discovery Log Entry 0======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 0
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.bbfb4ee8dfb611edbd07d039ea165590:discovery
traddr: 192.168.166.17
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 1======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 1
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.bbfb4ee8dfb611edbd07d039ea165590:discovery
traddr: 192.168.167.17
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 2======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 2
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.bbfb4ee8dfb611edbd07d039ea165590:discovery
traddr: 192.168.166.16
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 3======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 3
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.bbfb4ee8dfb611edbd07d039ea165590:discovery
traddr: 192.168.167.16
eflags: explicit discovery connections, duplicate discovery information
sectype: none
-
Verify that the other NVMe/TCP initiator-target LIF combinations can successfully retrieve discovery log page data:
nvme discover -t tcp -w host-traddr -a traddr
Show example
nvme discover -t tcp -w 192.168.166.5 -a 192.168.166.22
nvme discover -t tcp -w 192.168.166.5 -a 192.168.166.23
nvme discover -t tcp -w 192.168.167.5 -a 192.168.167.22
nvme discover -t tcp -w 192.168.167.5 -a 192.168.167.23
-
Run the nvme connect-all command across all the supported NVMe/TCP initiator-target LIFs across the nodes:
nvme connect-all -t tcp -w host-traddr -a traddr
Show example
nvme connect-all -t tcp -w 192.168.166.1 -a 192.168.166.16 -l 1800
nvme connect-all -t tcp -w 192.168.166.1 -a 192.168.166.17 -l 1800
nvme connect-all -t tcp -w 192.168.167.1 -a 192.168.167.16 -l 1800
nvme connect-all -t tcp -w 192.168.167.1 -a 192.168.167.17 -l 1800
Step 4: Optionally, enable 1MB I/O for NVMe/FC
ONTAP reports a Max Data Transfer Size (MDTS) of 8 in the Identify Controller data. This means the maximum I/O request size can be up to 1MB. To issue I/O requests of size 1MB for a Broadcom NVMe/FC host, you should increase the lpfc value of the lpfc_sg_seg_cnt parameter to 256 from the default value of 64.
These steps don't apply to Qlogic NVMe/FC hosts.
-
Set the lpfc_sg_seg_cnt parameter to 256:
cat /etc/modprobe.d/lpfc.conf
You should see an output similar to the following example:
options lpfc lpfc_sg_seg_cnt=256
-
Run the dracut -f command, and reboot the host.
-
Verify that the value for lpfc_sg_seg_cnt is 256:
cat /sys/module/lpfc/parameters/lpfc_sg_seg_cnt
Step 5: Verify the multipathing configuration
Verify that the in-kernel NVMe multipath status, ANA status, and ONTAP namespaces are correct for the NVMe-oF configuration.
-
Verify that the in-kernel NVMe multipath is enabled:
cat /sys/module/nvme_core/parameters/multipath
You should see the following output:
Y
-
Verify that the appropriate NVMe-oF settings (for example, model set to NetApp ONTAP Controller and load balancing iopolicy set to round-robin) for the respective ONTAP namespaces are correctly reflected on the host:
-
Display the subsystems:
cat /sys/class/nvme-subsystem/nvme-subsys*/model
You should see the following output:
NetApp ONTAP Controller
NetApp ONTAP Controller
-
Display the policy:
cat /sys/class/nvme-subsystem/nvme-subsys*/iopolicy
You should see the following output:
round-robin
round-robin
-
-
Verify that the namespaces are created and correctly discovered on the host:
nvme list
Show example
Node          SN                    Model
---------------------------------------------------------
/dev/nvme4n1  81Ix2BVuekWcAAAAAAAB  NetApp ONTAP Controller

Namespace  Usage                Format       FW Rev
-----------------------------------------------------------
1          21.47 GB / 21.47 GB  4 KiB + 0 B  FFFFFFFF
-
Verify that the controller state of each path is live and has the correct ANA status:
NVMe/FC
nvme list-subsys /dev/nvme4n5
Show example
nvme-subsys4 - NQN=nqn.1992-08.com.netapp:sn.e80cc121ca6911ed8cbdd039ea165590:subsystem.rhel_147_LPE32002
\
 +- nvme2 fc traddr=nn-0x2142d039ea165877:pn-0x2144d039ea165877,host_traddr=nn-0x200000109b3c0820:pn-0x100000109b3c0820 live optimized
 +- nvme3 fc traddr=nn-0x2142d039ea165877:pn-0x2145d039ea165877,host_traddr=nn-0x200000109b3c081f:pn-0x100000109b3c081f live non-optimized
 +- nvme4 fc traddr=nn-0x2142d039ea165877:pn-0x2146d039ea165877,host_traddr=nn-0x200000109b3c0820:pn-0x100000109b3c0820 live non-optimized
 +- nvme6 fc traddr=nn-0x2142d039ea165877:pn-0x2143d039ea165877,host_traddr=nn-0x200000109b3c081f:pn-0x100000109b3c081f live optimized
NVMe/TCP
nvme list-subsys /dev/nvme1n1
Show example
nvme-subsys1 - NQN=nqn.1992-08.com.netapp:sn.bbfb4ee8dfb611edbd07d039ea165590:subsystem.rhel_tcp_95
 +- nvme1 tcp traddr=192.168.167.16,trsvcid=4420,host_traddr=192.168.167.1,src_addr=192.168.167.1 live
 +- nvme2 tcp traddr=192.168.167.17,trsvcid=4420,host_traddr=192.168.167.1,src_addr=192.168.167.1 live
 +- nvme3 tcp traddr=192.168.167.17,trsvcid=4420,host_traddr=192.168.166.1,src_addr=192.168.166.1 live
 +- nvme4 tcp traddr=192.168.166.16,trsvcid=4420,host_traddr=192.168.166.1,src_addr=192.168.166.1 live
-
Verify that the NetApp plug-in displays the correct values for each ONTAP namespace device:
Column
nvme netapp ontapdevices -o column
Show example
Device        Vserver  Namespace Path
----------------------- ------------------------------
/dev/nvme0n1  vs_tcp   /vol/vol1/ns1

NSID  UUID                                  Size
------------------------------------------------------------
1     6fcb8ea0-dc1e-4933-b798-8a62a626cb7f  21.47GB
JSON
nvme netapp ontapdevices -o json
Show example
{
  "ONTAPdevices" : [
    {
      "Device" : "/dev/nvme1n1",
      "Vserver" : "vs_tcp_95",
      "Namespace_Path" : "/vol/vol1/ns1",
      "NSID" : 1,
      "UUID" : "6fcb8ea0-dc1e-4933-b798-8a62a626cb7f",
      "Size" : "21.47GB",
      "LBA_Data_Size" : 4096,
      "Namespace_Size" : 5242880
    },
  ]
}
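The controller-state and ANA check from the nvme list-subsys step can be scripted. The following is an added example, not part of the original page or of nvme-cli; the function names are hypothetical, the healthy sample is the NVMe/FC output shown above, and the degraded sample is constructed from it.

```python
import re

# A path line looks like: " +- nvme2 fc traddr=...,host_traddr=... live optimized".
# The ANA state is optional; the NVMe/TCP sample on this page prints only "live".
PATH_RE = re.compile(r"^\s*\+-\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
FIELDS = ("ctrl", "transport", "addr", "state", "ana")

def parse_list_subsys(text):
    """Map each nvme-subsysN in `nvme list-subsys` text output to its paths."""
    subsystems, current = {}, None
    for line in text.splitlines():
        if line.startswith("nvme-subsys"):
            current = subsystems.setdefault(line.split()[0], [])
            continue
        m = PATH_RE.match(line)
        if m and current is not None:
            current.append(dict(zip(FIELDS, m.groups())))
    return subsystems

def audit_paths(subsystems):
    """Report paths that are not live and subsystems with no live optimized path."""
    findings = []
    for name, paths in subsystems.items():
        if not paths:
            findings.append(f"{name}: no paths listed")
        for p in paths:
            if p["state"] != "live":
                findings.append(f"{name}/{p['ctrl']}: controller state is {p['state']}")
        live_ana = [p["ana"] for p in paths if p["state"] == "live" and p["ana"]]
        # Only judge ANA when the output reports it for at least one path.
        if any(p["ana"] for p in paths) and "optimized" not in live_ana:
            findings.append(f"{name}: no live path is ANA optimized")
    return findings

# NVMe/FC sample output from this page.
HEALTHY = """nvme-subsys4 - NQN=nqn.1992-08.com.netapp:sn.e80cc121ca6911ed8cbdd039ea165590:subsystem.rhel_147_LPE32002
\\
 +- nvme2 fc traddr=nn-0x2142d039ea165877:pn-0x2144d039ea165877,host_traddr=nn-0x200000109b3c0820:pn-0x100000109b3c0820 live optimized
 +- nvme3 fc traddr=nn-0x2142d039ea165877:pn-0x2145d039ea165877,host_traddr=nn-0x200000109b3c081f:pn-0x100000109b3c081f live non-optimized
 +- nvme4 fc traddr=nn-0x2142d039ea165877:pn-0x2146d039ea165877,host_traddr=nn-0x200000109b3c0820:pn-0x100000109b3c0820 live non-optimized
 +- nvme6 fc traddr=nn-0x2142d039ea165877:pn-0x2143d039ea165877,host_traddr=nn-0x200000109b3c081f:pn-0x100000109b3c081f live optimized
"""
# Constructed failure case: both optimized paths stuck in "connecting".
DEGRADED = HEALTHY.replace("live optimized", "connecting")

if __name__ == "__main__":
    for sample in (HEALTHY, DEGRADED):
        print(audit_paths(parse_list_subsys(sample)) or "all paths healthy")
```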
Step 6: Set up secure in-band authentication
Beginning with ONTAP 9.12.1, secure in-band authentication is supported over NVMe/TCP between a RHEL 9.3 host and an ONTAP controller.
Each host or controller must be associated with a DH-HMAC-CHAP key to set up secure authentication. A DH-HMAC-CHAP key is a combination of the NQN of the NVMe host or controller and an authentication secret configured by the administrator. To authenticate its peer, an NVMe host or controller must recognize the key associated with the peer.
Set up secure in-band authentication using the CLI or a config JSON file. If you need to specify different dhchap keys for different subsystems, you must use a config JSON file.
Set up secure in-band authentication using the CLI.
-
Obtain the host NQN:
cat /etc/nvme/hostnqn
-
Generate the dhchap key for the RHEL 9.3 host.
The following output describes the gen-dhchap-key command parameters:
nvme gen-dhchap-key -s optional_secret -l key_length {32|48|64} -m HMAC_function {0|1|2|3} -n host_nqn
• -s secret key in hexadecimal characters to be used to initialize the host key
• -l length of the resulting key in bytes
• -m HMAC function to use for key transformation 0 = none, 1 = SHA-256, 2 = SHA-384, 3 = SHA-512
• -n host NQN to use for key transformation
In the following example, a random dhchap key with HMAC set to 3 (SHA-512) is generated.
nvme gen-dhchap-key -m 3 -n nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-c2c04f444d33
DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:
-
On the ONTAP controller, add the host and specify both dhchap keys:
vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function {sha-256|sha-512} -dhchap-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit}
-
A host supports two types of authentication methods, unidirectional and bidirectional. On the host, connect to the ONTAP controller and specify dhchap keys based on the chosen authentication method:
nvme connect -t tcp -w <host-traddr> -a <tr-addr> -n <host_nqn> -S <authentication_host_secret> -C <authentication_controller_secret>
-
Validate the nvme connect authentication command by verifying the host and controller dhchap keys:
-
Verify the host dhchap keys:
cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_secret
Show example output for a unidirectional configuration
cat /sys/class/nvme-subsystem/nvme-subsys1/nvme*/dhchap_secret
DHHC-1:03:fMCrJharXUOqRoIsOEaG6m2PH1yYvu5+z3jTmzEKUbcWu26I33b93bil2WR09XDho/ld3L45J+0FeCsStBEAfhYgkQU=:
DHHC-1:03:fMCrJharXUOqRoIsOEaG6m2PH1yYvu5+z3jTmzEKUbcWu26I33b93bil2WR09XDho/ld3L45J+0FeCsStBEAfhYgkQU=:
DHHC-1:03:fMCrJharXUOqRoIsOEaG6m2PH1yYvu5+z3jTmzEKUbcWu26I33b93bil2WR09XDho/ld3L45J+0FeCsStBEAfhYgkQU=:
DHHC-1:03:fMCrJharXUOqRoIsOEaG6m2PH1yYvu5+z3jTmzEKUbcWu26I33b93bil2WR09XDho/ld3L45J+0FeCsStBEAfhYgkQU=:
-
Verify the controller dhchap keys:
cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_ctrl_secret
Show example output for a bidirectional configuration
cat /sys/class/nvme-subsystem/nvme-subsys6/nvme*/dhchap_ctrl_secret
DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:
DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:
DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:
DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:
-
When multiple NVMe subsystems are available on the ONTAP controller, you can use the /etc/nvme/config.json file with the nvme connect-all command.
Use the -o option to generate the JSON file. Refer to the NVMe connect-all man pages for more syntax options.
-
Configure the JSON file.
In the following example, dhchap_key corresponds to dhchap_secret and dhchap_ctrl_key corresponds to dhchap_ctrl_secret.
Show example
cat /etc/nvme/config.json
[
  {
    "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-c2c04f444d33",
    "hostid":"4c4c4544-0035-5910-804b-c2c04f444d33",
    "dhchap_key":"DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:",
    "subsystems":[
      {
        "nqn":"nqn.1992-08.com.netapp:sn.127ade26168811f0a50ed039eab69ad3:subsystem.inband_unidirectional",
        "ports":[
          {
            "transport":"tcp",
            "traddr":"192.168.20.17",
            "host_traddr":"192.168.20.1",
            "trsvcid":"4420"
          },
          {
            "transport":"tcp",
            "traddr":"192.168.20.18",
            "host_traddr":"192.168.20.1",
            "trsvcid":"4420"
          },
          {
            "transport":"tcp",
            "traddr":"192.168.21.18",
            "host_traddr":"192.168.21.1",
            "trsvcid":"4420"
          },
          {
            "transport":"tcp",
            "traddr":"192.168.21.17",
            "host_traddr":"192.168.21.1",
            "trsvcid":"4420"
          }
        ]
      }
    ]
  }
]
-
Connect to the ONTAP controller using the config JSON file:
nvme connect-all -J /etc/nvme/config.json
Show example
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.20 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
traddr=192.168.20.21 is already connected
-
Verify that the dhchap secrets have been enabled for the respective controllers for each subsystem.
-
Verify the host dhchap keys:
cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_secret
The following example shows a dhchap key:
DHHC-1:03:7zf8I9gaRcDWH3tCH5vLGaoyjzPIvwNWusBfKdpJa+hia1aKDKJQ2o53pX3wYM9xdv5DtKNNhJInZ7X8wU2RQpQIngc=:
-
Verify the controller dhchap keys:
cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_ctrl_secret
You should see output similar to the following example:
DHHC-1:03:fMCrJharXUOqRoIsOEaG6m2PH1yYvu5+z3jTmzEKUbcWu26I33b93bil2WR09XDho/ld3L45J+0FeCsStBEAfhYgkQU=:
-
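A DHHC-1 string carries its own integrity check: the base64 field decodes to the secret followed by a little-endian CRC-32 of that secret, so a mistyped or truncated key can be caught before it is configured on the host or on ONTAP. The following is an added example, not part of the original page or of nvme-cli; it checks every dhchap_key and dhchap_ctrl_key in a parsed config.json, the function names are hypothetical, the sample keys are constructed, and the placement of dhchap_ctrl_key inside a port entry is an assumption.

```python
import base64
import zlib

# HMAC id -> (name, secret length in bytes it requires; None = 32, 48 or 64)
HMACS = {0: ("none", None), 1: ("SHA-256", 32), 2: ("SHA-384", 48), 3: ("SHA-512", 64)}

def make_key(secret, hmac_id):
    """Build a DHHC-1 string: base64(secret + little-endian CRC-32 of secret)."""
    crc = zlib.crc32(secret).to_bytes(4, "little")
    return "DHHC-1:%02x:%s:" % (hmac_id, base64.b64encode(secret + crc).decode())

def check_key(key):
    """Return None when the key is well formed, else a short reason."""
    parts = key.split(":")
    if len(parts) != 4 or parts[0] != "DHHC-1" or parts[3]:
        return "not in DHHC-1:<hmac>:<base64>: form"
    try:
        hmac_id = int(parts[1], 16)
        blob = base64.b64decode(parts[2], validate=True)
    except ValueError:  # includes binascii.Error: stray spaces, bad padding
        return "HMAC id or base64 payload does not decode"
    if hmac_id not in HMACS:
        return "unknown HMAC id %d" % hmac_id
    secret, crc = blob[:-4], blob[-4:]
    if len(secret) not in (32, 48, 64):
        return "secret is %d bytes, expected 32, 48 or 64" % len(secret)
    name, want = HMACS[hmac_id]
    if want and len(secret) != want:
        return "%s needs a %d-byte secret" % (name, want)
    if zlib.crc32(secret) != int.from_bytes(crc, "little"):
        return "CRC-32 mismatch (key altered or mistyped)"
    return None

def audit_config(node, path="config"):
    """Walk a parsed config.json and check every dhchap_key / dhchap_ctrl_key."""
    findings = []
    if isinstance(node, dict):
        for name, value in node.items():
            if name in ("dhchap_key", "dhchap_ctrl_key"):
                reason = check_key(value)
                if reason:
                    findings.append("%s.%s: %s" % (path, name, reason))
            else:
                findings += audit_config(value, "%s.%s" % (path, name))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += audit_config(item, "%s[%d]" % (path, i))
    return findings

# Constructed sample: a valid 64-byte SHA-512 key and a copy with one character changed.
GOOD = make_key(bytes(range(64)), 3)
BAD = GOOD[:10] + "B" + GOOD[11:]
# Assumption: dhchap_ctrl_key sits inside a port entry; the walk finds it at any depth.
SAMPLE = [{"hostnqn": "<host_nqn>", "dhchap_key": GOOD,
           "subsystems": [{"nqn": "<subsystem_nqn>",
                           "ports": [{"transport": "tcp", "dhchap_ctrl_key": BAD}]}]}]

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

To audit a real file, load it with json.load and pass the result to audit_config; a key that picked up a stray space when copied is reported as not decoding.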
Step 7: Review the known issues
There are no known issues.