简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。
使用 ONTAP 存储为 NVMe-oF 配置 SUSE Linux Enterprise Server 16
贡献者
建议更改
PDF
目录
SUSE Linux Enterprise Server 16 主机支持具有非对称命名空间访问 (ANA) 的 NVMe over Fibre Channel (NVMe/FC) 和 NVMe over TCP (NVMe/TCP) 协议。ANA 提供多路径功能,相当于 iSCSI 和 FCP 环境中的非对称逻辑单元访问 (ALUA)。
了解如何为 SUSE Linux Enterprise Server 16 配置 NVMe over Fabrics (NVMe-oF) 主机。有关更多支持和功能信息,请参见"ONTAP支持和功能"。
NVMe-oF 与 SUSE Linux Enterprise Server 16 具有以下已知限制:
-
这 `nvme disconnect-all`该命令会断开根文件系统和数据文件系统,可能会导致系统不稳定。请勿在通过 NVMe-TCP 或 NVMe-FC 命名空间从 SAN 启动的系统上执行此操作。
-
NetApp sanlun 主机实用程序不支持 NVMe-oF。或者,您可以依赖原生产品中包含的NetApp插件。
nvme-cli适用于所有 NVMe-oF 传输的软件包。
第1步:(可选)启用SAN启动
您可以配置主机以使用 SAN 启动来简化部署并提高可扩展性。使用"互操作性表工具"验证您的 Linux 操作系统、主机总线适配器 (HBA)、HBA 固件、HBA 启动 BIOS 和ONTAP版本是否支持 SAN 启动。
步骤
-
在服务器 BIOS 中为 SAN 启动命名空间映射到的端口启用 SAN 启动。
有关如何启用 HBA BIOS 的信息,请参见供应商专用文档。
-
重新启动主机并验证操作系统是否已启动并正在运行。
步骤 2:安装 SUSE Linux Enterprise Server 和 NVMe 软件,并验证您的配置
要为 NVMe-oF 配置主机,您需要安装主机和 NVMe 软件包,启用多路径,并验证主机 NQN 配置。
步骤
-
在服务器上安装 SUSE Linux Enterprise Server 16。安装完成后,验证您正在运行指定的 SUSE Linux Enterprise Server 16 内核:
uname -rSUSE Linux Enterprise Server 内核版本示例:
6.12.0-160000.6-default
-
安装
NVMe-CLI软件包:rpm -qa|grep nvme-cli下面的例子展示了 `nvme-cli`软件包版本:
nvme-cli-2.11+29.g35e62868-160000.1.1.x86_64
-
安装
libnvme软件包:rpm -qa|grep libnvme下面的例子展示了 `libnvme`软件包版本:
libnvme1-1.11+17.g6d55624d-160000.1.1.x86_64
-
在主机上,检查 hostnqn 字符串
/etc/nvme/hostnqn:cat /etc/nvme/hostnqn下面的例子展示了 `hostnqn`版本:
nqn.2014-08.org.nvmexpress:uuid:d3b5xxxx-c975-xxxx-8425-089xxxx1a074
-
在ONTAP系统中,验证以下信息: `hostnqn`字符串匹配 `hostnqn`ONTAP数组中对应子系统的字符串:
::> vserver nvme subsystem host show -vserver vs_coexistence_emulex显示示例
Vserver Subsystem Priority Host NQN ------- --------- -------- ------------------------------------------------ vs_coexistence_emulex nvme1 regular nqn.2014-08.org.nvmexpress:uuid:d3b5xxxx-c975-xxxx-8425-089xxxx1a074 nvme10 regular nqn.2014-08.org.nvmexpress:uuid:d3b5xxxx-c975-xxxx-8425-089xxxx1a074 nvme11 regular nqn.2014-08.org.nvmexpress:uuid:d3b5xxxx-c975-xxxx-8425-089xxxx1a074 nvme12 regular nqn.2014-08.org.nvmexpress:uuid:d3b5xxxx-c975-xxxx-8425-089xxxx1a074 4 entries were displayed.
如果 hostnqn字符串不匹配、请使用vserver modify用于更新的命令hostnqn要匹配的相应ONTAP 阵列子系统上的字符串hostnqn字符串自/etc/nvme/hostnqn在主机上。
步骤 3:配置 NVMe/FC 和 NVMe/TCP
使用 Broadcom/Emulex 或 Marvell/QLogic 适配器配置 NVMe/FC,或使用手动发现和连接操作配置 NVMe/TCP。
NVMe/FC - 博通/Emulex
为Broadcom/Emulex FC适配器配置NVMe/FC。
步骤
-
验证您使用的适配器型号是否受支持:
-
显示模型名称:
cat /sys/class/scsi_host/host*/modelname您应看到以下输出:
SN37A92079 SN37A92079
-
显示模型描述:
cat /sys/class/scsi_host/host*/modeldesc您应看到以下输出:
Emulex SN37A92079 32Gb 2-Port Fibre Channel Adapter Emulex SN37A92079 32Gb 2-Port Fibre Channel Adapter
-
-
确认您使用的是建议的Broadcom
lpfc固件和内置驱动程序:-
显示固件版本:
cat /sys/class/scsi_host/host*/fwrev以下示例显示固件版本:
14.4.393.53, sli-4:6:d 14.4.393.53, sli-4:6:d
-
显示收件箱驱动程序版本:
cat /sys/module/lpfc/version以下示例显示了驱动程序版本:
0:14.4.0.11
有关支持的适配器驱动程序和固件版本的最新列表,请参见"互操作性表工具"。
-
-
验证的预期输出是否
lpfc_enable_fc4_type`设置为 `3:cat /sys/module/lpfc/parameters/lpfc_enable_fc4_type -
验证是否可以查看启动程序端口:
cat /sys/class/fc_host/host*/port_name此时应显示类似于以下内容的输出:
0x100000109bdacc75 0x100000109bdacc76
-
验证启动程序端口是否联机:
cat /sys/class/fc_host/host*/port_state您应看到以下输出:
Online Online
-
验证NVMe/FC启动程序端口是否已启用且目标端口是否可见:
cat /sys/class/scsi_host/host*/nvme_info显示示例输出
NVME Initiator Enabled XRI Dist lpfc0 Total 6144 IO 5894 ELS 250 NVME LPORT lpfc0 WWPN x100000109bdacc75 WWNN x200000109bdacc75 DID x060100 ONLINE NVME RPORT WWPN x2001d039ea951c45 WWNN x2000d039ea951c45 DID x080801 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2003d039ea951c45 WWNN x2000d039ea951c45 DID x080d01 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2024d039eab31e9c WWNN x2023d039eab31e9c DID x020a09 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2026d039eab31e9c WWNN x2023d039eab31e9c DID x020a08 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2003d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061b01 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2012d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061b05 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2005d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061201 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2014d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061205 TARGET DISCSRVC ONLINE NVME Statistics LS: Xmt 0000017242 Cmpl 0000017242 Abort 00000000 LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000 Total FCP Cmpl 0000000000378362 Issue 00000000003783c7 OutIO 0000000000000065 abort 00000409 noxri 00000000 nondlp 0000003a qdepth 00000000 wqerr 00000000 err 00000000 FCP CMPL: xb 00000409 Err 0000040a NVME Initiator Enabled XRI Dist lpfc1 Total 6144 IO 5894 ELS 250 NVME LPORT lpfc1 WWPN x100000109bdacc76 WWNN x200000109bdacc76 DID x062800 ONLINE NVME RPORT WWPN x2002d039ea951c45 WWNN x2000d039ea951c45 DID x080701 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2004d039ea951c45 WWNN x2000d039ea951c45 DID x081501 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2025d039eab31e9c WWNN x2023d039eab31e9c DID x020913 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2027d039eab31e9c WWNN x2023d039eab31e9c DID x020912 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2006d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061401 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2015d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061405 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2004d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061301 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2013d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061305 TARGET DISCSRVC ONLINE NVME Statistics LS: Xmt 0000017428 Cmpl 0000017428 Abort 00000000 LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000 Total FCP Cmpl 00000000003443be Issue 000000000034442a OutIO 000000000000006c abort 00000491 noxri 00000000 nondlp 00000086 qdepth 00000000 wqerr 00000000 err 00000000 FCP CMPL: xb 00000491 Err 00000494
NVMe/FC - Marvell/QLogic
为Marvell/QLogic适配器配置NVMe/FC。
步骤
-
验证您是否正在运行受支持的适配器驱动程序和固件版本:
cat /sys/class/fc_host/host*/symbolic_name以下示例显示了驱动程序和固件版本:
QLE2772 FW:v9.15.06 DVR:v10.02.09.400-k-debug QLE2772 FW:v9.15.06 DVR:v10.02.09.400-k-debug
-
请验证
ql2xnvmeenable已设置。这样、Marvell适配器便可用作NVMe/FC启动程序:cat /sys/module/qla2xxx/parameters/ql2xnvmeenable预期输出为1。
NVMe/TCP
NVMe/TCP 协议不支持自动连接操作。相反,您可以通过执行 NVMe/TCP 来发现 NVMe/TCP 子系统和命名空间 `connect`或者 `connect-all`手动操作。
步骤
-
验证启动程序端口是否可以通过受支持的NVMe/TCP LIF提取发现日志页面数据:
nvme discover -t tcp -w <host-traddr> -a <traddr>
显示示例输出
nvme discover -t tcp -w 192.168.38.20 -a 192.168.38.10 Discovery Log Number of Records 8, Generation counter 42 =====Discovery Log Entry 0====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 4 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.211.71 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 1====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 3 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.111.71 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 2====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 2 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.211.70 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 3====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 1 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.111.70 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 4====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 4 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.211.71 eflags: none sectype: none =====Discovery Log Entry 5====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 3 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.111.71 eflags: none sectype: none =====Discovery Log Entry 6====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 2 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.211.70 eflags: none sectype: none =====Discovery Log Entry 7====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 1 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.111.70 eflags: none sectype: none localhost:~ #
-
验证所有其他NVMe/TCP启动程序-目标LIF组合是否可以成功提取发现日志页面数据:
nvme discover -t tcp -w <host-traddr> -a <traddr>
显示示例
nvme discover -t tcp -w 192.168.38.20 -a 192.168.38.10 nvme discover -t tcp -w 192.168.38.20 -a 192.168.38.11 nvme discover -t tcp -w 192.168.39.20 -a 192.168.39.10 nvme discover -t tcp -w 192.168.39.20 -a 192.168.39.11
-
运行
nvme connect-all在节点中所有受支持的NVMe/TCP启动程序-目标SIP上运行命令:nvme connect-all -t tcp -w <host-traddr> -a <traddr>
显示示例
nvme connect-all -t tcp -w 192.168.38.20 -a 192.168.38.10 nvme connect-all -t tcp -w 192.168.38.20 -a 192.168.38.11 nvme connect-all -t tcp -w 192.168.39.20 -a 192.168.39.10 nvme connect-all -t tcp -w 192.168.39.20 -a 192.168.39.11
NVMe/TCP 的设置 `ctrl_loss_tmo timeout`自动设置为“关闭”。因此:
-
重试次数没有限制(无限重试)。
-
您不需要手动配置特定的 `ctrl_loss_tmo timeout`使用时长 `nvme connect`或者 `nvme connect-all`命令(选项 -l )。
-
如果发生路径故障,NVMe/TCP 控制器不会超时,并且会无限期地保持连接。
步骤 4:(可选)修改 udev 规则中的 iopolicy
从 SUSE Linux Enterprise Server 16 开始,NVMe-oF 的默认 iopolicy 设置为 queue-depth。如果要将 iopolicy 更改为 round-robin,请按如下所示修改 udev 规则文件:
步骤
-
使用 root 权限在文本编辑器中打开 udev 规则文件:
/usr/lib/udev/rules.d/71-nvmf-netapp.rules您应看到以下输出:
vi /usr/lib/udev/rules.d/71-nvmf-netapp.rules
-
找到为NetApp ONTAP控制器设置 iopolicy 的行,如下例所示:
ACTION=="add", SUBSYSTEM=="nvme-subsystem", ATTR{subsystype}=="nvm", ATTR{model}=="NetApp ONTAP Controller", ATTR{iopolicy}="queue-depth" -
修改此规则,使
queue-depth变为round-robin:ACTION=="add", SUBSYSTEM=="nvme-subsystem", ATTR{subsystype}=="nvm", ATTR{model}=="NetApp ONTAP Controller", ATTR{iopolicy}="round-robin" -
重新加载udev规则并应用更改:
udevadm control --reload udevadm trigger --subsystem-match=nvme-subsystem -
请检查子系统的当前 I/O 策略。例如,替换<子系统>
nvme-subsys0。cat /sys/class/nvme-subsystem/<subsystem>/iopolicy您应看到以下输出:
round-robin
|
|
新的 iopolicy 会自动应用于匹配的NetApp ONTAP控制器设备。您无需重启。 |
步骤 5:可选,启用 NVMe/FC 的 1MB I/O。
ONTAP在识别控制器数据中报告最大数据传输大小 (MDTS) 为 8。这意味着最大 I/O 请求大小可达 1MB。要向 Broadcom NVMe/FC 主机发出 1MB 大小的 I/O 请求,您应该增加 `lpfc`的价值 `lpfc_sg_seg_cnt`参数从默认值 64 更改为 256。
|
|
这些步骤不适用于逻辑NVMe/FC主机。 |
步骤
-
将 `lpfc_sg_seg_cnt`参数设置为256:
cat /etc/modprobe.d/lpfc.conf您应该会看到类似于以下示例的输出:
options lpfc lpfc_sg_seg_cnt=256
-
运行 `dracut -f`命令并重新启动主机。
-
验证的值是否 `lpfc_sg_seg_cnt`为256:
cat /sys/module/lpfc/parameters/lpfc_sg_seg_cnt
步骤 6:验证 NVMe 启动服务
这 `nvmefc-boot-connections.service`和 `nvmf-autoconnect.service`NVMe/FC 中包含的启动服务 `nvme-cli`系统启动时,软件包会自动启用。
启动完成后,验证 `nvmefc-boot-connections.service`和 `nvmf-autoconnect.service`启动服务已启用。
步骤
-
验证是否 `nvmf-autoconnect.service`已启用:
systemctl status nvmf-autoconnect.service显示示例输出
nvmf-autoconnect.service - Connect NVMe-oF subsystems automatically during boot Loaded: loaded (/usr/lib/systemd/system/nvmf-autoconnect.service; enabled; vendor preset: disabled) Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago Process: 2108 ExecStartPre=/sbin/modprobe nvme-fabrics (code=exited, status=0/SUCCESS) Process: 2114 ExecStart=/usr/sbin/nvme connect-all (code=exited, status=0/SUCCESS) Main PID: 2114 (code=exited, status=0/SUCCESS) systemd[1]: Starting Connect NVMe-oF subsystems automatically during boot... nvme[2114]: traddr=nn-0x201700a098fd4ca6:pn-0x201800a098fd4ca6 is already connected systemd[1]: nvmf-autoconnect.service: Deactivated successfully. systemd[1]: Finished Connect NVMe-oF subsystems automatically during boot.
-
验证是否 `nvmefc-boot-connections.service`已启用:
systemctl status nvmefc-boot-connections.service显示示例输出
nvmefc-boot-connections.service - Auto-connect to subsystems on FC-NVME devices found during boot Loaded: loaded (/usr/lib/systemd/system/nvmefc-boot-connections.service; enabled; vendor preset: enabled) Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago Main PID: 1647 (code=exited, status=0/SUCCESS) systemd[1]: Starting Auto-connect to subsystems on FC-NVME devices found during boot... systemd[1]: nvmefc-boot-connections.service: Succeeded. systemd[1]: Finished Auto-connect to subsystems on FC-NVME devices found during boot.
步骤 7:验证多路径配置
验证内核NVMe多路径状态、ANA状态和ONTAP命名空间是否适用于NVMe-oF配置。
步骤
-
验证是否已启用内核NVMe多路径:
cat /sys/module/nvme_core/parameters/multipath您应看到以下输出:
Y
-
验证相应的ONTAP命名空间的 NVMe-oF 设置(例如,将型号设置为NetApp ONTAP Controller,并将负载均衡 iopolicy 设置为 queue-depth)是否正确反映在主机上:
-
显示子系统:
cat /sys/class/nvme-subsystem/nvme-subsys*/model您应看到以下输出:
NetApp ONTAP Controller NetApp ONTAP Controller
-
显示策略:
cat /sys/class/nvme-subsystem/nvme-subsys*/iopolicy您应看到以下输出:
queue-depth queue-depth
-
-
验证是否已在主机上创建并正确发现命名空间:
nvme list显示示例
Node SN Model --------------------------------------------------------- /dev/nvme7n1 81Ix2BVuekWcAAAAAAAB NetApp ONTAP Controller Namespace Usage Format FW Rev ----- 21.47 GB / 21.47 GB 4 KiB + 0 B FFFFFFFF
-
验证每个路径的控制器状态是否为活动状态且是否具有正确的ANA状态:
nvme list-subsys /dev/<controller_ID>
从 ONTAP 9.16.1 开始,NVMe/FC 和 NVMe/TCP 报告 ASA r2 系统上的所有优化路径。 NVMe/FC以下示例输出显示了使用 NVMe/FC 的 AFF、FAS、ASA 或 ASA r2 系统的双节点 ONTAP 控制器上托管的命名空间。
显示 AFF、FAS 或 ASA 的示例输出
nvme-subsys114 - NQN=nqn.1992-08.com.netapp:sn.9e30b9760a4911f08c87d039eab67a95:subsystem.sles_161_27 hostnqn=nqn.2014-08.org.nvmexpress:uuid:f651xxxx-3133-xxxx-bbff-7edxxxxf123f iopolicy=round-robin\ +- nvme114 fc traddr=nn-0x234ed039ea359e4a:pn-0x2360d039ea359e4a,host_traddr=nn-0x20000090fae0ec88:pn-0x10000090fae0ec88 live optimized +- nvme115 fc traddr=nn-0x234ed039ea359e4a:pn-0x2362d039ea359e4a,host_traddr=nn-0x20000090fae0ec88:pn-0x10000090fae0ec88 live non-optimized +- nvme116 fc traddr=nn-0x234ed039ea359e4a:pn-0x2361d039ea359e4a,host_traddr=nn-0x20000090fae0ec89:pn-0x10000090fae0ec89 live optimized +- nvme117 fc traddr=nn-0x234ed039ea359e4a:pn-0x2363d039ea359e4a,host_traddr=nn-0x20000090fae0ec89:pn-0x10000090fae0ec89 live non-optimized显示 ASA r2 的输出示例
nvme-subsys96 - NQN=nqn.1992-08.om.netapp:sn.b351b2b6777b11f0b3c2d039ea5cfc91:subsystem.nvme24 hostnqn=nqn.2014-08.org.nvmexpress:uuid:d3b5xxxx-c975-xxxx-8425-089xxxx1a074 \ +- nvme203 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2015d039ea5cfc90,host_traddr=nn-0x200000109bdacc76:pn-0x100000109bdacc76 live optimized +- nvme25 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2014d039ea5cfc90,host_traddr=nn-0x200000109bdacc75:pn-0x100000109bdacc75 live optimized +- nvme30 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2012d039ea5cfc90,host_traddr=nn-0x200000109bdacc75:pn-0x100000109bdacc75 live optimized +- nvme32 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2013d039ea5cfc90,host_traddr=nn-0x200000109bdacc76:pn-0x100000109bdacc76 live optimizedNVMe/TCP以下示例输出显示了使用 NVMe/TCP 的 AFF、FAS、ASA 或 ASA r2 系统的双节点 ONTAP 控制器上托管的命名空间。
显示 AFF、FAS 或 ASA 的示例输出
nvme-subsys9 - NQN=nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme10 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b7cxxxx44d33 \ +- nvme105 tcp traddr=192.168.39.10,trsvcid=4420,host_traddr=192.168.39.20,src_addr=192.168.39.20 live optimized +- nvme153 tcp traddr=192.168.39.11,trsvcid=4420,host_traddr=192.168.39.20,src_addr=192.168.39.20 live non-optimized +- nvme57 tcp traddr=192.168.38.11,trsvcid=4420,host_traddr=192.168.38.20,src_addr=192.168.38.20 live non-optimized +- nvme9 tcp traddr=192.168.38.10,trsvcid=4420,host_traddr=192.168.38.20,src_addr=192.168.38.20 live optimized显示 ASA r2 的输出示例
nvme-subsys4 - NQN=nqn.1992-08.com.netapp:sn.17e32b6e8c7f11f09545d039eac03c33:subsystem.Bidirectional_DHCP_1_0 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0054-xxxx-8039-c3cxxxx23034 \ +- nvme4 tcp traddr=192.168.20.28,trsvcid=4420,host_traddr=192.168.20.21,src_addr=192.168.20.21 live optimized +- nvme5 tcp traddr=192.168.20.29,trsvcid=4420,host_traddr=192.168.20.21,src_addr=192.168.20.21 live optimized +- nvme6 tcp traddr=192.168.21.28,trsvcid=4420,host_traddr=192.168.21.21,src_addr=192.168.21.21 live optimized +- nvme7 tcp traddr=192.168.21.29,trsvcid=4420,host_traddr=192.168.21.21,src_addr=192.168.21.21 live optimized -
验证NetApp插件是否为每个ONTAP 命名空间设备显示正确的值:
列nvme netapp ontapdevices -o column显示示例
Device Vserver Namespace Path NSID UUID Size ---------------- ------------------------- ----------------- ---- -------------------------------------- --------- /dev/nvme0n1 vs_coexistence_emulex ns1 1 79510f05-7784-11f0-b3c2-d039ea5cfc91 21.47GB
JSONnvme netapp ontapdevices -o json显示示例
{ "ONTAPdevices":[{ "Device":"/dev/nvme0n1", "Vserver":"vs_coexistence_emulex", "Namespace_Path":"ns1", "NSID":1, "UUID":"79510f05-7784-11f0-b3c2-d039ea5cfc91", "Size":"21.47GB", "LBA_Data_Size":4096, "Namespace_Size":5242880 } ] }
步骤 8:创建持久发现控制器
您可以为 SUSE Linux Enterprise Server 16 主机创建永久发现控制器 (PDC)。需要 PDC 才能自动检测 NVMe 子系统添加或删除操作以及对发现日志页面数据的更改。
步骤
-
验证发现日志页面数据是否可用、并且可以通过启动程序端口和目标LIF组合进行检索:
nvme discover -t <trtype> -w <host-traddr> -a <traddr>显示示例输出
Discovery Log Number of Records 8, Generation counter 10 =====Discovery Log Entry 0====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 3 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.39.10 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 1====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 1 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.38.10 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 2====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 4 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.39.11 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 3====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 2 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.38.11 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 4====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 3 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.39.10 eflags: none sectype: none =====Discovery Log Entry 5====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 1 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.38.10 eflags: none sectype: none =====Discovery Log Entry 6====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 4 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.39.11 eflags: none sectype: none =====Discovery Log Entry 7====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 2 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.38.11 eflags: none sectype: none
-
为发现子系统创建PDC:
nvme discover -t <trtype> -w <host-traddr> -a <traddr> -p您应看到以下输出:
nvme discover -t tcp -w 192.168.39.20 -a 192.168.39.11 -p
-
从ONTAP控制器中、验证是否已创建PDC:
vserver nvme show-discovery-controller -instance -vserver <vserver_name>显示示例输出
vserver nvme show-discovery-controller -instance -vserver vs_tcp_sles16 Vserver Name: vs_tcp_sles16 Controller ID: 0180h Discovery Subsystem NQN: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery Logical Interface: lif3 Node: A400-12-171 Host NQN: nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b7cxxxx44d33 Transport Protocol: nvme-tcp Initiator Transport Address: 192.168.39.20 Transport Service Identifier: 8009 Host Identifier: 4c4cxxxx0035xxxx804bb7cxxxx44d33 Admin Queue Depth: 32 Header Digest Enabled: false Data Digest Enabled: false Keep-Alive Timeout (msec): 30000
步骤 9:设置安全带内身份验证
在 SUSE Linux Enterprise Server 16 主机和 ONTAP 控制器之间,支持通过 NVMe/TCP 进行安全的带内身份验证。
每个主机或控制器都必须与一个 DH-HMAC-CHAP 设置安全认证的关键。DH-HMAC-CHAP 密钥是 NVMe 主机或控制器的 NQN 与管理员配置的身份验证密钥的组合。为了验证对等方的身份,NVMe 主机或控制器必须识别与对等方关联的密钥。
步骤
使用 CLI 或配置 JSON 文件设置安全带内身份验证。如果需要为不同的子系统指定不同的dhchap密钥、则必须使用config JSON文件。
命令行界面
使用命令行界面设置安全带内身份验证。
-
获取主机NQN:
cat /etc/nvme/hostnqn -
为主机生成 dhchap 密钥。
以下输出说明了 `gen-dhchap-key`命令参数:
nvme gen-dhchap-key -s optional_secret -l key_length {32|48|64} -m HMAC_function {0|1|2|3} -n host_nqn • -s secret key in hexadecimal characters to be used to initialize the host key • -l length of the resulting key in bytes • -m HMAC function to use for key transformation 0 = none, 1- SHA-256, 2 = SHA-384, 3=SHA-512 • -n host NQN to use for key transformation在以下示例中、将生成一个随机dhchap密钥、其中HMAC设置为3 (SHA-512)。
nvme gen-dhchap-key -m 3 -n nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b7cxxxx44d33 DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:
-
在ONTAP控制器上、添加主机并指定两个dhchap密钥:
vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function {sha-256|sha-512} -dhchap-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit} -
主机支持两种类型的身份验证方法:单向和双向。在主机上、连接到ONTAP控制器并根据所选身份验证方法指定dhchap密钥:
nvme connect -t tcp -w <host-traddr> -a <tr-addr> -n <host_nqn> -S <authentication_host_secret> -C <authentication_controller_secret>
-
验证
nvme connect authentication命令、验证主机和控制器dhchap密钥:-
验证主机dhchap密钥:
cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_secret显示单向配置的示例输出
# cat /sys/class/nvme-subsystem/nvme-subsys1/nvme*/dhchap_secret DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb: DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb: DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb: DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb:
-
验证控制器dhchap密钥:
cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_ctrl_secret显示双向配置的示例输出
# cat /sys/class/nvme-subsystem/nvme-subsys6/nvme*/dhchap_ctrl_secret DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=: DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=: DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=: DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:
-
JSON
如果ONTAP控制器配置中有多个NVMe子系统、则可以将文件与命令结合 nvme connect-all`使用 `/etc/nvme/config.json。
使用 `-o`选项来生成 JSON 文件。有关更多语法选项,请参阅 NVMe connect-all 手册页。
-
配置 JSON 文件:
显示示例输出
# cat /etc/nvme/config.json [ { "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b7cxxxx44d33", "hostid":"4c4cxxxx-0035-xxxx-804b-b7cxxxx44d33", "dhchap_key":"DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb:", "subsystems":[ { "nqn":"nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.inband_bidirectional", "ports":[ { "transport":"tcp", "traddr":"192.168.38.10", "host_traddr":"192.168.38.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" }, { "transport":"tcp", "traddr":"192.168.38.11", "host_traddr":"192.168.38.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" }, { "transport":"tcp", "traddr":"192.168.39.11", "host_traddr":"192.168.39.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" }, { "transport":"tcp", "traddr":"192.168.39.10", "host_traddr":"192.168.39.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" } ] } ] } ]
在以下示例中, dhchap_key`对应于 `dhchap_secret`和 `dhchap_ctrl_key`对应于 `dhchap_ctrl_secret。 -
使用config JSON文件连接到ONTAP控制器:
nvme connect-all -J /etc/nvme/config.json显示示例输出
traddr=192.168.38.10is already connected traddr=192.168.39.10 is already connected traddr=192.168.38.11 is already connected traddr=192.168.39.11 is already connected traddr=192.168.38.10is already connected traddr=192.168.39.10 is already connected traddr=192.168.38.11 is already connected traddr=192.168.39.11 is already connected traddr=192.168.38.10is already connected traddr=192.168.39.10 is already connected traddr=192.168.38.11 is already connected traddr=192.168.39.11 is already connected
-
验证是否已为每个子系统的相应控制器启用dhchap密码:
-
验证主机dhchap密钥:
cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_secret以下示例显示了 dhchap 密钥:
DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb:
-
验证控制器dhchap密钥:
cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_ctrl_secret您应该会看到类似于以下示例的输出:
DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:
-
步骤 10:配置传输层安全性
传输层安全协议 (TLS) 为 NVMe-oF 主机和ONTAP阵列之间的 NVMe 连接提供安全的端到端加密。您可以使用 CLI 和已配置的预共享密钥 (PSK) 配置 TLS 1.3。
|
|
除特别说明需要在ONTAP控制器上执行的步骤外,请在 SUSE Linux Enterprise Server 主机上执行以下步骤。 |
步骤
-
检查您是否具有以下内容
ktls-utils,openssl, 和 `libopenssl`主机上安装的软件包:-
验证
ktls-utils:rpm -qa | grep ktls您应该看到显示以下输出:
ktls-utils-0.10+33.g311d943-160000.2.2.x86_64
-
验证 SSL 包:
rpm -qa | grep ssl显示示例输出
libopenssl3-3.5.0-160000.3.2.x86_64 openssl-3.5.0-160000.2.2.noarch openssl-3-3.5.0-160000.3.2.x86_64 libopenssl3-x86-64-v3-3.5.0-160000.3.2.x86_64
-
-
验证是否已正确设置
/etc/tlshd.conf:cat /etc/tlshd.conf显示示例输出
[debug] loglevel=0 tls=0 nl=0 [authenticate] #keyrings= <keyring>;<keyring>;<keyring> [authenticate.client] #x509.truststore= <pathname> #x509.certificate= <pathname> #x509.private_key= <pathname> [authenticate.server] #x509.truststore= <pathname> #x509.certificate= <pathname> #x509.private_key= <pathname>
-
启用 `tlshd`以在系统启动时启动:
systemctl enable tlshd -
验证守护进程是否 `tlshd`正在运行:
systemctl status tlshd显示示例输出
tlshd.service - Handshake service for kernel TLS consumers Loaded: loaded (/usr/lib/systemd/system/tlshd.service; enabled; preset: disabled) Active: active (running) since Wed 2024-08-21 15:46:53 IST; 4h 57min ago Docs: man:tlshd(8) Main PID: 961 (tlshd) Tasks: 1 CPU: 46ms CGroup: /system.slice/tlshd.service └─961 /usr/sbin/tlshd Aug 21 15:46:54 RX2530-M4-17-153 tlshd[961]: Built from ktls-utils 0.11-dev on Mar 21 2024 12:00:00 -
使用生成TLS PSK
nvme gen-tls-key:-
验证主机:
cat /etc/nvme/hostnqn您应看到以下输出:
nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b7cxxxx44d33
-
验证密钥:
nvme gen-tls-key --hmac=1 --identity=1 --subsysnqn= nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1您应看到以下输出:
NVMeTLSkey-1:01:C50ExxxxuOp8xxxxE9EuWjbxxxxhmfoHx4XTqTJUmydf0gIj:
-
-
在ONTAP控制器上、将TLS PSK添加到ONTAP子系统:
显示示例输出
nvme subsystem host add -vserver vs_iscsi_tcp -subsystem nvme1 -host-nqn nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b2cxxxx44d33 -tls-configured-psk NVMeTLSkey-1:01:C50ExxxxuOp8xxxxE9EuWjbxxxxhmfoHx4XTqTJUmydf0gIj:
-
将TLS PSK插入主机内核密钥环:
nvme check-tls-key --identity=1 --subsysnqn=nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 --keydata=NVMeTLSkey-1:01:C50ExxxxuOp8xxxxE9EuWjbxxxxhmfoHx4XTqTJUmydf0gIj: --insert您应该看到以下 TLS 密钥:
Inserted TLS key 069f56bb
PSK 显示为 `NVMe1R01`因为它使用 `identity v1`来自 TLS 握手算法。Identity v1是ONTAP唯一支持的版本。 -
验证是否已正确插入TLS PSK:
cat /proc/keys | grep NVMe显示示例输出
069f56bb I-Q-- 5 perm 3b010000 0 0 psk NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b2cxxxx44d33 nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 oYVLelmiOwnvDjXKBmrnIgGVpFIBDJtc4hmQXE/36Sw=: 32
-
使用插入的TLS PSK连接到ONTAP子系统:
-
验证 TLS PSK:
nvme connect -t tcp -w 192.168.38.20 -a 192.168.38.10 -n nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 --tls_key=0x069f56bb –tls您应看到以下输出:
connecting to device: nvme0
-
验证列表子系统:
nvme list-subsys显示示例输出
nvme-subsys0 - NQN=nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b2cxxxx44d33 ** +- nvme0 tcp traddr=192.168.38.10,trsvcid=4420,host_traddr=192.168.38.20,src_addr=192.168.38.20 live -
从内核密钥环导出 TLS PSK。这可确保密钥在主机重新启动期间保持不变:
# nvme tls --export --keyfile /etc/nvme/tls-keys
-
-
添加目标、并验证与指定ONTAP子系统的TLS连接:
nvme subsystem controller show -vserver vs_tcp_sles16 -subsystem nvme1 -instance显示示例输出
(vserver nvme subsystem controller show) Vserver Name: vs_tcp_sles16 Subsystem: nvme1 Controller ID: 0040h Logical Interface: lif1 Node: A400-12-171 Host NQN: nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b2cxxxx44d33 Transport Protocol: nvme-tcp Initiator Transport Address: 192.168.38.20 Host Identifier: 4c4cxxxx0035xxxx804bb2cxxxx44d33 Number of I/O Queues: 2 I/O Queue Depths: 128, 128 Admin Queue Depth: 32 Max I/O Size in Bytes: 1048576 Keep-Alive Timeout (msec): 5000 Subsystem UUID: 62203cfd-826a-11f0-966e-d039eab31e9d Header Digest Enabled: false Data Digest Enabled: false Authentication Hash Function: sha-256 Authentication Diffie-Hellman Group: 3072-bit Authentication Mode: unidirectional Transport Service Identifier: 4420 TLS Key Type: configured TLS PSK Identity: NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:4c4cxxxx-0035-xxxx-804b-b2cxxxx44d33 nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 oYVLelmiOwnvDjXKBmrnIgGVpFIBDJtc4hmQXE/36Sw= TLS Cipher: TLS-AES-128-GCM-SHA256
第11步:查看已知问题
没有已知问题。