安装SAN Host Utilities
简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。
适用于采用ONTAP的SUSE Linux Enterprise Server 15 SP4的NVMe-oF主机配置
贡献者
建议更改
PDF
具有非对称命名空间访问(AANA)的SUSE Linux Enterprise Server (SLES) 15 SP4支持基于网络结构的NVMe (NVMe-oF)、包括基于光纤通道的NVMe (NVMe/FC)和其他传输。在NVMe-oF环境中、ANA相当于iSCSI和FCP环境中的AUA多路径功能、并通过内核NVMe多路径实施。
以下支持适用于采用ONTAP的SLES 15 SP4的NVMe-oF主机配置:
-
NVMe 和 SCSI 流量均可在同一主机上运行。因此、对于SCSI LUN、您可以为SCSI mpath设备配置dm-path、而可以使用NVMe多路径在主机上配置NVMe-oF命名空间设备。
-
除了NVMe/FC之外、还支持基于TCP的NVMe (NVMe/TCP)。本机NVMe-CLI软件包中的NetApp插件可显示NVMe/FC和NVMe/TCP命名库的ONTAP详细信息。
有关支持的配置的其他详细信息、请参见 "NetApp 互操作性表工具"。
功能
-
支持NVMe安全带内身份验证
-
支持使用唯一发现NQN的永久性发现控制器(PDC)
已知限制
-
目前不支持使用NVMe-oF协议启动SAN。
-
NVMe-oF不支持sanlun。因此、SLES15 SP5主机上的NVMe-oF不支持主机实用程序。您可以依靠本机NVMe-CLI软件包中提供的NetApp插件来进行所有NVMe-oF传输。
配置 NVMe/FC
您可以为Broadcom/Emulex FC适配器或Marvell/Qlogic FC适配器配置NVMe/FC。
Broadcom/Emulex
步骤
-
确认您使用的是建议的适配器型号:
cat /sys/class/scsi_host/host*/modelname
示例输出:
LPe32002 M2 LPe32002-M2
-
验证适配器型号问题描述:
cat /sys/class/scsi_host/host*/modeldesc
示例输出:
Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter
-
验证是否正在使用建议的Emulex主机总线适配器(HBA)固件版本:
cat /sys/class/scsi_host/host*/fwrev
示例输出:
12.8.351.47, sli-4:2:c 12.8.351.47, sli-4:2:c
-
验证是否正在使用建议的lpfc驱动程序版本:
cat /sys/module/lpfc/version
示例输出:
0:14.2.0.6
-
验证是否可以查看启动程序端口:
cat /sys/class/fc_host/host*/port_name
示例输出:
0x100000109b579d5e 0x100000109b579d5f
-
验证启动程序端口是否联机:
cat /sys/class/fc_host/host*/port_state
示例输出:
Online Online
-
验证NVMe/FC启动程序端口是否已启用且目标端口是否可见:
cat /sys/class/scsi_host/host*/nvme_info
示例输出:
在此示例中、一个启动程序端口已启用、并与两个目标生命周期关联。
NVME Initiator Enabled XRI Dist lpfc0 Total 6144 IO 5894 ELS 250 NVME LPORT lpfc0 WWPN x100000109b579d5e WWNN x200000109b579d5e DID x011c00 ONLINE NVME RPORT WWPN x208400a098dfdd91 WWNN x208100a098dfdd91 DID x011503 TARGET DISCSRVC ONLINE NVME RPORT WWPN x208500a098dfdd91 WWNN x208100a098dfdd91 DID x010003 TARGET DISCSRVC ONLINE NVME Statistics LS: Xmt 0000000e49 Cmpl 0000000e49 Abort 00000000 LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000 Total FCP Cmpl 000000003ceb594f Issue 000000003ce65dbe OutIO fffffffffffb046f abort 00000bd2 noxri 00000000 nondlp 00000000 qdepth 00000000 wqerr 00000000 err 00000000 FCP CMPL: xb 000014f4 Err 00012abd NVME Initiator Enabled XRI Dist lpfc1 Total 6144 IO 5894 ELS 250 NVME LPORT lpfc1 WWPN x100000109b579d5f WWNN x200000109b579d5f DID x011b00 ONLINE NVME RPORT WWPN x208300a098dfdd91 WWNN x208100a098dfdd91 DID x010c03 TARGET DISCSRVC ONLINE NVME RPORT WWPN x208200a098dfdd91 WWNN x208100a098dfdd91 DID x012a03 TARGET DISCSRVC ONLINE NVME Statistics LS: Xmt 0000000e50 Cmpl 0000000e50 Abort 00000000 LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000 Total FCP Cmpl 000000003c9859ca Issue 000000003c93515e OutIO fffffffffffaf794 abort 00000b73 noxri 00000000 nondlp 00000000 qdepth 00000000 wqerr 00000000 err 00000000 FCP CMPL: xb 0000159d Err 000135c3
-
重新启动主机。
Marvell/QLogic
步骤
-
SLES 15 SP4内核中包含的本机内置qla2xxx驱动程序包含ONTAP支持所必需的最新修复程序。验证您是否正在运行受支持的适配器驱动程序和固件版本:
cat /sys/class/fc_host/host*/symbolic_name
示例输出:
QLE2742 FW:v9.08.02 DVR:v10.02.07.800-k QLE2742 FW:v9.08.02 DVR:v10.02.07.800-k
-
验证是否已
ql2xnvmeenable参数设置为1:cat /sys/module/qla2xxx/parameters/ql2xnvmeenable 1
启用 1 MB I/O 大小(可选)
ONTAP会在"识别控制器"数据中报告MDTS (MAX Data传输大小)为8、这意味着最大I/O请求大小最多可以为1 MB。但是、要使Broadcom NVMe/FC主机的问题描述I/O请求大小为1 MB、必须增加 lpfc 的值 lpfc_sg_seg_cnt 参数从默认值64更改为256。
步骤
-
将
lpfc_sg_seg_cnt参数设置为 256 。# cat /etc/modprobe.d/lpfc.conf options lpfc lpfc_sg_seg_cnt=256
-
运行
dracut -f命令,然后重新启动主机。 -
验证
lpfc_sg_seg_cnt是否为 256 。# cat /sys/module/lpfc/parameters/lpfc_sg_seg_cnt 256
|
这不适用于逻辑NVMe/FC主机。 |
启用NVMe服务
中包含两个NVMe/FC启动服务 nvme-cli 但是、_ONLY _ nvmefc-boot-connections.service 已启用、可在系统启动期间启动; nvmf-autoconnect.service 未启用。因此、您需要手动启用 nvmf-autoconnect.service 在系统引导期间启动。
步骤
-
-enable
nvmf-autoconnect.service:# systemctl enable nvmf-autoconnect.service Created symlink /etc/systemd/system/default.target.wants/nvmf-autoconnect.service → /usr/lib/systemd/system/nvmf-autoconnect.service.
-
重新启动主机。
-
请验证
nvmf-autoconnect.service和nvmefc-boot-connections.service在系统启动后运行:示例输出:
# systemctl status nvmf-autoconnect.service nvmf-autoconnect.service - Connect NVMe-oF subsystems automatically during boot Loaded: loaded (/usr/lib/systemd/system/nvmf-autoconnect.service; enabled; vendor preset: disabled) Active: inactive (dead) since Thu 2023-05-25 14:55:00 IST; 11min ago Process: 2108 ExecStartPre=/sbin/modprobe nvme-fabrics (code=exited, status=0/SUCCESS) Process: 2114 ExecStart=/usr/sbin/nvme connect-all (code=exited, status=0/SUCCESS) Main PID: 2114 (code=exited, status=0/SUCCESS) systemd[1]: Starting Connect NVMe-oF subsystems automatically during boot... nvme[2114]: traddr=nn-0x201700a098fd4ca6:pn-0x201800a098fd4ca6 is already connected systemd[1]: nvmf-autoconnect.service: Deactivated successfully. systemd[1]: Finished Connect NVMe-oF subsystems automatically during boot. # systemctl status nvmefc-boot-connections.service nvmefc-boot-connections.service - Auto-connect to subsystems on FC-NVME devices found during boot Loaded: loaded (/usr/lib/systemd/system/nvmefc-boot-connections.service; enabled; vendor preset: enabled) Active: inactive (dead) since Thu 2023-05-25 14:55:00 IST; 11min ago Main PID: 1647 (code=exited, status=0/SUCCESS) systemd[1]: Starting Auto-connect to subsystems on FC-NVME devices found during boot... systemd[1]: nvmefc-boot-connections.service: Succeeded. systemd[1]: Finished Auto-connect to subsystems on FC-NVME devices found during boot.
配置 NVMe/TCP
您可以使用以下操作步骤配置NVMe/TCP。
步骤
-
验证启动程序端口是否可以通过受支持的NVMe/TCP LIF提取发现日志页面数据:
nvme discover -t tcp -w <host-traddr> -a <traddr>
示例输出:
# nvme discover -t tcp -w 192.168.1.4 -a 192.168.1.31 Discovery Log Number of Records 8, Generation counter 18 =====Discovery Log Entry 0====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 0 trsvcid: 8009 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery traddr: 192.168.2.117 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 1====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 1 trsvcid: 8009 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery traddr: 192.168.1.117 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 2====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 2 trsvcid: 8009 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery traddr: 192.168.2.116 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 3====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 3 trsvcid: 8009 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery traddr: 192.168.1.116 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 4====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIEN T116 traddr: 192.168.2.117 eflags: not specified sectype: none =====Discovery Log Entry 5====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 1 trsvcid: 4420 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIEN T116 traddr: 192.168.1.117 eflags: not specified sectype: none =====Discovery Log Entry 6====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 2 trsvcid: 4420 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIEN T116 traddr: 192.168.2.116 eflags: not specified sectype: none =====Discovery Log Entry 7====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 3 trsvcid: 4420 subnqn: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIEN T116 traddr: 192.168.1.116 eflags: not specified sectype: none
-
验证所有其他NVMe/TCP启动程序-目标LIF组合是否可以成功提取发现日志页面数据:
nvme discover -t tcp -w <host-traddr> -a <traddr>
示例输出:
# nvme discover -t tcp -w 192.168.1.4 -a 192.168.1.32 # nvme discover -t tcp -w 192.168.2.5 -a 192.168.2.36 # nvme discover -t tcp -w 192.168.2.5 -a 192.168.2.37
-
运行
nvme connect-all在节点中所有受支持的NVMe/TCP启动程序-目标SIP上运行命令:nvme connect-all -t tcp -w host-traddr -a traddr -l <ctrl_loss_timeout_in_seconds>
示例输出:
# nvme connect-all -t tcp -w 192.168.1.4 -a 192.168.1.31 -l -1 # nvme connect-all -t tcp -w 192.168.1.4 -a 192.168.1.32 -l -1 # nvme connect-all -t tcp -w 192.168.2.5 -a 192.168.1.36 -l -1 # nvme connect-all -t tcp -w 192.168.2.5 -a 192.168.1.37 -l -1
NetApp建议设置 ctrl-loss-tmo选项-1这样、如果路径丢失、NVMe/TCP启动程序就会无限期地尝试重新连接。
验证 NVMe-oF
您可以使用以下操作步骤验证NVMe-oF。
步骤
-
验证是否已启用内核 NVMe 多路径:
cat /sys/module/nvme_core/parameters/multipath Y
-
验证主机是否具有适用于ONTAP NVMe命名卷的正确控制器型号:
cat /sys/class/nvme-subsystem/nvme-subsys*/model
示例输出:
NetApp ONTAP Controller NetApp ONTAP Controller
-
验证相应ONTAP NVMe I/O控制器的NVMe I/O策略:
cat /sys/class/nvme-subsystem/nvme-subsys*/iopolicy
示例输出:
round-robin round-robin
-
验证ONTAP名称卷是否对主机可见:
nvme list -v
示例输出:
Subsystem Subsystem-NQN Controllers ---------------- ------------------------------------------------------------------------------------ ----------------------- nvme-subsys0 nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhchap nvme0, nvme1, nvme2, nvme3 Device SN MN FR TxPort Asdress Subsystem Namespaces -------- -------------------- ---------------------------------------- -------- --------------------------------------------- nvme0 81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller FFFFFFFF tcp traddr=192.168.2.214,trsvcid=4420,host_traddr=192.168.2.14 nvme-subsys0 nvme0n1 nvme1 81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller FFFFFFFF tcp traddr=192.168.2.215,trsvcid=4420,host_traddr=192.168.2.14 nvme-subsys0 nvme0n1 nvme2 81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller FFFFFFFF tcp traddr=192.168.1.214,trsvcid=4420,host_traddr=192.168.1.14 nvme-subsys0 nvme0n1 nvme3 81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller FFFFFFFF tcp traddr=192.168.1.215,trsvcid=4420,host_traddr=192.168.1.14 nvme-subsys0 nvme0n1 Device Generic NSID Usage Format Controllers ------------ ------------ ---------- ------------------------------------------------------------- /dev/nvme0n1 /dev/ng0n1 0x1 1.07 GB / 1.07 GB 4 KiB + 0 B nvme0, nvme1, nvme2, nvme3
-
验证每个路径的控制器状态是否为活动状态且是否具有正确的ANA状态:
nvme list-subsys /dev/<subsystem_name>
NVMe/FC# nvme list-subsys /dev/nvme1n1 nvme-subsys1 - NQN=nqn.1992-08.com.netapp:sn.04ba0732530911ea8e8300a098dfdd91:subsystem.nvme_145_1 \ +- nvme2 fc traddr=nn-0x208100a098dfdd91:pn- 0x208200a098dfdd91,host_traddr=nn-0x200000109b579d5f:pn-0x100000109b579d5f live optimized +- nvme3 fc traddr=nn-0x208100a098dfdd91:pn- 0x208500a098dfdd91,host_traddr=nn-0x200000109b579d5e:pn-0x100000109b579d5e live optimized +- nvme4 fc traddr=nn-0x208100a098dfdd91:pn- 0x208400a098dfdd91,host_traddr=nn-0x200000109b579d5e:pn-0x100000109b579d5e live non-optimized +- nvme6 fc traddr=nn-0x208100a098dfdd91:pn- 0x208300a098dfdd91,host_traddr=nn-0x200000109b579d5f:pn-0x100000109b579d5f live non-optimized
NVMe/TCP# nvme list-subsys nvme-subsys0 - NQN=nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhchap hostnqn=nqn.2014-08.org.nvmexpress:uuid:e58eca24-faff-11ea-8fee-3a68dd3b5c5f iopolicy=round-robin +- nvme0 tcp traddr=192.168.2.214,trsvcid=4420,host_traddr=192.168.2.14 live +- nvme1 tcp traddr=192.168.2.215,trsvcid=4420,host_traddr=192.168.2.14 live +- nvme2 tcp traddr=192.168.1.214,trsvcid=4420,host_traddr=192.168.1.14 live +- nvme3 tcp traddr=192.168.1.215,trsvcid=4420,host_traddr=192.168.1.14 live
-
验证NetApp插件是否为每个ONTAP 命名空间设备显示正确的值:
列nvme netapp ontapdevices -o column示例输出:
Device Vserver Namespace Path NSID UUID Size ---------------- ------------------------- ----------------------------------------------------------------------------------------------- /dev/nvme0n1 vs_CLIENT114 /vol/CLIENT114_vol_0_10/CLIENT114_ns10 1 c6586535-da8a-40fa-8c20-759ea0d69d33 1.07GB
JSONnvme netapp ontapdevices -o json示例输出:
{ "ONTAPdevices":[ { "Device":"/dev/nvme0n1", "Vserver":"vs_CLIENT114", "Namespace_Path":"/vol/CLIENT114_vol_0_10/CLIENT114_ns10", "NSID":1, "UUID":"c6586535-da8a-40fa-8c20-759ea0d69d33", "Size":"1.07GB", "LBA_Data_Size":4096, "Namespace_Size":262144 } ] }
创建永久性发现控制器
从ONTAP 9.11.1开始、您可以使用以下操作步骤为SLES 15 SP4主机创建永久性发现控制器(PDC)。要自动检测NVMe子系统添加或删除方案以及对发现日志页面数据的更改、需要PDC。
步骤
-
验证发现日志页面数据是否可用、并且可以通过启动程序端口和目标LIF组合进行检索:
nvme discover -t <trtype> -w <host-traddr> -a <traddr>
示例输出:
Discovery Log Number of Records 16, Generation counter 14 =====Discovery Log Entry 0====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 0 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:discovery traddr: 192.168.1.214 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 1====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 0 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:discovery traddr: 192.168.1.215 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 2====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 0 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:discovery traddr: 192.168.2.215 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 3====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 0 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:discovery traddr: 192.168.2.214 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 4====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_none traddr: 192.168.1.214 eflags: none sectype: none =====Discovery Log Entry 5====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_none traddr: 192.168.1.215 eflags: none sectype: none =====Discovery Log Entry 6====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_none traddr: 192.168.2.215 eflags: none sectype: none =====Discovery Log Entry 7====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_none traddr: 192.168.2.214 eflags: none sectype: none =====Discovery Log Entry 8====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.subsys_CLIENT114 traddr: 192.168.1.214 eflags: none sectype: none =====Discovery Log Entry 9====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.subsys_CLIENT114 traddr: 192.168.1.215 eflags: none sectype: none =====Discovery Log Entry 10====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.subsys_CLIENT114 traddr: 192.168.2.215 eflags: none sectype: none =====Discovery Log Entry 11====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.subsys_CLIENT114 traddr: 192.168.2.214 eflags: none sectype: none =====Discovery Log Entry 12====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhchap traddr: 192.168.1.214 eflags: none sectype: none =====Discovery Log Entry 13====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhchap traddr: 192.168.1.215 eflags: none sectype: none =====Discovery Log Entry 14====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhchap traddr: 192.168.2.215 eflags: none sectype: none =====Discovery Log Entry 15====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 0 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhchap traddr: 192.168.2.214 eflags: none sectype: none
-
为发现子系统创建PDC:
nvme discover -t <trtype> -w <host-traddr> -a <traddr> -p
示例输出:
nvme discover -t tcp -w 192.168.1.16 -a 192.168.1.116 -p
-
从ONTAP控制器中、验证是否已创建PDC:
vserver nvme show-discovery-controller -instance -vserver vserver_name
示例输出:
vserver nvme show-discovery-controller -instance -vserver vs_nvme175 Vserver Name: vs_CLIENT116 Controller ID: 00C0h Discovery Subsystem NQN: nqn.1992- 08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery Logical Interface UUID: d23cbb0a-c0a6-11ec-9731-d039ea165abc Logical Interface: CLIENT116_lif_4a_1 Node: A400-14-124 Host NQN: nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09- 74362c0c1afc Transport Protocol: nvme-tcp Initiator Transport Address: 192.168.1.16 Host Identifier: 59de25be738348f08a79df4bce9573f3 Admin Queue Depth: 32 Header Digest Enabled: false Data Digest Enabled: false Vserver UUID: 48391d66-c0a6-11ec-aaa5-d039ea165514
设置安全带内身份验证
从ONTAP 9.12.1开始、支持在SLES 15 SP4主机和ONTAP控制器之间通过NVMe/TCP和NVMe/FC进行安全的带内身份验证。
要设置安全身份验证、每个主机或控制器都必须与关联 DH-HMAC-CHAP 密钥、它是NVMe主机或控制器的NQN与管理员配置的身份验证密钥的组合。要对其对等方进行身份验证、NVMe主机或控制器必须识别与对等方关联的密钥。
您可以使用命令行界面或Config JSON文件设置安全带内身份验证。如果需要为不同的子系统指定不同的dhchap密钥、则必须使用config JSON文件。
命令行界面
步骤
-
获取主机NQN:
cat /etc/nvme/hostnqn
-
为SLES15 SP4主机生成dhchap密钥:
nvme gen-dhchap-key -s optional_secret -l key_length {32|48|64} -m HMAC_function {0|1|2|3} -n host_nqn • -s secret key in hexadecimal characters to be used to initialize the host key • -l length of the resulting key in bytes • -m HMAC function to use for key transformation 0 = none, 1- SHA-256, 2 = SHA-384, 3=SHA-512 • -n host NQN to use for key transformation+
在以下示例中、将生成一个随机dhchap密钥、其中HMAC设置为3 (SHA-512)。
# nvme gen-dhchap-key -m 3 -n nqn.2014-08.org.nvmexpress:uuid:d3ca725a- ac8d-4d88-b46a-174ac235139b DHHC-1:03:J2UJQfj9f0pLnpF/ASDJRTyILKJRr5CougGpGdQSysPrLu6RW1fGl5VSjbeDF1n1DEh3nVBe19nQ/LxreSBeH/bx/pU=:
-
在ONTAP控制器上、添加主机并指定两个dhchap密钥:
vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function {sha-256|sha-512} -dhchap-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit} -
主机支持两种类型的身份验证方法:单向和双向。在主机上、连接到ONTAP控制器并根据所选身份验证方法指定dhchap密钥:
nvme connect -t tcp -w <host-traddr> -a <tr-addr> -n <host_nqn> -S <authentication_host_secret> -C <authentication_controller_secret>
-
验证
nvme connect authentication命令、验证主机和控制器dhchap密钥:-
验证主机dhchap密钥:
$cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_secret
单向配置的示例输出:
SR650-14-114:~ # cat /sys/class/nvme-subsystem/nvme-subsys1/nvme*/dhchap_secret DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=: DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=: DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=: DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
-
验证控制器dhchap密钥:
$cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_ctrl_secret
双向配置的输出示例:
SR650-14-114:~ # cat /sys/class/nvme-subsystem/nvme-subsys6/nvme*/dhchap_ctrl_secret DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=: DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=: DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=: DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
-
JSON 文件
您可以使用 /etc/nvme/config.json 文件 nvme connect-all 命令ONTAP。
您可以使用生成JSON文件 -o 选项有关更多语法选项、请参见NVMe Connect-all手册页。
步骤
-
配置 JSON 文件:
# cat /etc/nvme/config.json [ { "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc", "hostid":"3ae10b42-21af-48ce-a40b-cfb5bad81839", "dhchap_key":"DHHC-1:03:Cu3ZZfIz1WMlqZFnCMqpAgn/T6EVOcIFHez215U+Pow8jTgBF2UbNk3DK4wfk2EptWpna1rpwG5CndpOgxpRxh9m41w=:" }, { "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc", "subsystems":[ { "nqn":"nqn.1992-08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIENT116", "ports":[ { "transport":"tcp", "traddr":"192.168.1.117", "host_traddr":"192.168.1.16", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:" }, { "transport":"tcp", "traddr":"192.168.1.116", "host_traddr":"192.168.1.16", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:" }, { "transport":"tcp", "traddr":"192.168.2.117", "host_traddr":"192.168.2.16", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:" }, { "transport":"tcp", "traddr":"192.168.2.116", "host_traddr":"192.168.2.16", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:" } ] } ] } ] [NOTE] In the preceding example, `dhchap_key` corresponds to `dhchap_secret` and `dhchap_ctrl_key` corresponds to `dhchap_ctrl_secret`. -
使用config JSON文件连接到ONTAP控制器:
nvme connect-all -J /etc/nvme/config.json
示例输出:
traddr=192.168.2.116 is already connected traddr=192.168.1.116 is already connected traddr=192.168.2.117 is already connected traddr=192.168.1.117 is already connected traddr=192.168.2.117 is already connected traddr=192.168.1.117 is already connected traddr=192.168.2.116 is already connected traddr=192.168.1.116 is already connected traddr=192.168.2.116 is already connected traddr=192.168.1.116 is already connected traddr=192.168.2.117 is already connected traddr=192.168.1.117 is already connected
-
验证是否已为每个子系统的相应控制器启用dhchap密码:
-
验证主机dhchap密钥:
# cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_secret
示例输出:
DHHC-1:01:NunEWY7AZlXqxITGheByarwZdQvU4ebZg9HOjIr6nOHEkxJg:
-
验证控制器dhchap密钥:
# cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_ctrl_secret
示例输出:
DHHC-1:03:2YJinsxa2v3+m8qqCiTnmgBZoH6mIT6G/6f0aGO8viVZB4VLNLH4z8CvK7pVYxN6S5fOAtaU3DNi12rieRMfdbg3704=:
-
已知问题
具有ONTAP版本的SLES 15 SP4没有已知问题。