本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。
使用 ONTAP 儲存設備為 SUSE Linux Enterprise Server 16 設定 NVMe-oF
貢獻者
建議變更
PDF
目錄
SUSE Linux Enterprise Server 16 主機支援基於光纖通道的 NVMe (NVMe/FC) 和基於 TCP 的 NVMe (NVMe/TCP) 協議,並具備非對稱命名空間存取 (ANA) 功能。ANA 提供與 iSCSI 和 FCP 環境中的非對稱邏輯單元存取 (ALUA) 等效的多路徑功能。
了解如何為 SUSE Linux Enterprise Server 16 設定 NVMe over Fabrics(NVMe-oF)主機。如需更多支援和功能資訊,請參閱 "ONTAP支援和功能"。
使用 SUSE Linux Enterprise Server 16 的 NVMe-oF 有以下已知限制:
-
這 `nvme disconnect-all`此命令會斷開根檔案系統和資料檔案系統,可能會導致系統不穩定。請勿在透過 NVMe-TCP 或 NVMe-FC 命名空間從 SAN 啟動的系統上執行此操作。
-
NetApp sanlun 主機公用程式不支援 NVMe-oF。或者,您可以依賴原生產品中包含的NetApp外掛程式。
nvme-cli適用於所有 NVMe-oF 傳輸的軟體套件。
步驟 1 :選擇性啟用 SAN 開機
您可以設定主機以使用 SAN 啟動來簡化部署並提高可擴充性。使用"互通性對照表工具"驗證您的 Linux 作業系統、主機匯流排適配器 (HBA)、HBA 韌體、HBA 啟動 BIOS 和ONTAP版本是否支援 SAN 啟動。
步驟
-
在伺服器 BIOS 中為 SAN 啟動命名空間對應到的連接埠啟用 SAN 啟動。
如需如何啟用HBA BIOS的相關資訊、請參閱廠商專屬的文件。
-
重新啟動主機並驗證作業系統是否已啟動並正在運行。
步驟 2:安裝 SUSE Linux Enterprise Server 和 NVMe 軟體,並驗證您的設定
若要為 NVMe-oF 設定主機,您需要安裝主機和 NVMe 軟體包,啟用多路徑,並驗證主機 NQN 設定。
步驟
-
在伺服器上安裝 SUSE Linux Enterprise Server 16。安裝完成後,請確認您執行的是指定的 SUSE Linux Enterprise Server 16 核心:
uname -rSUSE Linux Enterprise Server 核心版本範例:
6.12.0-160000.6-default
-
安裝「NVMe-CLI(NVMe - CLI)套件:
rpm -qa|grep nvme-cli下面的例子展示了 `nvme-cli`軟體包版本:
nvme-cli-2.11+29.g35e62868-160000.1.1.x86_64
-
安裝
libnvme套件:rpm -qa|grep libnvme下面的例子展示了 `libnvme`軟體包版本:
libnvme1-1.11+17.g6d55624d-160000.1.1.x86_64
-
在主機上,檢查 hostnqn 字串
/etc/nvme/hostnqn:cat /etc/nvme/hostnqn下面的例子展示了 `hostnqn`版本:
nqn.2014-08.org.nvmexpress:uuid:d3b581b4-c975-11e6-8425-0894ef31a074
-
在ONTAP系統中,驗證以下資訊: `hostnqn`字串匹配 `hostnqn`ONTAP陣列中對應子系統的字串:
::> vserver nvme subsystem host show -vserver vs_coexistence_emulex顯示範例
Vserver Subsystem Priority Host NQN ------- --------- -------- ------------------------------------------------ vs_coexistence_emulex nvme1 regular nqn.2014-08.org.nvmexpress:uuid:d3b581b4-c975-11e6-8425-0894ef31a074 nvme10 regular nqn.2014-08.org.nvmexpress:uuid:d3b581b4-c975-11e6-8425-0894ef31a074 nvme11 regular nqn.2014-08.org.nvmexpress:uuid:d3b581b4-c975-11e6-8425-0894ef31a074 nvme12 regular nqn.2014-08.org.nvmexpress:uuid:d3b581b4-c975-11e6-8425-0894ef31a074 4 entries were displayed.
如果是 hostnqn字串不相符、請使用vserver modify命令來更新hostnqn對應 ONTAP 陣列子系統上的字串、以符合hostnqn字串來源/etc/nvme/hostnqn在主機上。
步驟 3:設定 NVMe/FC 和 NVMe/TCP
使用 Broadcom/Emulex 或 Marvell/QLogic 適配器配置 NVMe/FC,或使用手動發現和連接操作來設定 NVMe/TCP。
NVMe/FC - 博通/Emulex
為 Broadcom / Emulex FC 介面卡設定 NVMe / FC 。
步驟
-
確認您使用的是支援的介面卡機型:
-
顯示模型名稱:
cat /sys/class/scsi_host/host*/modelname您應該會看到下列輸出:
SN37A92079 SN37A92079
-
顯示模型描述:
cat /sys/class/scsi_host/host*/modeldesc您應該會看到下列輸出:
Emulex SN37A92079 32Gb 2-Port Fibre Channel Adapter Emulex SN37A92079 32Gb 2-Port Fibre Channel Adapter
-
-
驗證您使用的是建議的Broadcom
lpfc韌體與收件匣驅動程式:-
顯示韌體版本:
cat /sys/class/scsi_host/host*/fwrev以下範例顯示韌體版本:
14.4.393.53, sli-4:6:d 14.4.393.53, sli-4:6:d
-
顯示收件匣驅動程式版本:
cat /sys/module/lpfc/version以下範例顯示了驅動程式版本:
0:14.4.0.11
如需支援的介面卡驅動程式和韌體版本的最新清單,請參閱"互通性對照表工具"。
-
-
驗證的預期輸出是否
lpfc_enable_fc4_type`設置爲 `3:cat /sys/module/lpfc/parameters/lpfc_enable_fc4_type -
確認您可以檢視啟動器連接埠:
cat /sys/class/fc_host/host*/port_name您應該會看到類似如下的輸出:
0x100000109bdacc75 0x100000109bdacc76
-
驗證啟動器連接埠是否在線上:
cat /sys/class/fc_host/host*/port_state您應該會看到下列輸出:
Online Online
-
確認已啟用 NVMe / FC 啟動器連接埠、且目標連接埠可見:
cat /sys/class/scsi_host/host*/nvme_info顯示範例輸出
NVME Initiator Enabled XRI Dist lpfc0 Total 6144 IO 5894 ELS 250 NVME LPORT lpfc0 WWPN x100000109bdacc75 WWNN x200000109bdacc75 DID x060100 ONLINE NVME RPORT WWPN x2001d039ea951c45 WWNN x2000d039ea951c45 DID x080801 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2003d039ea951c45 WWNN x2000d039ea951c45 DID x080d01 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2024d039eab31e9c WWNN x2023d039eab31e9c DID x020a09 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2026d039eab31e9c WWNN x2023d039eab31e9c DID x020a08 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2003d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061b01 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2012d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061b05 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2005d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061201 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2014d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061205 TARGET DISCSRVC ONLINE NVME Statistics LS: Xmt 0000017242 Cmpl 0000017242 Abort 00000000 LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000 Total FCP Cmpl 0000000000378362 Issue 00000000003783c7 OutIO 0000000000000065 abort 00000409 noxri 00000000 nondlp 0000003a qdepth 00000000 wqerr 00000000 err 00000000 FCP CMPL: xb 00000409 Err 0000040a NVME Initiator Enabled XRI Dist lpfc1 Total 6144 IO 5894 ELS 250 NVME LPORT lpfc1 WWPN x100000109bdacc76 WWNN x200000109bdacc76 DID x062800 ONLINE NVME RPORT WWPN x2002d039ea951c45 WWNN x2000d039ea951c45 DID x080701 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2004d039ea951c45 WWNN x2000d039ea951c45 DID x081501 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2025d039eab31e9c WWNN x2023d039eab31e9c DID x020913 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2027d039eab31e9c WWNN x2023d039eab31e9c DID x020912 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2006d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061401 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2015d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061405 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2004d039ea5cfc90 WWNN x2002d039ea5cfc90 DID x061301 TARGET DISCSRVC ONLINE NVME RPORT WWPN x2013d039ea5cfc90 WWNN x2011d039ea5cfc90 DID x061305 TARGET DISCSRVC ONLINE NVME Statistics LS: Xmt 0000017428 Cmpl 0000017428 Abort 00000000 LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000 Total FCP Cmpl 00000000003443be Issue 000000000034442a OutIO 000000000000006c abort 00000491 noxri 00000000 nondlp 00000086 qdepth 00000000 wqerr 00000000 err 00000000 FCP CMPL: xb 00000491 Err 00000494
NVMe/FC - Marvell/QLogic
為 Marvell/QLogic 介面卡設定 NVMe / FC 。
步驟
-
確認您執行的是支援的介面卡驅動程式和韌體版本:
cat /sys/class/fc_host/host*/symbolic_name以下範例顯示了驅動程式和韌體版本:
QLE2772 FW:v9.15.06 DVR:v10.02.09.400-k-debug QLE2772 FW:v9.15.06 DVR:v10.02.09.400-k-debug
-
請確認
ql2xnvmeenable已設定。這可讓 Marvell 介面卡作為 NVMe / FC 啟動器運作:cat /sys/module/qla2xxx/parameters/ql2xnvmeenable預期輸出為 1 。
NVMe / TCP
NVMe/TCP 協定不支援自動連線操作。相反,您可以透過執行 NVMe/TCP 來發現 NVMe/TCP 子系統和命名空間 `connect`或者 `connect-all`手動操作。
步驟
-
確認啟動器連接埠可在支援的NVMe/TCP LIF中擷取探索記錄頁面資料:
nvme discover -t tcp -w <host-traddr> -a <traddr>
顯示範例輸出
nvme discover -t tcp -w 192.168.38.20 -a 192.168.38.10 Discovery Log Number of Records 8, Generation counter 42 =====Discovery Log Entry 0====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 4 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.211.71 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 1====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 3 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.111.71 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 2====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 2 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.211.70 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 3====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 1 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:discovery traddr: 192.168.111.70 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 4====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 4 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.211.71 eflags: none sectype: none =====Discovery Log Entry 5====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 3 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.111.71 eflags: none sectype: none =====Discovery Log Entry 6====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 2 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.211.70 eflags: none sectype: none =====Discovery Log Entry 7====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 1 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.f8e2af201b7211f0ac2bd039eab67a95:subsystem.sample_tcp_sub traddr: 192.168.111.70 eflags: none sectype: none localhost:~ #
-
確認所有其他的 NVMe / TCP 啟動器目標 LIF 組合都能成功擷取探索記錄頁面資料:
nvme discover -t tcp -w <host-traddr> -a <traddr>
顯示範例
nvme discover -t tcp -w 192.168.38.20 -a 192.168.38.10 nvme discover -t tcp -w 192.168.38.20 -a 192.168.38.11 nvme discover -t tcp -w 192.168.39.20 -a 192.168.39.10 nvme discover -t tcp -w 192.168.39.20 -a 192.168.39.11
-
執行
nvme connect-all跨所有節點支援的 NVMe / TCP 啟動器目標生命體執行命令:nvme connect-all -t tcp -w <host-traddr> -a <traddr>
顯示範例
nvme connect-all -t tcp -w 192.168.38.20 -a 192.168.38.10 nvme connect-all -t tcp -w 192.168.38.20 -a 192.168.38.11 nvme connect-all -t tcp -w 192.168.39.20 -a 192.168.39.10 nvme connect-all -t tcp -w 192.168.39.20 -a 192.168.39.11
NVMe/TCP 的設置 `ctrl_loss_tmo timeout`自動設定為“關閉”。因此:
-
重試次數沒有限制(無限重試)。
-
您不需要手動配置特定的 `ctrl_loss_tmo timeout`使用時長 `nvme connect`或者 `nvme connect-all`命令(選項 -l )。
-
如果發生路徑故障,NVMe/TCP 控制器不會逾時,並且會無限期地保持連線。
步驟 4:(可選)修改 udev 規則中的 iopolicy
從 SUSE Linux Enterprise Server 16 開始,NVMe-oF 的預設 iopolicy 設定為 queue-depth。如果您想將 iopolicy 更改為 round-robin,請如下修改 udev rules 檔案:
步驟
-
使用 root 權限在文字編輯器中開啟 udev 規則檔:
/usr/lib/udev/rules.d/71-nvmf-netapp.rules您應該會看到下列輸出:
vi /usr/lib/udev/rules.d/71-nvmf-netapp.rules
-
找到為NetApp ONTAP控制器設定 iopolicy 的行,如下例所示:
ACTION=="add", SUBSYSTEM=="nvme-subsystem", ATTR{subsystype}=="nvm", ATTR{model}=="NetApp ONTAP Controller", ATTR{iopolicy}="queue-depth" -
修改規則,使
queue-depth變成round-robin:ACTION=="add", SUBSYSTEM=="nvme-subsystem", ATTR{subsystype}=="nvm", ATTR{model}=="NetApp ONTAP Controller", ATTR{iopolicy}="round-robin" -
重新載入udev規則並套用變更:
udevadm control --reload udevadm trigger --subsystem-match=nvme-subsystem -
請檢查子系統的目前 I/O 策略。例如,替換<子系統>
nvme-subsys0。cat /sys/class/nvme-subsystem/<subsystem>/iopolicy您應該會看到下列輸出:
round-robin
|
|
新的 iopolicy 會自動套用於相符的NetApp ONTAP控制器設備。您無需重啟。 |
步驟 5:可選,啟用 NVMe/FC 的 1MB I/O。
ONTAP在識別控制器資料中報告最大資料傳輸大小 (MDTS) 為 8。這意味著最大 I/O 請求大小可達 1MB。若要向 Broadcom NVMe/FC 主機發出 1MB 大小的 I/O 要求,您應該會增加 `lpfc`的價值 `lpfc_sg_seg_cnt`參數從預設值 64 更改為 256。
|
|
這些步驟不適用於 Qlogic NVMe / FC 主機。 |
步驟
-
將 `lpfc_sg_seg_cnt`參數設定為 256 :
cat /etc/modprobe.d/lpfc.conf您應該會看到類似以下範例的輸出:
options lpfc lpfc_sg_seg_cnt=256
-
執行 `dracut -f`命令,然後重新啟動主機。
-
確認的值 `lpfc_sg_seg_cnt`為 256 :
cat /sys/module/lpfc/parameters/lpfc_sg_seg_cnt
步驟 6:驗證 NVMe 啟動服務
這 `nvmefc-boot-connections.service`和 `nvmf-autoconnect.service`NVMe/FC 中包含的啟動服務 `nvme-cli`系統啟動時,軟體包會自動啟用。
啟動完成後,驗證 `nvmefc-boot-connections.service`和 `nvmf-autoconnect.service`啟動服務已啟用。
步驟
-
確認 `nvmf-autoconnect.service`已啟用:
systemctl status nvmf-autoconnect.service顯示範例輸出
nvmf-autoconnect.service - Connect NVMe-oF subsystems automatically during boot Loaded: loaded (/usr/lib/systemd/system/nvmf-autoconnect.service; enabled; vendor preset: disabled) Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago Process: 2108 ExecStartPre=/sbin/modprobe nvme-fabrics (code=exited, status=0/SUCCESS) Process: 2114 ExecStart=/usr/sbin/nvme connect-all (code=exited, status=0/SUCCESS) Main PID: 2114 (code=exited, status=0/SUCCESS) systemd[1]: Starting Connect NVMe-oF subsystems automatically during boot... nvme[2114]: traddr=nn-0x201700a098fd4ca6:pn-0x201800a098fd4ca6 is already connected systemd[1]: nvmf-autoconnect.service: Deactivated successfully. systemd[1]: Finished Connect NVMe-oF subsystems automatically during boot.
-
確認 `nvmefc-boot-connections.service`已啟用:
systemctl status nvmefc-boot-connections.service顯示範例輸出
nvmefc-boot-connections.service - Auto-connect to subsystems on FC-NVME devices found during boot Loaded: loaded (/usr/lib/systemd/system/nvmefc-boot-connections.service; enabled; vendor preset: enabled) Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago Main PID: 1647 (code=exited, status=0/SUCCESS) systemd[1]: Starting Auto-connect to subsystems on FC-NVME devices found during boot... systemd[1]: nvmefc-boot-connections.service: Succeeded. systemd[1]: Finished Auto-connect to subsystems on FC-NVME devices found during boot.
步驟 7:驗證多路徑配置
驗證核心內建 NVMe 多重路徑狀態, ANA 狀態和 ONTAP 命名空間是否適用於 NVMe 組態。
步驟
-
確認已啟用核心內建 NVMe 多重路徑:
cat /sys/module/nvme_core/parameters/multipath您應該會看到下列輸出:
Y
-
驗證對應的ONTAP命名空間的 NVMe-oF 設定(例如,將型號設定為NetApp ONTAP Controller,並將負載平衡 iopolicy 設定為 queue-depth)是否正確反映在主機上:
-
顯示子系統:
cat /sys/class/nvme-subsystem/nvme-subsys*/model您應該會看到下列輸出:
NetApp ONTAP Controller NetApp ONTAP Controller
-
顯示策略:
cat /sys/class/nvme-subsystem/nvme-subsys*/iopolicy您應該會看到下列輸出:
queue-depth queue-depth
-
-
確認已在主機上建立並正確探索命名空間:
nvme list顯示範例
Node SN Model --------------------------------------------------------- /dev/nvme7n1 81Ix2BVuekWcAAAAAAAB NetApp ONTAP Controller Namespace Usage Format FW Rev ----- 21.47 GB / 21.47 GB 4 KiB + 0 B FFFFFFFF
-
確認每個路徑的控制器狀態均為有效、且具有正確的ANA狀態:
nvme list-subsys /dev/<controller_ID>
從 ONTAP 9.16.1 開始,NVMe/FC 和 NVMe/TCP 會在 ASA r2 系統上報告所有最佳化路徑。 NVMe / FC以下範例輸出顯示了託管在雙節點 ONTAP 控制器上的命名空間,適用於 AFF、FAS 和 ASA 系統以及具有 NVMe/FC 的 ASA r2 系統。
顯示 AFF、FAS 和 ASA 範例輸出
nvme-subsys114 - NQN=nqn.1992-08.com.netapp:sn.9e30b9760a4911f08c87d039eab67a95:subsystem.sles_161_27 hostnqn=nqn.2014-08.org.nvmexpress:uuid:f6517cae-3133-11e8-bbff-7ed30aef123f iopolicy=round-robin\ +- nvme114 fc traddr=nn-0x234ed039ea359e4a:pn-0x2360d039ea359e4a,host_traddr=nn-0x20000090fae0ec88:pn-0x10000090fae0ec88 live optimized +- nvme115 fc traddr=nn-0x234ed039ea359e4a:pn-0x2362d039ea359e4a,host_traddr=nn-0x20000090fae0ec88:pn-0x10000090fae0ec88 live non-optimized +- nvme116 fc traddr=nn-0x234ed039ea359e4a:pn-0x2361d039ea359e4a,host_traddr=nn-0x20000090fae0ec89:pn-0x10000090fae0ec89 live optimized +- nvme117 fc traddr=nn-0x234ed039ea359e4a:pn-0x2363d039ea359e4a,host_traddr=nn-0x20000090fae0ec89:pn-0x10000090fae0ec89 live non-optimized顯示 ASA r2 範例輸出
nvme-subsys96 - NQN=nqn.1992-08.om.netapp:sn.b351b2b6777b11f0b3c2d039ea5cfc91:subsystem.nvme24 hostnqn=nqn.2014-08.org.nvmexpress:uuid:d3b581b4-c975-11e6-8425-0894ef31a074 \ +- nvme203 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2015d039ea5cfc90,host_traddr=nn-0x200000109bdacc76:pn-0x100000109bdacc76 live optimized +- nvme25 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2014d039ea5cfc90,host_traddr=nn-0x200000109bdacc75:pn-0x100000109bdacc75 live optimized +- nvme30 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2012d039ea5cfc90,host_traddr=nn-0x200000109bdacc75:pn-0x100000109bdacc75 live optimized +- nvme32 fc traddr=nn-0x2011d039ea5cfc90:pn-0x2013d039ea5cfc90,host_traddr=nn-0x200000109bdacc76:pn-0x100000109bdacc76 live optimizedNVMe / TCP以下範例輸出顯示了託管在雙節點 ONTAP 控制器上的命名空間,適用於 AFF、FAS 和 ASA 系統以及具有 NVMe/TCP 的 ASA r2 系統。
顯示 AFF、FAS 和 ASA 範例輸出
nvme-subsys9 - NQN=nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme10 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b7c04f444d33 \ +- nvme105 tcp traddr=192.168.39.10,trsvcid=4420,host_traddr=192.168.39.20,src_addr=192.168.39.20 live optimized +- nvme153 tcp traddr=192.168.39.11,trsvcid=4420,host_traddr=192.168.39.20,src_addr=192.168.39.20 live non-optimized +- nvme57 tcp traddr=192.168.38.11,trsvcid=4420,host_traddr=192.168.38.20,src_addr=192.168.38.20 live non-optimized +- nvme9 tcp traddr=192.168.38.10,trsvcid=4420,host_traddr=192.168.38.20,src_addr=192.168.38.20 live optimized顯示 ASA r2 範例輸出
nvme-subsys4 - NQN=nqn.1992-08.com.netapp:sn.17e32b6e8c7f11f09545d039eac03c33:subsystem.Bidirectional_DHCP_1_0 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0054-5110-8039-c3c04f523034 \ +- nvme4 tcp traddr=192.168.20.28,trsvcid=4420,host_traddr=192.168.20.21,src_addr=192.168.20.21 live optimized +- nvme5 tcp traddr=192.168.20.29,trsvcid=4420,host_traddr=192.168.20.21,src_addr=192.168.20.21 live optimized +- nvme6 tcp traddr=192.168.21.28,trsvcid=4420,host_traddr=192.168.21.21,src_addr=192.168.21.21 live optimized +- nvme7 tcp traddr=192.168.21.29,trsvcid=4420,host_traddr=192.168.21.21,src_addr=192.168.21.21 live optimized -
驗證NetApp外掛程式是否顯示每ONTAP 個版本名稱空間裝置的正確值:
欄位nvme netapp ontapdevices -o column顯示範例
Device Vserver Namespace Path NSID UUID Size ---------------- ------------------------- ----------------- ---- -------------------------------------- --------- /dev/nvme0n1 vs_coexistence_emulex ns1 1 79510f05-7784-11f0-b3c2-d039ea5cfc91 21.47GB
JSONnvme netapp ontapdevices -o json顯示範例
{ "ONTAPdevices":[{ "Device":"/dev/nvme0n1", "Vserver":"vs_coexistence_emulex", "Namespace_Path":"ns1", "NSID":1, "UUID":"79510f05-7784-11f0-b3c2-d039ea5cfc91", "Size":"21.47GB", "LBA_Data_Size":4096, "Namespace_Size":5242880 } ] }
步驟 8:建立持久發現控制器
您可以為 SUSE Linux Enterprise Server 16 主機建立持久發現控制器(PDC)。PDC 用於自動偵測 NVMe 子系統的新增或刪除操作以及發現日誌頁面資料的變更。
步驟
-
確認探索記錄頁面資料可用、並可透過啟動器連接埠和目標 LIF 組合擷取:
nvme discover -t <trtype> -w <host-traddr> -a <traddr>顯示範例輸出
Discovery Log Number of Records 8, Generation counter 10 =====Discovery Log Entry 0====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 3 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.39.10 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 1====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 1 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.38.10 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 2====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 4 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.39.11 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 3====== trtype: tcp adrfam: ipv4 subtype: current discovery subsystem treq: not specified portid: 2 trsvcid: 8009 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery traddr: 192.168.38.11 eflags: explicit discovery connections, duplicate discovery information sectype: none =====Discovery Log Entry 4====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 3 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.39.10 eflags: none sectype: none =====Discovery Log Entry 5====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 1 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.38.10 eflags: none sectype: none =====Discovery Log Entry 6====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 4 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.39.11 eflags: none sectype: none =====Discovery Log Entry 7====== trtype: tcp adrfam: ipv4 subtype: nvme subsystem treq: not specified portid: 2 trsvcid: 4420 subnqn: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 traddr: 192.168.38.11 eflags: none sectype: none
-
建立探索子系統的 PDC :
nvme discover -t <trtype> -w <host-traddr> -a <traddr> -p您應該會看到下列輸出:
nvme discover -t tcp -w 192.168.39.20 -a 192.168.39.11 -p
-
從 ONTAP 控制器、確認已建立 PDC :
vserver nvme show-discovery-controller -instance -vserver <vserver_name>顯示範例輸出
vserver nvme show-discovery-controller -instance -vserver vs_tcp_sles16 Vserver Name: vs_tcp_sles16 Controller ID: 0180h Discovery Subsystem NQN: nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:discovery Logical Interface: lif3 Node: A400-12-171 Host NQN: nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b7c04f444d33 Transport Protocol: nvme-tcp Initiator Transport Address: 192.168.39.20 Transport Service Identifier: 8009 Host Identifier: 4c4c454400355910804bb7c04f444d33 Admin Queue Depth: 32 Header Digest Enabled: false Data Digest Enabled: false Keep-Alive Timeout (msec): 30000
步驟 9:設定安全帶內身份驗證
支援透過 NVMe/TCP 在 SUSE Linux Enterprise Server 16 主機和 ONTAP 控制器之間進行安全的頻內驗證。
每個主機或控制器都必須與一個 DH-HMAC-CHAP 設定安全認證的關鍵。DH-HMAC-CHAP 金鑰是 NVMe 主機或控制器的 NQN 與管理員設定的驗證金鑰的組合。為了驗證對等方的身份,NVMe 主機或控制器必須識別與對等方關聯的金鑰。
步驟
使用 CLI 或設定 JSON 檔案設定安全帶內身份驗證。如果您需要為不同的子系統指定不同的 dhchap 金鑰、則必須使用組態 JSON 檔案。
CLI
使用 CLI 設定安全的頻內驗證。
-
取得主機 NQN :
cat /etc/nvme/hostnqn -
為主機產生 dhchap 金鑰。
下列輸出說明 `gen-dhchap-key`命令參數:
nvme gen-dhchap-key -s optional_secret -l key_length {32|48|64} -m HMAC_function {0|1|2|3} -n host_nqn • -s secret key in hexadecimal characters to be used to initialize the host key • -l length of the resulting key in bytes • -m HMAC function to use for key transformation 0 = none, 1- SHA-256, 2 = SHA-384, 3=SHA-512 • -n host NQN to use for key transformation在下列範例中、會產生一個隨機的 dhchap 金鑰、其中 HMAC 設為 3 ( SHA-512 )。
nvme gen-dhchap-key -m 3 -n nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b7c04f444d33 DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:
-
在 ONTAP 控制器上、新增主機並指定兩個 dhchap 金鑰:
vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function {sha-256|sha-512} -dhchap-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit} -
主機支援兩種驗證方法:單向和雙向。在主機上、連線至 ONTAP 控制器、並根據所選的驗證方法指定 dhchap 金鑰:
nvme connect -t tcp -w <host-traddr> -a <tr-addr> -n <host_nqn> -S <authentication_host_secret> -C <authentication_controller_secret>
-
驗證
nvme connect authentication命令驗證主機和控制器 dhchap 金鑰:-
驗證主機 dhchap 金鑰:
cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_secret顯示單向組態的輸出範例
# cat /sys/class/nvme-subsystem/nvme-subsys1/nvme*/dhchap_secret DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb: DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb: DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb: DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb:
-
驗證控制器 dhchap 按鍵:
cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_ctrl_secret顯示雙向組態的輸出範例
# cat /sys/class/nvme-subsystem/nvme-subsys6/nvme*/dhchap_ctrl_secret DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=: DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=: DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=: DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:
-
JSON
當 ONTAP 控制器組態上有多個 NVMe 子系統可供使用時、您可以搭配命令使用該 /etc/nvme/config.json`檔案 `nvme connect-all。
使用 `-o`選項來產生 JSON 檔案。有關更多語法選項,請參閱 NVMe connect-all 手冊頁。
-
設定Json檔案:
顯示範例輸出
# cat /etc/nvme/config.json [ { "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b7c04f444d33", "hostid":"4c4c4544-0035-5910-804b-b7c04f444d33", "dhchap_key":"DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb:", "subsystems":[ { "nqn":"nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.inband_bidirectional", "ports":[ { "transport":"tcp", "traddr":"192.168.38.10", "host_traddr":"192.168.38.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" }, { "transport":"tcp", "traddr":"192.168.38.11", "host_traddr":"192.168.38.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" }, { "transport":"tcp", "traddr":"192.168.39.11", "host_traddr":"192.168.39.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" }, { "transport":"tcp", "traddr":"192.168.39.10", "host_traddr":"192.168.39.20", "trsvcid":"4420", "dhchap_ctrl_key":"DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:" } ] } ] } ]
在以下範例中, dhchap_key`對應於 `dhchap_secret`和 `dhchap_ctrl_key`對應於 `dhchap_ctrl_secret。 -
使用組態 JSON 檔案連線至 ONTAP 控制器:
nvme connect-all -J /etc/nvme/config.json顯示範例輸出
traddr=192.168.38.10is already connected traddr=192.168.39.10 is already connected traddr=192.168.38.11 is already connected traddr=192.168.39.11 is already connected traddr=192.168.38.10is already connected traddr=192.168.39.10 is already connected traddr=192.168.38.11 is already connected traddr=192.168.39.11 is already connected traddr=192.168.38.10is already connected traddr=192.168.39.10 is already connected traddr=192.168.38.11 is already connected traddr=192.168.39.11 is already connected
-
確認已為每個子系統的個別控制器啟用 dhchap 機密:
-
驗證主機 dhchap 金鑰:
cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_secret以下範例顯示了 dhchap 金鑰:
DHHC-1:01:wkwAKk8r9Ip7qECKt7V5aIo/7Y1CH7DWkUfLfMxmseg39DFb:
-
驗證控制器 dhchap 按鍵:
cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_ctrl_secret您應該會看到類似以下範例的輸出:
DHHC-1:03:ohdxI1yIS8gBLwIOubcwl57rXcozYuRgBsoWaBvxEvpDlQHn/7dQ4JjFGwmhgwdJWmVoripbWbMJy5eMAbCahN4hhYU=:
-
步驟 10:設定傳輸層安全性
傳輸層安全協定 (TLS) 為 NVMe-oF 主機和ONTAP陣列之間的 NVMe 連線提供安全的端對端加密。您可以使用 CLI 和已設定的預共用金鑰 (PSK) 來設定 TLS 1.3。
|
|
除特別說明需要在ONTAP控制器上執行的步驟外,請在 SUSE Linux Enterprise Server 主機上執行下列步驟。 |
步驟
-
檢查您是否具有以下內容
ktls-utils,openssl, 和 `libopenssl`主機上安裝的軟體包:-
驗證
ktls-utils:rpm -qa | grep ktls您應該會看到顯示以下輸出:
ktls-utils-0.10+33.g311d943-160000.2.2.x86_64
-
驗證 SSL 套件:
rpm -qa | grep ssl顯示範例輸出
libopenssl3-3.5.0-160000.3.2.x86_64 openssl-3.5.0-160000.2.2.noarch openssl-3-3.5.0-160000.3.2.x86_64 libopenssl3-x86-64-v3-3.5.0-160000.3.2.x86_64
-
-
請確認您的設定是否正確
/etc/tlshd.conf:cat /etc/tlshd.conf顯示範例輸出
[debug] loglevel=0 tls=0 nl=0 [authenticate] #keyrings= <keyring>;<keyring>;<keyring> [authenticate.client] #x509.truststore= <pathname> #x509.certificate= <pathname> #x509.private_key= <pathname> [authenticate.server] #x509.truststore= <pathname> #x509.certificate= <pathname> #x509.private_key= <pathname>
-
啟用 `tlshd`以在系統開機時啟動:
systemctl enable tlshd -
驗證守護程序是否 `tlshd`正在運行:
systemctl status tlshd顯示範例輸出
tlshd.service - Handshake service for kernel TLS consumers Loaded: loaded (/usr/lib/systemd/system/tlshd.service; enabled; preset: disabled) Active: active (running) since Wed 2024-08-21 15:46:53 IST; 4h 57min ago Docs: man:tlshd(8) Main PID: 961 (tlshd) Tasks: 1 CPU: 46ms CGroup: /system.slice/tlshd.service └─961 /usr/sbin/tlshd Aug 21 15:46:54 RX2530-M4-17-153 tlshd[961]: Built from ktls-utils 0.11-dev on Mar 21 2024 12:00:00 -
使用產生 TLS PSK
nvme gen-tls-key:-
驗證主機:
cat /etc/nvme/hostnqn您應該會看到下列輸出:
nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b7c04f444d33
-
驗證金鑰:
nvme gen-tls-key --hmac=1 --identity=1 --subsysnqn= nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1您應該會看到下列輸出:
NVMeTLSkey-1:01:C50EsaGtuOp8n5fGE9EuWjbBCtshmfoHx4XTqTJUmydf0gIj:
-
-
在 ONTAP 控制器上,將 TLS PSK 新增至 ONTAP 子系統:
顯示範例輸出
nvme subsystem host add -vserver vs_iscsi_tcp -subsystem nvme1 -host-nqn nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33 -tls-configured-psk NVMeTLSkey-1:01:C50EsaGtuOp8n5fGE9EuWjbBCtshmfoHx4XTqTJUmydf0gIj:
-
將 TLS PSK 插入主機核心金鑰環:
nvme check-tls-key --identity=1 --subsysnqn=nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 --keydata=NVMeTLSkey-1:01:C50EsaGtuOp8n5fGE9EuWjbBCtshmfoHx4XTqTJUmydf0gIj: --insert您應該會看到以下 TLS 金鑰:
Inserted TLS key 069f56bb
PSK 顯示為 `NVMe1R01`因為它使用 `identity v1`來自 TLS 握手演算法。Identity v1 是 ONTAP 唯一支援的版本。 -
確認 TLS PSK 已正確插入:
cat /proc/keys | grep NVMe顯示範例輸出
069f56bb I-Q-- 5 perm 3b010000 0 0 psk NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33 nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 oYVLelmiOwnvDjXKBmrnIgGVpFIBDJtc4hmQXE/36Sw=: 32
-
使用插入的 TLS PSK 連線至 ONTAP 子系統:
-
驗證 TLS PSK:
nvme connect -t tcp -w 192.168.38.20 -a 192.168.38.10 -n nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 --tls_key=0x069f56bb –tls您應該會看到下列輸出:
connecting to device: nvme0
-
驗證列表子系統:
nvme list-subsys顯示範例輸出
nvme-subsys0 - NQN=nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33 ** +- nvme0 tcp traddr=192.168.38.10,trsvcid=4420,host_traddr=192.168.38.20,src_addr=192.168.38.20 live
-
-
新增目標,並驗證 TLS 連線至指定的 ONTAP 子系統:
nvme subsystem controller show -vserver vs_tcp_sles16 -subsystem nvme1 -instance顯示範例輸出
(vserver nvme subsystem controller show) Vserver Name: vs_tcp_sles16 Subsystem: nvme1 Controller ID: 0040h Logical Interface: lif1 Node: A400-12-171 Host NQN: nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33 Transport Protocol: nvme-tcp Initiator Transport Address: 192.168.38.20 Host Identifier: 4c4c454400355910804bb2c04f444d33 Number of I/O Queues: 2 I/O Queue Depths: 128, 128 Admin Queue Depth: 32 Max I/O Size in Bytes: 1048576 Keep-Alive Timeout (msec): 5000 Subsystem UUID: 62203cfd-826a-11f0-966e-d039eab31e9d Header Digest Enabled: false Data Digest Enabled: false Authentication Hash Function: sha-256 Authentication Diffie-Hellman Group: 3072-bit Authentication Mode: unidirectional Transport Service Identifier: 4420 TLS Key Type: configured TLS PSK Identity: NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33 nqn.1992-08.com.netapp:sn.9927e165694211f0b4f4d039eab31e9d:subsystem.nvme1 oYVLelmiOwnvDjXKBmrnIgGVpFIBDJtc4hmQXE/36Sw= TLS Cipher: TLS-AES-128-GCM-SHA256
步驟 11 :檢閱已知問題
沒有已知問題。