Skip to main content
SAN hosts and cloud clients
本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。

適用於 ONTAP 的 SUSE Linux Enterprise Server 15 SP6 的 NVMe 主機組態

貢獻者
PDF

含非對稱命名空間存取( ANA )的 SUSE Linux Enterprise Server 15 SP6 支援 NVMe over Fabrics ( NVMe over Fabric , NVMe of ),包括 NVMe over Fibre Channel ( NVMe / FC )和其他傳輸。在 NVMe 環境中、 ANA 等同於 iSCSI 和 FCP 環境中的 ALUA 多重路徑、並以核心內建 NVMe 多重路徑來實作。

以下支援適用於採用 ONTAP 的 SUSE Linux Enterprise Server 15 SP6 的 NVMe 主機組態:

  • 在同一個共存的主機上執行 NVMe 和 SCSI 流量。例如,您可以為 SCSI LUN 的 SCSI 裝置設定 dm-multipath mpath ,並使用 NVMe 多重路徑在主機上設定 NVMe 命名空間裝置。

  • 支援 NVMe over TCP ( NVMe / TCP )和 NVMe / FC 。這讓原生套件中的 NetApp 外掛程式 `nvme-cli`能夠同時顯示 NVMe / FC 和 NVMe / TCP 命名空間的 ONTAP 詳細資料。

如需支援組態的詳細資訊、請參閱 "NetApp 互通性對照表工具"

功能

  • 支援 NVMe 安全頻內驗證

  • 使用獨特的探索 NQN 支援持續探索控制器( PDC )

  • 支援 NVMe / TCP 的 TLS 1.3 加密

已知限制

  • 目前不支援使用 NVMe 型傳輸協定進行 SAN 開機。

  • 在 SUSE Linux Enterprise Server 15 SP6 主機上, NetApp sanlun 主機公用程式不支援 NVMe 型。您可以改用原生套件中的 NetApp 外掛程式 `nvme-cli`來執行所有 NVMe 傳輸。

設定NVMe/FC

您可以為採用 ONTAP 組態的 SUSE Linux Enterprise Server 15 SP6 設定使用 Broadcom/Emulex FC 或 Marvell/Qlogic FC 介面卡的 NVMe / FC 。

Broadcom / Emulex

為 Broadcom / Emulex FC 介面卡設定 NVMe / FC 。

步驟

  1. 確認您使用的是建議的介面卡機型:

    cat /sys/class/scsi_host/host*/modelname
    輸出範例
    LPe32002 M2
LPe32002-M2

  2. 驗證介面卡型號說明:

    cat /sys/class/scsi_host/host*/modeldesc
    輸出範例
    Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter
Emulex LightPulse LPe32002-M2 2-Port 32Gb Fibre Channel Adapter

  3. 確認您使用的是建議的 Emulex 主機匯流排介面卡( HBA )韌體版本:

    cat /sys/class/scsi_host/host*/fwrev
    輸出範例
    14.2.673.40, sli-4:2:c
14.2.673.40, sli-4:2:c

  4. 確認您使用的是建議的 lpfc 驅動程式版本:

    cat /sys/module/lpfc/version
    輸出範例
    0:14.4.0.1

  5. 確認您可以檢視啟動器連接埠:

    cat /sys/class/fc_host/host*/port_name
    輸出範例
    0x10000090fae0ec88
0x10000090fae0ec89

  6. 驗證啟動器連接埠是否在線上:

    cat /sys/class/fc_host/host*/port_state
    輸出範例
    Online
Online

  7. 確認已啟用 NVMe / FC 啟動器連接埠、且目標連接埠可見:

    cat /sys/class/scsi_host/host*/nvme_info

    在以下範例中、會啟用一個啟動器連接埠、並與兩個目標生命體連線。

    顯示範例輸出 
    NVME Initiator Enabled
XRI Dist lpfc0 Total 6144 IO 5894 ELS 250
NVME LPORT lpfc0 WWPN x10000090fae0ec88 WWNN x20000090fae0ec88 DID x0a1300 ONLINE
NVME RPORT WWPN x2070d039ea359e4a WWNN x206bd039ea359e4a DID x0a0a05 TARGET DISCSRVC
ONLINE
NVME Statistics
LS: Xmt 00000003ba Cmpl 00000003ba Abort 00000000
LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000
Total FCP Cmpl 0000000014e3dfb8 Issue 0000000014e308db OutIO ffffffffffff2923
 abort 00000845 noxri 00000000 nondlp 00000063 qdepth 00000000 wqerr 00000003 err 00000000
FCP CMPL: xb 00000847 Err 00027f33
NVME Initiator Enabled
XRI Dist lpfc1 Total 6144 IO 5894 ELS 250
NVME LPORT lpfc1 WWPN x10000090fae0ec89 WWNN x20000090fae0ec89 DID x0a1200 ONLINE
NVME RPORT WWPN x2071d039ea359e4a WWNN x206bd039ea359e4a DID x0a0305 TARGET DISCSRVC
ONLINE
NVME Statistics
LS: Xmt 00000003ba Cmpl 00000003ba Abort 00000000
LS XMIT: Err 00000000 CMPL: xb 00000000 Err 00000000
Total FCP Cmpl 0000000014e39f78 Issue 0000000014e2b832 OutIO ffffffffffff18ba
 abort 0000082d noxri 00000000 nondlp 00000028 qdepth 00000000 wqerr 00000007 err 00000000
FCP CMPL: xb 0000082d Err 000283bb
Marvell / QLogic

SUSE Linux Enterprise Server 15 SP6 核心中隨附的原生收件匣 qla2xxx 驅動程式具有最新的修正程式。這些修正對於 ONTAP 支援至關重要。

為 Marvell/QLogic 介面卡設定 NVMe / FC 。

步驟

  1. 確認您執行的是支援的介面卡驅動程式和韌體版本:

    cat /sys/class/fc_host/host*/symbolic_name
    輸出範例
    QLE2742 FW:v9.14.01 DVR: v10.02.09.200-k
QLE2742 FW:v9.14.01 DVR: v10.02.09.200-k

  2. 確認 ql2xnvmeenable 參數設為 1 :

    cat /sys/module/qla2xxx/parameters/ql2xnvmeenable

    預期值為 1 。

啟用1MB I/O大小(選用)

ONTAP 會在識別控制器資料中報告 8 的 MDTS ( MAX Data 傳輸大小)。這表示最大 I/O 要求大小最多可達 1MB 。若要針對 Broadcom NVMe / FC 主機發出大小為 1 MB 的 I/O 要求、您必須將 lpfc `lpfc_sg_seg_cnt`參數值從預設值 64 增加至 256 。

註 下列步驟不適用於 Qlogic NVMe / FC 主機。
步驟

  1. 將 `lpfc_sg_seg_cnt`參數設定為 256 :

    cat /etc/modprobe.d/lpfc.conf
    輸出範例
    options lpfc lpfc_sg_seg_cnt=256

  2. 執行 `dracut -f`命令,然後重新啟動主機:

  3. 確認 `lpfc_sg_seg_cnt`為 256 :

    cat /sys/module/lpfc/parameters/lpfc_sg_seg_cnt

    預期值為 256 。

驗證 NVMe 服務

從 SUSE Linux Enterprise Server 15 SP6 開始, nvmefc-boot-connections.service NVMe / FC 套件隨附的和 `nvmf-autoconnect.service`開機服務 `nvme-cli`會在系統開機期間自動啟用。系統開機完成後,您應該確認開機服務已啟用。

步驟

  1. 確認 `nvmf-autoconnect.service`已啟用:

    # systemctl status nvmf-autoconnect.service

    顯示範例輸出 
    nvmf-autoconnect.service - Connect NVMe-oF subsystems automatically during boot
  Loaded: loaded (/usr/lib/systemd/system/nvmf-autoconnect.service; enabled; vendor preset: disabled)
  Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago
Process: 2108 ExecStartPre=/sbin/modprobe nvme-fabrics (code=exited, status=0/SUCCESS)
Process: 2114 ExecStart=/usr/sbin/nvme connect-all (code=exited, status=0/SUCCESS)
Main PID: 2114 (code=exited, status=0/SUCCESS)

systemd[1]: Starting Connect NVMe-oF subsystems automatically during boot...
nvme[2114]: traddr=nn-0x201700a098fd4ca6:pn-0x201800a098fd4ca6 is already connected
systemd[1]: nvmf-autoconnect.service: Deactivated successfully.
systemd[1]: Finished Connect NVMe-oF subsystems automatically during boot.

  2. 確認 `nvmefc-boot-connections.service`已啟用:

    # systemctl status nvmefc-boot-connections.service

    顯示範例輸出 
    nvmefc-boot-connections.service - Auto-connect to subsystems on FC-NVME devices found during boot
   Loaded: loaded (/usr/lib/systemd/system/nvmefc-boot-connections.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2024-05-25 14:55:00 IST; 11min ago
 Main PID: 1647 (code=exited, status=0/SUCCESS)

systemd[1]: Starting Auto-connect to subsystems on FC-NVME devices found during boot...
systemd[1]: nvmefc-boot-connections.service: Succeeded.
systemd[1]: Finished Auto-connect to subsystems on FC-NVME devices found during boot.

設定NVMe/TCP

NVMe / TCP 沒有自動連線功能。您可以改為透過手動執行 NVMe / TCP 或 connect-all`作業來探索 NVMe / TCP 子系統和命名空間 `connect

步驟

  1. 確認啟動器連接埠可在支援的NVMe/TCP LIF中擷取探索記錄頁面資料:

    nvme discover -t tcp -w <host-traddr> -a <traddr>
    顯示範例輸出 
    Discovery Log Number of Records 8, Generation counter 18
=====Discovery Log Entry 0======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 4
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.211.67
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 1======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 2
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.111.67
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 2======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 3
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.211.66
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 3======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 1
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.111.66
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 4======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 4
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.211.67
eflags: none
sectype: none
=====Discovery Log Entry 5======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 2
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.111.67
eflags: none
sectype: none
=====Discovery Log Entry 6======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 3
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.211.66
eflags: none
sectype: none
=====Discovery Log Entry 7======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 1
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.111.66
eflags: none
sectype: none

  2. 確認所有其他的 NVMe / TCP 啟動器目標 LIF 組合都能成功擷取探索記錄頁面資料:

    nvme discover -t tcp -w <host-traddr> -a <traddr>
    輸出範例
    #nvme discover -t tcp -w 192.168.111.79 -a 192.168.111.66
#nvme discover -t tcp -w 192.168.111.79 -a 192.168.111.67
#nvme discover -t tcp -w 192.168.211.79 -a 192.168.211.66
#nvme discover -t tcp -w 192.168.211.79 -a 192.168.211.67

  3. 執行 nvme connect-all 跨所有節點支援的 NVMe / TCP 啟動器目標生命體執行命令:

    nvme connect-all -t tcp -w <host-traddr> -a <traddr>
    輸出範例
    # nvme connect-all -t tcp -w 192.168.111.79 -a 192.168.111.66
# nvme connect-all -t tcp -w 192.168.111.79 -a 192.168.111.67
# nvme connect-all -t tcp -w 192.168.211.79 -a 192.168.211.66
# nvme connect-all -t tcp -w 192.168.211.79 -a 192.168.211.67
    註 從 SUSE Linux Enterprise Server 15 SP6 開始、 NVMe / TCP 逾時的預設設定 ctrl-loss-tmo`就會關閉。這表示重試次數沒有限制(無限期重試),而且您不需要在使用或 `nvme connect-all`命令(選項 `-l)時手動設定特定的 ctrl-loss-tmo`逾時時間 `nvme connect。此外、在發生路徑故障時、 NVMe / TCP 控制器不會發生逾時、也不會無限期保持連線。

驗證NVMe

請使用下列程序來驗證具有 ONTAP 組態的 SUSE Linux Enterprise Server 15 SP6 的 NVMe 型。

步驟

  1. 確認已啟用核心內建 NVMe 多重路徑:

    cat /sys/module/nvme_core/parameters/multipath

    預期值為「 Y 」。

  2. 確認主機具有適用於 ONTAP NVMe 命名空間的正確控制器機型:

    cat /sys/class/nvme-subsystem/nvme-subsys*/model
    輸出範例
    NetApp ONTAP Controller
NetApp ONTAP Controller

  3. 確認個別 ONTAP NVMe I/O 控制器的 NVMe I/O 原則:

    cat /sys/class/nvme-subsystem/nvme-subsys*/iopolicy
    輸出範例
    round-robin
round-robin

  4. 確認主機可以看到 ONTAP 命名空間:

    nvme list -v
    顯示範例輸出 
    Subsystem        Subsystem-NQN                                                                         Controllers
---------------- ------------------------------------------------------------------------------------- ---------------------
nvme-subsys0     nqn.1992- 08.com.netapp:sn.0501daf15dda11eeab68d039eaa7a232:subsystem.unidir_dhcha p  nvme0, nvme1, nvme2, nvme3

Device   SN                   MN                                       FR       TxPort Asdress        Subsystem    Namespaces
-------- -------------------- ---------------------------------------- -------- ---------------------------------------------
nvme0    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.111.66,trsvcid=4420,host_traddr=192.168.111.79 nvme-subsys0 nvme0n1
nvme1    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.111.67,trsvcid=4420,host_traddr=192.168.111.79 nvme-subsys0 nvme0n1
nvme2    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.211.66,trsvcid=4420,host_traddr=192.168.211.79 nvme-subsys0 nvme0n1
nvme3    81LGgBUqsI3EAAAAAAAE NetApp ONTAP Controller   FFFFFFFF tcp traddr=192.168.211.67,trsvcid=4420,host_traddr=192.168.211.79 nvme-subsys0 nvme0n1
Device        Generic     NSID       Usage                 Format         Controllers
------------ ------------ ---------- -------------------------------------------------------------
/dev/nvme0n1 /dev/ng0n1   0x1     1.07  GB /   1.07  GB    4 KiB +  0 B   nvme0, nvme1, nvme2, nvme3

  5. 確認每個路徑的控制器狀態均為有效、且具有正確的ANA狀態:

    nvme list-subsys /dev/<subsystem_name>
    NVMe / FC
    nvme list-subsys /dev/nvme2n1
    顯示範例輸出 
    nvme-subsys2 - NQN=nqn.1992-
08.com.netapp:sn.06303c519d8411eea468d039ea36a106:subs
ystem.nvme
 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-
0056-5410-8048-c6c04f425633
 iopolicy=round-robin
\
+- nvme4 fc traddr=nn-0x208fd039ea359e4a:pn-0x210dd039ea359e4a,host_traddr=nn-0x2000f4c7aa0cd7ab:pn-0x2100f4c7aa0cd7ab live optimized
+- nvme6 fc traddr=nn-0x208fd039ea359e4a:pn-0x210ad039ea359e4a,host_traddr=nn-0x2000f4c7aa0cd7aa:pn-0x2100f4c7aa0cd7aa live optimized
    NVMe / TCP
    nvme list-subsys
    顯示範例輸出 
    nvme-subsys1 - NQN=nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
 hostnqn=nqn.2014-08.org.nvmexpress:uuid:4c4c4544-0035-5910-804b-b2c04f444d33
 iopolicy=round-robin
\
+- nvme4 tcp traddr=192.168.111.66,trsvcid=4420,host_traddr=192.168.111.79,src_addr=192.168.111.79 live
+- nvme3 tcp traddr=192.168.211.66,trsvcid=4420,host_traddr=192.168.211.79,src_addr=192.168.111.79 live
+- nvme2 tcp traddr=192.168.111.67,trsvcid=4420,host_traddr=192.168.111.79,src_addr=192.168.111.79 live
+- nvme1 tcp traddr=192.168.211.67,trsvcid=4420,host_traddr=192.168.211.79,src_addr=192.168.111.79 live

  6. 驗證NetApp外掛程式是否顯示每ONTAP 個版本名稱空間裝置的正確值:

    欄位
    nvme netapp ontapdevices -o column
    輸出範例
    Device           Vserver    Namespace Path                       NSID UUID                                   Size
---------------- ---------- ------------------------------------ ------------------------------------------- --------
/dev/nvme0n1     vs_192     /vol/fcnvme_vol_1_1_0/fcnvme_ns      1    c6586535-da8a-40fa-8c20-759ea0d69d33   20GB
    JSON
    nvme netapp ontapdevices -o json
    顯示範例輸出 
    {
"ONTAPdevices":[
{
"Device":"/dev/nvme0n1",
"Vserver":"vs_192",
"Namespace_Path":"/vol/fcnvme_vol_1_1_0/fcnvme_ns",
"NSID":1,
"UUID":"c6586535-da8a-40fa-8c20-759ea0d69d33",
"Size":"20GB",
"LBA_Data_Size":4096,
"Namespace_Size":262144
}
]
}

建立持續探索控制器

從 ONTAP 9 。 11.1 開始,您可以為 SUSE Linux Enterprise Server 15 SP6 主機建立持續探索控制器( PDC )。需要有 PDC 才能自動偵測 NVMe 子系統新增或移除作業,以及探索記錄頁面資料的變更。

步驟

  1. 確認探索記錄頁面資料可用、並可透過啟動器連接埠和目標 LIF 組合擷取:

    nvme discover -t <trtype> -w <host-traddr> -a <traddr>
    顯示範例輸出 
    Discovery Log Number of Records 8, Generation counter 18
=====Discovery Log Entry 0======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 4
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.211.67
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 1======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 2
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.111.67
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 2======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 3
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.211.66
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 3======
trtype: tcp
adrfam: ipv4
subtype: current discovery subsystem
treq: not specified
portid: 1
trsvcid: 8009
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:discovery
traddr: 192.168.111.66
eflags: explicit discovery connections, duplicate discovery information
sectype: none
=====Discovery Log Entry 4======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 4
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.211.67
eflags: none
sectype: none
=====Discovery Log Entry 5======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 2
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.111.67
eflags: none
sectype: none
=====Discovery Log Entry 6======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 3
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.211.66
eflags: none
sectype: none
=====Discovery Log Entry 7======
trtype: tcp
adrfam: ipv4
subtype: nvme subsystem
treq: not specified
portid: 1
trsvcid: 4420
subnqn: nqn.1992-08.com.netapp:sn.8b5ee9199ff411eea468d039ea36a106:subsystem.nvme_tcp_1
traddr: 192.168.111.66
eflags: none
sectype: none

  2. 建立探索子系統的 PDC :

    nvme discover -t <trtype> -w <host-traddr> -a <traddr> -p
    輸出範例
    nvme discover -t tcp -w 192.168.111.79 -a 192.168.111.666 -p

  3. 從 ONTAP 控制器、確認已建立 PDC :

    vserver nvme show-discovery-controller -instance -vserver <vserver_name>
    顯示範例輸出 
    vserver nvme show-discovery-controller -instance -vserver vs_nvme79
Vserver Name: vs_CLIENT116 Controller ID: 00C0h
Discovery Subsystem NQN: nqn.1992-
08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:discovery Logical Interface UUID: d23cbb0a-c0a6-11ec-9731-d039ea165abc Logical Interface:
CLIENT116_lif_4a_1
Node: A400-14-124
Host NQN: nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc
Transport Protocol: nvme-tcp
Initiator Transport Address: 192.168.1.16
Host Identifier: 59de25be738348f08a79df4bce9573f3 Admin Queue Depth: 32
Header Digest Enabled: false Data Digest Enabled: false
Vserver UUID: 48391d66-c0a6-11ec-aaa5-d039ea165514

設定安全的頻內驗證

從 ONTAP 9 。 12.1 開始,在 SUSE Linux Enterprise Server 15 SP6 主機和 ONTAP 控制器之間,透過 NVMe / TCP 和 NVMe / FC 支援安全頻內驗證。

若要設定安全驗證、每個主機或控制器都必須與相關聯 DH-HMAC-CHAP 金鑰、這是 NVMe 主機或控制器的 NQN 組合、以及管理員設定的驗證密碼。若要驗證其對等端點、 NVMe 主機或控制器必須識別與對等端點相關的金鑰。

您可以使用 CLI 或組態 JSON 檔案來設定安全的頻內驗證。如果您需要為不同的子系統指定不同的 dhchap 金鑰、則必須使用組態 JSON 檔案。

CLI

使用 CLI 設定安全的頻內驗證。

步驟

  1. 取得主機 NQN :

    cat /etc/nvme/hostnqn

  2. 為 SUSE Linux Enterprise Server 15 SP6 主機產生 dhchap 金鑰。

    下列輸出說明 `gen-dhchap-key`命令參數:

    nvme gen-dhchap-key -s optional_secret -l key_length {32|48|64} -m HMAC_function {0|1|2|3} -n host_nqn
•	-s secret key in hexadecimal characters to be used to initialize the host key
•	-l length of the resulting key in bytes
•	-m HMAC function to use for key transformation
0 = none, 1- SHA-256, 2 = SHA-384, 3=SHA-512
•	-n host NQN to use for key transformation

    在下列範例中、會產生一個隨機的 dhchap 金鑰、其中 HMAC 設為 3 ( SHA-512 )。

    # nvme gen-dhchap-key -m 3 -n nqn.2014-08.org.nvmexpress:uuid:d3ca725a- ac8d-4d88-b46a-174ac235139b
DHHC-1:03:J2UJQfj9f0pLnpF/ASDJRTyILKJRr5CougGpGdQSysPrLu6RW1fGl5VSjbeDF1n1DEh3nVBe19nQ/LxreSBeH/bx/pU=:

  3. 在 ONTAP 控制器上、新增主機並指定兩個 dhchap 金鑰:

    vserver nvme subsystem host add -vserver <svm_name> -subsystem <subsystem> -host-nqn <host_nqn> -dhchap-host-secret <authentication_host_secret> -dhchap-controller-secret <authentication_controller_secret> -dhchap-hash-function {sha-256|sha-512} -dhchap-group {none|2048-bit|3072-bit|4096-bit|6144-bit|8192-bit}

  4. 主機支援兩種驗證方法:單向和雙向。在主機上、連線至 ONTAP 控制器、並根據所選的驗證方法指定 dhchap 金鑰:

    nvme connect -t tcp -w <host-traddr> -a <tr-addr> -n <host_nqn> -S <authentication_host_secret> -C <authentication_controller_secret>

  5. 驗證 nvme connect authentication 命令驗證主機和控制器 dhchap 金鑰:

    1. 驗證主機 dhchap 金鑰:

      cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_secret
      顯示單向組態的輸出範例 
      # cat /sys/class/nvme-subsystem/nvme-subsys1/nvme*/dhchap_secret
DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:
DHHC-1:03:je1nQCmjJLUKD62mpYbzlpuw0OIws86NB96uNO/t3jbvhp7fjyR9bIRjOHg8wQtye1JCFSMkBQH3pTKGdYR1OV9gx00=:

    2. 驗證控制器 dhchap 按鍵:

      cat /sys/class/nvme-subsystem/<nvme-subsysX>/nvme*/dhchap_ctrl_secret
      顯示雙向組態的輸出範例 
      # cat /sys/class/nvme-subsystem/nvme-subsys6/nvme*/dhchap_ctrl_secret
DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
DHHC-1:03:WorVEV83eYO53kV4Iel5OpphbX5LAphO3F8fgH3913tlrkSGDBJTt3crXeTUB8fCwGbPsEyz6CXxdQJi6kbn4IzmkFU=:
Json 檔案

當 ONTAP 控制器組態上有多個 NVMe 子系統可供使用時、您可以搭配命令使用該 /etc/nvme/config.json`檔案 `nvme connect-all

若要產生 JSON 檔案,您可以使用 `-o`選項。如需更多語法選項,請參閱 NVMe Connect All 手冊頁。

步驟

  1. 設定Json檔案:

    顯示範例輸出 
    # cat /etc/nvme/config.json
[
 {
    "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc",
    "hostid":"3ae10b42-21af-48ce-a40b-cfb5bad81839",
    "dhchap_key":"DHHC-1:03:Cu3ZZfIz1WMlqZFnCMqpAgn/T6EVOcIFHez215U+Pow8jTgBF2UbNk3DK4wfk2EptWpna1rpwG5CndpOgxpRxh9m41w=:"
 },
 {
    "hostnqn":"nqn.2014-08.org.nvmexpress:uuid:12372496-59c4-4d1b-be09-74362c0c1afc",
    "subsystems":[
        {
            "nqn":"nqn.1992-08.com.netapp:sn.48391d66c0a611ecaaa5d039ea165514:subsystem.subsys_CLIENT116",
            "ports":[
               {
                    "transport":"tcp",
                    "traddr":" 192.168.111.66 ",
                    "host_traddr":" 192.168.111.79",
                    "trsvcid":"4420",
                    "dhchap_ctrl_key":"DHHC-
1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
               },
               {
                    "transport":"tcp",
                    "traddr":" 192.168.111.66 ",
                    "host_traddr":" 192.168.111.79",
                    "trsvcid":"4420",
                    "dhchap_ctrl_key":"DHHC-
1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
               },
               {
                    "transport":"tcp",
                   "traddr":" 192.168.111.66 ",
                    "host_traddr":" 192.168.111.79",
                    "trsvcid":"4420",
                    "dhchap_ctrl_key":"DHHC-
1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
               },
               {
                    "transport":"tcp",
                    "traddr":" 192.168.111.66 ",
                    "host_traddr":" 192.168.111.79",
                    "trsvcid":"4420",
                    "dhchap_ctrl_key":"DHHC-
1:01:0h58bcT/uu0rCpGsDYU6ZHZvRuVqsYKuBRS0Nu0VPx5HEwaZ:"
               }
           ]
       }
   ]
 }
]

    +

    註 在上述範例中, dhchap_key`對應於 `dhchap_secret,並 dhchap_ctrl_key`對應至 `dhchap_ctrl_secret

  2. 使用組態 JSON 檔案連線至 ONTAP 控制器:

    # nvme connect-all -J /etc/nvme/config.json
    顯示範例輸出 
    traddr=192.168.111.66 is already connected
traddr=192.168.211.66 is already connected
traddr=192.168.111.66 is already connected
traddr=192.168.211.66 is already connected
traddr=192.168.111.66 is already connected
traddr=192.168.211.66 is already connected
traddr=192.168.111.67 is already connected
traddr=192.168.211.67 is already connected
traddr=192.168.111.67 is already connected
traddr=192.168.211.67 is already connected
traddr=192.168.111.67 is already connected
traddr=192.168.111.67 is already connected

  3. 確認已為每個子系統的個別控制器啟用 dhchap 機密:

    1. 驗證主機 dhchap 金鑰:

      # cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_secret
      輸出範例
      DHHC-1:01:NunEWY7AZlXqxITGheByarwZdQvU4ebZg9HOjIr6nOHEkxJg:

    2. 驗證控制器 dhchap 按鍵:

      # cat /sys/class/nvme-subsystem/nvme-subsys0/nvme0/dhchap_ctrl_secret
      輸出範例
      DHHC-
1:03:2YJinsxa2v3+m8qqCiTnmgBZoH6mIT6G/6f0aGO8viVZB4VLNLH4z8CvK7pVYxN6S5fOAtaU3DNi12rieRMfdbg3704=:

設定傳輸層安全性

傳輸層安全性( TLS )可為 NVMe 主機和 ONTAP 陣列之間的 NVMe 連線提供安全的端對端加密。從 ONTAP 9 。 16.1 開始,您可以使用 CLI 和設定的預先共用金鑰( PSK )來設定 TLS 1.3 。

關於這項工作

您可以在 SUSE Linux Enterprise Server 15 SP6 主機上執行此程序中的步驟,但指定您在 ONTAP 控制器上執行步驟的位置除外。

步驟

  1. 檢查主機上是否安裝了以下 ktls-utils , openssl 和 libopenssl 軟件包:

    1. rpm -qa | grep ktls

      輸出範例
      ktls-utils-0.10+12.gc3923f7-150600.1.2.x86_64

    2. rpm -qa | grep ssl

      輸出範例
      openssl-3-3.1.4-150600.5.7.1.x86_64
libopenssl1_1-1.1.1w-150600.5.3.1.x86_64
libopenssl3-3.1.4-150600.5.7.1.x86_64

  2. 請確認您的設定是否正確 /etc/tlshd.conf

    # cat /etc/tlshd.conf
    顯示範例輸出 
    [debug]
loglevel=0
tls=0
nl=0
[authenticate]
keyrings=.nvme
[authenticate.client]
#x509.truststore= <pathname>
#x509.certificate= <pathname>
#x509.private_key= <pathname>
[authenticate.server]
#x509.truststore= <pathname>
#x509.certificate= <pathname>
#x509.private_key= <pathname>

  3. 啟用 `tlshd`以在系統開機時啟動:

    # systemctl enable tlshd

  4. 驗證守護程序是否 `tlshd`正在運行:

    # systemctl status tlshd
    顯示範例輸出 
    tlshd.service - Handshake service for kernel TLS consumers
   Loaded: loaded (/usr/lib/systemd/system/tlshd.service; enabled; preset: disabled)
   Active: active (running) since Wed 2024-08-21 15:46:53 IST; 4h 57min ago
     Docs: man:tlshd(8)
Main PID: 961 (tlshd)
   Tasks: 1
     CPU: 46ms
   CGroup: /system.slice/tlshd.service
       └─961 /usr/sbin/tlshd
Aug 21 15:46:54 RX2530-M4-17-153 tlshd[961]: Built from ktls-utils 0.11-dev on Mar 21 2024 12:00:00

  5. 使用產生 TLS PSK nvme gen-tls-key

    1. # cat /etc/nvme/hostnqn

      輸出範例
      nqn.2014-08.org.nvmexpress:uuid:e58eca24-faff-11ea-8fee-3a68dd3b5c5f

    2. # nvme gen-tls-key --hmac=1 --identity=1 --subsysnqn=nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15

      輸出範例
      NVMeTLSkey-1:01:dNcby017axByCko8GivzOO9zGlgHDXJCN6KLzvYoA+NpT1uD:

  6. 在 ONTAP 控制器上,將 TLS PSK 新增至 ONTAP 子系統:

    # nvme subsystem host add -vserver sles15_tls -subsystem sles15 -host-nqn nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc -tls-configured-psk NVMeTLSkey-1:01:dNcby017axByCko8GivzOO9zGlgHDXJCN6KLzvYoA+NpT1uD:

  7. 將 TLS PSK 插入主機核心金鑰環:

    # nvme check-tls-key --identity=1 --subsysnqn=nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bf --keydata=NVMeTLSkey-1:01:dNcby017axByCko8GivzOO9zGlgHDXJCN6KLzvYoA+NpT1uD: --insert
    輸出範例
    Inserted TLS key 22152a7e
    註 PSK 顯示為「 NVMe1R01 」,因為它使用 TLS 交握演算法的「 identity v1 」。Identity v1 是 ONTAP 唯一支援的版本。

  8. 確認 TLS PSK 已正確插入:

    # cat /proc/keys | grep NVMe
    輸出範例
    22152a7e I--Q---     1 perm 3b010000     0     0 psk       NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15 UoP9dEfvuCUzzpS0DYxnshKDapZYmvA0/RJJ8JAqmAo=: 32

  9. 使用插入的 TLS PSK 連線至 ONTAP 子系統:

    1. # nvme connect -t tcp -w 20.20.10.80 -a 20.20.10.14 -n nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15 --tls_key=0x22152a7e --tls

      輸出範例
      connecting to device: nvme0

    2. # nvme list-subsys

      輸出範例
      nvme-subsys0 - NQN=nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15
               hostnqn=nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc
               iopolicy=round-robin
\
 +- nvme0 tcp traddr=20.20.10.14,trsvcid=4420,host_traddr=20.20.10.80,src_addr=20.20.10.80 live

  10. 新增目標,並驗證 TLS 連線至指定的 ONTAP 子系統:

    # nvme subsystem controller show -vserver sles15_tls -subsystem sles15 -instance

    顯示範例輸出 
      (vserver nvme subsystem controller show)
                       Vserver Name: sles15_tls
                          Subsystem: sles15
                      Controller ID: 0040h
                  Logical Interface: sles15t_e1a_1
                               Node: A900-17-174
                           Host NQN: nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc
                 Transport Protocol: nvme-tcp
        Initiator Transport Address: 20.20.10.80
                    Host Identifier: ffa0c815e28b4bb18d4c7c6d5e610bfc
               Number of I/O Queues: 4
                   I/O Queue Depths: 128, 128, 128, 128
                  Admin Queue Depth: 32
              Max I/O Size in Bytes: 1048576
          Keep-Alive Timeout (msec): 5000
                       Vserver UUID: 1d59a6b2-416b-11ef-9ed5-d039ea50acb3
                     Subsystem UUID: 9b81e3c5-5037-11ef-8a90-d039ea50ac83
             Logical Interface UUID: 8185dcac-5035-11ef-8abb-d039ea50acb3
              Header Digest Enabled: false
                Data Digest Enabled: false
       Authentication Hash Function: -
Authentication Diffie-Hellman Group: -
                Authentication Mode: none
       Transport Service Identifier: 4420
                       TLS Key Type: configured
                   TLS PSK Identity: NVMe1R01 nqn.2014-08.org.nvmexpress:uuid:ffa0c815-e28b-4bb1-8d4c-7c6d5e610bfc nqn.1992-08.com.netapp:sn.1d59a6b2416b11ef9ed5d039ea50acb3:subsystem.sles15 UoP9dEfvuCUzzpS0DYxnshKDapZYmvA0/RJJ8JAqmAo=
                         TLS Cipher: TLS-AES-128-GCM-SHA256

已知問題

使用 ONTAP 版本的 SUSE Linux Enterprise Server 15 SP6 沒有已知問題。