Filewatcher File Search File Search
Catalog
Content Search
» » » » » » isns-utils-0.93-1.0.el6.x86_64.rpm » Content »
pkg://isns-utils-0.93-1.0.el6.x86_64.rpm:163916/usr/share/man/man5/  info  HEADER  downloads

isns-utils - The iSNS daemon and utility programs…  more info»

isns_config.5.gz

ISNS_CONFIG(8)                                        ISNS_CONFIG(8)



NAME
       isns_config - iSNS configuration file

SYNOPSIS
       /etc/isns/isnsadm.conf
       /etc/isns/isnsd.conf
       /etc/isns/isnsdd.conf


DESCRIPTION
       All  Open-iSNS utilities read their configuration from a file
       in /etc/isns.  There is a  separate  configuration  file  for
       each application, isnsd, isnsadm, and isnsdd.  The syntax and
       the set of supported options is identical, even  though  some
       options  are  specific to e.g. the server.  Unless indicated,
       options are applicable to all utilities.

       An Open-iSNS  configuration  file  contains  keyword-argument
       pairs, one per line.  All keywords are case insensitive.

       A  #  character introduces a comment, which extends until the
       end of the line. Empty lines are ignored.

       There are no line continuations, and you  cannot  use  quotes
       around arguments.

       Some options specify timeout values, which are given in units
       of seconds by default. You can specify an explicit unit, how‐
       ever,  such  as  d (days), h (hours), m (minutes), or s (sec‐
       onds).

   Generic Options
       HostName
              By default, Open-iSNS applications will  retrieve  the
              machine's  hostname  using  the  gethostname(3) system
              call, and use a DNS lookup to look  up  the  canonical
              name.   Using  the  HostName  option, you can overried
              this. This option is rarely needed.

       SourceName
              This option is mandatory for  all  Open-iSNS  applica‐
              tions.   This  should  be  a name which identifies the
              client uniquely.  There are two readings of RFC  4171;
              one requires that this is an iSCSI qualified name such
              as iqn.2001-04.com.example.host,  whereas  other  lan‐
              guage  in  the RFC suggests that this is pretty much a
              free-format string that just has to be  unique  (using
              e.g. the client's fully qualified domain name).

              When  using  DSA  authentication,  Open-iSNS currently
              requires the source name to match the  key  identifier
              (SPI) of the client's public key.

              If  left  empty,  the  source name is derived from the
              client's hostname.

       ServerAddress (client):
              This options specifies the host name or address of the
              iSNS  server to talk to. It can optionally be followed
              by a colon, and a port number.

              Instead of a hostname, IPv4 or IPv6 addresses  can  be
              used.   In  order  to  avoid ambiguities, literal IPv6
              addresses must be surrounded by square brackets, as in
              [2001:4e5f::1].

              When  specifying a port number, you can use either the
              numeric port, or a string name  to  be  looked  up  in
              /etc/services.   When the port is omitted, it defaults
              to 3205, the IANA assigned port number of iSNS.

              If the special string SLP: is used,  the  client  will
              try to locate the iSNS server through SLP.

       SLPRegister (server):
              If set to 1, the iSNS daemon will register itself will
              the SLP service. This allows clients  to  contact  the
              server  without having to configure its address stati‐
              cally.

       PIDFile (server):
              This specifies the name  of  the  server's  PID  file,
              which is /var/run/isnsd.pid by default.

   Database Related Options
       These  options  apply  to  the  iSNS server only, and control
       operation of the iSNS database.

       Database
              This option is used to specify  how  the  database  is
              stored.   Setting  this  to an absolute path name will
              make isnsd keep its database in the  specified  direc‐
              tory.

              If  you leave this empty, isnsd will keep its database
              in memory.  This is also the default setting.

       DefaultDiscoveryDomain
              iSNS scopes visibility of other nodes using  so-called
              Discovery  Domains.  A  storage node A will only "see"
              storage node B, if both are members of the  same  dis‐
              covery domain.

              So  if  a storage node is registered which is not part
              of any discovery domain, it will  not  see  any  other
              nodes.

              By  setting  DefaultDiscoveryDomain=1,  you  can  tell
              isnsd to create a virtual "default discovery  domain",
              which  holds all nodes that are not part of any admin‐
              istratively configured discovery domain.

              By default, there is no default discovery domain.

       RegistrationPeriod
              The iSNS server can purge registered entities after  a
              certain  period of inactivity. This is called the reg‐
              istration period.  Clients who  register  objects  are
              supposed  to  refresh  their  registration within this
              period.

              The default value is 1 hour. Setting it to 0  disables
              expiry of entities from the database.

       ESIRetries
              Open-iSNS is able to monitor the reachability of stor‐
              age nodes and their portals by using a  protocol  fea‐
              ture  called  ESI  (Entity  status  inquiry).  Clients
              request ESI monitoring  by  registering  an  ESI  port
              along  with each portal. The server will send ESI mes‐
              sages to these portals at regular intervals.   If  the
              portal  fails  to  reply several times in a row, it is
              considered dead, and will be removed  from  the  data‐
              base.

              ESIRetries  specifies  the  maximum number of attempts
              the server will make at contacting the  portal  before
              pronouncing it dead. If set to 0, the server will dis‐
              able ESI and reject any registrations that specify  an
              ESI port with an error code of "ESI not supported".

              The default value is 3.

       ESIMinInterval
              This timeout value specifies the minimum ESI interval.
              If a client requests an ESI interval  less  than  this
              value, it is silently rounded up.

              The default value is 60 seconds.

       ESIMaxInterval
              This timeout value specifies the maximum ESI interval.
              If a client requests an ESI interval greater than this
              value, it is silently rounded down.

              The default value is 10 minutes.

              The  maximum  ESI  interval  must  not exceed half the
              value of the registration period.

       SCNRetries
              iSNS clients can  register  to  receive  State  Change
              Notification  (SCN) messages to learn about changes in
              the iSNS database.  This value specifies how often the
              server  will  try  to  retransmit an SCN message until
              giving up.

              The default value is 3.

       SCNCallout
              This is the path name of a helper program that  isnsdd
              will invoke whenever it processes a state change noti‐
              fication from the server. The helper program  will  be
              invoked with an argument indicating the type of event,
              being one of add, update, or remove.  This is followed
              by  a list of attributes in name=value notation, using
              the names and conventions described in isnsadm(8).

   Security Related Options
       The iSNS standard defines an authentication method  based  on
       the DSA algorithm. Participants in a message exchange authen‐
       ticate messages by adding an "authentication block"  contain‐
       ing  a  time  stamp, a string identifying the key used, and a
       digital signature of the message.  The same  method  is  also
       used by SLP, the Service Location Protocol.

       The  string contained in the authentication block is referred
       to as the Security Policy Index(SPI).   This  string  can  be
       used  by  the  server  to  look up the client's public key by
       whatever mechanism; so the string could be used as  the  name
       of  a  public key file in a directory, or to retrieve an X509
       certificate from LDAP.

       From the perspective of Open-iSNS client applications,  there
       are  only  two  keys: the client's own (private) key, used to
       sign the messages it sends to the server,  and  the  server's
       public  key, used to verify the signatures of incoming server
       messages.

       The iSNS server needs, in addition to its  own  private  key,
       access to all public keys of clients that will communicate to
       it. The latter are kept in what is called a  key  store.  Key
       stores  and  their operation will be discussed in section Key
       Stores and Policy below.

       The following configuration options control authentication:

       Security
              This enables or disables DSA authentication.  When set
              to  1,  the  client will sign all messages, and expect
              all server messages to be signed.

              When enabling security in the  server,  incoming  mes‐
              sages  are  checked for the presence of an auth block.
              If none is present, or if the  server  cannot  find  a
              public  key  corresponding  to the SPI, the message is
              treated as originating from an  anonymous  source.  If
              the  SPI  is known but the signature is incorrect, the
              message is dropped silently.

              Messages from an anonymous source will be  assigned  a
              very  restrictive  policy that allows database queries
              only.

              Setting this option to 0 will turn off authentication.

              The default value is  -1,  which  tells  iSNS  to  use
              authentication if the required keys are installed, and
              use unauthenticated iSNS otherwise.

       AuthName
              This is the string that will be used as the SPI in all
              outgoing messages that have an auth block. It defaults
              to the host name (please refer to option HostName).

       AuthKeyFile
              This is the path name  of  a  file  containing  a  PEM
              encoded  DSA  key.   This key is used to sign outgoing
              messages.  The default is /etc/isns/auth_key.

       ServerKeyFile
              This option is used by client applications  only,  and
              specifies  the  path  name  of a file containing a PEM
              encoded DSA key.  This key is used to authenticate the
              server's       replies.       The      default      is
              /etc/isns/server_key.pub.

       KeyStore
              This server-side option specifies  the  key  store  to
              use, described in the next section.

       The  following  two  options control how iSNS will verify the
       time stamp contained in the authentication  block,  which  is
       supposed to prevent replay attacks.

       Auth.ReplayWindow
              In  order  to  compensate  for clock drift between two
              hosts exchanging iSNS messages, Open-iSNS will apply a
              little fuzz when comparing the time stamp contained in
              the message to the local system time. If  the  differ‐
              ence  between time stamp and local system time is less
              than the number of seconds given by this  option,  the
              message is acceptable. Otherwise, it is rejected.

              The default value is 5m.

       Auth.TimestampJitter
              When  verifying  incoming  messages,  Open-iSNS checks
              that the time stamps sent by the peer  are  increasing
              monotonically. In order to compensate for the reorder‐
              ing of messages by the network (eg when using  UDP  as
              transport),  a  certain time stamp jitter is accepted.
              If the time stamp of an incoming messages is  no  ear‐
              lier than TimestampJitter seconds before the last time
              stamp received, then the message is acceptable.   Oth‐
              erwise, it is rejected.

              The default value is 1s.

   Key Stores and Policy
       The current implementation supports two types of key stores.

       The  simple  key  store uses a flat directory to store public
       keys, each key in a file of its own. The file is expected  to
       hold the client's PEM-encoded public key, and it must use the
       client's SPI as the name.  This type  of  key  store  is  not
       really  recommended, as it does not store any policy informa‐
       tion.

       A simple key store can be configured by setting the  KeyStore
       option to the path name of the directory.

       The recommended approach is to use the database as key store.
       This uses vendor-specific policy objects to tie  SPI  string,
       public key, entity name, source name and other bits of policy
       together, and store them in a persistent way.

       The database key store is configured by setting the  KeyStore
       option to the reserved value DB:, which is also the default.

       Currently,   Open-iSNS  policy  objects  have  the  following
       attributes, besides the SPI:

       Source:
              This is the source node name the client must  use.  It
              defaults to the SPI string.

       Functions:
              This  is a bitmap detailing which functions the client
              is permitted to invoke. The bit  names  correspond  to
              the shorthand names used in RFC 4711, such as DevAttr‐
              Reg, DevAttrQry, etc. The default is to  allow  regis‐
              tration,  query and deregistration, as well as SCNReg‐
              ister.

       Entity name:
              This is the entity name assigned  to  the  client.  If
              set,  a registration by the client is not permitted to
              use a different entity name. If  the  client  sends  a
              registration  without  Entity  identifier,  the server
              will assign the entity name given in the policy.   The
              default is to not restrict the entity name.

       Object access:
              This  is  a bitfield describing access permissions for
              each object type.  For each object type, you can grant
              Read and/or Write permissions.  Read access applies to
              the Query and  GetNext  calls;  all  other  operations
              require write permission.  The default grants read and
              write access to objects of type Entity, Storage  Node,
              Portal  and Portal Group; and read access to Discovery
              Domains.

       Node types:
              This bitfield describes which types of storage nodes a
              client is allowed to register; the valid bit names are
              target, initiator and  control.   The  default  is  to
              restrict nodes to register initiators only.

   Network Related Options
       Network.MaxSockets
              This  is  the number of incoming connections accepted,
              and defaults to 1024. This usually applies  to  server
              side only, but is relevant if you create a passive TCP
              socket for ESI or SCN.

       Network.ConnectTimeout
              This is a timeout value, which specifies the  time  to
              wait  for  a  TCP  connection  to  be established.  It
              defaults to 60s.

       Network.ReconnectTimeout
              When a connection attempt failed, we wait for a  short
              time  before we try connecting again. This is intended
              to take  the  pressure  off  overloaded  servers.  The
              default value is 10s.

       Network.CallTimeout
              Total  amount of time to wait before timing out a call
              to the iSNS server.  The default value is 60s.

SEE ALSO
       RFC 4171, isnsd(8), isnsadm(8).

AUTHORS
       Olaf Kirch <olaf.kirch@oracle.com>



                             11 May 2007              ISNS_CONFIG(8)
Results 1 - 1 of 1
Help - FTP Sites List - Software Dir.
Search over 15 billion files
© 1997-2017 FileWatcher.com