VDisk Fibre Channel and Infiniband Access Management (LUN Masking)

Prior to version 3.0.16, any host connected to a quadstor system over FC could access any of the VDisks configured on that system. This can pose many management problems for an administrator.

For example, two hosts H1 and H2 and two quadstor systems Q1 and Q2 may be connected to the same FC switch. This would mean that both H1 and H2 can access VDisks on Q1 and VDisks on Q2. However, the administrator's intention might have been that H1 only accesses VDisks on Q1 and H2 only accesses VDisks on Q2.

Access Management

The fcconfig tool controls access to a VDisk over the FC interface. Using fcconfig, rules can be added to specify the host WWPN or GUID that can or cannot access a VDisk.

To add a rule

/quadstor/bin/fcconfig -a -v <VDisk Name> -r <allow|disallow> -w <wwpn>

For example

/quadstor/bin/fcconfig -a -v FOO -r allow -w f0:f1:f2:f3:f4:f5:f6:f7
/quadstor/bin/fcconfig -a -v FOO -r allow -w fe80:0000:0000:0000:0002:c902:0025:7f89

In the above example, a host with WWPN f0:f1:f2:f3:f4:f5:f6:f7 is allowed access to VDisk FOO. The WWPN is expected to be a 23-character string. Similarly, fe80:0000:0000:0000:0002:c902:0025:7f89 is the GUID of the SRP initiator.

The WWPN or GUID specified must be in lower case.

To delete the above rule

/quadstor/bin/fcconfig -x -v FOO -r allow -w f0:f1:f2:f3:f4:f5:f6:f7

To list all existing rules

/quadstor/bin/fcconfig -l

Examples

/quadstor/bin/fcconfig -a -r disallow : Disallow access to all VDisks over the FC interface
/quadstor/bin/fcconfig -a -r allow : Allow access to all VDisks over the FC interface
/quadstor/bin/fcconfig -a -r disallow -w f0:f1:f2:f3:f4:f5:f6:f7 : Disallow access to all VDisks for WWPN f0:f1:f2:f3:f4:f5:f6:f7
/quadstor/bin/fcconfig -x -r disallow : Delete all disallow rules
/quadstor/bin/fcconfig -x -w <wwpn> : Delete all rules corresponding to the specified WWPN

Rules can be combined. For example

/quadstor/bin/fcconfig -a -r disallow
/quadstor/bin/fcconfig -a -r allow -v FOO

The above two rules combined specify that only VDisk FOO can be accessed over the FC interface. Note that without an explicit disallow rule, access is not restricted. For example, if '/quadstor/bin/fcconfig -a -r disallow' is not specified, other VDisks are still accessible.

Rule priority

For a given client WWPN, a rule that exactly matches both that WWPN and the target VDisk is searched for first. If one is found, that rule applies. Otherwise the following matches are searched for, and the first match in this order is the rule that applies:

  1. Rule matching the client WWPN
  2. Rule matching the target VDisk
  3. Rule which applies to any WWPN
  4. Rule which applies to any VDisk

If no rule matches, access to the VDisk is considered allowed for that client WWPN.
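The priority order and the default-allow fallback can be checked against an intended access list before rules are applied. The following is an added example, not QUADStor code: a small Python model of the rule lookup described above. Assumptions: the "any WWPN" and "any VDisk" entries are both modelled as the single rule added with neither -w nor -v, a later rule for the same WWPN/VDisk pair replaces the earlier one, and the second host WWPN and the VDisk name BAR are constructed sample values.

```python
import re

# Identifier shapes follow the page's examples; lower case only, as the page requires.
WWPN_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){7}")   # 23-character WWPN
GUID_RE = re.compile(r"[0-9a-f]{4}(:[0-9a-f]{4}){7}")   # SRP initiator GUID
ANY = None  # models a rule added without -w or without -v

def add_rule(rules, action, wwpn=ANY, vdisk=ANY):
    """Record one rule, rejecting identifiers not in the lower-case form."""
    if action not in ("allow", "disallow"):
        raise ValueError("action must be allow or disallow")
    if wwpn is not ANY and not (WWPN_RE.fullmatch(wwpn) or GUID_RE.fullmatch(wwpn)):
        raise ValueError(f"not a lower-case WWPN or GUID: {wwpn!r}")
    rules[(wwpn, vdisk)] = action  # assumption: later rule for the same pair wins

def resolve(rules, wwpn, vdisk):
    """Return (action, matched_key) using the priority order described above."""
    for key in ((wwpn, vdisk),   # exact match on client WWPN and target VDisk
                (wwpn, ANY),     # rule matching the client WWPN
                (ANY, vdisk),    # rule matching the target VDisk
                (ANY, ANY)):     # rule for any WWPN and any VDisk (assumption)
        if key in rules:
            return rules[key], key
    return "allow", None         # no rule matches: access is allowed

def unintended_access(rules, hosts, vdisks, intended):
    """List (wwpn, vdisk) pairs that resolve to allow but are not in `intended`."""
    return [(h, v) for h in hosts for v in vdisks
            if resolve(rules, h, v)[0] == "allow" and (h, v) not in intended]

# Constructed sample data: two initiators, two VDisks, and the intended mapping.
H1, H2 = "f0:f1:f2:f3:f4:f5:f6:f7", "a0:a1:a2:a3:a4:a5:a6:a7"
INTENDED = {(H1, "FOO"), (H2, "BAR")}

def demo():
    rules = {}
    add_rule(rules, "allow", wwpn=H1, vdisk="FOO")
    add_rule(rules, "allow", wwpn=H2, vdisk="BAR")
    before = unintended_access(rules, [H1, H2], ["FOO", "BAR"], INTENDED)
    add_rule(rules, "disallow")  # the explicit blanket disallow
    after = unintended_access(rules, [H1, H2], ["FOO", "BAR"], INTENDED)
    return before, after

if __name__ == "__main__":
    print(demo())
```

With only the two allow rules, each host still reaches the other host's VDisk through the default; adding the blanket disallow closes both paths.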