Bug 616402

Summary: RFE: Enforce read-only target
Product: Red Hat Enterprise Linux 6
Reporter: Alexander Todorov <atodorov>
Component: scsi-target-utils
Assignee: Mike Christie <mchristi>
Status: CLOSED ERRATA
QA Contact: Storage QE <storage-qe>
Severity: medium
Priority: low
Version: 6.0
CC: bdonahue
Target Milestone: rc
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Doc Text:
Support for read-only target devices has been added to scsi-target-utils. Set read-only devices with the "--params" option of the tgtadm command, like so:

tgtadm --lld iscsi --mode logicalunit --op update --tid 1 --lun 1 --params readonly=1

or add "readonly 1" in the target element of your targets.conf file:

    <target iqn.2008-09.com.target>
            readonly 1
            allow-in-use yes
            backing-store /storage/lun1
    </target>

Note that "allow-in-use" must also be set if you enable read-only targets in the targets.conf file.
Clone Of:
: 695870
Last Closed: 2011-05-19 14:14:59 UTC
Bug Blocks: 655920, 695870

Description Alexander Todorov 2010-07-20 11:22:13 UTC
Description of problem:
As of now I'm not aware of any config file settings that will make a target read-only to the initiator. What we need is probably ACL settings for read/write permissions so that an admin can define read-only access for a group of initiators and read-write for another group.

Comment 1 Mike Christie 2010-07-20 15:56:18 UTC
Not implemented.
There have been patches
http://lists.wpkg.org/pipermail/stgt/2010-March/003567.html
It has been discussed more here:
http://lists.wpkg.org/pipermail/stgt/2010-April/003644.html
The tgt maintainer has said it is ok as long as someone implements it nicely.

So this should be ok for 6.1.

Comment 2 Mike Christie 2010-07-20 16:04:10 UTC
Oh yeah, could you describe what exactly you want for this feature? I guess there are a ton of different options, and I want to make sure the upstream patch is going to cover your needs.

Comment 3 Alexander Todorov 2010-07-20 16:49:15 UTC
(In reply to comment #1)
> It has been discussed more here:
> http://lists.wpkg.org/pipermail/stgt/2010-April/003644.html

I guess I want what's requested on the list. A read-only setting that can be applied on a per-initiator basis. My use case is that I have multiple netboot systems that have read-only root and one of those systems will be r/w to perform upgrades.

Comment 5 Mike Christie 2011-02-03 02:53:28 UTC
I was not able to add exactly what you wanted on this take, but we can take another stab at it in 6.2 if you want.

We added read only device support. To set this you can pass it in with tgtadm like other params:

tgtadm --lld iscsi --mode logicalunit --op update --tid 1 --lun 1 --params readonly=1

or in targets.conf you can do:

    <target iqn.2008-09.com.target>
            readonly 1
            backing-store /storage/lun1
    </target>


With this and some other params you can sort of do what you want. You could create 2 targets that share the disk. target1 would leave the lun rw. target2 would set it as read only. Then you can bind initiators to the different targets based on the permissions.

Note that if you are doing this in targets.conf you need to set allow-in-use. So it would look something like this:

    <target iqn.2008.09.com.target.readonly>
            readonly 1
            initiator-address 192.168.100.100 192.168.100.101 192.168.100.102
            allow-in-use yes
            backing-store /storage/lun1
    </target>

    <target iqn.2008.09.com.target.rw>
            initiator-address 192.168.100.99
            allow-in-use yes
            backing-store /storage/lun1
    </target>

I put a rpm here:
http://people.redhat.com/mchristi/target/tgt/6.1/
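
A check for the two-target layout described in comment 5, as an added example that is not part of the original comments or of scsi-target-utils: it parses targets.conf-style text and flags a shared backing store whose target lacks "allow-in-use yes", and an initiator address bound to both the read-only and the read-write target. The function names and the sample configuration (with two deliberate mistakes) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: comment 5's targets with two mistakes added on purpose.
SAMPLE_CONF = """
<target iqn.2008.09.com.target.readonly>
    readonly 1
    initiator-address 192.168.100.100 192.168.100.101 192.168.100.102
    backing-store /storage/lun1
</target>
<target iqn.2008.09.com.target.rw>
    initiator-address 192.168.100.99 192.168.100.101
    allow-in-use yes
    backing-store /storage/lun1
</target>
"""

def parse_targets(text):
    """Return {target_name: {directive: [values...]}} for each <target> element."""
    targets = {}
    for name, body in re.findall(r"<target\s+(\S+)>(.*?)</target>", text, re.S):
        directives = defaultdict(list)
        for line in body.splitlines():
            line = line.split("#", 1)[0].split()  # drop comments, tokenize
            if line:
                directives[line[0]].extend(line[1:])
        targets[name] = directives
    return targets

def audit(targets):
    """Flag layouts where the read-only/read-write split does not hold."""
    findings, by_store = [], defaultdict(list)
    for name, d in targets.items():
        for store in d["backing-store"]:
            by_store[store].append(name)
    for store, names in by_store.items():
        ro = [n for n in names if targets[n]["readonly"] == ["1"]]
        rw = [n for n in names if n not in ro]
        for n in names:
            if len(names) > 1 and targets[n]["allow-in-use"] != ["yes"]:
                findings.append(f"{n}: shares {store} without allow-in-use yes")
        ro_hosts = {a for n in ro for a in targets[n]["initiator-address"]}
        for n in rw:
            for a in sorted(ro_hosts & set(targets[n]["initiator-address"])):
                findings.append(f"{n}: {a} is also bound to a read-only target for {store}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_targets(SAMPLE_CONF))))
```

The configuration exactly as posted in comment 5 produces no findings.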

Comment 6 Barry Donahue 2011-03-10 23:57:12 UTC
Verified on RHEL6.1-20110224.2. I created the FS and then set the lun to readonly (comment #5). I could read from the volume but could not write to it.

Comment 7 Laura Bailey 2011-05-05 04:43:46 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Support for read-only target devices has been added to scsi-target-utils. Set read-only devices with the "--params" option of the tgtadm command, like so:

tgtadm --lld iscsi --mode logicalunit --op update --tid 1 --lun 1 --params readonly=1

or add "readonly 1" in the target element of your targets.conf file:

    <target iqn.2008-09.com.target>
            readonly 1
            allow-in-use yes
            backing-store /storage/lun1
    </target>

Note that "allow-in-use" must also be set if you enable read-only targets in the targets.conf file.

Comment 8 errata-xmlrpc 2011-05-19 14:14:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0734.html