Documentation / target / tcmu-design.txt

Based on kernel version 4.16.1. Page generated on 2018-04-09 11:53 EST.

	Contents:
	
	1) TCM Userspace Design
	  a) Background
	  b) Benefits
	  c) Design constraints
	  d) Implementation overview
	     i. Mailbox
	     ii. Command ring
	     iii. Data Area
	  e) Device discovery
	  f) Device events
	  g) Other contingencies
	2) Writing a user pass-through handler
	  a) Discovering and configuring TCMU uio devices
	  b) Waiting for events on the device(s)
	  c) Managing the command ring
	3) A final note
	
	
	TCM Userspace Design
	--------------------
	
	TCM is another name for LIO, an in-kernel iSCSI target (server).
	Existing TCM targets run in the kernel.  TCMU (TCM in Userspace)
	allows userspace programs to be written which act as iSCSI targets.
	This document describes the design.
	
	The existing kernel provides modules for different SCSI transport
	protocols.  TCM also modularizes the data storage.  There are existing
	modules for file, block device, RAM or using another SCSI device as
	storage.  These are called "backstores" or "storage engines".  These
	built-in modules are implemented entirely as kernel code.
	
	Background:
	
	In addition to modularizing the transport protocol used for carrying
	SCSI commands ("fabrics"), the Linux kernel target, LIO, also modularizes
	the actual data storage as well. These are referred to as "backstores"
	or "storage engines". The target comes with backstores that allow a
	file, a block device, RAM, or another SCSI device to be used for the
	local storage needed for the exported SCSI LUN. Like the rest of LIO,
	these are implemented entirely as kernel code.
	
	These backstores cover the most common use cases, but not all. One new
	use case that other non-kernel target solutions, such as tgt, are able
	to support is using Gluster's GLFS or Ceph's RBD as a backstore. The
	target then serves as a translator, allowing initiators to store data
	in these non-traditional networked storage systems, while still only
	using standard protocols themselves.
	
	If the target is a userspace process, supporting these is easy. tgt,
	for example, needs only a small adapter module for each, because the
	modules just use the available userspace libraries for RBD and GLFS.
	
	Adding support for these backstores in LIO is considerably more
	difficult, because LIO is entirely kernel code. Instead of undertaking
	the significant work to port the GLFS or RBD APIs and protocols to the
	kernel, another approach is to create a userspace pass-through
	backstore for LIO, "TCMU".
	
	
	Benefits:
	
	In addition to allowing relatively easy support for RBD and GLFS, TCMU
	will also allow easier development of new backstores. TCMU combines
	with the LIO loopback fabric to become something similar to FUSE
	(Filesystem in Userspace), but at the SCSI layer instead of the
	filesystem layer. A SUSE, if you will.
	
	The disadvantage is there are more distinct components to configure, and
	potentially to malfunction. This is unavoidable, but hopefully not
	fatal if we're careful to keep things as simple as possible.
	
	Design constraints:
	
	- Good performance: high throughput, low latency
	- Cleanly handle if userspace:
	   1) never attaches
	   2) hangs
	   3) dies
	   4) misbehaves
	- Allow future flexibility in user & kernel implementations
	- Be reasonably memory-efficient
	- Simple to configure & run
	- Simple to write a userspace backend
	
	
	Implementation overview:
	
	The core of the TCMU interface is a memory region that is shared
	between kernel and userspace. Within this region is: a control area
	(mailbox); a lockless producer/consumer circular buffer for commands
	to be passed up, and status returned; and an in/out data buffer area.
	
	TCMU uses the pre-existing UIO subsystem. UIO allows device driver
	development in userspace, and this is conceptually very close to the
	TCMU use case, except instead of a physical device, TCMU implements a
	memory-mapped layout designed for SCSI commands. Using UIO also
	benefits TCMU by handling device introspection (e.g. a way for
	userspace to determine how large the shared region is) and signaling
	mechanisms in both directions.
	
	There are no embedded pointers in the memory region. Everything is
	expressed as an offset from the region's starting address. This allows
	the ring to still work if the user process dies and is restarted with
	the region mapped at a different virtual address.
	
	See target_core_user.h for the struct definitions.
	
	The Mailbox:
	
	The mailbox is always at the start of the shared memory region, and
	contains a version, details about the starting offset and size of the
	command ring, and head and tail pointers to be used by the kernel and
	userspace (respectively) to put commands on the ring, and indicate
	when the commands are completed.
	
	version - 1 (userspace should abort if otherwise)
	flags:
	- TCMU_MAILBOX_FLAG_CAP_OOOC: indicates out-of-order completion is
	  supported.  See "The Command Ring" for details.
	cmdr_off - The offset of the start of the command ring from the start
	of the memory region, to account for the mailbox size.
	cmdr_size - The size of the command ring. This does *not* need to be a
	power of two.
	cmd_head - Modified by the kernel to indicate when a command has been
	placed on the ring.
	cmd_tail - Modified by userspace to indicate when it has completed
	processing of a command.
	
	The Command Ring:
	
	Commands are placed on the ring by the kernel incrementing
	mailbox.cmd_head by the size of the command, modulo cmdr_size, and
	then signaling userspace via uio_event_notify(). Once the command is
	completed, userspace updates mailbox.cmd_tail in the same way and
	signals the kernel via a 4-byte write(). When cmd_head equals
	cmd_tail, the ring is empty -- no commands are currently waiting to be
	processed by userspace.
	
	TCMU commands are 8-byte aligned. They start with a common header
	containing "len_op", a 32-bit value that stores the length, as well as
	the opcode in the lowest unused bits. It also contains cmd_id and
	flags fields for setting by the kernel (kflags) and userspace
	(uflags).
	
	Currently only two opcodes are defined, TCMU_OP_CMD and TCMU_OP_PAD.
	
	When the opcode is CMD, the entry in the command ring is a struct
	tcmu_cmd_entry. Userspace finds the SCSI CDB (Command Data Block) via
	tcmu_cmd_entry.req.cdb_off. This is an offset from the start of the
	overall shared memory region, not the entry. The data in/out buffers
	are accessible via tht req.iov[] array. iov_cnt contains the number of
	entries in iov[] needed to describe either the Data-In or Data-Out
	buffers. For bidirectional commands, iov_cnt specifies how many iovec
	entries cover the Data-Out area, and iov_bidi_cnt specifies how many
	iovec entries immediately after that in iov[] cover the Data-In
	area. Just like other fields, iov.iov_base is an offset from the start
	of the region.
	
	When completing a command, userspace sets rsp.scsi_status, and
	rsp.sense_buffer if necessary. Userspace then increments
	mailbox.cmd_tail by entry.hdr.length (mod cmdr_size) and signals the
	kernel via the UIO method, a 4-byte write to the file descriptor.
	
	If TCMU_MAILBOX_FLAG_CAP_OOOC is set for mailbox->flags, kernel is
	capable of handling out-of-order completions. In this case, userspace can
	handle command in different order other than original. Since kernel would
	still process the commands in the same order it appeared in the command
	ring, userspace need to update the cmd->id when completing the
	command(a.k.a steal the original command's entry).
	
	When the opcode is PAD, userspace only updates cmd_tail as above --
	it's a no-op. (The kernel inserts PAD entries to ensure each CMD entry
	is contiguous within the command ring.)
	
	More opcodes may be added in the future. If userspace encounters an
	opcode it does not handle, it must set UNKNOWN_OP bit (bit 0) in
	hdr.uflags, update cmd_tail, and proceed with processing additional
	commands, if any.
	
	The Data Area:
	
	This is shared-memory space after the command ring. The organization
	of this area is not defined in the TCMU interface, and userspace
	should access only the parts referenced by pending iovs.
	
	
	Device Discovery:
	
	Other devices may be using UIO besides TCMU. Unrelated user processes
	may also be handling different sets of TCMU devices. TCMU userspace
	processes must find their devices by scanning sysfs
	class/uio/uio*/name. For TCMU devices, these names will be of the
	format:
	
	tcm-user/<hba_num>/<device_name>/<subtype>/<path>
	
	where "tcm-user" is common for all TCMU-backed UIO devices. <hba_num>
	and <device_name> allow userspace to find the device's path in the
	kernel target's configfs tree. Assuming the usual mount point, it is
	found at:
	
	/sys/kernel/config/target/core/user_<hba_num>/<device_name>
	
	This location contains attributes such as "hw_block_size", that
	userspace needs to know for correct operation.
	
	<subtype> will be a userspace-process-unique string to identify the
	TCMU device as expecting to be backed by a certain handler, and <path>
	will be an additional handler-specific string for the user process to
	configure the device, if needed. The name cannot contain ':', due to
	LIO limitations.
	
	For all devices so discovered, the user handler opens /dev/uioX and
	calls mmap():
	
	mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0)
	
	where size must be equal to the value read from
	/sys/class/uio/uioX/maps/map0/size.
	
	
	Device Events:
	
	If a new device is added or removed, a notification will be broadcast
	over netlink, using a generic netlink family name of "TCM-USER" and a
	multicast group named "config". This will include the UIO name as
	described in the previous section, as well as the UIO minor
	number. This should allow userspace to identify both the UIO device and
	the LIO device, so that after determining the device is supported
	(based on subtype) it can take the appropriate action.
	
	
	Other contingencies:
	
	Userspace handler process never attaches:
	
	- TCMU will post commands, and then abort them after a timeout period
	  (30 seconds.)
	
	Userspace handler process is killed:
	
	- It is still possible to restart and re-connect to TCMU
	  devices. Command ring is preserved. However, after the timeout period,
	  the kernel will abort pending tasks.
	
	Userspace handler process hangs:
	
	- The kernel will abort pending tasks after a timeout period.
	
	Userspace handler process is malicious:
	
	- The process can trivially break the handling of devices it controls,
	  but should not be able to access kernel memory outside its shared
	  memory areas.
	
	
	Writing a user pass-through handler (with example code)
	-------------------------------------------------------
	
	A user process handing a TCMU device must support the following:
	
	a) Discovering and configuring TCMU uio devices
	b) Waiting for events on the device(s)
	c) Managing the command ring: Parsing operations and commands,
	   performing work as needed, setting response fields (scsi_status and
	   possibly sense_buffer), updating cmd_tail, and notifying the kernel
	   that work has been finished
	
	First, consider instead writing a plugin for tcmu-runner. tcmu-runner
	implements all of this, and provides a higher-level API for plugin
	authors.
	
	TCMU is designed so that multiple unrelated processes can manage TCMU
	devices separately. All handlers should make sure to only open their
	devices, based opon a known subtype string.
	
	a) Discovering and configuring TCMU UIO devices:
	
	(error checking omitted for brevity)
	
	int fd, dev_fd;
	char buf[256];
	unsigned long long map_len;
	void *map;
	
	fd = open("/sys/class/uio/uio0/name", O_RDONLY);
	ret = read(fd, buf, sizeof(buf));
	close(fd);
	buf[ret-1] = '\0'; /* null-terminate and chop off the \n */
	
	/* we only want uio devices whose name is a format we expect */
	if (strncmp(buf, "tcm-user", 8))
		exit(-1);
	
	/* Further checking for subtype also needed here */
	
	fd = open(/sys/class/uio/%s/maps/map0/size, O_RDONLY);
	ret = read(fd, buf, sizeof(buf));
	close(fd);
	str_buf[ret-1] = '\0'; /* null-terminate and chop off the \n */
	
	map_len = strtoull(buf, NULL, 0);
	
	dev_fd = open("/dev/uio0", O_RDWR);
	map = mmap(NULL, map_len, PROT_READ|PROT_WRITE, MAP_SHARED, dev_fd, 0);
	
	
	b) Waiting for events on the device(s)
	
	while (1) {
	  char buf[4];
	
	  int ret = read(dev_fd, buf, 4); /* will block */
	
	  handle_device_events(dev_fd, map);
	}
	
	
	c) Managing the command ring
	
	#include <linux/target_core_user.h>
	
	int handle_device_events(int fd, void *map)
	{
	  struct tcmu_mailbox *mb = map;
	  struct tcmu_cmd_entry *ent = (void *) mb + mb->cmdr_off + mb->cmd_tail;
	  int did_some_work = 0;
	
	  /* Process events from cmd ring until we catch up with cmd_head */
	  while (ent != (void *)mb + mb->cmdr_off + mb->cmd_head) {
	
	    if (tcmu_hdr_get_op(ent->hdr.len_op) == TCMU_OP_CMD) {
	      uint8_t *cdb = (void *)mb + ent->req.cdb_off;
	      bool success = true;
	
	      /* Handle command here. */
	      printf("SCSI opcode: 0x%x\n", cdb[0]);
	
	      /* Set response fields */
	      if (success)
	        ent->rsp.scsi_status = SCSI_NO_SENSE;
	      else {
	        /* Also fill in rsp->sense_buffer here */
	        ent->rsp.scsi_status = SCSI_CHECK_CONDITION;
	      }
	    }
	    else if (tcmu_hdr_get_op(ent->hdr.len_op) != TCMU_OP_PAD) {
	      /* Tell the kernel we didn't handle unknown opcodes */
	      ent->hdr.uflags |= TCMU_UFLAG_UNKNOWN_OP;
	    }
	    else {
	      /* Do nothing for PAD entries except update cmd_tail */
	    }
	
	    /* update cmd_tail */
	    mb->cmd_tail = (mb->cmd_tail + tcmu_hdr_get_len(&ent->hdr)) % mb->cmdr_size;
	    ent = (void *) mb + mb->cmdr_off + mb->cmd_tail;
	    did_some_work = 1;
	  }
	
	  /* Notify the kernel that work has been finished */
	  if (did_some_work) {
	    uint32_t buf = 0;
	
	    write(fd, &buf, 4);
	  }
	
	  return 0;
	}
	
	
	A final note
	------------
	
	Please be careful to return codes as defined by the SCSI
	specifications. These are different than some values defined in the
	scsi/scsi.h include file. For example, CHECK CONDITION's status code
	is 2, not 1.

• [ target ]
• target-export-device
• tcm_mod_builder.py
• tcm_mod_builder.txt
• tcmu-design.txt
•  

---