TOMOYO Linux Cross Reference
Linux/Documentation/target/tcmu-design.rst

   ====================
   TCM Userspace Design
   ====================
   
   
   .. Contents:
   
      1) Design
        a) Background
       b) Benefits
       c) Design constraints
       d) Implementation overview
          i. Mailbox
          ii. Command ring
          iii. Data Area
       e) Device discovery
       f) Device events
       g) Other contingencies
     2) Writing a user pass-through handler
       a) Discovering and configuring TCMU uio devices
       b) Waiting for events on the device(s)
       c) Managing the command ring
     3) A final note
  
  
  Design
  ======
  
  TCM is another name for LIO, an in-kernel iSCSI target (server).
  Existing TCM targets run in the kernel.  TCMU (TCM in Userspace)
  allows userspace programs to be written which act as iSCSI targets.
  This document describes the design.
  
  The existing kernel provides modules for different SCSI transport
  protocols.  TCM also modularizes the data storage.  There are existing
  modules for file, block device, RAM or using another SCSI device as
  storage.  These are called "backstores" or "storage engines".  These
  built-in modules are implemented entirely as kernel code.
  
  Background
  ----------
  
  In addition to modularizing the transport protocol used for carrying
  SCSI commands ("fabrics"), the Linux kernel target, LIO, also modularizes
  the actual data storage as well. These are referred to as "backstores"
  or "storage engines". The target comes with backstores that allow a
  file, a block device, RAM, or another SCSI device to be used for the
  local storage needed for the exported SCSI LUN. Like the rest of LIO,
  these are implemented entirely as kernel code.
  
  These backstores cover the most common use cases, but not all. One new
  use case that other non-kernel target solutions, such as tgt, are able
  to support is using Gluster's GLFS or Ceph's RBD as a backstore. The
  target then serves as a translator, allowing initiators to store data
  in these non-traditional networked storage systems, while still only
  using standard protocols themselves.
  
  If the target is a userspace process, supporting these is easy. tgt,
  for example, needs only a small adapter module for each, because the
  modules just use the available userspace libraries for RBD and GLFS.
  
  Adding support for these backstores in LIO is considerably more
  difficult, because LIO is entirely kernel code. Instead of undertaking
  the significant work to port the GLFS or RBD APIs and protocols to the
  kernel, another approach is to create a userspace pass-through
  backstore for LIO, "TCMU".
  
  
  Benefits
  --------
  
  In addition to allowing relatively easy support for RBD and GLFS, TCMU
  will also allow easier development of new backstores. TCMU combines
  with the LIO loopback fabric to become something similar to FUSE
  (Filesystem in Userspace), but at the SCSI layer instead of the
  filesystem layer. A SUSE, if you will.
  
  The disadvantage is there are more distinct components to configure, and
  potentially to malfunction. This is unavoidable, but hopefully not
  fatal if we're careful to keep things as simple as possible.
  
  Design constraints
  ------------------
  
  - Good performance: high throughput, low latency
  - Cleanly handle if userspace:
  
     1) never attaches
     2) hangs
     3) dies
     4) misbehaves
  
  - Allow future flexibility in user & kernel implementations
  - Be reasonably memory-efficient
  - Simple to configure & run
  - Simple to write a userspace backend
  
  
  Implementation overview
 -----------------------
 
 The core of the TCMU interface is a memory region that is shared
 between kernel and userspace. Within this region is: a control area
 (mailbox); a lockless producer/consumer circular buffer for commands
 to be passed up, and status returned; and an in/out data buffer area.
 
 TCMU uses the pre-existing UIO subsystem. UIO allows device driver
 development in userspace, and this is conceptually very close to the
 TCMU use case, except instead of a physical device, TCMU implements a
 memory-mapped layout designed for SCSI commands. Using UIO also
 benefits TCMU by handling device introspection (e.g. a way for
 userspace to determine how large the shared region is) and signaling
 mechanisms in both directions.
 
 There are no embedded pointers in the memory region. Everything is
 expressed as an offset from the region's starting address. This allows
 the ring to still work if the user process dies and is restarted with
 the region mapped at a different virtual address.
 
 See target_core_user.h for the struct definitions.
 
 The Mailbox
 -----------
 
 The mailbox is always at the start of the shared memory region, and
 contains a version, details about the starting offset and size of the
 command ring, and head and tail pointers to be used by the kernel and
 userspace (respectively) to put commands on the ring, and indicate
 when the commands are completed.
 
 version - 1 (userspace should abort if otherwise)
 
 flags:
     - TCMU_MAILBOX_FLAG_CAP_OOOC:
         indicates out-of-order completion is supported.
         See "The Command Ring" for details.
 
 cmdr_off
         The offset of the start of the command ring from the start
         of the memory region, to account for the mailbox size.
 cmdr_size
         The size of the command ring. This does *not* need to be a
         power of two.
 cmd_head
         Modified by the kernel to indicate when a command has been
         placed on the ring.
 cmd_tail
         Modified by userspace to indicate when it has completed
         processing of a command.
 
 The Command Ring
 ----------------
 
 Commands are placed on the ring by the kernel incrementing
 mailbox.cmd_head by the size of the command, modulo cmdr_size, and
 then signaling userspace via uio_event_notify(). Once the command is
 completed, userspace updates mailbox.cmd_tail in the same way and
 signals the kernel via a 4-byte write(). When cmd_head equals
 cmd_tail, the ring is empty -- no commands are currently waiting to be
 processed by userspace.
 
 TCMU commands are 8-byte aligned. They start with a common header
 containing "len_op", a 32-bit value that stores the length, as well as
 the opcode in the lowest unused bits. It also contains cmd_id and
 flags fields for setting by the kernel (kflags) and userspace
 (uflags).
 
 Currently only two opcodes are defined, TCMU_OP_CMD and TCMU_OP_PAD.
 
 When the opcode is CMD, the entry in the command ring is a struct
 tcmu_cmd_entry. Userspace finds the SCSI CDB (Command Data Block) via
 tcmu_cmd_entry.req.cdb_off. This is an offset from the start of the
 overall shared memory region, not the entry. The data in/out buffers
 are accessible via the req.iov[] array. iov_cnt contains the number of
 entries in iov[] needed to describe either the Data-In or Data-Out
 buffers. For bidirectional commands, iov_cnt specifies how many iovec
 entries cover the Data-Out area, and iov_bidi_cnt specifies how many
 iovec entries immediately after that in iov[] cover the Data-In
 area. Just like other fields, iov.iov_base is an offset from the start
 of the region.
 
 When completing a command, userspace sets rsp.scsi_status, and
 rsp.sense_buffer if necessary. Userspace then increments
 mailbox.cmd_tail by entry.hdr.length (mod cmdr_size) and signals the
 kernel via the UIO method, a 4-byte write to the file descriptor.
 
 If TCMU_MAILBOX_FLAG_CAP_OOOC is set for mailbox->flags, kernel is
 capable of handling out-of-order completions. In this case, userspace can
 handle command in different order other than original. Since kernel would
 still process the commands in the same order it appeared in the command
 ring, userspace need to update the cmd->id when completing the
 command(a.k.a steal the original command's entry).
 
 When the opcode is PAD, userspace only updates cmd_tail as above --
 it's a no-op. (The kernel inserts PAD entries to ensure each CMD entry
 is contiguous within the command ring.)
 
 More opcodes may be added in the future. If userspace encounters an
 opcode it does not handle, it must set UNKNOWN_OP bit (bit 0) in
 hdr.uflags, update cmd_tail, and proceed with processing additional
 commands, if any.
 
 The Data Area
 -------------
 
 This is shared-memory space after the command ring. The organization
 of this area is not defined in the TCMU interface, and userspace
 should access only the parts referenced by pending iovs.
 
 
 Device Discovery
 ----------------
 
 Other devices may be using UIO besides TCMU. Unrelated user processes
 may also be handling different sets of TCMU devices. TCMU userspace
 processes must find their devices by scanning sysfs
 class/uio/uio*/name. For TCMU devices, these names will be of the
 format::
 
         tcm-user/<hba_num>/<device_name>/<subtype>/<path>
 
 where "tcm-user" is common for all TCMU-backed UIO devices. <hba_num>
 and <device_name> allow userspace to find the device's path in the
 kernel target's configfs tree. Assuming the usual mount point, it is
 found at::
 
         /sys/kernel/config/target/core/user_<hba_num>/<device_name>
 
 This location contains attributes such as "hw_block_size", that
 userspace needs to know for correct operation.
 
 <subtype> will be a userspace-process-unique string to identify the
 TCMU device as expecting to be backed by a certain handler, and <path>
 will be an additional handler-specific string for the user process to
 configure the device, if needed. The name cannot contain ':', due to
 LIO limitations.
 
 For all devices so discovered, the user handler opens /dev/uioX and
 calls mmap()::
 
         mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0)
 
 where size must be equal to the value read from
 /sys/class/uio/uioX/maps/map0/size.
 
 
 Device Events
 -------------
 
 If a new device is added or removed, a notification will be broadcast
 over netlink, using a generic netlink family name of "TCM-USER" and a
 multicast group named "config". This will include the UIO name as
 described in the previous section, as well as the UIO minor
 number. This should allow userspace to identify both the UIO device and
 the LIO device, so that after determining the device is supported
 (based on subtype) it can take the appropriate action.
 
 
 Other contingencies
 -------------------
 
 Userspace handler process never attaches:
 
 - TCMU will post commands, and then abort them after a timeout period
   (30 seconds.)
 
 Userspace handler process is killed:
 
 - It is still possible to restart and re-connect to TCMU
   devices. Command ring is preserved. However, after the timeout period,
   the kernel will abort pending tasks.
 
 Userspace handler process hangs:
 
 - The kernel will abort pending tasks after a timeout period.
 
 Userspace handler process is malicious:
 
 - The process can trivially break the handling of devices it controls,
   but should not be able to access kernel memory outside its shared
   memory areas.
 
 
 Writing a user pass-through handler (with example code)
 =======================================================
 
 A user process handing a TCMU device must support the following:
 
 a) Discovering and configuring TCMU uio devices
 b) Waiting for events on the device(s)
 c) Managing the command ring: Parsing operations and commands,
    performing work as needed, setting response fields (scsi_status and
    possibly sense_buffer), updating cmd_tail, and notifying the kernel
    that work has been finished
 
 First, consider instead writing a plugin for tcmu-runner. tcmu-runner
 implements all of this, and provides a higher-level API for plugin
 authors.
 
 TCMU is designed so that multiple unrelated processes can manage TCMU
 devices separately. All handlers should make sure to only open their
 devices, based opon a known subtype string.
 
 a) Discovering and configuring TCMU UIO devices::
 
       /* error checking omitted for brevity */
 
       int fd, dev_fd;
       char buf[256];
       unsigned long long map_len;
       void *map;
 
       fd = open("/sys/class/uio/uio0/name", O_RDONLY);
       ret = read(fd, buf, sizeof(buf));
       close(fd);
       buf[ret-1] = '\0'; /* null-terminate and chop off the \n */
 
       /* we only want uio devices whose name is a format we expect */
       if (strncmp(buf, "tcm-user", 8))
         exit(-1);
 
       /* Further checking for subtype also needed here */
 
       fd = open(/sys/class/uio/%s/maps/map0/size, O_RDONLY);
       ret = read(fd, buf, sizeof(buf));
       close(fd);
       str_buf[ret-1] = '\0'; /* null-terminate and chop off the \n */
 
       map_len = strtoull(buf, NULL, 0);
 
       dev_fd = open("/dev/uio0", O_RDWR);
       map = mmap(NULL, map_len, PROT_READ|PROT_WRITE, MAP_SHARED, dev_fd, 0);
 
 
       b) Waiting for events on the device(s)
 
       while (1) {
         char buf[4];
 
         int ret = read(dev_fd, buf, 4); /* will block */
 
         handle_device_events(dev_fd, map);
       }
 
 
 c) Managing the command ring::
 
       #include <linux/target_core_user.h>
 
       int handle_device_events(int fd, void *map)
       {
         struct tcmu_mailbox *mb = map;
         struct tcmu_cmd_entry *ent = (void *) mb + mb->cmdr_off + mb->cmd_tail;
         int did_some_work = 0;
 
         /* Process events from cmd ring until we catch up with cmd_head */
         while (ent != (void *)mb + mb->cmdr_off + mb->cmd_head) {
 
           if (tcmu_hdr_get_op(ent->hdr.len_op) == TCMU_OP_CMD) {
             uint8_t *cdb = (void *)mb + ent->req.cdb_off;
             bool success = true;
 
             /* Handle command here. */
             printf("SCSI opcode: 0x%x\n", cdb[0]);
 
             /* Set response fields */
             if (success)
               ent->rsp.scsi_status = SCSI_NO_SENSE;
             else {
               /* Also fill in rsp->sense_buffer here */
               ent->rsp.scsi_status = SCSI_CHECK_CONDITION;
             }
           }
           else if (tcmu_hdr_get_op(ent->hdr.len_op) != TCMU_OP_PAD) {
             /* Tell the kernel we didn't handle unknown opcodes */
             ent->hdr.uflags |= TCMU_UFLAG_UNKNOWN_OP;
           }
           else {
             /* Do nothing for PAD entries except update cmd_tail */
           }
 
           /* update cmd_tail */
           mb->cmd_tail = (mb->cmd_tail + tcmu_hdr_get_len(&ent->hdr)) % mb->cmdr_size;
           ent = (void *) mb + mb->cmdr_off + mb->cmd_tail;
           did_some_work = 1;
         }
 
         /* Notify the kernel that work has been finished */
         if (did_some_work) {
           uint32_t buf = 0;
 
           write(fd, &buf, 4);
         }
 
         return 0;
       }
 
 
 A final note
 ============
 
 Please be careful to return codes as defined by the SCSI
 specifications. These are different than some values defined in the
 scsi/scsi.h include file. For example, CHECK CONDITION's status code
 is 2, not 1.

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.