Limitations

What scsipub's iSCSI target does and doesn't support, as of today. We update this page when behaviour changes; if something here surprises you, file at support@defensiblelogic.com.

Works today

  • iSCSI target on TCP 3260 and iSCSI-over-TLS on 3261 (TLS 1.2 and 1.3 only).
  • Login phase: SessionType=Discovery (SendTargets) and SessionType=Normal.
  • Authentication: CHAP (one-way, MD5) for provisioned targets; None for the public anonymous targets.
  • Header / Data digests: CRC32C and None, negotiated per RFC 7143 §12.1.
  • SCSI commands: TEST UNIT READY, REQUEST SENSE, INQUIRY (standard + VPD page 0x00), REPORT LUNS, READ CAPACITY 10/16, READ 6/10/16, WRITE 6/10/16, MODE SENSE 6/10, SYNCHRONIZE CACHE.
  • Single LUN per target (LUN 0).
  • Per-tier write-limit quotas (anonymous sessions cap at 64 MB).
  • Connection close = session destroy for non-persistent tiers; suspend-then-evict-on-TTL for persistent tiers.

Not implemented (intentionally, for now)

These are real gaps that will surface for clustering, multipathing, and enterprise initiators. None of them are bugs; if you need any of them sooner than later, email above so we can prioritize.

  • PERSISTENT RESERVE (SCSI-3) IN/OUT. Required by Windows Failover Cluster, Solaris clustering, AIX HACMP, and shared-disk databases. Without it, two initiators sharing the LUN can corrupt each other's writes.
  • Multiple Connections per Session (MC/S). MaxConnections=1 is hardcoded. Linux open-iscsi multipathing falls back to per-session paths instead, which works but doesn't aggregate bandwidth.
  • Session recovery. We reject login attempts with TSIH != 0. A dropped connection means a full re-login from scratch — vMotion, Failover Cluster, and any initiator using ErrorRecoveryLevel ≥ 1 will degrade.
  • Multi-LUN per target. We expose exactly LUN 0. VMware datastores and Solaris disk groups that put multiple LUNs under one target won't see them.
  • UNMAP / WRITE SAME / thin-provisioning hints. discard from the host filesystem is silently dropped at the SCSI layer. Storage savings on the COW overlay are not reclaimed when the host frees blocks.
  • Target-initiated NOP-In keepalives. We reply to initiator NOP-Out keepalives but never initiate our own. Half-open connections (NAT timeout, initiator panic) aren't detected for up to 4 hours, so zombie sessions accumulate against your write quota until the janitor sweeps them.
  • SCSI TaskAttribute beyond Untagged. We accept Simple, Ordered, and ACA in the PDU but treat all commands as Untagged. Filesystems that depend on Ordered semantics for crash consistency are at risk under concurrent IO.
  • Descriptor-format sense (response code 0x72). We always return fixed-format sense (0x70). Most initiators tolerate it; a few prefer descriptor format for richer error info.
  • Residual under/overflow counts. We always report 0 in the residual count. Reads past EOF and short writes will confuse strict initiators about how many bytes actually moved.
  • Authenticated SendTargets discovery. Discovery sessions skip CHAP — anyone reaching the portal can list the public-anonymous IQNs. Per-customer IQNs (CHAP-protected targets) are not advertised in SendTargets, so this is enumeration of public catalog only, not customer activity.
  • SECURITY PROTOCOL IN/OUT. No SCSI-level encryption negotiation. iSCSI-over-TLS on 3261 is the wire-encryption story; SED / encrypted-at-rest features in the host's SCSI layer aren't surfaced.

Probably-not-relevant gaps

  • AHS (Additional Header Segments) — discarded on parse; only matters for proprietary stacks.
  • ASYNC MESSAGE — we never send target-initiated async events; affects only initiators that monitor for them.
  • Mutual CHAP (target authenticates to initiator) — CHAP is initiator-side only.
  • SRP / Kerberos — not supported; CHAP is the only authmethod.
  • IPv6 binding — relies on Ranch defaults; if your network is v6-only, file an issue.

Recommended initiator config

For Linux open-iscsi against scsipub: 

node.session.auth.authmethod = CHAP            # if provisioned target
node.session.auth.username   = $CHAP_USER       # from POST /api/sessions
node.session.auth.password   = $CHAP_SECRET     # from POST /api/sessions
node.conn[0].iscsi.HeaderDigest = CRC32C        # or None
node.conn[0].iscsi.DataDigest   = CRC32C        # or None

Windows MS iSCSI Initiator: under the target's properties, set Header Digest and Data Digest to Required or None; both work. Avoid Preferred if you've had digest-related connection drops, because Windows can negotiate down silently.

See the API reference for what scsipub does support, and /status for live system state.