Limitations

What scsipub's iSCSI target does and doesn't support, as of today. We update this page when behaviour changes; if something here surprises you, file at support@defensiblelogic.com.

Works today

  • iSCSI target on TCP 3260 and iSCSI-over-TLS on 3261 (TLS 1.2 and 1.3 only).
  • Login phase: SessionType=Discovery (SendTargets) and SessionType=Normal.
  • Authentication: CHAP (one-way, MD5) for provisioned targets; None for the public anonymous targets.
  • Header / Data digests: CRC32C and None, negotiated per RFC 7143 §12.1.
  • SCSI command set: TEST UNIT READY, REQUEST SENSE, INQUIRY, REPORT LUNS, READ CAPACITY 10/16, READ 6/10/16, WRITE 6/10/16, MODE SENSE 6/10, SYNCHRONIZE CACHE 10/16.
  • INQUIRY VPD pages: 0x00 (Supported Pages), 0x80 (Unit Serial Number), 0x83 (Device Identification — T10 vendor ID + iSCSI SCSI Name String), 0xB0 (Block Limits), 0xB1 (Block Device Characteristics — non-rotating medium so the host treats us SSD-style), 0xB2 (Logical Block Provisioning — thin).
  • Multi-LUN at the protocol level and via the API: POST /api/sessions accepts images: [...] (up to 256 LUNs); REPORT LUNS enumerates, SCSI Command and Data-Out route per LUN, per-LUN write isolation. There's also a no-auth public demo IQN iqn.2025-01.pub.scsipub:multi for trying multi-LUN without an account.
  • SCSI-3 Persistent Reservations — for paid sessions, multiple iSCSI connections to the same IQN share one COW backend (per-IQN SharedLU). PR commands (REGISTER/RESERVE/RELEASE/CLEAR/PREEMPT, READ_KEYS/READ_RESERVATION/REPORT_CAPABILITIES) coordinate writes between attached initiators. All six reservation types are enforced. State is DB-backed and survives target restarts per SPC-4 §5.12.1.
  • Residual under/overflow counts on Data-In and SCSI Response per RFC 7143 §10.4.4 — strict initiators see correct accounting on short reads.
  • Target-initiated NOP-In keepalives, configurable interval (default 30s, env-tunable). Half-open connections surface as a transport error in seconds rather than waiting up to 4h for the TTL.
  • Per-tier write-limit quotas (anonymous sessions cap at 64 MB).
  • Connection close = session destroy for non-persistent tiers; suspend-then-evict-on-TTL for persistent tiers.

Not implemented (intentionally, for now)

These are real gaps that will surface for clustering, multipathing, and enterprise initiators. None of them are bugs; if you need any of them sooner than later, email above so we can prioritize.

  • Multiple Connections per Session (MC/S). MaxConnections=1 is hardcoded. Linux open-iscsi multipathing falls back to per-session paths instead, which works but doesn't aggregate bandwidth.
  • Session recovery. We reject login attempts with TSIH != 0. A dropped connection means a full re-login from scratch — vMotion, Failover Cluster, and any initiator using ErrorRecoveryLevel ≥ 1 will degrade.
  • UNMAP / WRITE SAME / thin-provisioning hints. discard from the host filesystem is silently dropped at the SCSI layer. Storage savings on the COW overlay are not reclaimed when the host frees blocks. We do advertise the LU as thin (VPD 0xB2) so the host knows to expect it.
  • SCSI ACA (Auto Contingent Allegiance). We accept and tolerate every TaskAttribute (Untagged, Simple, Ordered, HoQ, ACA), and our serial PDU processing satisfies Simple and Ordered for free. ACA's contingent-allegiance state machine isn't implemented; ACA-tagged commands get Simple semantics. Only matters for the specific clustering software that depends on ACA error recovery.
  • Descriptor-format sense (response code 0x72). We always return fixed-format sense (0x70). Most initiators tolerate it; a few prefer descriptor format for richer error info.
  • Authenticated SendTargets discovery. Discovery sessions skip CHAP — anyone reaching the portal can list the public-anonymous IQNs. Per-customer IQNs (CHAP-protected targets) are not advertised in SendTargets, so this is enumeration of the public catalog only, not customer activity.
  • SECURITY PROTOCOL IN/OUT. No SCSI-level encryption negotiation. iSCSI-over-TLS on 3261 is the wire-encryption story; SED / encrypted-at-rest features in the host's SCSI layer aren't surfaced.

Probably-not-relevant gaps

  • AHS (Additional Header Segments) — discarded on parse; only matters for proprietary stacks.
  • ASYNC MESSAGE — we never send target-initiated async events; affects only initiators that monitor for them.
  • Mutual CHAP (target authenticates to initiator) — CHAP is initiator-side only.
  • SRP / Kerberos — not supported; CHAP is the only authmethod.
  • IPv6 binding — relies on Ranch defaults; if your network is v6-only, file an issue.

Recommended initiator config

For Linux open-iscsi against scsipub: 

node.session.auth.authmethod = CHAP            # if provisioned target
node.session.auth.username   = $CHAP_USER       # from POST /api/sessions
node.session.auth.password   = $CHAP_SECRET     # from POST /api/sessions
node.conn[0].iscsi.HeaderDigest = CRC32C        # or None
node.conn[0].iscsi.DataDigest   = CRC32C        # or None

Windows MS iSCSI Initiator: under the target's properties, set Header Digest and Data Digest to Required or None; both work. Avoid Preferred if you've had digest-related connection drops, because Windows can negotiate down silently.

See the API reference for what scsipub does support, and /status for live system state.