Layer 6 · nvmf

The four objects, and the protocol that connects them.

NVMe-over-Fabrics takes the NVMe command set you already know from Layer 0.2 and tunnels it over a network. The protocol adds four new nouns that don't exist in PCIe-attached NVMe: subsystem, namespace, listener, and controller. This page is the vocabulary you'll need for the rest of Layer 6.

~15 min read2 diagramsprerequisites: 0.2 · 4.1

On this page

What NVMe-oF actually does
Initiator and target, end to end
Subsystem — the "SCSI target" of NVMe-oF
Namespace — one bdev, one NSID
Listener — the network endpoint on the target
Controller — the initiator-side state machine
Discovery service — how initiators find targets
Host NQN — the iSCSI IQN equivalent
Admin queue vs I/O queues, across the network
Edge cases & what trips people up

What NVMe-oF actually does

PCIe-attached NVMe puts the NVMe controller and the host's NVMe driver on the same machine, talking over a PCIe bus. The commands travel in a submission queue, completions come back in a completion queue, and that's it. NVMe-over-Fabrics — NVMe-oF for short — replaces that PCIe bus with a network. The host ("initiator") and the storage device ("target") are now two different processes, often on two different hosts, talking TCP or RDMA. The NVMe command set, the submission/completion queue abstraction, and the register interface are unchanged. What changes is how the bytes get from one side to the other.

The spec that defines this is the NVMe-oF specification, TP 8013 maintained by the NVMe Inc. technical work group. It is layered on top of the base NVMe spec. Every transport (RDMA, TCP, FC, VFIO-user) speaks the same wire-level command capsules and the same connection setup; only the framing differs. SPDK implements the target side in lib/nvmf/:lib/ .

Initiator and target, end to end

The protocol has exactly two roles, named the same way iSCSI names them:

Role	What it does	SPDK component	Linux counterpart
Target	Owns the bdevs. Serves them to the network. Accepts connections.	`nvmf_tgt` binary, the SPDK `lib/nvmf/` library	None — there's no in-kernel NVMe-oF target worth using. SPDK is the target.
Initiator	Connects to targets. Discovers them. Submits NVMe commands on behalf of an application.	(no SPDK component — see Layer 0)	Kernel `nvme_tcp` or `nvme_rdma` driver; the `nvme-cli` userland tool

The asymmetry is the thing to internalize: SPDK only ever implements the target side. An SPDK process does not connect to an NVMe-oF target. It does, however, speak PCIe NVMe as a client of the in-kernel driver, which is a different protocol that happens to share the command set. The targets we build with diskengine and the SPDK nvmf_tgt are consumed by either the kernel nvme_tcp/nvme_rdma driver or by another SPDK process running in "PCIe NVMe client" mode.

flowchart LR
subgraph "Initiator host"
  APP[Application
issues read/write syscalls]
  DRV[Kernel NVMe-OF driver
nvme_tcp or nvme_rdma]
  APP --> DRV
end

subgraph "Target host (SPDK)"
  NVMF[nvmf_tgt
the SPDK target]
  BDEV[bdev stack
malloc / nvme / lvol / passthru]
  NVMF --> BDEV
end

DRV -- "RDMA verbs or TCP/TLS" --> NVMF

fig. 1 — initiator/target roles · tap or scroll to zoom · ↗ for fullscreen

fig. 1 The protocol is two-sided. The kernel driver on the left submits NVMe capsules over RDMA or TCP. The nvmf_tgt process on the right translates them into bdev I/O. The application sees a normal /dev/nvmeXnY device and never knows the storage is on another machine.

Subsystem — the "SCSI target" of NVMe-oF

A subsystem is the unit of export. It is a named collection of namespaces, with a list of allowed listeners and a list of allowed hosts. If you're coming from iSCSI, think of it as the iSCSI target: the thing you log in to.

In SPDK, the subsystem is a C struct with state, an NQN, a list of namespaces, a list of listeners, a list of hosts, and a list of currently connected controllers. Creation goes through spdk_nvmf_subsystem_create — the function that lives behind the JSON-RPC method nvmf_create_subsystem.

spdk_v26_01_migration/lib/nvmf/subsystem.c · lines 220-275 spdk_nvmf_subsystem_create — what the struct looks like

The subsystem is created in the inactive state. No listeners are attached yet, no namespaces, no controllers. The fields set here are the ones every subsystem owns.

struct spdk_nvmf_subsystem {
    char subnqn[SPDK_NVMF_NQN_MAX_LEN];   // (1)
    struct spdk_nvmf_tgt *tgt;
    enum spdk_nvmf_subsystem_state state;  // (2)
    TAILQ_HEAD(, spdk_nvmf_ctrlr) ctrlrs;  // (3)
    TAILQ_HEAD(, spdk_nvmf_subsystem_listener) listeners;
    TAILQ_HEAD(, spdk_nvmf_host) hosts;
    struct spdk_nvmf_ns **ns;              // (4)
    uint32_t max_nsid;
    uint32_t next_cntlid;                  // (5)
    struct spdk_bit_array *used_listener_ids;
    struct spdk_bit_array *subsystem_ids;
    bool allow_any_host;
    // ... ANA state, reservations, etc.
};

subnqn — the subsystem's NVMe Qualified Name. The string the initiator uses to identify which subsystem it wants to connect to. Same format rules as an iSCSI IQN. The well-known discovery NQN is nqn.2014-08.org.nvmexpress.discovery.
state — one of INACTIVE, ACTIVE, or PAUSED. You can only mutate a subsystem in INACTIVE or PAUSED. This is what makes namespace changes safe — you pause the subsystem, change it, resume it. See the spdk_nvmf_subsystem_add_ns_ext precondition check at lib/nvmf/subsystem.c:2243 .
ctrlrs — every controller currently associated with this subsystem. Each connecting initiator gets one controller. When the last qpair for a controller goes away, the controller is destroyed. See lib/nvmf/nvmf.c:1442 for the "last qpair tears down the ctrlr" path.
ns — an array of namespace pointers, indexed by NSID. One per NSID, up to max_nsid. Created on spdk_nvmf_subsystem_add_ns_ext at lib/nvmf/subsystem.c:2229 .
next_cntlid — the controller ID to hand out next. Each connecting initiator gets a unique 16-bit ID, allocated from the min_cntlid..max_cntlid range.

Namespace — one bdev, one NSID

A namespace is what NVMe-oF calls the exposed block device. The unit of exposure is one bdev. When you call spdk_nvmf_subsystem_add_ns_ext, the subsystem spdk_bdev_open_ext_v2's the named bdev read-write and stores the resulting spdk_bdev_desc inside an spdk_nvmf_ns. The NSID is allocated from a free slot in the subsystem's namespace array.

spdk_v26_01_migration/lib/nvmf/subsystem.c · lines 2253-2313 spdk_nvmf_subsystem_add_ns_ext — the namespace-to-bdev binding

The interesting bit is the open: a single namespace holds one open handle on a bdev, kept open for the entire life of the subsystem. Removing the namespace closes it.

if (opts.nsid == 0) {
    /* Find a free index. */
    for (opts.nsid = 1; opts.nsid <= subsystem->max_nsid; opts.nsid++) {
        if (_nvmf_subsystem_get_ns(subsystem, opts.nsid) == NULL) {
            break;
        }
    }
    if (opts.nsid > subsystem->max_nsid) {
        SPDK_ERRLOG("No free namespace slot available\n");
        return 0;
    }
}

ns = calloc(1, sizeof(*ns));
// ... init ns struct ...

rc = spdk_bdev_open_ext_v2(bdev_name, true, nvmf_ns_event, ns,
                           &open_opts, &ns->desc);
if (rc != 0) {
    SPDK_ERRLOG("Subsystem %s: bdev %s cannot be opened, error=%d\n",
                subsystem->subnqn, bdev_name, rc);
    free(ns);
    return 0;
}

The mapping is one-to-one. Two namespaces cannot point to the same bdev, and one namespace cannot expose two bdevs. If you want RAID or concatenation, you do it in the bdev layer (a lvol sits on top of an lvstore; a vbdev_passthru is one to one). diskengine's wiring is at NvmfSubsystemAddNs:114 .

Listener — the network endpoint on the target

A listener is the address a target listens on. It's a transport ID: trtype (RDMA / TCP / VFIOUSER / FC), adrfam (IPv4 / IPv6), traddr (the IP, or for FC, the WWN), and trsvcid (the port number, or for FC, the route).

Listeners belong to a subsystem, not to a target. Two subsystems can each have a listener on the same target, even on the same transport address — they're tagged by NQN, not by address. The acceptor poller is at the target level; the per-subsystem filter happens when a connection is established.

spdk_v26_01_migration/lib/nvmf/subsystem.c · lines 1592-1608 spdk_nvmf_subsystem_add_listener_ext — the address binding

void
spdk_nvmf_subsystem_add_listener_ext(struct spdk_nvmf_subsystem *subsystem,
                                     const struct spdk_nvme_transport_id *trid,
                                     spdk_nvmf_tgt_subsystem_listen_done_fn cb_fn,
                                     void *cb_arg,
                                     struct spdk_nvmf_listener_opts *opts)
{
    _nvmf_subsystem_add_listener(subsystem, trid, cb_fn, cb_arg, opts);
}

The function is short, but the work underneath is the meat. A listener is added in three phases: the subsystem is paused (so no new connections arrive), the transport actually starts listening on the trid, and the subsystem is resumed. The transport's listen_associate hook is where the work gets transport-specific — for RDMA it opens a listening CM ID; for TCP it opens a socket; for VFIO-user it sets up a vfio-user server endpoint.

The opts argument is transport-specific: secure channel (TLS) for TCP, ANA state, the socket implementation selector, etc. The header is at include/spdk/nvmf.h:908 .

Controller — the initiator-side state machine

A controller is the NVMe-oF equivalent of an "I_T nexus" in SCSI. It's the runtime state for one connecting initiator on one subsystem: an admin queue, a set of I/O qpairs, the negotiated limits, the controller ID, the host NQN, and the keep-alive timer.

A controller is created by the Fabrics Connect command. The flow is: initiator sends a Connect capsule on the admin qpair, the target's nvmf_ctrlr_create at lib/nvmf/ctrlr.c:438 builds a fresh spdk_nvmf_ctrlr, allocates a controller ID, sets up the admin queue, and replies with a Connect response.

spdk_v26_01_migration/lib/nvmf/ctrlr.c · lines 437-540 nvmf_ctrlr_create — what the controller struct looks like

The struct itself is bigger, but these are the fields you look at when debugging.

ctrlr = calloc(1, sizeof(*ctrlr));
if (ctrlr == NULL) {
    return NULL;
}

if (spdk_nvme_trtype_is_fabrics(transport->ops->type)) {
    ctrlr->dynamic_ctrlr = true;            // (1)
} else {
    ctrlr->cntlid = connect_data->cntlid;
}

ctrlr->subsys = subsystem;
ctrlr->thread = req->qpair->group->thread;   // (2)
ctrlr->qpair_mask = spdk_bit_array_create(
    transport->opts.max_qpairs_per_ctrlr);   // (3)

nvmf_ctrlr_cdata_init(transport, subsystem, &ctrlr->cdata);

dynamic_ctrlr — true for fabric transports (RDMA/TCP), false for direct-attach transports (PCIe, VFIO-user). For fabric transports, the controller ID is allocated by the target at connect time. For non-fabric transports, the controller ID comes from the host's cntlid field.
thread — the SPDK thread the controller lives on. Always the qpair's poll group thread. This is the single constraint that keeps the controller lock-free: every operation on a controller runs on its thread. Cross-thread operations need a spdk_thread_send_msg.
qpair_mask — a bit per qpair, used to find the last qpair when a controller is tearing down. When the last bit clears, the controller is destroyed. See lib/nvmf/nvmf.c:1442 for the "last qpair, free the ctrlr" path.

Discovery service — how initiators find targets

An initiator needs to know what subsystems exist before it can connect. NVMe-oF handles this with a special pre-defined subsystem called the discovery subsystem. Its NQN is fixed: nqn.2014-08.org.nvmexpress.discovery.

Connect to the discovery subsystem and send Get Log Page with LID 0x01. The target returns a discovery log page: a list of all the subsystems it knows about, with their NQN, transport type, and the addresses where they can be reached.

spdk_v26_01_migration/lib/nvmf/nvmf.c · lines 338-353 nvmf_add_discovery_subsystem — the always-on discovery svc

Every nvmf_tgt process creates a discovery subsystem as part of startup. It is always present; you cannot delete it.

static int
nvmf_add_discovery_subsystem(void)
{
    struct spdk_nvmf_subsystem *subsystem;

    subsystem = spdk_nvmf_subsystem_create(g_spdk_nvmf_tgt,
                                           SPDK_NVMF_DISCOVERY_NQN,
                                           SPDK_NVMF_SUBTYPE_DISCOVERY_CURRENT,
                                           0);
    if (subsystem == NULL) {
        SPDK_ERRLOG("Failed creating discovery nvmf library subsystem\n");
        return -1;
    }

    spdk_nvmf_subsystem_set_allow_any_host(subsystem, true);
    return 0;
}

Note the allow_any_host = true. Discovery is meant to be open to all initiators — otherwise how would you find anything? The discovery subsystem also can't have namespaces (the num_ns argument is 0, and the create function at lib/nvmf/subsystem.c:240 enforces this).

sequenceDiagram
participant Init as Initiator (kernel driver)
participant DiscTgt as Target's discovery svc
participant RegTgt as Target's regular subsystem

Init->>DiscTgt: nvme connect (subnqn = nqn.2014-08...discovery, traddr = 10.0.0.1, RDMA)
DiscTgt-->>Init: connect OK
Init->>DiscTgt: Get Log Page 0x01
DiscTgt-->>Init: discovery log: [nqn-A on 10.0.0.1:4420 RDMA, nqn-B on 10.0.0.1:4421 RDMA]
Init->>RegTgt: nvme connect (subnqn = nqn-A, traddr = 10.0.0.1, RDMA)
RegTgt-->>Init: connect OK, ctrlr created

fig. 2 — discovery flow · tap or scroll to zoom · ↗ for fullscreen

fig. 2 The initiator first connects to the discovery service (the fixed NQN), pulls a list of available subsystems, then connects to whichever one it actually wants. The discovery controller has no namespaces; it only serves the log page.

Host NQN — the iSCSI IQN equivalent

Every initiator has an identifier, just like every iSCSI initiator has an IQN. It's called the Host NQN and it goes into the connect_data at connect time. The target uses it to decide whether the initiator is allowed to talk to the subsystem.

By default, a subsystem is locked to a list of allowed Host NQNs — spdk_nvmf_subsystem_add_host. Only initiators in the list (or those allowed by the global allow_any_host = true) can connect. The well-known discovery NQN is normally open to everyone; production I/O subsystems should be locked down.

The Host NQN lives in /etc/nvme/hostnqn on a Linux initiator. It's persistent across reboots and uniquely identifies a single physical machine. For a VM, it's whatever was set when the VM was provisioned; in some hyperscaler environments it's derived from the VM UUID.

spdk_v26_01_migration/include/spdk/nvmf.h · lines 752-780 spdk_nvmf_subsystem_add_host — the allow-list API

/**
 * Allow the given host NQN to connect to the given subsystem.
 * Adding a host that's already allowed results in an error.
 */
int spdk_nvmf_subsystem_add_host(struct spdk_nvmf_subsystem *subsystem,
                                 const char *hostnqn,
                                 const struct spdk_json_val *params);

Admin queue vs I/O queues, across the network

NVMe-oF keeps NVMe's two-queue model. Every connection carries one admin queue and zero or more I/O queues.

STEP 01

TCP/RDMA Connect

synchronous transport-level handshake

→

STEP 02

Fabrics Connect

admin qpair creates the controller

→

STEP 03

Property Get/Set

negotiate queue count, size, etc.

→

STEP 04

Create I/O Qpairs

controller grows I/O qpairs as requested

→

STEP 05

I/O commands

submit + complete on I/O qpairs

→

STEP 06

Keep Alive

admin qpair periodic, prevents timeout

Transport-level connect. For TCP this is a socket accept(). For RDMA this is an RDMA CM RECV + SEND exchange. For VFIO-user it's a connection to the vfio-user socket. The transport creates a "qpair" object but it has no NVMe state yet.
Fabrics Connect. The initiator sends the first NVMe capsule on this qpair: a Connect command with sqes, recfmt, the subsystem NQN, the host NQN, and the controller ID (or a request for a dynamic one). The target validates the host NQN against the subsystem's allow list, creates a spdk_nvmf_ctrlr, and replies.
Property Get/Set. Admin commands. The initiator asks for the controller's limits and tunes its queue count, queue size, and the keep-alive timer.
Create I/O Qpairs. Each new I/O qpair is a separate connection (a separate TCP socket, a separate RDMA QP). The initiator sends Connect on each one with the same subsystem NQN and the same controller ID; the target looks up the existing controller and attaches the new qpair to it.
I/O commands. Read, write, flush, etc. Each goes to a specific NSID. The target's spdk_nvmf_ns translates NSID + bdev_io into a spdk_bdev_io and dispatches to the bdev stack.
Keep Alive. The initiator sends periodic Keep Alive admin commands so the target knows the connection is still alive. If the timer expires, the target assumes the connection is dead and tears it down.

Edge cases & what trips people up

NVMe-oF is a small protocol, but it has a long list of small places where the implementation can surprise you. These are the ones we actually hit in production.

The target disappears mid-I/O

A host writes 4KB to a bdev. The bdev layer dispatches the I/O. The transport detects that the remote side closed the connection (TCP RST, RDMA CM event, vfio-user disconnect). What happens to the in-flight I/O?

The transport marks the qpair disconnected. The spdk_nvmf_qpair_disconnect function at include/spdk/nvmf.h:508 schedules a callback that aborts all in-flight I/O on the qpair with NVME_SC_ABORTED_BY_HOST or NVME_SC_HOST_PATH_ERROR depending on the cause. The application sees the I/O fail. The target's underlying bdev never gets the I/O; from its point of view, the request was aborted before it executed.

The namespace is removed while the host is connected

The target admin removes a namespace from a subsystem. What happens to the host's /dev/nvmeXnY?

NVMe-oF has a feature for this: AEN — Asynchronous Event Notifications. The target sends an AEN to every controller that has the removed namespace in its visible list, and the kernel re-issues Identify Namespace which now returns "NSID not in use." The block device stays in the kernel; new I/O to the removed NSID fails. The host's I/O stack handles the failure like any other I/O error.

What you cannot do: silently keep the bdev open and let writes land in a now-orphaned namespace. The framework's removal path will close the bdev desc. The spdk_nvmf_ns struct, the ns->desc field, and the bdev channel are all torn down by the time the removal completes.

Multiple paths to the same subsystem

You have two paths: RDMA on 10.0.0.1:4420 and TCP on 10.0.0.1:4430. Both lead to the same NQN. The host connects to both. Does the target create one controller or two?

The target creates one controller, with two qpairs. The Connect command on the second connection matches the existing controller by NQN + host NQN + subsystem, and the new qpair is attached to the same controller. This is by design: it makes multipath I/O work, and the host sees one block device with two paths under /sys/class/nvme.

The catch: each qpair gets its own set of in-flight I/O. The target's qpair_mask tracks all of them. When all qpairs are gone, the controller is destroyed.

Persistent reservations

SCSI had persistent reservations (PRs); NVMe has them too, in the form of Reservation Register, Reservation Acquire, and Reservation Release commands. The semantics are similar: a host can take an exclusive reservation on a namespace, and other hosts get I/O errors until it's released.

For SPDK as a target, the relevant point is that spdk_nvmf_subsystem_add_ns_ext initializes the namespace's reservation_info to all-zero. The reservation state lives in the namespace struct, not the controller. A controller can ask for a reservation; the reservation check is per-namespace. Two controllers on the same namespace can collide on a reservation; only one holds it at a time.

What to take away

NVMe-oF gives the NVMe command set a network. The new words are subsystem (the unit of export), namespace (one bdev, one NSID), listener (a network address on the target), and controller (one initiator's runtime state on one subsystem). The discovery subsystem is the always-on way to find the others. Every controller is owned by one SPDK thread; every namespace is a single open bdev desc; every listener is a transport address paired with a subsystem NQN.

The next page — nvmf_tgt — is about the binary that ties all four of these together, the state machine it walks at startup, and what happens when you push it hard.