Bug 1425757

Summary:	RFE: add support for securely passing passwords to iSCSI block drivers
Product:	Red Hat Enterprise Linux 7	Reporter:	Daniel Berrangé <berrange>
Component:	libvirt	Assignee:	John Ferlan <jferlan>
Status:	CLOSED ERRATA	QA Contact:	yisun
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.4	CC:	berrange, chayang, coli, dyuan, jdenemar, juzhang, knoel, lmen, michen, mrezanin, mtessun, ngu, virt-maint, xfu, xuzhang
Target Milestone:	rc	Keywords:	FutureFeature
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	libvirt-4.3.0-1.el7	Doc Type:	Enhancement
Doc Text:		Story Points:	---
Clone Of:	1301057	Environment:
Last Closed:	2018-10-30 09:49:43 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1301057
Bug Blocks:	1182074

Comment 2 Daniel Berrangé 2017-02-22 10:32:39 UTC

This bug is to track the piece of  Bug 1301057 that we were not able to implement in 7.3 - iSCSI support. The password-secret option was originally provided against the -iscsi option, but we didn't realize you could not reliably associated -iscsi to the -drive iscsi,.... arg.

QEMU has now made all the -iscsi options available directly with the -drive iscsi config, making -iscsi obsolete. So we can now provide the password secret support in libvirt. See bug 1379034 for the QEMU part.

Comment 4 John Ferlan 2017-09-05 19:13:17 UTC

Patches posted upstream:

https://www.redhat.com/archives/libvir-list/2017-September/msg00100.html

Comment 5 John Ferlan 2017-10-05 13:23:41 UTC

Numerous updates since comment 4, now at v5:

https://www.redhat.com/archives/libvir-list/2017-October/msg00228.html

Comment 6 John Ferlan 2017-11-24 17:06:53 UTC

After a few reposts and waiting, upstream v6:

https://www.redhat.com/archives/libvir-list/2017-November/msg00309.html

has been pushed.

Comment 8 John Ferlan 2017-12-13 20:21:17 UTC

The original series was pushed as part of libvirt-3.9.0.

After pushing while working on something else, I realized there's one adjustment needed for the hotplug code... details are in the patch, see: 

https://www.redhat.com/archives/libvir-list/2017-December/msg00165.html

that was pushed in libvirt-4.0.0 as commit id '6050affb'

Comment 10 yisun 2018-06-21 08:59:19 UTC

Verified with libvirt-4.4.0-2.virtcov.el7.x86_64


Test with latest libvirt but old qemu-kvm
# rpm -qa | egrep "qemu-kvm-rhev|libvirt-4"
libvirt-4.4.0-2.virtcov.el7.x86_64
qemu-kvm-rhev-2.6.0-28.el7_3.17.x86_64

1. prepare a libvirt secret and use it in vm
# virsh dumpxml avocado-vt-vm1
...
<disk type='network' device='disk'>
    <driver name='qemu' type='raw'/>
    <source protocol='iscsi' name='iqn.2013-10.com.example:iscsi/0'>
        <host name='127.0.0.1' port='3260'/>
    </source>
    <auth username='rhat'>
        <secret type='iscsi' uuid='41437de7-4871-476d-8b06-b2d9a140df8d'/>
    </auth>
    <target dev='vdb' bus='virtio'/>
</disk>

2. start the vm and check the qemu process
# ps -ef | grep avocado-vt-vm1 | grep rhat
qemu      8867     1  8 04:31 ?        00:00:23 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,... -drive file=iscsi://rhat:rhatrhat.0.1:3260/iqn.1992-01.com.example/0,format=raw,if=none,id=drive-virtio-disk1 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk1,id=virtio-disk1 ...

<==== password is in plaintext since rfe1379034 not involved in this qemu-kvm version, this is expected 



Test with latest libvirt and qemu
# rpm -qa | egrep "qemu-kvm-rhev|libvirt-4"
qemu-kvm-rhev-2.12.0-4.el7.x86_64
libvirt-4.4.0-2.virtcov.el7.x86_64

1. prepare a libvirt secret and use it in vm as virtual disk
# virsh dumpxml avocado-vt-vm1
...
<disk type='network' device='disk'>
    <driver name='qemu' type='raw'/>
    <source protocol='iscsi' name='iqn.2013-10.com.example:iscsi/0'>
        <host name='127.0.0.1' port='3260'/>
    </source>
    <auth username='rhat'>
        <secret type='iscsi' uuid='41437de7-4871-476d-8b06-b2d9a140df8d'/>
    </auth>
    <target dev='vdb' bus='virtio'/>
</disk>

# virsh start avocado-vt-vm1

# ps -ef | grep avocado-vt-vm1 | grep rhat
qemu      9392     1 92 04:38 ?        00:00:01 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object secret,id=masterKey0 ...
-drive file.driver=iscsi,file.portal=127.0.0.1:3260,file.target=iqn.1992-01.com.example,file.lun=0,file.transport=tcp,file.user=rhat,file.password-secret=virtio-disk1-secret0,format=raw,if=none,id=drive-virtio-disk1 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk1,id=virtio-disk1
<==== now the password is not plaintext 

2. prepare a libvirt secret and use it in vm as hostdev
#virsh dumpxml avocado-vt-vm1
...
    <hostdev mode='subsystem' type='scsi' managed='no'>
      <source protocol='iscsi' name='iqn.1992-01.com.example/0'>
        <host name='127.0.0.1' port='3260'/>
        <auth username='rhat'>
          <secret type='iscsi' usage='libvirtiscsi'/>
        </auth>
      </source>
      <alias name='hostdev0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </hostdev>

# virsh start avocado-vt-vm1

# ps -ef | grep avocado-vt-vm1 | grep rhat
qemu     10038     1 83 04:45 ?        00:00:03 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object secret,id=masterKey0... -drive file.driver=iscsi,file.portal=127.0.0.1:3260,file.target=iqn.1992-01.com.example,file.lun=0,file.transport=tcp,file.user=rhat,file.password-secret=hostdev0-secret0,if=none,format=raw,id=drive-hostdev0...
<==== now the password is not plaintext

Comment 12 errata-xmlrpc 2018-10-30 09:49:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113