Bug 1474209

Summary: [RFE] - Hosted Engine: iSCSI Setup Should use different User/Password For Discovery and Portal
Product: Red Hat Enterprise Virtualization Manager
Reporter: Rhys Oxenham <roxenham>
Component: ovirt-hosted-engine-setup
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Nikolai Sednev <nsednev>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.1.3
CC: dfediuck, lsurette, mavital, trichard, ykaul, ylavi
Target Milestone: ovirt-4.2.2
Keywords: FutureFeature, Triaged
Target Release: ---
Flags: nsednev: testing_plan_complete+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, hosted-engine-setup assumed that the user set the same CHAP username and password for both iSCSI discovery and iSCSI login. Now, the user can pass different username and password couples for iSCSI discovery and iSCSI login at setup time.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-15 17:32:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1353713
Bug Blocks: 1551828

Description Rhys Oxenham 2017-07-24 07:18:54 UTC
Description of problem:

I'm trying to utilise an iSCSI target that has no user credentials to discover targets, but has an ACL on a specific target. The hosted engine setup script (or via the WebUI) only permits authentication to be set for the initial portal login. Therefore it fails to connect to the target, and the setup fails.

Version-Release number of selected component (if applicable):

RHV 4.1.3 (based on RHVH-4.1-20170706.1-RHVH-x86_64-dvd1.iso)

[root@node06 ~]# nodectl info
layers:
  rhvh-4.1-0.20170706.0:
    rhvh-4.1-0.20170706.0+1
bootloader:
  default: rhvh-4.1-0.20170706.0+1
  entries:
    rhvh-4.1-0.20170706.0+1:
      index: 0
      title: rhvh-4.1-0.20170706.0
      kernel: /boot/rhvh-4.1-0.20170706.0+1/vmlinuz-3.10.0-514.26.1.el7.x86_64
      args: "ro crashkernel=auto rd.lvm.lv=rhvh_node06/rhvh-4.1-0.20170706.0+1 rd.lvm.lv=rhvh_node06/swap biosdevname=0 rhgb quiet LANG=en_US.UTF-8 img.bootid=rhvh-4.1-0.20170706.0+1"
      initrd: /boot/rhvh-4.1-0.20170706.0+1/initramfs-3.10.0-514.26.1.el7.x86_64.img
      root: /dev/rhvh_node06/rhvh-4.1-0.20170706.0+1
current_layer: rhvh-4.1-0.20170706.0+1

How reproducible:

Every time

Steps to Reproduce:
1. Create an iSCSI target with no auth on the portal, but an ACL on a target
2. Attempt hosted engine setup and point to the target
3. Watch it fail to connect to the target and setup fail

Actual results:

Setup fails to proceed, or allow you to specify ACL/credentials for the target LUN.

Expected results:

Either provide an option to specify credentials before the target connection attempt, or upon failure offer an option to specify them then.

Additional info:

2017-07-24 03:02:41 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QStart: OVEHOSTED_STORAGE_ISCSI_IP_ADDR
2017-07-24 03:02:41 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ### Please specify the iSCSI portal IP address:
2017-07-24 03:02:41 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QHidden: FALSE
2017-07-24 03:02:41 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ***Q:STRING OVEHOSTED_STORAGE_ISCSI_IP_ADDR
2017-07-24 03:02:41 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QEnd: OVEHOSTED_STORAGE_ISCSI_IP_ADDR
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:RECEIVE    10.x.x.x
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QStart: OVEHOSTED_STORAGE_ISCSI_IP_PORT
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ### Please specify the iSCSI portal port [3260]:
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QDefault: 3260
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QHidden: FALSE
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ***Q:STRING OVEHOSTED_STORAGE_ISCSI_IP_PORT
2017-07-24 03:05:24 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QEnd: OVEHOSTED_STORAGE_ISCSI_IP_PORT
2017-07-24 03:05:25 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:RECEIVE    3260
2017-07-24 03:05:25 DEBUG otopi.plugins.gr_he_setup.storage.blockd dialog.queryEnvKey:90 queryEnvKey called for key OVEHOSTED_STORAGE/iSCSIPortalUser
2017-07-24 03:05:25 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QStart: OVEHOSTED_STORAGE_ISCSI_USER
2017-07-24 03:05:25 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ### Please specify the iSCSI portal user:
2017-07-24 03:05:25 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QHidden: FALSE
2017-07-24 03:05:25 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ***Q:STRING OVEHOSTED_STORAGE_ISCSI_USER
2017-07-24 03:05:25 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QEnd: OVEHOSTED_STORAGE_ISCSI_USER
2017-07-24 03:05:26 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_discovery:320 {'status': {'message': 'Done', 'code': 0}, 'items': [u'10.x.x.x:3260,1 iqn.2017-07.com.rhv:t1']}
2017-07-24 03:05:26 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_discovery:337 found: [{'tgpt': u'1', 'iqn': u'iqn.2017-07.com.rhv:t1', 'portal_hostname': u'10.x.x.x', 'portal_port': u'3260'}]
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QStart: OVEHOSTED_STORAGE_ISCSI_TARGET
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ### Please specify the target name (iqn.2017-07.com.rhv:t1) [iqn.2017-07.com.rhv:t1]:
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QDefault: iqn.2017-07.com.rhv:t1
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QValidValues: iqn.2017-07.com.rhv:t1
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QHidden: FALSE
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       ***Q:STRING OVEHOSTED_STORAGE_ISCSI_TARGET
2017-07-24 03:05:26 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:SEND       **%QEnd: OVEHOSTED_STORAGE_ISCSI_TARGET
2017-07-24 03:05:56 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:204 DIALOG:RECEIVE    iqn.2017-07.com.rhv:t1
2017-07-24 03:05:56 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_get_lun_list:347 {'status': {'message': 'Done', 'code': 0}}
2017-07-24 03:05:56 INFO otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_get_lun_list:359 Discovering iSCSI node
2017-07-24 03:05:57 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_discovery:320 {'status': {'message': 'Done', 'code': 0}, 'items': [u'10.x.x.x:3260,1 iqn.2017-07.com.rhv:t1']}
2017-07-24 03:05:57 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_discovery:337 found: [{'tgpt': u'1', 'iqn': u'iqn.2017-07.com.rhv:t1', 'portal_hostname': u'10.x.x.x', 'portal_port': u'3260'}]
2017-07-24 03:05:57 INFO otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_get_lun_list:366 Connecting to the storage server
2017-07-24 03:05:58 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_get_lun_list:347 {'status': {'message': 'Done', 'code': 0}}
2017-07-24 03:05:58 INFO otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_get_lun_list:359 Discovering iSCSI node
2017-07-24 03:05:58 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_discovery:320 {'status': {'message': 'Done', 'code': 0}, 'items': [u'10.x.x.x:3260,1 iqn.2017-07.com.rhv:t1']}
2017-07-24 03:05:58 DEBUG otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_discovery:337 found: [{'tgpt': u'1', 'iqn': u'iqn.2017-07.com.rhv:t1', 'portal_hostname': u'10.x.x.x', 'portal_port': u'3260'}]
2017-07-24 03:05:58 INFO otopi.plugins.gr_he_setup.storage.blockd blockd._iscsi_get_lun_list:366 Connecting to the storage server
2017-07-24 03:06:00 DEBUG otopi.context context._executeMethod:142 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-setup/storage/blockd.py", line 615, in _customization
    lunGUID = self._customize_lun(self.domainType, target)
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-setup/storage/blockd.py", line 208, in _customize_lun
    iqn=target,
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-setup/storage/blockd.py", line 389, in _iscsi_get_lun_list
    raise RuntimeError("Unable to retrieve the list of LUN(s) please "
RuntimeError: Unable to retrieve the list of LUN(s) please check the SELinux log and settings on your iscsi target
2017-07-24 03:06:00 ERROR otopi.context context._executeMethod:151 Failed to execute stage 'Environment customization': Unable to retrieve the list of LUN(s) please check the SELinux log and settings on your iscsi target
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:760 ENVIRONMENT DUMP - BEGIN
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:770 ENV BASE/error=bool:'True'
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:770 ENV BASE/exceptionInfo=list:'[(<type 'exceptions.RuntimeError'>, RuntimeError('Unable to retrieve the list of LUN(s) please check the SELinux log and settings on your iscsi target',), <traceback object at 0x4410710>)]'
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:770 ENV OVEHOSTED_STORAGE/iSCSIPortalIPAddress=str:'10.x.x.x'
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:770 ENV OVEHOSTED_STORAGE/iSCSIPortalPassword=str:''
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:770 ENV OVEHOSTED_STORAGE/iSCSIPortalPort=str:'3260'
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:770 ENV OVEHOSTED_STORAGE/iSCSIPortalUser=str:''
2017-07-24 03:06:00 DEBUG otopi.context context.dumpEnvironment:774 ENVIRONMENT DUMP - END
2017-07-24 03:06:00 INFO otopi.context context.runSequence:687 Stage: Clean up
2017-07-24 03:06:00 DEBUG otopi.context context.runSequence:691 STAGE cleanup

Comment 1 Rhys Oxenham 2017-07-24 07:23:22 UTC
I worked around this by removing all authentication and ACLs from my configuration with the following:

/iscsi/iqn.20...m.rhv:t1/tpg1> set attribute authentication=0
Parameter authentication is now '0'.
/iscsi/iqn.20...m.rhv:t1/tpg1> set attribute demo_mode_write_protect=0
Parameter demo_mode_write_protect is now '0'.
/iscsi/iqn.20...m.rhv:t1/tpg1> set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.

This allowed the setup to proceed...

The following luns have been found on the requested target:
[1]	3600140530f7bc68401a47f9b3819d3d6	97GiB	LIO-ORG	rhv_iscsi
status: free, paths: 1 active
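
Added example, not part of the original report or of the project's code: the three TPG attributes changed in the workaround above (`authentication`, `generate_node_acls`, `demo_mode_write_protect`) can be audited from a saved target configuration. The JSON layout is assumed to follow what targetcli/rtslib writes to `/etc/target/saveconfig.json`, and the sample below is constructed.

```python
import json

# Constructed sample, trimmed to the fields the check reads (assumed layout).
SAMPLE_SAVECONFIG = json.dumps({"targets": [
    {"fabric": "iscsi", "wwn": "iqn.2017-07.com.rhv:t1", "tpgs": [{
        "tag": 1, "node_acls": [],
        "attributes": {"authentication": 0, "generate_node_acls": 1,
                       "demo_mode_write_protect": 0}}]},
    {"fabric": "iscsi", "wwn": "iqn.2017-07.com.example:t2", "tpgs": [{
        "tag": 1,
        "node_acls": [{"node_wwn": "iqn.1994-05.com.example:node06",
                       "chap_userid": "login-user",
                       "chap_password": "constructed-secret"}],
        "attributes": {"authentication": 1, "generate_node_acls": 0,
                       "demo_mode_write_protect": 1}}]},
]})


def audit_tpgs(saveconfig_text):
    """Return (iqn, tpg_tag, findings) for each iSCSI TPG with a weak setting."""
    report = []
    for target in json.loads(saveconfig_text).get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            attrs = tpg.get("attributes", {})
            # Missing keys fall back to the LIO defaults.
            auth = int(attrs.get("authentication", 0))
            demo = int(attrs.get("generate_node_acls", 0))
            write_protect = int(attrs.get("demo_mode_write_protect", 1))
            findings = []
            if demo:
                findings.append("generate_node_acls=1: any initiator IQN is accepted")
            if not auth:
                findings.append("authentication=0: CHAP is not required")
            if demo and not write_protect:
                findings.append("demo_mode_write_protect=0: dynamic sessions can write")
            if findings:
                report.append((target["wwn"], tpg.get("tag"), findings))
    return report


if __name__ == "__main__":
    for iqn, tag, findings in audit_tpgs(SAMPLE_SAVECONFIG):
        print(iqn, "tpg%s" % tag, findings)
```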

Comment 2 Nikolai Sednev 2018-02-20 17:39:15 UTC
Works for me on these components on host:
rhvm-appliance-4.2-20180202.0.el7.noarch
ovirt-hosted-engine-ha-2.2.5-1.el7ev.noarch
ovirt-hosted-engine-setup-2.2.10-1.el7ev.noarch
Red Hat Enterprise Linux Server release 7.4 (Maipo)
Linux 3.10.0-693.19.1.el7.x86_64 #1 SMP Thu Feb 1 12:34:44 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

I've created different usernames and passwords for discovery and portal on iSCSI storage and with CHAP authentication, authenticated successfully and received all 5 paths provided by the storage.

 [ INFO  ] ok: [localhost]
           The following targets have been found:
                 [1]     iqn.2005-10.org.freenas.ctl:freenasshedeploymentstarget
                         TPGT: 1, portals:
                                 10.35.162.21:3260
                                 10.35.163.24:3260
                                 10.35.163.32:3260
                                 10.35.163.42:3260
                                 10.35.163.43:3260

Then continued with iSCSI deployment and successfully finished it.

Moving to verified.
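
Added example, not part of the original comment and not what hosted-engine-setup or VDSM run internally: on an open-iscsi initiator, discovery CHAP (`discovery.sendtargets.auth.*`) and login CHAP (`node.session.auth.*`) are stored in separate records, which is the distinction this RFE exposes at setup time. The helper names, portal address and credentials are constructed; the plan builder covers the reporter's case of unauthenticated discovery with CHAP on login.

```python
def _chap_updates(prefix, user, password):
    """Settings for one CHAP scope; no credentials means authmethod None."""
    if bool(user) != bool(password):
        raise ValueError(prefix + ": username and password must be set together")
    if not user:
        return [(prefix + ".authmethod", "None")]
    return [(prefix + ".authmethod", "CHAP"),
            (prefix + ".username", user),
            (prefix + ".password", password)]


def iscsiadm_plan(portal, iqn, discovery=(None, None), login=(None, None)):
    """Return iscsiadm argv lists: discovery record first, then node record."""
    disc = ["iscsiadm", "-m", "discoverydb", "-t", "sendtargets", "-p", portal]
    node = ["iscsiadm", "-m", "node", "-T", iqn, "-p", portal]
    plan = [disc + ["-o", "new"]]
    for name, value in _chap_updates("discovery.sendtargets.auth", *discovery):
        plan.append(disc + ["-o", "update", "-n", name, "-v", value])
    plan.append(disc + ["--discover"])
    for name, value in _chap_updates("node.session.auth", *login):
        plan.append(node + ["-o", "update", "-n", name, "-v", value])
    plan.append(node + ["--login"])
    return plan


def redacted(plan):
    """Copy of the plan that is safe to log: CHAP secrets are masked."""
    safe = []
    for argv in plan:
        argv = list(argv)
        if "-n" in argv and argv[argv.index("-n") + 1].endswith(".password"):
            argv[argv.index("-v") + 1] = "********"
        safe.append(argv)
    return safe


if __name__ == "__main__":
    # Constructed values: open discovery, CHAP-protected target login.
    plan = iscsiadm_plan("192.0.2.10:3260", "iqn.2017-07.com.rhv:t1",
                         login=("login-user", "constructed-secret"))
    for argv in redacted(plan):
        print(" ".join(argv))
```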

Comment 5 errata-xmlrpc 2018-05-15 17:32:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1471
