Bug 1789310

Summary: Virtual iscsi disk's authenticate lost when save the domain
Product: Red Hat Enterprise Linux Advanced Virtualization Reporter: gaojianan <jgao>
Component: libvirtAssignee: Peter Krempa <pkrempa>
Status: CLOSED ERRATA QA Contact: gaojianan <jgao>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.2CC: jdenemar, jgao, lcheng, lmen, pkrempa, smitterl, xuzhang, yisun
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-6.0.0-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-05 09:55:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description gaojianan 2020-01-09 10:25:21 UTC 
Description of problem:
Virtual iscsi disk's authenticate lost when save the domain

Version-Release number of selected component (if applicable):
libvirt-5.10.0-1.module+el8.2.0+5135+ed3b2489.x86_64
qemu-kvm-4.2.0-5.module+el8.2.0+5389+367d9739.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Prepare a guest with authenticate iscsi lun
   <disk type='network' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='threads' discard='unmap' detect_zeroes='on'/>
      <source protocol='iscsi' name='iqn.2020-01.com.virttest:disk-pool-auth.target/0'>
        <host name='10.66.85.243' port='3260'/>
        <initiator>
          <iqn name='iqn.2020-01.com.example:authclient'/>
        </initiator>
        <auth username='redhat'>
          <secret type='iscsi' uuid='3d714d03-e23c-4b0d-b794-3450bd750bf4'/>
        </auth>
      </source>
      <target dev='vdf' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='5'/>
    </disk>

# virsh secret-list
 UUID                                   Usage
----------------------------------------------------------------------------------------
 3d714d03-e23c-4b0d-b794-3450bd750bf4   iscsi libvirtiscsi

# MYSECRET=`printf %s "redhat" | base64`


# virsh secret-set-value 3d714d03-e23c-4b0d-b794-3450bd750bf4 $MYSECRET
Secret value set

# virsh domblklist demo 
 target   source
-------------------------------------------------------------------------
 vda    /var/lib/libvirt/images/RHEL-8.2.0-20191219.0-x86_64-ovmf.qcow2
 vdb    /var/lib/libvirt/images/raw.img
 vdf    iqn.2020-01.com.virttest:disk-pool-auth.target/0

2.Make an external snapshot for the domain and then save the domain:
# virsh snapshot-create-as demo --disk-only  --diskspec vdf,file=/tmp/iscsi.s1
snapshot created 1578564908

# virsh save demo /tmp/demo.save1

# qemu-img info /tmp/demo.save1 
image: /tmp/demo.save1
file format: raw
virtual size: 356 MiB (373433856 bytes)
disk size: 356 MiB

3.Try to restore the domain from the file:
# virsh restore /tmp/demo.save1 
error:internal error: process exited while connecting to monitor: 2020-01-09T10:17:38.885996Z qemu-kvm: -blockdev {"driver":"iscsi","portal":"10.66.85.243:3260","target":"iqn.2020-01.com.virttest:disk-pool-auth.target","lun":0,"transport":"tcp","initiator-name":"iqn.2020-01.com.example:authclient","node-name":"libvirt-2-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}: iSCSI: Failed to connect to LUN : Failed to log in to target. Status: Authentication failure(513)

But it still can be started:
# virsh start demo 
Domain demo started
And the authencation still exists in the xml  by checking with "dumpxml"

But in /tmp/demo.save1 ,it lost
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' io='threads' discard='unmap' detect_zeroes='on'/>
      <source file='/tmp/iscsi.s1'/>
      <backingStore type='network'>
        <format type='raw'/>
        <source protocol='iscsi' name='iqn.2020-01.com.virttest:disk-pool-auth.target/0'>
          <host name='10.66.85.243' port='3260'/>
          <initiator>
            <iqn name='iqn.2020-01.com.example:authclient'/>
          </initiator>
        </source>
      </backingStore>
      <target dev='vdf' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='5'/>
    </disk>

Actual results:
As step 3

Expected results:
The authenticate info should be kept when execute "virsh save",so we can restore from the saving file.

Additional info:
This bug is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1788898 but in different function.
Comment 1 Peter Krempa 2020-01-13 12:00:42 UTC 
Fixed upstream:

commit 3f2d167d9c733f588e693d44d7aa9b21dcb415c7 (HEAD -> master, origin/master, origin/HEAD)
Author: Peter Krempa <pkrempa>
Date:   Fri Jan 10 17:25:16 2020 +0100

    conf: Always format storage source auth and encryption under <source> for backing files
    
    Historically there are two places where we format authentication and
    encryption for a disk. The logich which formats it for backing files was
    flawed though and didn't format it at all. This worked if the image
    became a backing file through the means of a snapshot but not directly.
    
    Force formatting of the source and encryption for any non-disk case to
    fix the issue.
    
    This caused problems in many places as we use the formatter to copy the
    definition. Effectively any copy lost the secret definition.
Comment 3 gaojianan 2020-02-03 02:00:27 UTC 
Verified on :
libvirt-6.0.0-2.virtcov.el8.x86_64
qemu-kvm-4.2.0-8.module+el8.2.0+5607+dc756904.x86_64

Step:
1.Start a guest with authenticate iscsi lun
...
   <disk type='network' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='threads' discard='unmap' detect_zeroes='on'/>
      <source protocol='iscsi' name='iqn.2020-01.com.virttest:disk-pool-auth.target/0'>
        <host name='10.66.85.243' port='3260'/>
        <initiator>
          <iqn name='iqn.2020-01.com.example:authclient'/>
        </initiator>
        <auth username='redhat'>
          <secret type='iscsi' uuid='3d714d03-e23c-4b0d-b794-3450bd750bf4'/>
        </auth>
      </source>
      <target dev='vdf' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='5'/>
    </disk>
...

2.Create external snapshot and save the domain
# virsh snapshot-create-as demo  --disk-only --diskspec vdf,file=/tmp/iscsi.s1
Domain snapshot 1580694814 created

# virsh save demo /tmp/demo.save

Domain demo saved to /tmp/demo.save

[root@jgao-test1 ~]# qemu-img info /tmp/demo.save 
image: /tmp/demo.save
file format: raw
virtual size: 43.6 MiB (45769728 bytes)
disk size: 43.7 MiB

Check the /tmp/demo.save,still can found the part of source and encryption.

3.Restore the domain and check the domain xml
# virsh restore /tmp/demo.save 
Domain restored from /tmp/demo.save

Can still found the encryption part
<source protocol='iscsi' name='iqn.2020-01.com.virttest:disk-pool-auth.target/0'>
          <host name='10.66.85.243' port='3260'/>
          <initiator>
            <iqn name='iqn.2020-01.com.example:authclient'/>
          </initiator>
          <auth username='redhat'>
            <secret type='iscsi' uuid='3d714d03-e23c-4b0d-b794-3450bd750bf4'/>
          </auth>
        </source>

Work as expected
Comment 5 errata-xmlrpc 2020-05-05 09:55:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2017