Bug 1254422 - [RFE]Add option to specify the initiator for qemu-img to login iscsi target
Summary: [RFE]Add option to specify the initiator for qemu-img to login iscsi target
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jeff Cody
QA Contact: Ping Li
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2015-08-18 05:30 UTC by Qian Guo
Modified: 2018-03-22 03:20 UTC

Fixed In Version: qemu-kvm-rhev-2.9.0-1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 23:29:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
config with default initiator name iqn.2008-11.org.linux-kvm (7.13 KB, text/plain)
2017-04-20 02:30 UTC, Ping Li
config with self define initiator name iqn.2017-04.com.example:client (7.14 KB, text/plain)
2017-04-20 02:31 UTC, Ping Li


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 20:04:36 UTC

Description Qian Guo 2015-08-18 05:30:52 UTC
Description of problem:
When setting up an iSCSI target, we always have an ACL on some iSCSI LUN that allows the corresponding host, with its initiator name, to log in to it.

If qemu-img on the host tries to access the LUN via libiscsi:native, it cannot use the initiator name of the host; it can only use the qemu-kvm default initiator name (iqn.2008-11.org.linux-kvm).

I think we should add some options for qemu-img that can change its initiator name.

PS.
For qemu-kvm, one can use -scsi initiator-name to use the host's initiator name.

Version-Release number of selected component (if applicable):
qemu-img-rhev-2.3.0-18.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Fam Zheng 2015-09-11 06:11:26 UTC
Posted to upstream:

http://patchwork.ozlabs.org/patch/516598/

Comment 5 Fam Zheng 2016-03-07 04:27:11 UTC
This will be supported in QEMU 2.6 with Daniel P. Berrange's QCryptoSecret API work:

commit b189346eb1784df95ed6fed610411dbf23d19e1f
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Thu Jan 21 14:19:21 2016 +0000

    iscsi: add support for getting CHAP password via QCryptoSecret API
    
    The iSCSI driver currently accepts the CHAP password in plain text
    as a block driver property. This change adds a new "password-secret"
    property that accepts the ID of a QCryptoSecret instance.
    
      $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
                user=dan,password-secret=sec0
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Message-id: 1453385961-10718-4-git-send-email-berrange@redhat.com
    Signed-off-by: Jeff Cody <jcody@redhat.com>


commit eb769f74205e0906bdb45eeeb332c40b50b1dcb7
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Feb 17 10:10:20 2016 +0000

    qemu-img: allow specifying image as a set of options args
    
    Currently qemu-img allows an image filename to be passed on the
    command line, but unless using the JSON format, it does not have
    a way to set any options except the format eg
    
       qemu-img info https://127.0.0.1/images/centos7.iso
    
    This adds a --image-opts arg that indicates that the positional
    filename should be interpreted as a full option string, not
    just a filename.
    
       qemu-img info --image-opts driver=https,url=https://127.0.0.1/images,sslverify=off
    
    This flag is mutually exclusive with the '-f' / '-F' flags.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Signed-off-by: Kevin Wolf <kwolf@redhat.com>

commit 3babeb153caab765e6a66ba1e0a12ff0c3b51a4e
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Feb 17 10:10:17 2016 +0000

    qemu-img: add support for --object command line arg
    
    Allow creation of user creatable object types with qemu-img
    via a new --object command line arg. This will be used to supply
    passwords and/or encryption keys to the various block driver
    backends via the recently added 'secret' object type.
    
     # printf letmein > mypasswd.txt
     # qemu-img info --object secret,id=sec0,file=mypasswd.txt \
          ...other info args...
    
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Signed-off-by: Kevin Wolf <kwolf@redhat.com>

Comment 6 Mike McCune 2016-03-28 22:35:49 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune@redhat.com with any questions.

Comment 8 Fam Zheng 2016-09-13 10:57:27 UTC
The example in b189346eb1784df95ed6fed610411dbf23d19e1f commit message is inaccurate. Only -iscsi in QEMU command line options recognizes password-secret, which is unavailable in qemu-img. We need more work to add user/password/password-secret in upstream to support that.

Comment 9 Fam Zheng 2016-09-13 10:59:31 UTC
Probably a new version of my previous patch

https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03032.html

that also includes password-secret can be proposed again.

Comment 13 Jeff Cody 2017-02-21 16:36:25 UTC
Sent a pull request upstream that contains patches for this feature:

https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04873.html

Comment 14 Jeff Cody 2017-02-21 18:30:22 UTC
Applied to qemu upstream master

Comment 15 Ping Li 2017-03-15 10:35:54 UTC
Hi Jeff,

Could you share how to specify the initiator-name via qemu-img, and give some suggestions for QE to verify this BZ? Thanks in advance.

Comment 16 Jeff Cody 2017-03-21 16:21:00 UTC
Hi,

It probably makes sense to add testing for a custom initiator, with 3 scenarios:

1. No authentication required
2. Authentication passed solely via options
3. Authentication using qemu's 'object' option for the secret password


Here are examples for all three:

1). An iscsi target that does not need authentication:

qemu-img info --image-opts file.driver=iscsi,file.target=iqn.2017-01.com.quasiquark:for.all,file.transport=tcp,file.lun=1,file.portal=192.168.15.180


2). Using user/password authentication (in this example, user=redhat, password=test):

qemu-img info --image-opts file.driver=iscsi,file.target=iqn.2017-01.com.quasiquark:for.all,file.transport=tcp,file.lun=1,file.portal=192.168.15.180,file.user=redhat,file.password=test


3). Using the password secret object method with qemu-img to make it more secure:

A. First create the file with the password in it (note: do not include a newline at the end!):

echo -n "test" > password.txt

B. Now invoke qemu-img as above, but use the object mechanism and the password-secret option for iscsi:

qemu-img info --object secret,id=sec0,file=password.txt \
                --image-opts \
file.driver=iscsi,\
file.target=iqn.2017-01.com.quasiquark:for.all,\
file.transport=tcp,\
file.lun=1,\
file.portal=192.168.15.180,\
file.user=redhat,file.password-secret=sec0
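
Added example, not part of the comment above or of QEMU: scenario 3 combined with the custom initiator name this RFE asks for. Scenario 2's file.password= value appears in the process's command line (ps, /proc/PID/cmdline), so this helper only ever emits file.password-secret and refuses a secret file that has a trailing newline or group/other access. The function names are hypothetical, the initiator IQN is the one from the second attachment's title, and file.initiator-name is the upstream iscsi driver option, which the comment itself does not show.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not QEMU's.

# QEMU option strings use "," as a separator; a literal comma is written ",,".
esc() { printf '%s' "$1" | sed 's/,/,,/g'; }

# Write the CHAP password to an owner-only file with no trailing newline.
write_secret() {  # $1=path $2=password
    ( umask 077 && printf '%s' "$2" > "$1" ) && chmod 600 "$1"
}

# Return 0 only if the secret file is fit to pass to --object secret.
check_secret() {  # $1=path
    [ -f "$1" ] && [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    # A trailing newline would become part of the CHAP password.
    if [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
        echo "trailing newline in $1" >&2; return 2
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ] || { echo "group/other access on $1" >&2; return 3; }
}

# Print the qemu-img arguments, one per line; the password itself never appears.
# $1=secret file $2=portal $3=target $4=lun $5=user $6=initiator IQN
qemu_img_iscsi_args() {
    check_secret "$1" || return
    opts="file.driver=iscsi,file.transport=tcp,file.portal=$2"
    opts="$opts,file.target=$3,file.lun=$4,file.user=$(esc "$5")"
    opts="$opts,file.password-secret=sec0,file.initiator-name=$6"
    printf '%s\n' info --object "secret,id=sec0,file=$(esc "$1")" --image-opts "$opts"
}

# Demo with constructed values: portal, target, user and password are the ones
# used in the comment; the initiator IQN comes from the attachment title.
dir=$(mktemp -d) && write_secret "$dir/chap.pw" test &&
    qemu_img_iscsi_args "$dir/chap.pw" 192.168.15.180 \
        iqn.2017-01.com.quasiquark:for.all 1 redhat iqn.2017-04.com.example:client
rm -rf "$dir"
```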

Comment 19 Ping Li 2017-04-20 02:30 UTC
Created attachment 1272831
config with default initiator name iqn.2008-11.org.linux-kvm

Comment 20 Ping Li 2017-04-20 02:31 UTC
Created attachment 1272832
config with self define initiator name iqn.2017-04.com.example:client

Comment 25 errata-xmlrpc 2017-08-01 23:29:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
