RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1254422 - [RFE]Add option to specify the initiator for qemu-img to login iscsi target
Summary: [RFE]Add option to specify the initiator for qemu-img to login iscsi target
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jeff Cody
QA Contact: Ping Li
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-18 05:30 UTC by Qian Guo
Modified: 2018-03-22 03:20 UTC (History)
10 users (show)

Fixed In Version: qemu-kvm-rhev-2.9.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 23:29:42 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
config with default initiator name iqn.2008-11.org.linux-kvm (7.13 KB, text/plain)
2017-04-20 02:30 UTC, Ping Li 		no flags Details
config with self define initiator name iqn.2017-04.com.example:client (7.14 KB, text/plain)
2017-04-20 02:31 UTC, Ping Li 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 20:04:36 UTC

Description Qian Guo 2015-08-18 05:30:52 UTC 
Description of problem:
When setup ISCSI target, we always has the acl of some iscsi lun, that allow the corresponding host with its initiator name to login it. 

If qemu-img in the host try to access the lun via libiscsi:native, it can not use the initiator name of the host, it only can use the qemu-kvm default initiator name(iqn.2008-11.org.linux-kvm). 

I think we should add some options for qemu-img that can change its initiator name.

PS.
For qemu-kvm, can use -scsi initiator-name to use the host's initiator name

Version-Release number of selected component (if applicable):
qemu-img-rhev-2.3.0-18.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Fam Zheng 2015-09-11 06:11:26 UTC 
Posted to upstream:

http://patchwork.ozlabs.org/patch/516598/
Comment 5 Fam Zheng 2016-03-07 04:27:11 UTC 
This will be supported in QEMU 2.6 with Daniel P. Berrange's QCryptoSecret API work:

commit b189346eb1784df95ed6fed610411dbf23d19e1f
Author: Daniel P. Berrange <berrange>
Date:   Thu Jan 21 14:19:21 2016 +0000

    iscsi: add support for getting CHAP password via QCryptoSecret API
    
    The iSCSI driver currently accepts the CHAP password in plain text
    as a block driver property. This change adds a new "password-secret"
    property that accepts the ID of a QCryptoSecret instance.
    
      $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
                user=dan,password-secret=sec0
    
    Signed-off-by: Daniel P. Berrange <berrange>
    Message-id: 1453385961-10718-4-git-send-email-berrange
    Signed-off-by: Jeff Cody <jcody>


commit eb769f74205e0906bdb45eeeb332c40b50b1dcb7
Author: Daniel P. Berrange <berrange>
Date:   Wed Feb 17 10:10:20 2016 +0000

    qemu-img: allow specifying image as a set of options args
    
    Currently qemu-img allows an image filename to be passed on the
    command line, but unless using the JSON format, it does not have
    a way to set any options except the format eg
    
       qemu-img info https://127.0.0.1/images/centos7.iso
    
    This adds a --image-opts arg that indicates that the positional
    filename should be interpreted as a full option string, not
    just a filename.
    
       qemu-img info --image-opts driver=https,url=https://127.0.0.1/images,sslverify=off
    
    This flag is mutually exclusive with the '-f' / '-F' flags.
    
    Signed-off-by: Daniel P. Berrange <berrange>
    Signed-off-by: Kevin Wolf <kwolf>

commit 3babeb153caab765e6a66ba1e0a12ff0c3b51a4e
Author: Daniel P. Berrange <berrange>
Date:   Wed Feb 17 10:10:17 2016 +0000

    qemu-img: add support for --object command line arg
    
    Allow creation of user creatable object types with qemu-img
    via a new --object command line arg. This will be used to supply
    passwords and/or encryption keys to the various block driver
    backends via the recently added 'secret' object type.
    
     # printf letmein > mypasswd.txt
     # qemu-img info --object secret,id=sec0,file=mypasswd.txt \
          ...other info args...
    
    Reviewed-by: Eric Blake <eblake>
    Signed-off-by: Daniel P. Berrange <berrange>
    Signed-off-by: Kevin Wolf <kwolf>
Comment 6 Mike McCune 2016-03-28 22:35:49 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 8 Fam Zheng 2016-09-13 10:57:27 UTC 
The example in b189346eb1784df95ed6fed610411dbf23d19e1f commit message is inaccurate. Only -iscsi in QEMU command line options recognizes password-secret, which is unavailable in qemu-img. We need more work to add user/password/password-secret in upstream to support that.
Comment 9 Fam Zheng 2016-09-13 10:59:31 UTC 
Probably a new version of my previous patch

https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03032.html

that also includes password-secret can be proposed again.
Comment 13 Jeff Cody 2017-02-21 16:36:25 UTC 
Sent a pull request upstream that contains patches for this feature:

https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04873.html
Comment 14 Jeff Cody 2017-02-21 18:30:22 UTC 
Applied to qemu upstream master
Comment 15 Ping Li 2017-03-15 10:35:54 UTC 
Hi jeff,

Could you help to share the use method for specifying initiator-name via qemu-img, and give some suggestions for qe to verify this bz? Thanks in advance.
Comment 16 Jeff Cody 2017-03-21 16:21:00 UTC 
Hi,

It probably makes sense to add testing for a custom initiator, with 3 scenarios:

1. No authentication required
2. Authentication passed solely via options
3. Authentication using qemu's 'object' option for the secret password


Here are examples for all three:

1). An iscsi target that does not need authentication:

qemu-img info --image-opts file.driver=iscsi,file.target=iqn.2017-01.com.quasiquark:for.all,file.transport=tcp,file.lun=1,file.portal=192.168.15.180


2). Using user/password authentication (in this example, user=redhat, password=test):

qemu-img info --image-opts file.driver=iscsi,file.target=iqn.2017-01.com.quasiquark:for.all,file.transport=tcp,file.lun=1,file.portal=192.168.15.180,file.user=redhat,file.password=test


3). Using the password secret object method with qemu-img to make it more secure:

A. First create the file with the password in it (note: do not include a newline at the end!):

echo -n "test" > password.txt

B. Now invoke qemu-img as above, but use the object mechanism and the password-secret option for iscsi:

qemu-img info --object secret,id=sec0,file=password.txt \
                --image-opts \
file.driver=iscsi,\
file.target=iqn.2017-01.com.quasiquark:for.all,\
file.transport=tcp,\
file.lun=1,\
file.portal=192.168.15.180,\
file.user=redhat,file.password-secret=sec0
Comment 19 Ping Li 2017-04-20 02:30:57 UTC 
Created attachment 1272831 [details]
config with default initiator name iqn.2008-11.org.linux-kvm
Comment 20 Ping Li 2017-04-20 02:31:46 UTC 
Created attachment 1272832 [details]
config with self define initiator name iqn.2017-04.com.example:client
Comment 25 errata-xmlrpc 2017-08-01 23:29:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Comment 26 errata-xmlrpc 2017-08-02 01:07:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Comment 27 errata-xmlrpc 2017-08-02 01:59:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Comment 28 errata-xmlrpc 2017-08-02 02:40:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Comment 29 errata-xmlrpc 2017-08-02 03:04:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Comment 30 errata-xmlrpc 2017-08-02 03:24:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Note You need to log in before you can comment on or make changes to this bug.