Bug 1254422 - [RFE]Add option to specify the initiator for qemu-img to login iscsi target
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: x86_64 Unspecified
Priority: medium Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Jeff Cody
QA Contact: Ping Li
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2015-08-18 01:30 EDT by Qian Guo
Modified: 2018-03-21 23:20 EDT

See Also:
Fixed In Version: qemu-kvm-rhev-2.9.0-1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 19:29:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
config with default initiator name iqn.2008-11.org.linux-kvm (7.13 KB, text/plain)
2017-04-19 22:30 EDT, Ping Li
config with self define initiator name iqn.2017-04.com.example:client (7.14 KB, text/plain)
2017-04-19 22:31 EDT, Ping Li


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 16:04:36 EDT

Description Qian Guo 2015-08-18 01:30:52 EDT
Description of problem:
When setting up an iSCSI target, we always have an ACL on some iSCSI LUN that allows the corresponding host, with its initiator name, to log in to it.

If qemu-img on the host tries to access the LUN via libiscsi:native, it cannot use the initiator name of the host; it can only use the qemu-kvm default initiator name (iqn.2008-11.org.linux-kvm).

I think we should add some options for qemu-img that can change its initiator name.

PS.
For qemu-kvm, one can use -scsi initiator-name to use the host's initiator name.

Version-Release number of selected component (if applicable):
qemu-img-rhev-2.3.0-18.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Fam Zheng 2015-09-11 02:11:26 EDT
Posted to upstream:

http://patchwork.ozlabs.org/patch/516598/
Comment 5 Fam Zheng 2016-03-06 23:27:11 EST
This will be supported in QEMU 2.6 with Daniel P. Berrange's QCryptoSecret API work:

commit b189346eb1784df95ed6fed610411dbf23d19e1f
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Thu Jan 21 14:19:21 2016 +0000

    iscsi: add support for getting CHAP password via QCryptoSecret API
    
    The iSCSI driver currently accepts the CHAP password in plain text
    as a block driver property. This change adds a new "password-secret"
    property that accepts the ID of a QCryptoSecret instance.
    
      $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
                user=dan,password-secret=sec0
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Message-id: 1453385961-10718-4-git-send-email-berrange@redhat.com
    Signed-off-by: Jeff Cody <jcody@redhat.com>


commit eb769f74205e0906bdb45eeeb332c40b50b1dcb7
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Feb 17 10:10:20 2016 +0000

    qemu-img: allow specifying image as a set of options args
    
    Currently qemu-img allows an image filename to be passed on the
    command line, but unless using the JSON format, it does not have
    a way to set any options except the format eg
    
       qemu-img info https://127.0.0.1/images/centos7.iso
    
    This adds a --image-opts arg that indicates that the positional
    filename should be interpreted as a full option string, not
    just a filename.
    
       qemu-img info --image-opts driver=https,url=https://127.0.0.1/images,sslverify=off
    
    This flag is mutually exclusive with the '-f' / '-F' flags.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Signed-off-by: Kevin Wolf <kwolf@redhat.com>

commit 3babeb153caab765e6a66ba1e0a12ff0c3b51a4e
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Feb 17 10:10:17 2016 +0000

    qemu-img: add support for --object command line arg
    
    Allow creation of user creatable object types with qemu-img
    via a new --object command line arg. This will be used to supply
    passwords and/or encryption keys to the various block driver
    backends via the recently added 'secret' object type.
    
     # printf letmein > mypasswd.txt
     # qemu-img info --object secret,id=sec0,file=mypasswd.txt \
          ...other info args...
    
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Comment 6 Mike McCune 2016-03-28 18:35:49 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 8 Fam Zheng 2016-09-13 06:57:27 EDT
The example in b189346eb1784df95ed6fed610411dbf23d19e1f commit message is inaccurate. Only -iscsi in QEMU command line options recognizes password-secret, which is unavailable in qemu-img. We need more work to add user/password/password-secret in upstream to support that.
Comment 9 Fam Zheng 2016-09-13 06:59:31 EDT
Probably a new version of my previous patch

https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03032.html

that also includes password-secret can be proposed again.
Comment 13 Jeff Cody 2017-02-21 11:36:25 EST
Sent a pull request upstream that contains patches for this feature:

https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04873.html
Comment 14 Jeff Cody 2017-02-21 13:30:22 EST
Applied to qemu upstream master
Comment 15 Ping Li 2017-03-15 06:35:54 EDT
Hi Jeff,

Could you share how to specify the initiator-name via qemu-img, and give some suggestions for QE to verify this BZ? Thanks in advance.
Comment 16 Jeff Cody 2017-03-21 12:21:00 EDT
Hi,

It probably makes sense to add testing for a custom initiator, with 3 scenarios:

1. No authentication required
2. Authentication passed solely via options
3. Authentication using qemu's 'object' option for the secret password


Here are examples for all three:

1). An iscsi target that does not need authentication:

qemu-img info --image-opts file.driver=iscsi,file.target=iqn.2017-01.com.quasiquark:for.all,file.transport=tcp,file.lun=1,file.portal=192.168.15.180


2). Using user/password authentication (in this example, user=redhat, password=test):

qemu-img info --image-opts file.driver=iscsi,file.target=iqn.2017-01.com.quasiquark:for.all,file.transport=tcp,file.lun=1,file.portal=192.168.15.180,file.user=redhat,file.password=test


3). Using the password secret object method with qemu-img to make it more secure:

A. First create the file with the password in it (note: do not include a newline at the end!):

echo -n "test" > password.txt

B. Now invoke qemu-img as above, but use the object mechanism and the password-secret option for iscsi:

qemu-img info --object secret,id=sec0,file=password.txt \
                --image-opts \
file.driver=iscsi,\
file.target=iqn.2017-01.com.quasiquark:for.all,\
file.transport=tcp,\
file.lun=1,\
file.portal=192.168.15.180,\
file.user=redhat,file.password-secret=sec0
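
Added example, not part of the thread or of QEMU: a sketch of scenario 3 that writes the secret file owner-only and without a trailing newline, checks both properties, and assembles the --image-opts string with a custom initiator. The helper names are hypothetical, and file.initiator-name is assumed to be the iscsi driver option this RFE delivered (the thread's own examples do not show it); the command is printed, not run.

```shell
#!/bin/sh
# Added example (not from the bug thread). Helper names are hypothetical.

# Write the CHAP password with no trailing newline into an owner-only file.
write_secret() {                       # $1 = path, $2 = password
    ( umask 077; : > "$1"; chmod 600 "$1"; printf '%s' "$2" > "$1" )
}

# Return 0 only if the secret file is owner-only and has no trailing newline.
check_secret() {                       # $1 = path
    mode=$(ls -ld "$1" | cut -c1-10)
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$mode" in
        -r[w-]-------) ;;
        *) echo "secret file mode too open: $mode" >&2; return 1 ;;
    esac
    [ "$last" != "0a" ] || { echo "secret file ends with a newline" >&2; return 1; }
}

# QEMU option strings use ',' as the separator; a literal comma is written ',,'.
esc() { printf '%s' "$1" | sed 's/,/,,/g'; }

# Build the --image-opts string.
# Assumption: file.initiator-name is the iscsi block driver option for the
# initiator IQN; it does not appear in the thread's examples.
iscsi_image_opts() {  # $1 portal $2 target $3 lun $4 initiator $5 user $6 secret-id
    printf 'file.driver=iscsi,file.transport=tcp,file.portal=%s,file.target=%s' \
        "$(esc "$1")" "$(esc "$2")"
    printf ',file.lun=%s,file.initiator-name=%s,file.user=%s,file.password-secret=%s' \
        "$(esc "$3")" "$(esc "$4")" "$(esc "$5")" "$(esc "$6")"
}

# Constructed demo with the values quoted on this page; prints the command only.
dir=$(mktemp -d)
write_secret "$dir/password.txt" "test"
if check_secret "$dir/password.txt"; then
    echo "qemu-img info --object secret,id=sec0,file=$dir/password.txt --image-opts" \
         "$(iscsi_image_opts 192.168.15.180 iqn.2017-01.com.quasiquark:for.all 1 \
            iqn.2017-04.com.example:client redhat sec0)"
fi
rm -rf "$dir"
```

Unlike scenario 2, the password never appears in the qemu-img argument list, so it is not exposed through the process table or shell history.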
Comment 19 Ping Li 2017-04-19 22:30 EDT
Created attachment 1272831
config with default initiator name iqn.2008-11.org.linux-kvm
Comment 20 Ping Li 2017-04-19 22:31 EDT
Created attachment 1272832
config with self define initiator name iqn.2017-04.com.example:client
Comment 25 errata-xmlrpc 2017-08-01 19:29:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392