Bug 1379034 - RFE: add 'iSCSI protocol' support of option 'password-secret' to support for securely passing passwords to QEMU block drivers
Summary: RFE: add 'iSCSI protocol' support of option 'password-secret' to support for ...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev   
(Show other bugs)
Version: 7.3
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 7.4
Assignee: Jeff Cody
QA Contact: Suqin Huang
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-24 06:13 UTC by Chao Yang
Modified: 2017-08-02 03:32 UTC (History)
11 users (show)

Fixed In Version: qemu-kvm-rhev-2.9.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 23:37:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 20:04:36 UTC

Description Chao Yang 2016-09-24 06:13:40 UTC
Description of problem:
This bug is opened to track https://bugzilla.redhat.com/show_bug.cgi?id=1301057#c8

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Daniel Berrange 2016-12-08 13:03:15 UTC
Just posted some patches to support this upstream

https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01124.html

Comment 3 Daniel Berrange 2016-12-08 14:20:01 UTC
Counter-proposal from Kevin Wolf

https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01130.html

Comment 5 Jeff Cody 2017-01-25 17:46:18 UTC
Reworked patches based on Kevin's approach have been sent to qemu-devel.

The patches can also be seen here:

https://github.com/codyprime/qemu-kvm-jtc/commits/iscsi-blockdev-add

Comment 6 Jeff Cody 2017-02-21 16:41:17 UTC
Sent a pull request upstream that contains patches that implement this feature:

https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04873.html

Comment 7 Jeff Cody 2017-02-21 18:30:31 UTC
Applied to qemu upstream master

Comment 8 Suqin Huang 2017-04-27 02:36:58 UTC
package:
qemu-kvm-rhev-2.9.0-1.el7.x86_64


Authentication failure(513) error when test with cmd:

    -object secret,id=sec0,file=/home/iscsi-password \
    -drive driver=iscsi,file=iscsi://10.73.199.233/iqn.2017-04.com.example:t2/0,user=redhat,password-secret=sec0 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=03 \

Note: Double check the iscsi-password file, no blank in the file



Pass with old cmd:

    -drive id=drive_image1,if=none,cache=none,snapshot=on,aio=native,format=raw,file=iscsi://10.73.199.233/iqn.2017-04.com.example:t2/0  \
    -iscsi user=redhat,password=redhat,id=iqn \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=03 \

Comment 9 Daniel Berrange 2017-04-27 08:26:49 UTC
Please run 'od -x -a /home/iscsi-password' and post the output to this bug. I'm pretty sure you will find there is a newline character there that needs removing

Comment 11 Suqin Huang 2017-04-28 06:17:31 UTC
# od -x -a /home/iscsi-password 
0000000    6572    6864    7461    000a
          r   e   d   h   a   t  nl
0000007


it works after remove the file

# echo -n redhat > /home/iscsi-password
# od -x -a /home/iscsi-password 
0000000    6572    6864    7461
          r   e   d   h   a   t
0000006

cmd:

/usr/libexec/qemu-kvm \
-object secret,id=sec0,file=/home/iscsi-password   \
-drive id=drive_image1,if=none,cache=none,snapshot=on,aio=native,format=raw,file=iscsi://10.73.199.233/iqn.2017-04.com.example:t2/0,file.user=redhat,file.password-secret=sec0  \
-device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=06

Comment 12 Suqin Huang 2017-04-28 06:18:13 UTC
according comment11, update the bug to verified

Comment 14 errata-xmlrpc 2017-08-01 23:37:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 15 errata-xmlrpc 2017-08-02 01:14:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 16 errata-xmlrpc 2017-08-02 02:06:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 17 errata-xmlrpc 2017-08-02 02:47:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 18 errata-xmlrpc 2017-08-02 03:12:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 19 errata-xmlrpc 2017-08-02 03:32:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392


Note You need to log in before you can comment on or make changes to this bug.