Bug 1425757 - RFE: add support for securely passing passwords to iSCSI block drivers
Summary: RFE: add support for securely passing passwords to iSCSI block drivers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: John Ferlan
QA Contact: yisun
URL:
Whiteboard:
Depends On: 1301057
Blocks: 1182074
TreeView+ depends on / blocked
 
Reported: 2017-02-22 10:28 UTC by Daniel Berrangé
Modified: 2018-10-30 09:49 UTC (History)
15 users (show)

Fixed In Version: libvirt-4.3.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of: 1301057
Environment:
Last Closed: 2018-10-30 09:49:43 UTC
Target Upstream Version:


Attachments (Terms of Use)

Comment 2 Daniel Berrangé 2017-02-22 10:32:39 UTC
This bug is to track the piece of  Bug 1301057 that we were not able to implement in 7.3 - iSCSI support. The password-secret option was originally provided against the -iscsi option, but we didn't realize you could not reliably associated -iscsi to the -drive iscsi,.... arg.

QEMU has now made all the -iscsi options available directly with the -drive iscsi config, making -iscsi obsolete. So we can now provide the password secret support in libvirt. See bug 1379034 for the QEMU part.

Comment 4 John Ferlan 2017-09-05 19:13:17 UTC
Patches posted upstream:

https://www.redhat.com/archives/libvir-list/2017-September/msg00100.html

Comment 5 John Ferlan 2017-10-05 13:23:41 UTC
Numerous updates since comment 4, now at v5:

https://www.redhat.com/archives/libvir-list/2017-October/msg00228.html

Comment 6 John Ferlan 2017-11-24 17:06:53 UTC
After a few reposts and waiting, upstream v6:

https://www.redhat.com/archives/libvir-list/2017-November/msg00309.html

has been pushed.

Comment 8 John Ferlan 2017-12-13 20:21:17 UTC
The original series was pushed as part of libvirt-3.9.0.

After pushing while working on something else, I realized there's one adjustment needed for the hotplug code... details are in the patch, see: 

https://www.redhat.com/archives/libvir-list/2017-December/msg00165.html

that was pushed in libvirt-4.0.0 as commit id '6050affb'

Comment 10 yisun 2018-06-21 08:59:19 UTC
Verified with libvirt-4.4.0-2.virtcov.el7.x86_64


Test with latest libvirt but old qemu-kvm
# rpm -qa | egrep "qemu-kvm-rhev|libvirt-4"
libvirt-4.4.0-2.virtcov.el7.x86_64
qemu-kvm-rhev-2.6.0-28.el7_3.17.x86_64

1. prepare a libvirt secret and use it in vm
# virsh dumpxml avocado-vt-vm1
...
<disk type='network' device='disk'>
    <driver name='qemu' type='raw'/>
    <source protocol='iscsi' name='iqn.2013-10.com.example:iscsi/0'>
        <host name='127.0.0.1' port='3260'/>
    </source>
    <auth username='rhat'>
        <secret type='iscsi' uuid='41437de7-4871-476d-8b06-b2d9a140df8d'/>
    </auth>
    <target dev='vdb' bus='virtio'/>
</disk>

2. start the vm and check the qemu process
# ps -ef | grep avocado-vt-vm1 | grep rhat
qemu      8867     1  8 04:31 ?        00:00:23 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,... -drive file=iscsi://rhat:rhatrhat@127.0.0.1:3260/iqn.1992-01.com.example/0,format=raw,if=none,id=drive-virtio-disk1 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk1,id=virtio-disk1 ...

<==== password is in plaintext since rfe1379034 not involved in this qemu-kvm version, this is expected 



Test with latest libvirt and qemu
# rpm -qa | egrep "qemu-kvm-rhev|libvirt-4"
qemu-kvm-rhev-2.12.0-4.el7.x86_64
libvirt-4.4.0-2.virtcov.el7.x86_64

1. prepare a libvirt secret and use it in vm as virtual disk
# virsh dumpxml avocado-vt-vm1
...
<disk type='network' device='disk'>
    <driver name='qemu' type='raw'/>
    <source protocol='iscsi' name='iqn.2013-10.com.example:iscsi/0'>
        <host name='127.0.0.1' port='3260'/>
    </source>
    <auth username='rhat'>
        <secret type='iscsi' uuid='41437de7-4871-476d-8b06-b2d9a140df8d'/>
    </auth>
    <target dev='vdb' bus='virtio'/>
</disk>

# virsh start avocado-vt-vm1

# ps -ef | grep avocado-vt-vm1 | grep rhat
qemu      9392     1 92 04:38 ?        00:00:01 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object secret,id=masterKey0 ...
-drive file.driver=iscsi,file.portal=127.0.0.1:3260,file.target=iqn.1992-01.com.example,file.lun=0,file.transport=tcp,file.user=rhat,file.password-secret=virtio-disk1-secret0,format=raw,if=none,id=drive-virtio-disk1 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk1,id=virtio-disk1
<==== now the password is not plaintext 

2. prepare a libvirt secret and use it in vm as hostdev
#virsh dumpxml avocado-vt-vm1
...
    <hostdev mode='subsystem' type='scsi' managed='no'>
      <source protocol='iscsi' name='iqn.1992-01.com.example/0'>
        <host name='127.0.0.1' port='3260'/>
        <auth username='rhat'>
          <secret type='iscsi' usage='libvirtiscsi'/>
        </auth>
      </source>
      <alias name='hostdev0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </hostdev>

# virsh start avocado-vt-vm1

# ps -ef | grep avocado-vt-vm1 | grep rhat
qemu     10038     1 83 04:45 ?        00:00:03 /usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object secret,id=masterKey0... -drive file.driver=iscsi,file.portal=127.0.0.1:3260,file.target=iqn.1992-01.com.example,file.lun=0,file.transport=tcp,file.user=rhat,file.password-secret=hostdev0-secret0,if=none,format=raw,id=drive-hostdev0...
<==== now the password is not plaintext

Comment 12 errata-xmlrpc 2018-10-30 09:49:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113


Note You need to log in before you can comment on or make changes to this bug.