Bug 1632656 - iSCSI Reverse CHAP authentication not working
Summary: iSCSI Reverse CHAP authentication not working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-blivet
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Vojtech Trefny
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: 1637927 F29FinalBlocker 1635569
TreeView+ depends on / blocked
 
Reported: 2018-09-25 10:16 UTC by lnie
Modified: 2018-12-26 02:47 UTC (History)
17 users (show)

Fixed In Version: python-blivet-3.1.1-2 python-blivet-3.1.1-2.fc29 python-blivet-3.1.2-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1635569 1637927 (view as bug list)
Environment:
Last Closed: 2018-10-11 20:28:46 UTC


Attachments (Terms of Use)
screenshot1 (117.68 KB, image/png)
2018-09-25 10:16 UTC, lnie
no flags Details
screenshot2 (133.44 KB, image/png)
2018-09-25 10:17 UTC, lnie
no flags Details
anaconda.log (13.90 KB, text/plain)
2018-09-25 10:17 UTC, lnie
no flags Details
storage.log (41.43 KB, text/plain)
2018-09-25 10:18 UTC, lnie
no flags Details
syslog (268.40 KB, text/plain)
2018-09-25 10:19 UTC, lnie
no flags Details
screenshot (81.71 KB, image/png)
2018-10-09 04:40 UTC, lnie
no flags Details
anaconda.log (10.14 KB, text/plain)
2018-10-09 04:41 UTC, lnie
no flags Details
storage.log (59.04 KB, text/plain)
2018-10-09 04:42 UTC, lnie
no flags Details
configuration file (8.18 KB, text/plain)
2018-10-09 11:08 UTC, lnie
no flags Details

Description lnie 2018-09-25 10:16:55 UTC
Created attachment 1486702 [details]
screenshot1

Description of problem:
create an iscsi target use targetcli,and set discovery and login authentication as following:
/iscsi> set discovery_auth enable=1
Parameter enable is now 'True'.
/iscsi> set discovery_auth userid=IncomingUser
Parameter userid is now 'IncomingUser'.
/iscsi> set discovery_auth password=SomePassword1
Parameter password is now 'SomePassword1'.
/iscsi> set discovery_auth mutual_userid=OutgoingUser
Parameter mutual_userid is now 'OutgoingUser'.
/iscsi> set discovery_auth mutual_password=AnotherPassword2
Parameter mutual_password is now 'AnotherPassword2'.
/iscsi> cd iqn.2018-02.com.example:target/
/iscsi/iqn.20...xample:target> cd tpg1/
/iscsi/iqn.20...e:target/tpg1> set attribute authentication=1
Parameter authentication is now '1'.
/iscsi/iqn.20...e:target/tpg1> set auth userid=IncomingUser2
Parameter userid is now 'IncomingUser2'.
/iscsi/iqn.20...e:target/tpg1> set auth password=SomePassword3
Parameter password is now 'SomePassword3'.
/iscsi/iqn.20...e:target/tpg1> set auth mutual_userid=OutgoingUser2
Parameter mutual_userid is now 'OutgoingUser2'.
/iscsi/iqn.20...e:target/tpg1> set auth mutual_password=AnotherPassword4
Parameter mutual_password is now 'AnotherPassword4'.
/iscsi/iqn.20...e:target/tpg1> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json

As shown in the attached screenshots,the installer failed to discover the target,and after I set  discovery_auth enable=0,the installer can discover the target but failed to login

Version-Release number of selected component (if applicable):
Fedora-Server-dvd-x86_64-29_Beta-1.5.iso

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 lnie 2018-09-25 10:17:22 UTC
Created attachment 1486703 [details]
screenshot2

Comment 2 lnie 2018-09-25 10:17:57 UTC
Created attachment 1486704 [details]
anaconda.log

Comment 3 lnie 2018-09-25 10:18:22 UTC
Created attachment 1486705 [details]
storage.log

Comment 4 lnie 2018-09-25 10:19:06 UTC
Created attachment 1486706 [details]
syslog

Comment 5 Fedora Blocker Bugs Application 2018-09-30 10:35:02 UTC
Proposed as a Blocker for 29-final by Fedora user lnie using the blocker tracking app because:

 Seems to affect the criteria:
The installer must be able to detect (if possible) and install to supported network-attached storage devices

Comment 6 Geoffrey Marr 2018-10-01 19:40:52 UTC
Discussed during the 2018-10-01 blocker review meeting: [1]

The decision to classify this bug as an "AcceptedBlocker" was made as it violates the following criteria:

"The installer must be able to detect (if possible) and install to supported network-attached storage devices" - The criterion does not explicitly say whether auth is blocking, but we believe it is sufficiently commonly used in the real world that we should accept the bug.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-10-01/f29-blocker-review.2018-10-01-16.00.txt

Comment 7 Radek Vykydal 2018-10-03 09:31:00 UTC
Seems that reverse (target) CHAP authentication is not working both for discover and login. Initiator authentication should work fine for both.

The same issue is present in F28 GA.
On RHEL 7 reverse CHAP works.

Comment 8 Radek Vykydal 2018-10-03 09:36:36 UTC
Reassigning to blivet storage library for investigating.

Comment 9 Vojtech Trefny 2018-10-03 12:45:07 UTC
Upstream PR: https://github.com/storaged-project/blivet/pull/728

Comment 10 Fedora Update System 2018-10-08 13:47:04 UTC
python-blivet-3.1.1-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d610e2461a

Comment 11 Fedora Update System 2018-10-08 17:41:48 UTC
python-blivet-3.1.1-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d610e2461a

Comment 12 Adam Williamson 2018-10-08 18:05:33 UTC
lnie, can you please test the fix? Thanks!

Comment 13 lnie 2018-10-09 04:40:19 UTC
The discovery authentication works fine now,but still unable to login and use the iscsi targets when Reverse CHAP authentication is set. After click the Login button you will see the error shown in the attached screenshot.

Comment 14 lnie 2018-10-09 04:40:55 UTC
Created attachment 1491846 [details]
screenshot

Comment 15 lnie 2018-10-09 04:41:35 UTC
Created attachment 1491847 [details]
anaconda.log

Comment 16 lnie 2018-10-09 04:42:24 UTC
Created attachment 1491848 [details]
storage.log

Comment 17 Vojtech Trefny 2018-10-09 10:39:15 UTC
I've tested this again and both discovery and login works for me.

My configuration:
- updates.img: https://vtrefny.fedorapeople.org/img/iscsi1632274.img
- targetcli config: https://vtrefny.fedorapeople.org/misc/iscsi-discover-auth-mutual.json
- initiator name: "iqn.1994-05.com.redhat:iscsi-test"
- discovery credentials: "mytargetuid", "mytargetsecret", "mymutualuid", "mymutualsecret"
- login credentials: "udisks-user", "udisks-password", "udisks-mutual-user", "udisks-mutual-password"

lnie: Can you please share your targetcli config? Maybe I'm testing something different.

Comment 18 lnie 2018-10-09 11:08:04 UTC
Created attachment 1492032 [details]
configuration file

Comment 19 lnie 2018-10-09 11:09:58 UTC
unable to open your configuration file,mine is attached.

Comment 20 Vojtech Trefny 2018-10-09 12:44:58 UTC
Thank you, I can confirm that the login doesn't work with your configuration. It works on Fedora 28 (with latest blivet and udisks), but doesn't on Fedora 29. The same happens when using iscsiadm manually, so I think it is a different problem:

On Fedora 28:
$ sudo iscsiadm --mode node --targetname iqn.2018-02.com.example:target --portal 10.37.176.17:3260 --login --name node.session.auth.authmethod --value=CHAP --name node.session.auth.username --value="IncomingUser2" --name node.session.auth.password --value="SomePassword3" --name node.session.auth.username_in --value="OutgoingUser2" --name node.session.auth.password_in --value="AnotherPassword4"
Logging in to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260] (multiple)
Login to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260] successful.

On Fedora 29:
$ sudo iscsiadm --mode node --targetname iqn.2018-02.com.example:target --portal 10.37.176.17:3260 --login --name node.session.auth.authmethod --value=CHAP --name node.session.auth.username --value="IncomingUser2" --name node.session.auth.password --value="SomePassword3" --name node.session.auth.username_in --value="OutgoingUser2" --name node.session.auth.password_in --value="AnotherPassword4"
Logging in to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals

Comment 21 Fedora Update System 2018-10-11 20:28:46 UTC
python-blivet-3.1.1-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2018-12-12 13:10:30 UTC
python-blivet-3.1.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5827b58873

Comment 23 Fedora Update System 2018-12-13 03:36:12 UTC
blivet-gui-2.1.10-1.fc29, python-blivet-3.1.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5827b58873

Comment 24 Fedora Update System 2018-12-18 02:11:55 UTC
blivet-gui-2.1.10-2.fc29, python-blivet-3.1.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5827b58873

Comment 25 Fedora Update System 2018-12-26 02:47:37 UTC
blivet-gui-2.1.10-2.fc29, python-blivet-3.1.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.