Description of problem: As subject Version-Release number of selected component (if applicable): libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 qemu-kvm-4.0.0-6.module+el8.1.0+3736+a2aefea3.x86_64 How reproducible: 100% Steps to Reproduce: 1. Setup a iscsi target with chap authorization redhat:redhat 2. Create the overlay image: # qemu-img create --object secret,data='redhat',id=sec,format=raw -f qcow2 -b 'json:{"driver": "raw", "file": {"lun": "0", "portal": "10.66.4.183", "driver": "iscsi", "transport": "tcp", "target": "iqn.2019-08.com.chap.target", "user":"redhat", "password-secret":"sec"}}' -o backing_fmt=raw /tmp/iscsi_auth_cipher 3. Enable -blockdev for vm: <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'> … <qemu:capabilities> <qemu:add capability='blockdev'/> <qemu:del capability='drive'/> </qemu:capabilities> </domain> 4. Attach the overlay image to vm # virsh attach-disk copy /tmp/iscsi_auth_cipher vdc --subdriver qcow2 error: Failed to attach disk error: internal error: unable to execute QEMU command 'blockdev-add': iSCSI: Failed to connect to LUN : Failed to log in to target. Status: Authentication failure(513) 5. Inactive attach the overlay image to vm. Then start the vm # virsh attach-disk copy /tmp/iscsi_auth_cipher vdc --subdriver qcow2 --config Disk attached successfully # virsh destroy copy Domain copy destroyed # virsh start copy error: Failed to start domain copy error: internal error: process exited while connecting to monitor: 2019-07-25T07:56:09.111915Z qemu-kvm: -blockdev {"driver":"iscsi","portal":"10.66.4.183:3260","target":"iqn.2019-08.com.chap.target","lun":0,"transport":"tcp","node-name":"libvirt-3-storage","read-only":true,"discard":"unmap"}: iSCSI: Failed to connect to LUN : Failed to log in to target. Status: Authentication failure(513) Actual results: Expected results: Additional info: The qmp log of step4: Jul 25 15:54:37 lab libvirtd[16437]: 16441: info : qemuMonitorSend:1072 : QEMU_MONITOR_SEND_MSG: mon=0x7f4804016e80 msg={"execute":"blockdev-add","arguments":{"driver":"iscsi","portal":"10.66.4.183:3260","target":"iqn.2019-08.com.chap.target","lun":0,"transport":"tcp","node-name":"libvirt-4-storage","read-only":true,"discard":"unmap"},"id":"libvirt-21"}#015#012 fd=-1 Jul 25 15:54:37 lab libvirtd[16437]: 16437: info : qemuMonitorIOWrite:546 : QEMU_MONITOR_IO_WRITE: mon=0x7f4804016e80 buf={"execute":"blockdev-add","arguments":{"driver":"iscsi","portal":"10.66.4.183:3260","target":"iqn.2019-08.com.chap.target","lun":0,"transport":"tcp","node-name":"libvirt-4-storage","read-only":true,"discard":"unmap"},"id":"libvirt-21"}#015#012 len=237 ret=237 errno=0 Jul 25 15:54:37 lab libvirtd[16437]: 16441: error : qemuMonitorJSONCheckError:392 : internal error: unable to execute QEMU command 'blockdev-add': iSCSI: Failed to connect to LUN : Failed to log in to target. Status: Authentication failure(513) The qemu cmdline of step5: LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin HOME=/var/lib/libvirt/qemu/domain--1-copy XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-copy/.local/share XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-copy/.cache XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-copy/.config QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name guest=copy,debug-threads=on -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain--1-copy/master-key.aes -machine pc-i440fx-rhel7.6.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off -m 1024 -overcommit mem-lock=off -smp 1,sockets=1,cores=1,threads=1 -object iothread,id=iothread1 -object iothread,id=iothread2 -object iothread,id=iothread3 -uuid c3f1cdcb-cc26-462d-9e4a-fdb6f40402ca -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain--1-copy/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x7 -device ahci,id=sata0,bus=pci.0,addr=0x9 -device ahci,id=sata1,bus=pci.0,addr=0xa -device ahci,id=sata2,bus=pci.0,addr=0xb -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -device usb-hub,id=hub0,bus=usb.0,port=3 -blockdev '{"driver":"file","filename":"/var/lib/libvirt/images/copy.qcow2","node-name":"libvirt-2-storage","read-only":false,"discard":"unmap"}' -blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"qcow2","file":"libvirt-2-storage"}' -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xc,drive=libvirt-2-format,id=virtio-disk0,bootindex=1,serial=sadasdasdasdas -blockdev '{"driver":"file","filename":"/tmp/iscsi_auth_cipher","node-name":"libvirt-1-storage","read-only":false,"discard":"unmap"}' -blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage"}' -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xd,drive=libvirt-1-format,id=virtio-disk2 -netdev tap,fd=28,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:d1:0d:97,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/domain--1-copy/org.qemu.guest_agent.0,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -spice port=5901,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on Both of them miss chap authorization part. Libvirt also fails to parse iscsi url with auth # qemu-img create -b iscsi://redhat%redhat.4.183/iqn.2019-08.com.chap.target/0 /tmp/iscsi_auth_cleartxt -o backing_fmt=raw -f qcow2 Formatting '/tmp/iscsi_auth_cleartxt', fmt=qcow2 size=4294967296 backing_file=iscsi://redhat%redhat.4.183/iqn.2019-08.com.chap.target/0 backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16 # virsh attach-disk copy /tmp/iscsi_auth_cleartxt vdc --subdriver qcow2 error: Failed to attach disk error: internal error: failed to parse backing file location 'iscsi://redhat%redhat.4.183/iqn.2019-08.com.chap.target/0' # qemu-img info /tmp/iscsi_auth_clear_json image: /tmp/iscsi_auth_clear_json file format: qcow2 virtual size: 4.0G (4294967296 bytes) disk size: 196K cluster_size: 65536 backing file: json:{"driver": "raw", "file": {"lun": "0", "portal": "10.66.4.183", "driver": "iscsi", "transport": "tcp", "target": "iqn.2019-08.com.chap.target", "user":"redhat", "password":"redhat"}} backing file format: raw Format specific information: compat: 1.1 lazy refcounts: false refcount bits: 16 corrupt: false # virsh attach-disk copy /tmp/iscsi_auth_clear_json vdc --subdriver qcow2 error: Failed to attach disk error: internal error: unable to execute QEMU command 'blockdev-add': iSCSI: Failed to connect to LUN : Failed to log in to target. Status: Authentication failure(513)
So, these are multiple separate issues described here. The first that instantiates the password via '--object secret' will never work and it never worked before. This is the one thing that we try to fix with blockdev. In such case you must provide the backing image data with authentication explicitly in the XML. This will then ensure that the secret objects are created properly: <disk type='file' device='disk'> <source file='/tmp/iscsi_auth_cipher'/> <backingStore type='network'> <source protocol='iscsi' name='iqn.2019-08.com.chap.target/0'> <host name='10.66.4.183'/> <auth username='redhat'> <secret type='iscsi' usage='FILL_ME_IN'/> </auth> </source> <backingStore/> </backingStore> </disk> This will properly instantiate a libvirt secret for the backing file. The ISCSI URI case and json password passthrough scenarios which probably would work prior to enabling of blockdev, it's questionable whether it's a good idea to keep supporting them. Passing in the secrets in files is not very secure. At any rate I can investigate whether we'll attempt to pass them through via secret objects.
> Libvirt also fails to parse iscsi url with auth > # qemu-img create -b > iscsi://redhat%redhat.4.183/iqn.2019-08.com.chap.target/0 Note that this is not a valid URI. The userinfo part must divide the username and password with a ":" rather than "%" ... > /tmp/iscsi_auth_cleartxt -o backing_fmt=raw -f qcow2 > Formatting '/tmp/iscsi_auth_cleartxt', fmt=qcow2 size=4294967296 > backing_file=iscsi://redhat%redhat.4.183/iqn.2019-08.com.chap.target/0 > backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16 > > # virsh attach-disk copy /tmp/iscsi_auth_cleartxt vdc --subdriver qcow2 > > error: Failed to attach disk > error: internal error: failed to parse backing file location > 'iscsi://redhat%redhat.4.183/iqn.2019-08.com.chap.target/0' ... this error message points out that such uri isn't even valid.
Fixed upstream: commit 6ff9241058dba35565ed594c7931e52a46a82b13 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 19:29:43 2019 +0200 util: storagefile: Flag backing store strings with authentication Using inline authentication for storage volumes will not work properly as libvirt requires use of the secret driver for the auth data and thus would not be able to represent the passwords stored in the backing store string. Make sure that the backing store parsers return 1 which is a sign for the caller to not use the file in certain cases. The test data include iscsi via a json pseudo-protocol string and URIs with the userinfo part being present. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit b1c778d854a927c3b7d11f06add9761148b6d5d5 Author: Peter Krempa <pkrempa> Date: Fri Aug 16 11:34:27 2019 +0200 util: storagefile: Don't traverse storage sources unusable by VM virStorageFileGetMetadataRecurse would include files in the backing chain which would not really be usable by libvirt directly e.g. when such file would be promoted to the top layer by an active block commit as for example inline authentication data can't be represented in the VM xml file. The idea is to use secrets for this. With the changes to the backing store string parsers we can report and propagate if such a thing is present in the configuration and thus start skipping those files in the backing chain traversal code. This approach still allows to report the appropriate backing store string in the storage driver which doesn't directly use the backing file. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit 46135dd40fbe112211c4ed7f6d9a6cc7b4001af1 Author: Peter Krempa <pkrempa> Date: Fri Aug 16 11:28:03 2019 +0200 util: storagefile: Clarify docs for '@report_broken' of virStorageFileGetMetadata virStorageFileGetMetadata does not report error if we can't interrogate the file somehow. Clarify this in the description of the @report_broken flag as it implies we should report an error in that case. The problem is that we don't know whether there's a problem and unfortunately just offload it to qemu. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit 9467c37e963f9a68db0b6a32ccb331fbdc2664ae Author: Peter Krempa <pkrempa> Date: Fri Aug 16 11:14:31 2019 +0200 util: storagefile: Add handling of unusable storage sources Introduce new semantics to virStorageSourceNewFromBacking and some of the helpers used by it which propagate the return value from the callers. The new return value introduced by this patch allows to notify the calller that the parsed virStorageSource correctly describes the source but contains data such as inline authentication which libvirt does not want to support directly. This means that such file would e.g. unusable as a storage source (e.g. when actively commiting the overlay to it) or would not work with blockdev. The caller will then be able to decide whether to consider this backing file as viable or just fall back to qemu dealing with it. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit e1189ae5f320cfe8c87588ffd15ca02840391918 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 19:27:43 2019 +0200 tests: virstorage: Allow testing return value of virStorageSourceNewFromBackingAbsolute Modify testBackingParse to allow testing other return values of the backing store string parser. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit 5265743daad7c1ea0c501f5f017062d85042d1d8 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 16:43:40 2019 +0200 util: storagefile: Modify arguments of virStorageSourceNewFromBackingAbsolue Return the parsed storage source via an pointer in arguments and return an integer from the function. Describe the semantics with a comment for the function and adjust callers to the new semantics. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit dddc5524001310abf0246f9a27c268c351f78b13 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 16:21:55 2019 +0200 util: storagefile: Preserve return value in virStorageSourceParseBackingJSONUriStr virStorageSourceParseBackingURI will report special return values in some cases. Preserve it in virStorageSourceParseBackingJSONUriStr. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit 36cde667083d381eb247dcd5581e84b51d9e9fba Author: Peter Krempa <pkrempa> Date: Thu Aug 15 14:49:49 2019 +0200 util: storage: Modify return value of virStorageSourceNewFromBacking Return the storage source definition via a pointer in the arguments and document the returned values. This will simplify the possibility to ignore certain backing store types which are not representable by libvirt. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit ffabad75725f70eb35d9b7422f19122a6b5174b0 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 19:16:21 2019 +0200 tests: storage: Refactor cleanup in testBackingParse Automatically clean the temporary buffer and get rid of the cleanup label. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit aece36f7679c6aba91708d2a912543ea83b5cd5b Author: Peter Krempa <pkrempa> Date: Thu Aug 15 16:16:59 2019 +0200 tests: viruri: Add test for password in URI userinfo While it's a bad idea to use userinfo to pass credentials via a URI add a test that we at least do the correct thing. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit fe434a0ceb72e0689f6be6b8fef42b74ea2ac278 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 16:25:47 2019 +0200 util: storagefile: Simplify cleanup in virStorageSourceParseBackingJSON Automatically free the 'root' temporary variable to get rid of some complexity. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit e8578b245bd216f90711111d266c9583ca00fac4 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 16:06:51 2019 +0200 util: storagefile: Simplify cleanup handling in virStorageSourceParseBackingURI Automatically clean the 'uri' variable and get rid of the 'cleanup' label. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit 5a8de41e0fe9af77fdc08c9616290061ad958e27 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 15:54:04 2019 +0200 util: storagefile: Remove cleanup label from virStorageSourceParseBackingJSONiSCSI There is no cleanup code. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> commit ab1021e30479d3fcb0e0a58a09d154d0b2b9bc88 Author: Peter Krempa <pkrempa> Date: Thu Aug 15 15:41:58 2019 +0200 util: storage: Simplify cleanup path handling in virStorageSourceParseBackingJSONInternal Automatically free the intermediate JSON data to get rid of the cleanup section. Signed-off-by: Peter Krempa <pkrempa> Reviewed-by: Ján Tomko <jtomko> v5.6.0-353-g6ff9241058
Re-test the scenarios in this bug with libvirt secret and the test is passed. Verified Version: # rpm -q libvirt qemu-kvm libvirt-6.0.0-15.virtcov.el8.x86_64 qemu-kvm-4.2.0-15.module+el8.2.0+6029+618ef2ec.x86_64 Verified Steps: Pre-step: 1. Setup a iscsi target with chap authorization redhat:redhat 2. Define an iscsi secret. SC1: Refresh the default pool and attach the overlay image creating by iscsi json with authentication 1. Create the overlay image: # qemu-img create --object secret,data='redhat',id=sec,format=raw -f qcow2 -b 'json:{"driver":"raw", "file":{"lun":"0", "portal":"10.66.144.87", "driver":"iscsi", "transport":"tcp", "target":"iqn.2020-04.com.chap.target", "user":"redhat", "password-secret":"sec"}}' -o backing_fmt='raw' /var/lib/libvirt/images/iscsi_auth_cipher Formatting '/var/lib/libvirt/images/iscsi_auth_cipher', fmt=qcow2 size=10737418240 backing_file=json:{"driver":"raw",, "file":{"lun":"0",, "portal":"10.66.144.87",, "driver":"iscsi",, "transport":"tcp",, "target":"iqn.2020-04.com.chap.target",, "user":"redhat",, "password-secret":"sec"}} backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16 2. Refresh the default pool and check the volume. # virsh pool-refresh default Pool default refreshed # virsh vol-list default | grep iscsi iscsi_auth_cipher /var/lib/libvirt/images/iscsi_auth_cipher 3. Prepare a disk xml which include backing image data with authentication # cat disk.xml <disk type='file' device='disk'> <driver name='qemu' type='qcow2' cache='none'/> <source file='/var/lib/libvirt/images/iscsi_auth_cipher'/> <backingStore type='network'> <format type='raw'/> <source protocol='iscsi' name='iqn.2020-04.com.chap.target/0'> <host name='10.66.144.87'/> <auth username='redhat'> <secret type='iscsi' usage='libvirtiscsi'/> </auth> </source> <backingStore/> <target dev='vdb' bus='virtio'/> </disk> </backingStore> 4. Attach and detach the disk to a running guest. # virsh attach-device lmn disk.xml Device attached successfully # virsh domblklist lmn Target Source --------------------------------------------- vda /var/lib/libvirt/images/lmn.qcow2 vdb /var/lib/libvirt/images/iscsi_auth_cipher # virsh detach-disk lmn vdb Disk detached successfully 5. Cold plug this disk to the guest and unplug it. # virsh attach-device lmn disk.xml --config Device attached successfully # virsh destroy lmn;virsh start lmn Domain lmn destroyed Domain lmn started # virsh detach-device lmn disk.xml --config Device detached successfully SC2: Refresh the default pool and attach the overlay image creating by iscsi uri with authentication 1. Create the overlay image: # qemu-img create -f qcow2 -o backing_fmt=raw -b iscsi://redhat:redhat.144.87/iqn.2020-04.com.chap.target/0 /var/lib/libvirt/images/iscsi_auth_cipher Formatting '/var/lib/libvirt/images/iscsi_auth_cipher', fmt=qcow2 size=10737418240 backing_file=iscsi://redhat:redhat.144.87/iqn.2020-04.com.chap.target/0 backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16 2. Reproduced the step 2 ~ step 5 in SC1.
Hi Peter, Please help to check the following issues, thank you in advance. 1) Can you help to check which scenarios I also need to cover? I only verified two scenarios in comment 5 which mentioned at the beginning of this bug because I found most of patches are related with return value or cleanup label. 2) The <auth>..</auth> is moved out of source element after doing blockcommit which I think it's unreasonable. Please review it. SC3: Do blockcommit for the overlay image creating by iscsi json with authentication 1. Create the overlay image: # qemu-img create --object secret,data='redhat',id=sec,format=raw -f qcow2 -b 'json:{"driver":"raw", "file":{"lun":"0", "portal":"10.66.144.87", "driver":"iscsi", "transport":"tcp", "target":"iqn.2020-04.com.chap.target", "user":"redhat", "password-secret":"sec"}}' -o backing_fmt='raw' /var/lib/libvirt/images/iscsi_auth_cipher 2. Start the guest with the following disk: # virsh dumpxml lmn | grep /disk -B16 <disk type='file' device='disk'> <driver name='qemu' type='qcow2' cache='none'/> <source file='/var/lib/libvirt/images/iscsi_auth_cipher' index='1'/> <backingStore type='network' index='2'> <format type='raw'/> <source protocol='iscsi' name='iqn.2020-04.com.chap.target/0'> <host name='10.66.144.87' port='3260'/> <auth username='redhat'> ---->This auth element is in source element <secret type='iscsi' usage='libvirtiscsi'/> </auth> </source> <backingStore/> </backingStore> <target dev='vdb' bus='virtio'/> <alias name='virtio-disk1'/> <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> </disk> 3. Do blockcommit and check the disk xml in guest. # virsh blockcommit lmn vdb --verbose --pivot Block commit: [100 %] Successfully pivoted # virsh dumpxml lmn | grep /disk -B12 <disk type='network' device='disk'> <driver name='qemu' type='raw' cache='none'/> <auth username='redhat'> ---->This auth element is out of source element <secret type='iscsi' usage='libvirtiscsi'/> </auth> <source protocol='iscsi' name='iqn.2020-04.com.chap.target/0' index='2'> <host name='10.66.144.87' port='3260'/> </source> <backingStore/> <target dev='vdb' bus='virtio'/> <alias name='virtio-disk1'/> <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> </disk>
(In reply to Meina Li from comment #6) > Hi Peter, > > Please help to check the following issues, thank you in advance. > > 1) Can you help to check which scenarios I also need to cover? I only > verified two scenarios in comment 5 which mentioned at the beginning of this > bug because I found most of patches are related with return value or cleanup > label. That should be okay I don't really have any other ideas > 2) The <auth>..</auth> is moved out of source element after doing > blockcommit which I think it's unreasonable. Please review it. Hmm, yeah the block jobs will change it. Please file a bug, we should prefer when auth is under <source>.
Hi Peter, About the auth element, I had another issue to confirm: Does the <auth> or <encryption> outside <source> are ignored now? I found some bugs need to be verified with <auth> under in <source>. And I also found that creating rbd pool with auth outside of source element failed because it can't get related authorization. #cat rbd.pool <pool type='rbd'> <name>rbdpool</name> <source> <name>libvirt-pool</name> <host name='10.66.146.31'/> </source> <auth username='admin'> <secret type='ceph' usage='libvirtceph'/> </auth> </pool> #virsh pool-create rbd.pool error: Failed to create pool from rbd.pool error: failed to connect to the RADOS monitor on: 10.66.146.31: Success #cat /var/log/libvirt/libvirtd.conf ... ... debug : virStorageBackendRBDOpenRADOSConn:229 : Not using cephx authorization ... debug : virStorageBackendRBDRADOSConfSet:172 : Setting RADOS option 'auth_supported' to 'none' ... debug: virStorageBackendRBDOpenRADOSConn:241 : Found 1 RADOS cluster monitors in the pool configuration ... debug : virStorageBackendRBDRADOSConfSet:172 : Setting RADOS option 'mon_host' to '10.66.146.31:3300,' ... debug : virStorageBackendRBDRADOSConfSet:172 : Setting RADOS option 'client_mount_timeout' to '30' ... debug : virStorageBackendRBDRADOSConfSet:172 : Setting RADOS option 'rados_mon_op_timeout' to '30' ... debug : virStorageBackendRBDRADOSConfSet:172 : Setting RADOS option 'rados_osd_op_timeout' to '30' ... debug : virStorageBackendRBDRADOSConfSet:172 : Setting RADOS option 'rbd_default_format' to '2' ... error : virStorageBackendRBDOpenRADOSConn:323 : failed to connect to the RADOS monitor on: 10.66.146.31:3300,: Success ... debug : virStorageBackendRBDCloseRADOSConn:360 : Closing RADOS connection ... virStorageBackendRBDCloseRADOSConn:366 : RADOS connection existed for 0 seconds
(In reply to Meina Li from comment #8) > Hi Peter, > > About the auth element, I had another issue to confirm: > Does the <auth> or <encryption> outside <source> are ignored now? No, but only for <disk>. Any other place doesn't specify it in places other than <source>. > I found some bugs need to be verified with <auth> under in <source>. And I > also found that creating rbd pool with auth outside of source element failed > because it can't get related authorization. > #cat rbd.pool > <pool type='rbd'> > <name>rbdpool</name> Storage pool issues are not related to the original bug.
According to comment 5, move this bug to be verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2017