Red Hat Bugzilla – Bug 957293
support libiscsi for SCSI passthrough devices
Last modified: 2016-04-26 10:02:46 EDT
<disk> supports libiscsi for direct userspace access to iSCSI LUNs. This should be supported with an XML similar to this: <hostdev mode='subsystem' type='scsi'> <source protocol='iscsi'> <host name="iscsi.example.com"/> <device path='iqn.1992-01.com.example'/> <auth username='myname'> <secret type='iscsi' usage='mycluster_myname'/> </auth> </source> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </hostdev>
As of 3.10, the queue object is only exposed for SCSI disks, so there is no way to toggle unpriv_sgio on non-disk devices. If one wants to bypass the kernel's command whitelist, the choices are either iSCSI or running with CAP_SYS_RAWIO. So, this bug is required to support persistent reservation on non-disk devices (e.g. tapes or media changers), unless one is okay with running as CAP_SYS_RAWIO---which effectively means root.
Code is now posted upstream with the series starting at : http://www.redhat.com/archives/libvir-list/2014-July/msg00592.html
This has now been pushed upstream: commit 54ac483e68328b35749ed9cbdc837d541da5fabd Author: John Ferlan <jferlan@redhat.com> Date: Wed Jul 9 10:08:34 2014 -0400 hostdev: Add iSCSI hostdev XML Introduce a new structure to handle an iSCSI host device based on the existing virDomainHostdevSubsysSCSI by adding a "protocol='iscsi'" to the <source/> element. The existing scsi_host subsystem RNG was modified to read an optional "protocol='adapter'", although it won't be written out nor is it documented as an option (by choice). The new hostdev structure mimics the existing <disk/> element for an iSCSI device (network) device. New XML is: <hostdev mode='subsystem' type='scsi' managed='yes'> <source protocol='iscsi' name='iqn.1992-01.com.example'> <host name='example.org' port='3260'/> <auth username='myname'> <secret type='iscsi' usage='mycluster_myname'/> </auth> </source> <address type='drive' controller='0' bus='0' target='2' unit='5'/> </hostdev> The controller element will mimic the existing scsi_host code insomuch as when 'lsi' and 'virtio-scsi' are used. git describe : v1.2.7-21-g54ac483
Verified the bug with following scenarions. The results are expected. Change the status to VERIFIED. Version: libvirt-1.2.8-9.el7.x86_64 qemu-kvm-1.5.3-82.el7.x86_64 qemu-kvm-rhev-2.1.2-13.el7.x86_64 Scenario 1: Start guest with a iscsi device. The device can be used in guest. 1. Start guest with a iscsi device. On host: # virsh edit r7 Domain r7 XML configuration edited. # virsh start r7 Domain r7 started # virsh dumpxml r7 ... <hostdev mode='subsystem' type='scsi' managed='no'> <source protocol='iscsi' name='iqn.yy:server.target1/1'> <host name='10.66.100.101' port='3260'/> </source> <alias name='hostdev0'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> # ps -axu | grep qemu ... -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x8 ... -drive file=iscsi://10.66.100.101:3260/iqn.yy%3Aserver.target1/1,if=none,format=raw,id=drive-hostdev0 -device scsi-generic,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-hostdev0,id=hostdev0 2. Using 'fdisk -l' command can find the device in guest. And the device can read and write. Scenario 2: iscsi device hot-plug/hot-unplug. 1. Start a guest and hot-plug a iscsi device. # virsh start r7 Domain r7 started # virsh attach-device r7 iscsi.xml Device attached successfully # virsh dumpxml r7 ... <hostdev mode='subsystem' type='scsi' managed='no'> <source protocol='iscsi' name='iqn.yy:server.target1/1'> <host name='10.66.100.101' port='3260'/> </source> <alias name='hostdev0'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> 2. Using 'fdisk -l' command can find the device in guest. And the device can read and write. 3. Hot-unplug the device. # virsh detach-device r7 iscsi.xml Device detached successfully 4. The device can't find in guest. Scenario 3: Start guest with a iscsi device. Accessing the device need to auth. 1. Preparation. # cat secret.xml <secret ephemeral='no' private='yes'> <description>Passphrase for the iSCSI example.com server</description> <usage type='iscsi'> <target>libvirtiscsi</target> </usage> </secret> # virsh secret-define secret.xml Secret 51611f0c-9afa-44f9-9ae0-27eae978cbdd created # virsh secret-list UUID Usage -------------------------------------------------------------------------------- 51611f0c-9afa-44f9-9ae0-27eae978cbdd iscsi libvirtiscsi # virsh secret-set-value 51611f0c-9afa-44f9-9ae0-27eae978cbdd `printf %s "redhat" | base64` Secret value set 2. Start guest with the iscsi device. # virsh start r7 Domain r7 started # virsh dumpxml r7 ... <hostdev mode='subsystem' type='scsi' managed='no'> <source protocol='iscsi' name='iqn.yy:server.target2/1'> <host name='10.66.100.101' port='3260'/> <auth username='redhat'> <secret type='iscsi' usage='libvirtiscsi'/> </auth> </source> <alias name='hostdev0'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> 3. Using 'fdisk -l' command can find the device in guest. And the device can read and write. 4. Remove 'auth' element from guest xml. Starting guest fail. # virsh destroy r7 Domain r7 destroyed # virsh edit r7 Domain r7 XML configuration edited. # virsh dumpxml r7 ... <hostdev mode='subsystem' type='scsi' managed='no'> <source protocol='iscsi' name='iqn.yy:server.target2/1'> <host name='10.66.100.101' port='3260'/> </source> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> # virsh start r7 error: Failed to start domain r7 error: internal error: process exited while connecting to monitor: 2014-12-03T06:18:38.900010Z qemu-kvm: -drive file=iscsi://10.66.100.101:3260/iqn.yy%3Aserver.target2/1,if=none,format=raw,id=drive-hostdev0: could not open disk image iscsi://10.66.100.101:3260/iqn.yy%3Aserver.target2/1: iSCSI: Failed to connect to LUN : Failed to log in to target. Status: Authentication failure(513) Scenario 4: iscsi device hot-plug/hot-unplug. Accessing the device need to auth. 1. Start guest. Hot-plug the iscsi device to guest. # virsh start r7 Domain r7 started # cat iscsi.xml <hostdev mode='subsystem' type='scsi' managed='no'> <source protocol='iscsi' name='iqn.yy:server.target2/1'> <host name='10.66.100.101' port='3260'/> <auth username='redhat'> <secret type='iscsi' usage='libvirtiscsi'/> </auth> </source> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> # virsh attach-device r7 iscsi.xml Device attached successfully # virsh dumpxml r7 ... <hostdev mode='subsystem' type='scsi'> <source protocol='iscsi' name='iqn.yy:server.target2/1'> <host name='10.66.100.101' port='3260'/> <auth username='redhat'> <secret type='iscsi' usage='libvirtiscsi'/> </auth> </source> <alias name='hostdev0'/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> 2. Using 'fdisk -l' command can find the device in guest. And the device can read and write. 3. Hot-unplug the device. # virsh detach-device r7 iscsi.xml Device detached successfully 4. The device can't find in guest. 5. Remove 'auth' element from xml. Attaching the device fail. # cat iscsi.xml <hostdev mode='subsystem' type='scsi' managed='no'> <source protocol='iscsi' name='iqn.yy:server.target2/1'> <host name='10.66.100.101' port='3260'/> </source> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> # virsh attach-device r7 s.xml error: Failed to attach device from s.xml error: internal error: unable to execute QEMU command '__com.redhat_drive_add': Device 'drive-hostdev0' could not be initialized
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0323.html