From: Kevin Wolf <kwolf@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Peter Lieven <pl@kamp.de>,
	qemu-devel@nongnu.org, qemu-block@nongnu.org,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	John Ferlan <jferlan@redhat.com>,
	Pino Toscano <ptoscano@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.6] block: add an 'iscsi-id' value to match -drive with -iscsi opts
Date: Fri, 22 Apr 2016 13:53:47 +0200
Message-ID: <20160422115347.GE4237@noname.redhat.com>
In-Reply-To: <20160422114340.GD17478@redhat.com>

On 22.04.2016 at 13:43, Daniel P. Berrange wrote:
> On Fri, Apr 22, 2016 at 01:13:42PM +0200, Peter Lieven wrote:
> > On 22.04.2016 at 12:59, Kevin Wolf wrote:
> > > On 22.04.2016 at 12:24, Daniel P. Berrange wrote:
> > >> The iSCSI block driver has the ability to look up various options, in
> > >> particular authentication info, specified by the separate -iscsi
> > >> argument. It currently uses the iSCSI IQN as the ID value for this
> > >> lookup, however, this does not work for common iSCSI IQNs as they
> > >> contain characters such as ':' which are invalid for use as IDs.
> > >>
> > >> This adds an optional 'iscsi-id' parameter to the iSCSI block
> > >> driver to allow an explicit ID string to be used to reference
> > >> the -iscsi arg. For example
> > >>
> > >>  $QEMU \
> > >>    -iscsi id=my_initiator,user=fred,password-secret=sec0 \
> > >>    -drive driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1
> > >>
> > >> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > > I would consider this a new feature rather than a fix appropriate for
> > > -rc4.
> > 
> > +1
> > 
> > It's rather late and this might have some side effects that are not obvious.
> > If you need to specify different credentials for different targets you can still
> > supply them in the iscsi URL:
> > 
> > iscsi://username:password@host/iqn/0
> 
> Use of that syntax is why CVE-2015-5160 exists because it exposes the
> password to any other process on the host which can see the QEMU argv.
> -iscsi supports the new password-secret arg that lets us avoid that
> flaw.

-iscsi is a weird thing anyway. We should do things the usual way, with
a proper BlockdevOptionsIscsi QAPI structure. Introducing a new API in
2.6 when we know we'll deprecate it again in 2.7 doesn't seem to make
that much sense.

Plus, it's -rc4 now. The problem isn't a crash or a regression. It
merely means that you might need to wait for another release before you
can use iscsi. Pretty much the definition of a new feature.

Kevin
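
The argv exposure discussed in the quoted replies can be audited on a host. The following is an added example, not part of the original message or of QEMU: it flags iscsi:// URLs of the `username:password@host` form shown in the thread inside a process argument list and returns them redacted. The function names and the sample argument lists are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# An iscsi:// URL embedded in a QEMU option string such as
# "driver=iscsi,file=iscsi://user:pw@host/iqn/0" (options are comma separated).
ISCSI_URL = re.compile(r"iscsi://[^\s,]+")


def find_exposed_iscsi_credentials(argv):
    """Return (arg_index, user, redacted_url) for every iscsi URL in argv
    that carries a password in its userinfo part."""
    findings = []
    for index, arg in enumerate(argv):
        for match in ISCSI_URL.finditer(arg):
            parts = urlsplit(match.group(0))
            if parts.password is None:
                continue  # no inline password, nothing leaks through argv
            hostport = parts.netloc.rpartition("@")[2]
            redacted = f"iscsi://{parts.username}:***@{hostport}{parts.path}"
            findings.append((index, parts.username, redacted))
    return findings


def read_cmdline(pid):
    """argv of a live Linux process; by default this file is readable by
    other local users, which is the exposure the thread describes."""
    with open(f"/proc/{pid}/cmdline", "rb") as handle:
        raw = handle.read()
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


# Constructed sample: password carried in the URL.
WEAK_ARGV = [
    "qemu-system-x86_64",
    "-drive",
    "driver=iscsi,file=iscsi://fred:s3cret@somehost/iqn/0",
]

# The command line proposed in the thread: the password is referenced
# through password-secret and never appears in argv.
SECRET_ARGV = [
    "qemu-system-x86_64",
    "-iscsi", "id=my_initiator,user=fred,password-secret=sec0",
    "-drive", "driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1",
]

if __name__ == "__main__":
    for name, argv in (("weak", WEAK_ARGV), ("secret", SECRET_ARGV)):
        print(name, find_exposed_iscsi_credentials(argv))
```

To audit a running process, pass `read_cmdline(pid)` to `find_exposed_iscsi_credentials`.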

Thread overview: 10+ messages
2016-04-22 10:24 [Qemu-devel] [PATCH for-2.6] Fix association of -drive & -iscsi args Daniel P. Berrange
2016-04-22 10:24 ` [Qemu-devel] [PATCH for-2.6] block: add an 'iscsi-id' value to match -drive with -iscsi opts Daniel P. Berrange
2016-04-22 10:59   ` Kevin Wolf
2016-04-22 11:13     ` Peter Lieven
2016-04-22 11:43       ` Daniel P. Berrange
2016-04-22 11:53         ` Kevin Wolf [this message]
2016-04-22 11:55           ` Daniel P. Berrange
2016-04-22 12:10             ` Peter Maydell
2016-04-22 12:29               ` Daniel P. Berrange
2016-04-22 11:50     ` Markus Armbruster