From: "Daniel P. Berrange" <berrange@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: Peter Lieven <pl@kamp.de>,
qemu-devel@nongnu.org, qemu-block@nongnu.org,
Ronnie Sahlberg <ronniesahlberg@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>,
John Ferlan <jferlan@redhat.com>,
Pino Toscano <ptoscano@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-2.6] block: add an 'iscsi-id' value to match -drive with -iscsi opts
Date: Fri, 22 Apr 2016 12:55:35 +0100
Message-ID: <20160422115535.GE17478@redhat.com>
In-Reply-To: <20160422115347.GE4237@noname.redhat.com>

On Fri, Apr 22, 2016 at 01:53:47PM +0200, Kevin Wolf wrote:
> On 22.04.2016 at 13:43, Daniel P. Berrange wrote:
> > On Fri, Apr 22, 2016 at 01:13:42PM +0200, Peter Lieven wrote:
> > > On 22.04.2016 at 12:59, Kevin Wolf wrote:
> > > > On 22.04.2016 at 12:24, Daniel P. Berrange wrote:
> > > >> The iSCSI block driver has the ability to look up various options, in
> > > >> particular authentication info, specified by the separate -iscsi
> > > >> argument. It currently uses the iSCSI IQN as the ID value for this
> > > >> lookup, however, this does not work for common iSCSI IQNs as they
> > > >> contain characters such as ':' which are invalid for use as IDs.
> > > >>
> > > >> This adds an optional 'iscsi-id' parameter to the iSCSI block
> > > >> driver to allow an explicit ID string to be used to reference
> > > >> the -iscsi arg. For example
> > > >>
> > > >>   $QEMU \
> > > >>     -iscsi id=my_initiator,user=fred,password-secret=sec0 \
> > > >>     -drive driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1
> > > >>
> > > >> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > > > I would consider this a new feature rather than a fix appropriate for
> > > > -rc4.
> > >
> > > +1
> > >
> > > It's rather late and this might have some side effects that are not obvious.
> > > If you need to specify different credentials for different targets you can still
> > > supply them in the iscsi URL:
> > >
> > > iscsi://username:password@host/iqn/0
> >
> > Use of that syntax is why CVE-2015-5160 exists because it exposes the
> > password to any other process on the host which can see the QEMU argv.
> > -iscsi supports the new password-secret arg that lets us avoid that
> > flaw.
>
> -iscsi is a weird thing anyway. We should do things the usual way, with
> a proper BlockdevOptionsIscsi QAPI structure. Introducing a new API in
> 2.6 when we know we'll deprecate it again in 2.7 doesn't seem to make
> that much sense.
>
> Plus, it's -rc4 now. The problem isn't a crash or a regression. It
> merely means that you might need to wait for another release before you
> can use iscsi. Pretty much the definition of a new feature.

Ok, I thought that would probably be the response, but I wanted to be able
to say I tried anyway, given it was for a libvirt security bug. We'll just
have to wait a bit longer to fix it for iscsi.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
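
An added example, not part of the original message or of QEMU: a small audit that flags command lines exposing an iSCSI password in argv, the exposure the thread attributes to CVE-2015-5160, and returns only redacted forms. The name `audit_argv` and the sample command lines are constructed for illustration; the `PROPOSED` sample uses the `iscsi-id` syntax from the quoted patch description, and the `%` separator and literal `password=` checks go beyond the one URL form shown in the thread.

```python
import re

# iSCSI URL embedded in any argument, e.g. a bare URL or
# "driver=iscsi,file=iscsi://...". QEMU option values end at a comma.
ISCSI_URL = re.compile(r"iscsi://([^\s,/]*)(/[^\s,]*)?")


def audit_argv(argv):
    """Return (arg_index, redacted_form) for each argument that exposes an
    iSCSI password in the process argv. Passwords are never returned."""
    findings = []
    for i, arg in enumerate(argv):
        for m in ISCSI_URL.finditer(arg):
            authority, path = m.group(1), m.group(2) or ""
            if "@" not in authority:
                continue  # no credentials in the URL
            userinfo, hostport = authority.rsplit("@", 1)
            # ':' is the separator used in the thread; '%' is the other
            # separator in QEMU's documented iSCSI URL syntax.
            fields = re.split(r"[:%]", userinfo, maxsplit=1)
            if len(fields) == 2 and fields[1]:
                findings.append(
                    (i, f"iscsi://{fields[0]}:<redacted>@{hostport}{path}"))
        # A literal password= key in the value of -iscsi is equally visible;
        # password-secret= does not match because '=' must follow "password".
        if i > 0 and argv[i - 1] == "-iscsi" and re.search(r"(^|,)password=", arg):
            findings.append((i, re.sub(r"(^|,)password=[^,]*",
                                       r"\1password=<redacted>", arg)))
    return findings


# Constructed sample command lines (not captured from a real host).
WEAK = ["qemu-system-x86_64", "-drive",
        "driver=iscsi,file=iscsi://username:password@host/iqn/0"]
# The form proposed in the quoted patch description.
PROPOSED = ["qemu-system-x86_64",
            "-iscsi", "id=my_initiator,user=fred,password-secret=sec0",
            "-drive",
            "driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1"]

if __name__ == "__main__":
    for name, argv in (("weak", WEAK), ("proposed", PROPOSED)):
        print(name, audit_argv(argv))
```
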