[Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Qixiaozhen]

[-- Attachment #1.1: Type: text/plain, Size: 1989 bytes --]

Hi,all

A instance was created by virsh command in the CentOS 6.4.

The LUN in the Storage Array Network(SAN) was attached to the instance with the following xml.

    <disk type='block' device='lun'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/mapper/360022a110000ecba5db427db00000023'/>
      <target dev='vdb' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</disk>
<controller type='scsi' model='virtio-scsi'/>


A scsi report command was executed in the instance, for example "sg_luns /dev/vdb". However, It returned the list of the Luns in the SAN.


1)       The unrelated luns in the SAN were not isolated in the instance.
[root@localhost ~]# sg_luns /dev/vdb
Lun list length = 80 which imples 10 lun entries
Report luns [select_report=0]:
    0000000000000000
   0001000000000000
    0002000000000000
    0003000000000000
    0004000000000000
    0005000000000000
    0006000000000000
    0007000000000000
    0008000000000000
    0009000000000000
[root@localhost ~]#sg_map
Stopping because no sg device found
[root@localhost ~]#
[root@localhost ~]#

[cid:image009.png@01CF1B49.A36DAC30]


2)       The report lun command in the physical server:

[root@qixiaozhen sdb]# sg_luns /dev/mapper/360022a110000ecba5db427db00000023
Lun list length = 80 which imples 10 lun entries
Report luns [select_report=0x0]:
    0000000000000000
    0001000000000000
    0002000000000000
    0003000000000000
    0004000000000000
    0005000000000000
    0006000000000000
    0007000000000000
    0008000000000000
    0009000000000000
[root@qixiaozhen sdb]#


Is there any security problem if the report lun command was not isolated ?

Sincerely,

Qi

-----------------------------------------------------------
Xiaozhen Qi
Huawei Technologies Co.,LTD.
IT Product Line CloudOS PDU
China, Xi'an
Mobile: +86-13609283376
Email: qixiaozhen@huawei.com

[-- Attachment #1.2: Type: text/html, Size: 12353 bytes --]

[-- Attachment #2: image009.png --]
[-- Type: image/png, Size: 22043 bytes --]

Re: [Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Paolo Bonzini]

Il 27/01/2014 03:50, Qixiaozhen ha scritto:
> A scsi report command was executed in the instance, for example “sg_luns
> /dev/vdb”. However, It returned the list of the Luns in the SAN.

This is a known problem in virtio-blk's SCSI emulation.  Just don't use 
it, use virtio-scsi or another SCSI adapter instead.

Paolo

Re: [Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Qixiaozhen]

> 
> Il 27/01/2014 03:50, Qixiaozhen ha scritto:
> > A scsi report command was executed in the instance, for example
> > "sg_luns /dev/vdb". However, It returned the list of the Luns in the SAN.
> 
> This is a known problem in virtio-blk's SCSI emulation.  Just don't use it, use
> virtio-scsi or another SCSI adapter instead.

I am not sure whether there was something wrong with my xml. The content of the configuration xml lists:

[root@qixiaozhen sdb]# virsh dumpxml 6
<domain type='kvm' id='6'>
  <name>instance-00000qxz</name>
  <uuid>2052f60e-a273-42b4-bdb7-e633f41e1624</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <sysinfo type='smbios'>
    <system>
      <entry name='manufacturer'>Red Hat Inc.</entry>
      <entry name='product'>OpenStack Nova</entry>
      <entry name='version'>2013.2-5.el6</entry>
      <entry name='serial'>1b800e36-ed60-117b-8567-000000821800</entry>
      <entry name='uuid'>2052f60e-a273-42b4-bdb7-e633f41e1624</entry>
    </system>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='rhel6.4.0'>hvm</type>
    <boot dev='hd'/>
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-model'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='rtc' tickpolicy='catchup'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/home/sdb/centos64.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <!-- #############Raw Device Mapping with virtio-scsi################## -->
    <disk type='block' device='lun'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/mapper/360022a110000ecba5db427db00000023'/>
      <target dev='vdb' bus='virtio'/>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </disk>
    <!-- ########### Compare with the above one ################## -->
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/mapper/360022a110000ecba5db4074800000022'/>
      <target dev='vdc' bus='virtio'/>
      <alias name='virtio-disk2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <!-- #################virtio-scsi controller##################### -->
    <controller type='scsi' index='0' model='virtio-scsi'>
      <alias name='scsi0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </controller>
    <serial type='pty'>
      <source path='/dev/pts/2'/>
      <target port='1'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty'>
      <source path='/dev/pts/2'/>
      <target type='serial' port='1'/>
      <alias name='serial0'/>
    </console>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5900' autoport='yes' listen='186.100.8.169' keymap='en-us'>
      <listen type='address' address='186.100.8.169'/>
    </graphics>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c156,c614</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c156,c614</imagelabel>
  </seclabel>
</domain>

[root@qixiaozhen sdb]#


Paolo, would you mind to give me some advice to fix my xml? And I am not familiar with this.

Sincerely,

Re: [Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Paolo Bonzini]

Il 27/01/2014 13:22, Qixiaozhen ha scritto:
>     <!-- #############Raw Device Mapping with virtio-scsi################## -->
>     <disk type='block' device='lun'>
>       <driver name='qemu' type='raw' cache='none'/>
>       <source dev='/dev/mapper/360022a110000ecba5db427db00000023'/>
>       <target dev='vdb' bus='virtio'/>
>       <alias name='virtio-disk1'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
>     </disk>

This is not using virtio-scsi.

A virtio-scsi disk would appear as /devs/sda in the VM.  For example:

     <disk type='block' device='lun'>
       <driver name='qemu' type='raw' cache='none'/>
       <source dev='/dev/mapper/360022a110000ecba5db427db00000023'/>
       <target dev='sdb' bus='scsi'/>
       <address type='drive' controller='0' bus='0'/>
     </disk>

     <disk type='block' device='disk'>
       <driver name='qemu' type='raw' cache='none'/>
       <source dev='/dev/mapper/360022a110000ecba5db4074800000022'/>
       <target dev='sda' bus='scsi'/>
       <address type='drive' controller='0' bus='1'/>
     </disk>

     <controller type='scsi' index='0' model='virtio-scsi'/>

You can now try sg_inq for both disks.  One will show your NAS's product 
and vendor names, the other will show QEMU as vendor and QEMU HARD DISK 
as product.

Paolo

Re: [Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Stefan Hajnoczi]

On Mon, Jan 27, 2014 at 02:50:04AM +0000, Qixiaozhen wrote:
> A instance was created by virsh command in the CentOS 6.4.
> 
> The LUN in the Storage Array Network(SAN) was attached to the instance with the following xml.
> 
>     <disk type='block' device='lun'>
>       <driver name='qemu' type='raw' cache='none'/>
>       <source dev='/dev/mapper/360022a110000ecba5db427db00000023'/>
>       <target dev='vdb' bus='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
> </disk>
> <controller type='scsi' model='virtio-scsi'/>
> 
> 
> A scsi report command was executed in the instance, for example "sg_luns /dev/vdb". However, It returned the list of the Luns in the SAN.
> 
> 
> 1)       The unrelated luns in the SAN were not isolated in the instance.
> [root@localhost ~]# sg_luns /dev/vdb
> Lun list length = 80 which imples 10 lun entries
> Report luns [select_report=0]:
>     0000000000000000
>    0001000000000000
>     0002000000000000
>     0003000000000000
>     0004000000000000
>     0005000000000000
>     0006000000000000
>     0007000000000000
>     0008000000000000
>     0009000000000000

You are using virtio-blk with SCSI-passthrough, not virtio-scsi (it's
confusing but libvirt type='block' device='lun' means virtio-blk).  This
feature has fallen out of favor and is generally best replaced with
virtio-scsi instead of virtio-blk.

If you do not require raw SCSI commands from the guest, then change
device='lun' to device='disk'.

What exactly are you trying to do?

Stefan

Re: [Qemu-devel] [Qemu/Virtio-scsi]The feature of 'raw device mapping' cannot isolate the LUN to the owning virtual machine

[Qixiaozhen]

> On Mon, Jan 27, 2014 at 02:50:04AM +0000, Qixiaozhen wrote:
> > A instance was created by virsh command in the CentOS 6.4.
> >
> > The LUN in the Storage Array Network(SAN) was attached to the instance
> with the following xml.
> >
> >     <disk type='block' device='lun'>
> >       <driver name='qemu' type='raw' cache='none'/>
> >       <source
> dev='/dev/mapper/360022a110000ecba5db427db00000023'/>
> >       <target dev='vdb' bus='virtio'/>
> >       <address type='pci' domain='0x0000' bus='0x00' slot='0x06'
> > function='0x0'/> </disk> <controller type='scsi' model='virtio-scsi'/>
> >
> >
> > A scsi report command was executed in the instance, for example "sg_luns
> /dev/vdb". However, It returned the list of the Luns in the SAN.
> >
> >
> > 1)       The unrelated luns in the SAN were not isolated in the instance.
> > [root@localhost ~]# sg_luns /dev/vdb
> > Lun list length = 80 which imples 10 lun entries Report luns
> > [select_report=0]:
> >     0000000000000000
> >    0001000000000000
> >     0002000000000000
> >     0003000000000000
> >     0004000000000000
> >     0005000000000000
> >     0006000000000000
> >     0007000000000000
> >     0008000000000000
> >     0009000000000000
> 
> You are using virtio-blk with SCSI-passthrough, not virtio-scsi (it's confusing but
> libvirt type='block' device='lun' means virtio-blk).  This feature has fallen out of
> favor and is generally best replaced with virtio-scsi instead of virtio-blk.
> 
> If you do not require raw SCSI commands from the guest, then change
> device='lun' to device='disk'.
> 
> What exactly are you trying to do?

VMware document said that 'In physical mode, the VMkernel passes all SCSI commands to the device, with one exception: the REPORT LUNs command is virtualized so that the VMkernel can isolate the LUN to the owning virtual machine.'

So I want to test the very RDM feature in Qemu.

With Paolo's kindly help, a mistake was found in the configuration. Thanks for all your help.

Sincerely,