From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34899)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1atZV1-0004hv-2g
	for qemu-devel@nongnu.org; Fri, 22 Apr 2016 07:43:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1atZV0-0002C5-1a
	for qemu-devel@nongnu.org; Fri, 22 Apr 2016 07:43:51 -0400
Date: Fri, 22 Apr 2016 12:43:40 +0100
From: "Daniel P. Berrange" <berrange@redhat.com>
Message-ID: <20160422114340.GD17478@redhat.com>
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
References: <1461320695-31372-1-git-send-email-berrange@redhat.com>
	<1461320695-31372-2-git-send-email-berrange@redhat.com>
	<20160422105928.GC4237@noname.redhat.com>
	<571A0766.9030007@kamp.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <571A0766.9030007@kamp.de>
Subject: Re: [Qemu-devel] [PATCH for-2.6] block: add an 'iscsi-id' value to
 match -drive with -iscsi opts
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Lieven <pl@kamp.de>
Cc: Kevin Wolf <kwolf@redhat.com>, qemu-devel@nongnu.org, qemu-block@nongnu.org, Ronnie Sahlberg <ronniesahlberg@gmail.com>, Paolo Bonzini <pbonzini@redhat.com>, John Ferlan <jferlan@redhat.com>, Pino Toscano <ptoscano@redhat.com>

On Fri, Apr 22, 2016 at 01:13:42PM +0200, Peter Lieven wrote:
> Am 22.04.2016 um 12:59 schrieb Kevin Wolf:
> > Am 22.04.2016 um 12:24 hat Daniel P. Berrange geschrieben:
> >> The iSCSI block driver has ability to lookup various options, in
> >> particular authentication info, specified by the separate -iscsi
> >> argument. It currently uses the iSCSI IQN as the ID value for this
> >> lookup, however, this does not work for common iSCSI IQNs as they
> >> contain characters such as ':' which are invalid for use as IDs.
> >>
> >> This adds an optional 'iscsi-id' parameter to the iSCSI block
> >> driver to allow an explicit ID string to be used to reference
> >> the -iscsi arg. For example
> >>
> >>  $QEMU \
> >>    -iscsi id=my_initiator,user=fred,password-secret=sec0 \
> >>    -drive driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1
> >>
> >> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > I would consider this a new feature rather than a fix appropriate for
> > -rc4.
> 
> +1
> 
> Its rather late and this might have some side effects that are not obvious.
> If you need to specify different credentials for different targets you can stil
> supply them in the iscsi URL:
> 
> iscsi://username:password@host/iqn/0

Use of that syntax is why CVE-2015-5160 exists because it exposes the
password to any other process on the host which can see the QEMU argv.
-iscsi supports the new password-secret arg that lets us avoid that
flaw.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|