[libvirt] [PATCH 2/2] qemu: Use secret objects to pass iSCSI passwords

Peter Krempa pkrempa at redhat.com
Wed Sep 13 13:24:42 UTC 2017


On Wed, Sep 13, 2017 at 09:05:43 -0400, John Ferlan wrote:
> 
> 
> On 09/13/2017 03:08 AM, Peter Krempa wrote:
> > On Tue, Sep 12, 2017 at 11:55:29 -0400, John Ferlan wrote:
> >>
> >>
> >> On 09/12/2017 09:36 AM, Peter Krempa wrote:
> >>> On Tue, Sep 05, 2017 at 15:09:35 -0400, John Ferlan wrote:
> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1425757
> >>>>
> >>>> The blockdev-add code provides a mechanism to sanely provide user
> >>>> and password-secret arguments for iscsi without placing them on the
> >>>> command line to be viewable by a 'ps -ef' type command or needing
> >>>> to create separate -iscsi devices for each disk/volume found.
> >>>>
> >>>> So modify the iSCSI command line building to check for the presence
> >>>> of the capability in order properly setup and use the domain master
> >>>> secret object to encrypt the password in a secret object and alter
> >>>> the parameters for the command line to utilize.
> >>>>
> >>>> Modify the xml2argvtest to exhibit the syntax for both disk and
> >>>> hostdev configurations.
> >>>>
> >>>> Signed-off-by: John Ferlan <jferlan at redhat.com>
> >>>> ---
> >>>>  src/qemu/qemu_command.c                            | 19 ++++++++-
> >>>>  src/qemu/qemu_domain.c                             |  4 ++
> >>>>  ...xml2argv-disk-drive-network-iscsi-auth-AES.args | 39 ++++++++++++++++++
> >>>>  ...uxml2argv-disk-drive-network-iscsi-auth-AES.xml | 43 +++++++++++++++++++
> >>>>  ...ml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args | 35 ++++++++++++++++
> >>>>  ...xml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml | 48 ++++++++++++++++++++++
> >>>>  tests/qemuxml2argvtest.c                           | 10 +++++
> >>>>  7 files changed, 196 insertions(+), 2 deletions(-)
> >>>>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.args
> >>>>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.xml
> >>>>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args
> >>>>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml
> >>>
> >>> Most of the stuff here looks reasonable but I don't think we should mix
> >>> the URI syntax with the file.param= syntax generated from the JSON
> >>> objects. Since there's a capability when this is supported, the command
> >>> line generator should use the new syntax.
> >>>
> >>> You can mark it in qemuDiskSourceNeedsProps so that it uses the new
> >>> generator if it's needed and supported and implement the JSON generator.
> >>>
> >>> The rest should then work as expected.
> >>>
> >>
> >> This is certainly where things didn't exactly match up the way I thought
> >> you have desired the virstoragefile and virstoragetest code to work.
> >>
> >> In particular, it's the "user" and "password-secret" options that cause
> >> the disconnect since they're a @disk private object and not a @disk->src
> >> object. I considered a number of different ways to cheat, but came up
> >> empty on each, so I just followed the existing RBD code.
> > 
> > Well and that is a problem. We can either consider the disk
> > authentication secrests to be the same for every single level of the
> > backing chain. In such case the user and secret are correctly placed in
> > the 'Disk' structure. In such case, still every single level of the
> > backing chain will eventually need to access them so that the
> > authentication can be done for every member.
> > 
> > We can also allow specifying a different one per every level of the
> > backing chain, which would make more sense in some configurations and
> > allow more flexibility. In such case we need to move them to the
> > virStorageSource structure so that every level can have individual
> > authentication data.
> > 
> > In the long term I think that solution 1 would bite us and we'd need to
> > add individual authentication for the volumes anyways.
> > 
> 
> caveat: my knowledge of backing chain details is quite limited...
> 
> Can different levels of the backing chain use different source servers?
> 
> IOW: Assume the top level is:
> 
> <source protocol='iscsi' name='iqn.2013-07.com.example:iscsi-nopool/2'>
>   <host name='example.com' port='3260'/>
> </source>
> 
> could some layer deeper then have:
> 
> <source protocol='iscsi'
> name='iqn.2013-07.com.example.adifferent:iscsi-nopool/1'>
>   <host name='adifferent.example.com' port='3260'/>
> </source>

Yes it could. In fact you can even change to different protocol. For now
you need to be able to express it via the "backing_file" string in the
qcow2 header. In the future, we will keep it in the XML (as we do when
you start the VM, but that is output-only currently).

> 
> ?
> 
> If so, then <auth> should be a child of <source> rather than <disk>.
> If not, then <auth> should stay as child of <disk>.

Um, yes. It should be a child of <source> in this case. At least for the
nested elements. We also need a way to add <encryption> to source, since
that is also per layer.

> 
> I would think it would be quite difficult to configure usage of multiple
> servers. Would that mean if one of the sources wasn't available or had
> some sort of failure, then the whole chain is invalid? The complexity is
> rather mind boggling, if not fragile...

You can even alternate between local files and remote storage, if you
want to get even more weird ..., still it's possible even now, so we'll
need to keep this functionality.

There are use cases where your base-image is copied to every single host
and the overlay is hosted on network, to decrease initial bandwidth.

> >> One cannot reconstruct the <auth> element properly given that all the
> >> arguments have is a username and an alias, but would need to have either
> >> a "usage" or "uuid" string. The secret object doesn't contain that
> >> either, so it'd need to be stored somehow.
> > 
> > You mean from parsing of the backing chain? That won't be necessary.
> > 
> 
> I was thinking more about virstoragefile.c and virstoragetest.c. It's
> easy enough to fetch the user/password-secret in
> virStorageSourceParseBackingJSONiSCSI:
> 
> +    const char *user = virJSONValueObjectGetString(json, "user");
> +    const char *secret = virJSONValueObjectGetString(json,
> "password-secret");
> 
> But there's not much one can do with it as you get (for example):
> 
>     user = "myname"
>     secret = "virtio-disk1-secret0"
> 
> but an <auth> would look like:
> 
>     <auth username='myname'>
>       <secret type='iscsi' usage='mycluster_myname'/>
>     </auth>
> 
> So to a degree it's not testable to build the XML as virstoragetest
> does. Sine the secret can be built up using the disk alias, it's perhaps
> not even worth storing away.

Yes, the field is rather useless. I'm even surprised that it's recorded
into the backing file string. It may be used as a notification that
authentication is required, but without actually adding the secret with
correct name, the thing won't work anyways.

> >> Perhaps if the @secinfo moved from private into source that would help,
> >> although perhaps not following the RNG. Still there'd also have to be a
> > 
> > We don't follow the RNG in internal structures. In some cases the RNG
> > does not make sense, but the strucutres can be changed to make sense.
> > 
> 
> But we only support one <auth> per <disk>, so in order to be associated
> with <source>, the RNG would need to support that and the code would
> need to be modified such that <auth> is a child of <source>.
> 
> We'd have to support "both" formats.  If <auth> was a child of <disk>,
> then perhaps it only supports one-level depth.  We could also read under
> <disk>, but move to under <source> on output if we were so inclined.
> Still that would then require every level of the backing chain to have
> it's own <auth> even if that is the same <auth> as the predecessor. I'm
> thinking and typing here, so I haven't thought through all the
> possibilities.

Well, this was probably inherited as a legacy approach. We really need
them per backing file though.

> 
> >> way to save the string used in the original <auth> element used to look
> >> up the secret (either by uuid or by usage). Having the password-secret
> >> alias is OK, but really not useful.
> > 
> > That is needed only for formatting of the command line (or monitor
> > command) and for removing the correct secret on unplug. Most of the
> > times you can infer it. We can as well as store it and not have to
> > generate it all the time. That is an implementation detail though.
> > 
> 
> Again - I was thinking of the test environment that builds the XML from
> the JSON. I had actually started down this path originally, but got
> stuck at precisely that point.  So I have code in a branch already that
> can do everything except the virstoragetest rebuild of <auth>.
> 
> >> Maybe "some future" adjustment could modify the password-secret alias to
> >> be (for example) "virtio-disk0-%s-secret0" where the %s is either a UUID
> >> or a Usage string of the secret used to generate the object. Perhaps
> >> even the unsigned char UUID too so as to not have too many extra "-"'s
> >> to parse/read.  That'd be an awful alias, but serve a purpose as well.
> > 
> > No, this is not necessary. We can store the data in the status XML. The
> > alias (in password secret) is needed only to remove them in case of
> > unplug and it's not really necessary to trace back which secret was used
> > to populate it.
> > 
> 
> OK... that's good because that would get ugly fast. Saving the secret
> alias in the status can be done, but is it useful since it's easily
> generated from the disk/drive alias?

And it will need to be generated from the node name or other backing
file specific identifier, since each level can have it's own ...

> 
> >> A similar problem exists for RBD, but the RBD code in virstoragefile and
> >> virstoragetest totally ignore the authentication pieces... That syntax
> >> is a bit more hairly because it's only the RBD password-secret field
> >> that needs the "file." (or not if -drive driver=rbd,... was supported).
> > 
> > Ummm. The test does not need to deal with this necessarily. My issue is
> > with the JSON structure generator, which should be fully used. And that
> > generator is private to the qemu driver.
> > 
> 
> Well RBD would seemingly need to be updated as well, but it's a disjoint
> thought to the iSCSI, although still related since both RBD and iSCSI
> can use secrets in this manner.
> 
> The usage of "-drive driver=XXX" was a separate thought. I wasn't sure
> if you were going down the path of converting usage of using that newer
> syntax rather than the "-drive file...". In a way, I suppose I'm
> surprised that usage of "file" was chosen over "driver=XXX".  But that's
> a different discussion. One that keeps creeping back though as all the
> QEMU examples show the driver=XXX syntax and it seems they're trying to
> move away from the "file" syntax.

The new syntax uses -blockdev to express any backing elements and then
the -drive only refers to the backing element via node name. That's the
main reason why I want to use the JSON->props style. It's the same for
-blockdev and the blockdev-add QMP command and it's more flexible.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170913/ff3976fb/attachment-0001.sig>


More information about the libvir-list mailing list