Re: problem with rbd auth after switch to secret objects

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Aug 10, 2016 at 04:01:11PM -0600, Jim Fehlig wrote:
> Hi John,
> 
> I've been having problems with rbd auth since the change to using qemu's secret
> objects. E.g. when hotplugging disk config
> 
> <disk type="network" device="disk">
>   <driver name="qemu" type="raw" cache="none"/>
>   <source protocol="rbd" name="volumes/volume-f9c33a0a-5313-44fc-9624-c3b09ed21a57">
>     <host name="xxx.xxx.xxx.xxx" port="6789"/>
>   </source>
>   <auth username="cinder">
>     <secret type="ceph" uuid="dcff478d-8021-42c4-b57a-98b5f5447e8f"/>
>   </auth>
>   <target bus="virtio" dev="vdb"/>
> </disk>
> 
> libvirt issues the following monitor commands
> 
> 2016-08-08 16:13:41.720+0000: 27504: info : qemuMonitorSend:1006 :
> QEMU_MONITOR_SEND_MSG: mon=0x7f55c4000f50
> msg={"execute":"object-add","arguments":{"qom-type":"secret","id":"virtio-disk1-secret0","props":{"data":"w6x17STyqO9tMEOpAJy9Mnx+B5R1qrsJBXZZn/uZCKU=","keyid":"masterKey0","iv":"ZAE6WkKf+jDIl9lJkXGsnQ==","format":"base64"}},"id":"libvirt-12"}
> 2016-08-08 16:13:41.722+0000: 27504: debug : qemuMonitorJSONCommandWithFd:296 :
> Send command
> '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy
> file=rbd:volumes/volume-f9c33a0a-5313-44fc-9624-c3b09ed21a57:id=cinder:auth_supported=cephx\\;none:mon_host=xxx.xx.xxx.xxx\\:6789,password-secret=virtio-disk1-secret0,format=raw,if=none,id=drive-virtio-disk1,cache=none"},"id":"libvirt-13"}'
> 
> The latter fails with
> 
> 2016-08-08 16:13:41.733+0000: 27499: debug : virJSONValueFromString:1604 :
> string={"return": "error connecting\r\n", "id": "libvirt-13"}
> 
> Debugging in the qemu rbd code, I found that
> 
> secretid = qemu_opt_get(opts, "password-secret");
> 
> in $qemu-src/block/rbd.c:qemu_rbd_create() returns NULL. The NULL secretid is
> later passed to qemu_rbd_set_auth(), which silently returns success when
> secretid==NULL. Later, rados_connect() fails with "error connecting" since the
> secret was not configured.
> 
> I'm not familiar with qemu option parsing, but it seems the
> ...,password-secret=xxx,... associates the password-secret option parsing with
> the drive object, whereas it needs to be associated with the rbd "file" object?
> As a quick hack test, I made the following change in libvirt and then was able
> to successfully attach the disk
> 
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 55df23d..eb478fb 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -1287,7 +1287,7 @@ qemuBuildDriveSourceStr(virDomainDiskDefPtr disk,
>      virBufferAddLit(buf, ",");
>  
>      if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
> -        virBufferAsprintf(buf, "password-secret=%s,",
> +        virBufferAsprintf(buf, "file.password-secret=%s,",
>                            secinfo->s.aes.alias);
>      }
> 
> I suspect others (including yourself) have done this successfully without that
> hack, so I'm not quite sure what the problem might be in my configuration. I'm
> using libvirt.git master and qemu 2.6, but I didn't notice any post-2.6 patches
> that would help on the qemu side.

That change is correct. I presume John just implemented libvirt based on
my QEMU commit message which had the wrong syntax shown as an example.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]