Re: [PATCH] support auth for qemu SCSI hotplug

[John Ferlan <jferlan@xxxxxxxxxx>]

On 10/15/2016 10:04 AM, Gema Gomez wrote:
> Hi John,
> 
> On 13/10/16 21:37, John Ferlan wrote:
>> So could you provide a bit more information about the configuration.
>> Are you indicating that you have an RBD pool with a volume that's being
>> used as a SCSI device on the guest?
> 
> We are indeed using Ceph (RBD) pool volumes, attached via virtio-scsi to
> the guests.
> 
>> Reason I ask - not modifying qemuDomainAttachSCSIDisk was by choice
>> mainly because it's generally used with the iSCSI pool which at this
>> point in time cannot support this new secret model.
> 
> Even though iSCSI doesn't support secrets this way, doesn't mean it
> isn't necessary for RBD. In particular, the current handling is
> inconsistent between domain creation and hotplugging of a volume. On
> domain creation, the secret object is added just fine.
> 
> On hotplug, when libvirt talks to the qemu monitor, it tells qemu to
> create a virtio-scsi device, rbd-backed, with the secret pointing to a
> secret object. However, that secret object is *NOT* currently being
> inserted via the qemu mon communication, and so the command fails to
> actually attach the disk.
> 
> Considering libvirt is already telling qemu on hotplug that there is
> some secret with a given name, it sounds logical to actually add that
> secret object. Plus, that's consistent, as I said, with how domain
> creation works.
> 
> As for iSCSI not supporting it - I'm not sure I see the problem. The
> patch I submitted qualifies the creation of the aes key object with
> whether secinfo is present for the disk, and it's of AES type.
> 
> And for reference, below is the conversation libvirt and the qemu
> monitor were having before this patch, including the XML. Since libvirt
> wasn't adding the scsi0-0-0-1-secret0 object, it all failed rather
> miserably.
> 
> 2016-10-07 14:09:40.974+0000: 13608: info : qemuMonitorIOWrite:534 :
> QEMU_MONITOR_IO_WRITE: mon=0x7f7c00eb60
> buf={"execute":"human-monitor-command","arguments":{"command-line":"drive_add
> 
> dummy
> file=rbd:volumes/volume-e51d02fc-7399-4e51-bdde-84577ba79990:id=nova:auth_supported=cephx\\;none:mon_host=10.10.0.101\\:6789\\;10.10.0.111\\:6789\\;10.10.0.112\\:6789,file.password-secret=scsi0-0-0-1-secret0,format=raw,if=none,id=drive-scsi0-0-0-1,serial=e51d02fc-7399-4e51-bdde-84577ba79990,cache=none"},"id":"libvirt-14"}
> 
> 
> 2016-10-07 14:09:40.987+0000: 13608: info : qemuMonitorIOProcess:429 :
> QEMU_MONITOR_IO_PROCESS: mon=0x7f7c00eb60 buf={"return": "No secret with
> id 'scsi0-0-0-1-secret0'\r\n", "id": "libvirt-14"}
>  len=79
> 
> for this XML:
> 
> <disk type="network" device="disk">
>   <driver name="qemu" type="raw" cache="none"/>
>   <source protocol="rbd"
> name="volumes/volume-e51d02fc-7399-4e51-bdde-84577ba79990">
>     <host name="10.10.0.101" port="6789"/>
>     <host name="10.10.0.111" port="6789"/>
>     <host name="10.10.0.112" port="6789"/>
>   </source>
>   <auth username="nova">
>     <secret type="ceph" uuid="some-uuid..."/>
>   </auth>
>   <target bus="scsi" dev="sdb"/>
>   <serial>e51d02fc-7399-4e51-bdde-84577ba79990</serial>
> </disk>
> 
> Thanks,
> Gema
> 

OK thanks for confirming my suspicion...

I'd like to add/merge the attached to this patch.  Essentially it's a
test that uses XML like above. Although it's added to the qemu_command
processing - it shows the need to have the SCSI hotplug code to also
have the secret processing. I still haven't figured out those hotplug
tests - if you want to take a shot, be my guest!

Just let me know and I'll merge it with yours and push.

Thanks and congrats on your first libvirt patch!

John

>From b5acf85351360bedb1ddb0e66c90f0dcc730cdd2 Mon Sep 17 00:00:00 2001
From: John Ferlan <jferlan@xxxxxxxxxx>
Date: Wed, 19 Oct 2016 18:54:05 -0400
Subject: [PATCH] tests: Merge test for RBD SCSI hotplug

NB: The SCSI hot unplug code will use the qemuDomainDetachDiskDevice
which calls qemuDomainRemoveDiskDevice which will make an attempt to
remove the secret object.

Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
---
 .../qemuxml2argv-disk-drive-network-rbd-auth-AES.args      | 14 ++++++++++++--
 .../qemuxml2argv-disk-drive-network-rbd-auth-AES.xml       | 13 +++++++++++++
 tests/qemuxml2argvtest.c                                   |  2 +-
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
index 07d01b6..d536136 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
@@ -18,6 +18,7 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
 -monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
 -no-acpi \
 -boot c \
+-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
 -usb \
 -drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
 -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
@@ -28,5 +29,14 @@ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
 mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
 6322,file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
 id=drive-virtio-disk0' \
--device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
-id=virtio-disk0
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-object secret,id=scsi0-0-0-0-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
+mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
+6322,file.password-secret=scsi0-0-0-0-secret0,format=raw,if=none,\
+id=drive-scsi0-0-0-0,cache=none' \
+-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
+drive=drive-scsi0-0-0-0,id=scsi0-0-0-0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
index ac2e942..885fb11 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
@@ -32,7 +32,20 @@
       </source>
       <target dev='vda' bus='virtio'/>
     </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw' cache='none'/>
+      <auth username='myname'>
+        <secret type='ceph' usage='mycluster_myname'/>
+      </auth>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+      </source>
+      <target bus='scsi' dev='sda'/>
+    </disk>
     <controller type='usb' index='0'/>
+    <controller type='scsi' index='0' model='virtio-scsi'/>
     <controller type='ide' index='0'/>
     <controller type='pci' index='0' model='pci-root'/>
     <input type='mouse' bus='ps2'/>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 3e9f825..cf72966 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -864,7 +864,7 @@ mymain(void)
     DO_TEST("disk-drive-network-rbd-auth", NONE);
 # ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
     DO_TEST("disk-drive-network-rbd-auth-AES",
-            QEMU_CAPS_OBJECT_SECRET);
+            QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI);
 # endif
     DO_TEST("disk-drive-network-rbd-ipv6", NONE);
     DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE);
-- 
2.7.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list