support auth for qemu SCSI hotplug

Message ID ccaab52a-0318-46ba-52c8-d85e6047cd6a@redhat.com
State New

Commit Message

John Ferlan Oct. 19, 2016, 11:01 p.m.
On 10/15/2016 10:04 AM, Gema Gomez wrote:
> Hi John,
>
> On 13/10/16 21:37, John Ferlan wrote:
>> So could you provide a bit more information about the configuration.
>> Are you indicating that you have an RBD pool with a volume that's being
>> used as a SCSI device on the guest?
>
> We are indeed using Ceph (RBD) pool volumes, attached via virtio-scsi to
> the guests.
>
>> Reason I ask - not modifying qemuDomainAttachSCSIDisk was by choice
>> mainly because it's generally used with the iSCSI pool which at this
>> point in time cannot support this new secret model.
>
> Even though iSCSI doesn't support secrets this way, doesn't mean it
> isn't necessary for RBD. In particular, the current handling is
> inconsistent between domain creation and hotplugging of a volume. On
> domain creation, the secret object is added just fine.
>
> On hotplug, when libvirt talks to the qemu monitor, it tells qemu to
> create a virtio-scsi device, rbd-backed, with the secret pointing to a
> secret object. However, that secret object is *NOT* currently being
> inserted via the qemu mon communication, and so the command fails to
> actually attach the disk.
>
> Considering libvirt is already telling qemu on hotplug that there is
> some secret with a given name, it sounds logical to actually add that
> secret object. Plus, that's consistent, as I said, with how domain
> creation works.
>
> As for iSCSI not supporting it - I'm not sure I see the problem. The
> patch I submitted qualifies the creation of the aes key object with
> whether secinfo is present for the disk, and it's of AES type.
>
> And for reference, below is the conversation libvirt and the qemu
> monitor were having before this patch, including the XML. Since libvirt
> wasn't adding the scsi0-0-0-1-secret0 object, it all failed rather
> miserably.
>
> 2016-10-07 14:09:40.974+0000: 13608: info : qemuMonitorIOWrite:534 :
> QEMU_MONITOR_IO_WRITE: mon=0x7f7c00eb60
> buf={"execute":"human-monitor-command","arguments":{"command-line":"drive_add
>
> dummy
> file=rbd:volumes/volume-e51d02fc-7399-4e51-bdde-84577ba79990:id=nova:auth_supported=cephx\\;none:mon_host=10.10.0.101\\:6789\\;10.10.0.111\\:6789\\;10.10.0.112\\:6789,file.password-secret=scsi0-0-0-1-secret0,format=raw,if=none,id=drive-scsi0-0-0-1,serial=e51d02fc-7399-4e51-bdde-84577ba79990,cache=none"},"id":"libvirt-14"}
>
>
> 2016-10-07 14:09:40.987+0000: 13608: info : qemuMonitorIOProcess:429 :
> QEMU_MONITOR_IO_PROCESS: mon=0x7f7c00eb60 buf={"return": "No secret with
> id 'scsi0-0-0-1-secret0'\r\n", "id": "libvirt-14"}
>  len=79
>
> for this XML:
>
> <disk type="network" device="disk">
>   <driver name="qemu" type="raw" cache="none"/>
>   <source protocol="rbd"
> name="volumes/volume-e51d02fc-7399-4e51-bdde-84577ba79990">
>     <host name="10.10.0.101" port="6789"/>
>     <host name="10.10.0.111" port="6789"/>
>     <host name="10.10.0.112" port="6789"/>
>   </source>
>   <auth username="nova">
>     <secret type="ceph" uuid="some-uuid..."/>
>   </auth>
>   <target bus="scsi" dev="sdb"/>
>   <serial>e51d02fc-7399-4e51-bdde-84577ba79990</serial>
> </disk>
>
> Thanks,
> Gema
>


OK thanks for confirming my suspicion...

I'd like to add/merge the attached to this patch.  Essentially it's a
test that uses XML like above. Although it's added to the qemu_command
processing - it shows the need to have the SCSI hotplug code to also
have the secret processing. I still haven't figured out those hotplug
tests - if you want to take a shot, be my guest!

Just let me know and I'll merge it with yours and push.

Thanks and congrats on your first libvirt patch!

John
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
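
The failure described in the quoted report (a `drive_add` that names a `password-secret` id the monitor was never told about) can be checked for in a libvirt debug log. This is an added example, not code from libvirt or from either poster; the function names, the `preexisting` parameter and the sample log lines are constructed for illustration, and the `object-add` line is an assumed shape for the missing step.

```python
import json
import re

SECRET_REF = re.compile(r"password-secret=([^,\s]+)")
DECODER = json.JSONDecoder()

def monitor_writes(log_lines):
    """Yield each QMP command found after 'buf=' on a QEMU_MONITOR_IO_WRITE line."""
    for line in log_lines:
        start = line.find("buf=")
        if "QEMU_MONITOR_IO_WRITE" not in line or start < 0:
            continue
        try:
            cmd, _ = DECODER.raw_decode(line[start + 4:])
        except json.JSONDecodeError:
            continue  # wrapped or truncated log line
        if isinstance(cmd, dict):
            yield cmd

def dangling_secret_refs(log_lines, preexisting=()):
    """Return (command id, secret id) for references to secrets not yet defined.
    `preexisting` lists ids created with -object at domain start."""
    defined = set(preexisting)
    findings = []
    for cmd in monitor_writes(log_lines):
        args = cmd.get("arguments") or {}
        if cmd.get("execute") == "object-add" and args.get("qom-type") == "secret":
            defined.add(args.get("id"))
        elif cmd.get("execute") == "object-del":
            defined.discard(args.get("id"))
        elif cmd.get("execute") == "human-monitor-command":
            for ref in SECRET_REF.findall(args.get("command-line", "")):
                if ref not in defined:
                    findings.append((cmd.get("id"), ref))
    return findings

# Constructed sample lines, modelled on the log quoted in the thread.
PREFIX = "13608: info : qemuMonitorIOWrite:534 : QEMU_MONITOR_IO_WRITE: mon=0x7f7c00eb60 buf="
DRIVE_ADD = PREFIX + (
    r'{"execute":"human-monitor-command","arguments":{"command-line":'
    r'"drive_add dummy file=rbd:pool/image:id=myname:auth_supported=cephx\\;none,'
    r'file.password-secret=scsi0-0-0-1-secret0,format=raw,if=none,'
    r'id=drive-scsi0-0-0-1"},"id":"libvirt-14"}')
# Assumed shape of the missing step; data and iv are placeholders.
OBJECT_ADD = PREFIX + (
    '{"execute":"object-add","arguments":{"qom-type":"secret",'
    '"id":"scsi0-0-0-1-secret0","props":{"data":"PLACEHOLDER","keyid":"masterKey0",'
    '"iv":"PLACEHOLDER","format":"base64"}},"id":"libvirt-13"}')
print(dangling_secret_refs([DRIVE_ADD]), dangling_secret_refs([OBJECT_ADD, DRIVE_ADD]))
```

Secrets passed with `-object` on the QEMU command line never appear in the monitor log, so pass their ids in `preexisting` to avoid false positives for disks defined at domain creation.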

Patch

>From b5acf85351360bedb1ddb0e66c90f0dcc730cdd2 Mon Sep 17 00:00:00 2001
From: John Ferlan <jferlan@redhat.com>
Date: Wed, 19 Oct 2016 18:54:05 -0400
Subject: [PATCH] tests: Merge test for RBD SCSI hotplug

NB: The SCSI hot unplug code will use the qemuDomainDetachDiskDevice
which calls qemuDomainRemoveDiskDevice which will make an attempt to
remove the secret object.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 .../qemuxml2argv-disk-drive-network-rbd-auth-AES.args      | 14 ++++++++++++--
 .../qemuxml2argv-disk-drive-network-rbd-auth-AES.xml       | 13 +++++++++++++
 tests/qemuxml2argvtest.c                                   |  2 +-
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
index 07d01b6..d536136 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
@@ -18,6 +18,7 @@  file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
 -monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
 -no-acpi \
 -boot c \
+-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
 -usb \
 -drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
 -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
@@ -28,5 +29,14 @@  keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
 mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
 6322,file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
 id=drive-virtio-disk0' \
--device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
-id=virtio-disk0
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-object secret,id=scsi0-0-0-0-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
+mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
+6322,file.password-secret=scsi0-0-0-0-secret0,format=raw,if=none,\
+id=drive-scsi0-0-0-0,cache=none' \
+-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
+drive=drive-scsi0-0-0-0,id=scsi0-0-0-0
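Review bot: the added "-object secret,id=scsi0-0-0-0-secret0" line carries iv=AAECAwQFBgcICQoLDA0ODw== under keyid=masterKey0, the same iv and key id that the line shown in this hunk's header has for the existing secret object. If that is because the test harness pins the random bytes, a sentence in the commit message saying so would help, since two secrets encrypted under one key with one IV should not be read as intended runtime behaviour. The move of virtio-blk-pci from addr=0x3 to addr=0x4 is a side effect of the new controller and could be mentioned there as well.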
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
index ac2e942..885fb11 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
@@ -32,7 +32,20 @@ 
       </source>
       <target dev='vda' bus='virtio'/>
     </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw' cache='none'/>
+      <auth username='myname'>
+        <secret type='ceph' usage='mycluster_myname'/>
+      </auth>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+      </source>
+      <target bus='scsi' dev='sda'/>
+    </disk>
     <controller type='usb' index='0'/>
+    <controller type='scsi' index='0' model='virtio-scsi'/>
     <controller type='ide' index='0'/>
     <controller type='pci' index='0' model='pci-root'/>
     <input type='mouse' bus='ps2'/>
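Review bot: the added disk's "<secret type='ceph' usage='mycluster_myname'/>" looks the secret up by usage, while the configuration reported in this thread uses uuid=. If the intent is to mirror the reported setup, either note in the commit message that usage-based lookup is what this fixture covers or add a uuid-based variant. The disk also has no explicit address, so the expected scsi0-0-0-0 alias in the .args file depends on automatic assignment.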
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 3e9f825..cf72966 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -864,7 +864,7 @@  mymain(void)
     DO_TEST("disk-drive-network-rbd-auth", NONE);
 # ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
     DO_TEST("disk-drive-network-rbd-auth-AES",
-            QEMU_CAPS_OBJECT_SECRET);
+            QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI);
 # endif
     DO_TEST("disk-drive-network-rbd-ipv6", NONE);
     DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE);
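Review bot: adding QEMU_CAPS_VIRTIO_SCSI to the existing disk-drive-network-rbd-auth-AES case means this still only checks command-line generation in qemuxml2argvtest.c; the monitor path that failed in the report (drive_add with no preceding secret object) and the removal path named in the commit message's NB are not exercised. Say so in the commit message, or follow up with a hotplug test case that asserts the secret object is added before the drive and removed on detach.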
-- 
2.7.4