From patchwork Wed Oct 19 23:01:48 2016
X-Patchwork-Submitter: John Ferlan
X-Patchwork-Id: 78356
To: Gema Gomez, libvir-list@redhat.com
From: John Ferlan
Date: Wed, 19 Oct 2016 19:01:48 -0400
Subject: Re: [libvirt] [PATCH] support auth for qemu SCSI hotplug

On 10/15/2016 10:04 AM, Gema Gomez wrote:
> Hi John,
>
> On 13/10/16 21:37, John Ferlan wrote:
>> So could you provide a bit more information about the configuration.
>> Are you indicating that you have an RBD pool with a volume that's being
>> used as a SCSI device on the guest?
>
> We are indeed using Ceph (RBD) pool volumes, attached via virtio-scsi to
> the guests.
>
>> Reason I ask - not modifying qemuDomainAttachSCSIDisk was by choice
>> mainly because it's generally used with the iSCSI pool which at this
>> point in time cannot support this new secret model.
>
> Even though iSCSI doesn't support secrets this way, doesn't mean it
> isn't necessary for RBD. In particular, the current handling is
> inconsistent between domain creation and hotplugging of a volume. On
> domain creation, the secret object is added just fine.
>
> On hotplug, when libvirt talks to the qemu monitor, it tells qemu to
> create a virtio-scsi device, rbd-backed, with the secret pointing to a
> secret object. However, that secret object is *NOT* currently being
> inserted via the qemu mon communication, and so the command fails to
> actually attach the disk.
>
> Considering libvirt is already telling qemu on hotplug that there is
> some secret with a given name, it sounds logical to actually add that
> secret object. Plus, that's consistent, as I said, with how domain
> creation works.
>
> As for iSCSI not supporting it - I'm not sure I see the problem. The
> patch I submitted qualifies the creation of the aes key object with
> whether secinfo is present for the disk, and it's of AES type.
>
> And for reference, below is the conversation libvirt and the qemu
> monitor were having before this patch, including the XML. Since libvirt
> wasn't adding the scsi0-0-0-1-secret0 object, it all failed rather
> miserably.
>
> 2016-10-07 14:09:40.974+0000: 13608: info : qemuMonitorIOWrite:534 :
> QEMU_MONITOR_IO_WRITE: mon=0x7f7c00eb60
> buf={"execute":"human-monitor-command","arguments":{"command-line":"drive_add
>
> dummy
> file=rbd:volumes/volume-e51d02fc-7399-4e51-bdde-84577ba79990:id=nova:auth_supported=cephx\\;none:mon_host=10.10.0.101\\:6789\\;10.10.0.111\\:6789\\;10.10.0.112\\:6789,file.password-secret=scsi0-0-0-1-secret0,format=raw,if=none,id=drive-scsi0-0-0-1,serial=e51d02fc-7399-4e51-bdde-84577ba79990,cache=none"},"id":"libvirt-14"}
>
>
> 2016-10-07 14:09:40.987+0000: 13608: info : qemuMonitorIOProcess:429 :
> QEMU_MONITOR_IO_PROCESS: mon=0x7f7c00eb60 buf={"return": "No secret with
> id 'scsi0-0-0-1-secret0'\r\n", "id": "libvirt-14"}
> len=79
>
> for this XML:
>
> name="volumes/volume-e51d02fc-7399-4e51-bdde-84577ba79990">
> e51d02fc-7399-4e51-bdde-84577ba79990
>
> Thanks,
> Gema
>

OK thanks for confirming my suspicion...

I'd like to add/merge the attached to this patch. Essentially it's a
test that uses XML like above. Although it's added to the qemu_command
processing - it shows the need to have the SCSI hotplug code to also
have the secret processing.

I still haven't figured out those hotplug tests - if you want to take a
shot, be my guest! Just let me know and I'll merge it with yours and push.

Thanks and congrats on your first libvirt patch!

John

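The ordering problem described in the quoted report (a drive_add that names a password-secret which no earlier monitor command created), as an added example that is not part of this thread or of libvirt: a Python check over monitor log lines. The sample lines are constructed, and the check assumes secrets are created with QMP object-add (qom-type secret) and removed with object-del.

```python
import json
import re
SECRET_REF = re.compile(r"password-secret=([^,\s]+)")

def _write(cmd):  # constructed line in the QEMU_MONITOR_IO_WRITE shape quoted above
    return "qemuMonitorIOWrite:534 : QEMU_MONITOR_IO_WRITE: mon=0x1 buf=" + json.dumps(cmd)

def _drive_add(msg_id, secret):
    line = f"drive_add dummy file=rbd:pool/image,file.password-secret={secret},if=none"
    return _write({"execute": "human-monitor-command", "id": msg_id,
                   "arguments": {"command-line": line}})

# Constructed sample session, not captured output.
SAMPLE_LOG = [
    _write({"execute": "object-add", "id": "libvirt-10",
            "arguments": {"qom-type": "secret", "id": "scsi0-0-0-0-secret0"}}),
    _drive_add("libvirt-11", "scsi0-0-0-0-secret0"),  # secret was added first
    _drive_add("libvirt-14", "scsi0-0-0-1-secret0"),  # never added: the reported case
    'QEMU_MONITOR_IO_PROCESS: mon=0x1 buf={"return": "", "id": "libvirt-14"}',
    _write({"execute": "object-del", "id": "libvirt-15", "arguments": {"id": "scsi0-0-0-0-secret0"}}),
    _drive_add("libvirt-16", "scsi0-0-0-0-secret0"),  # referenced after removal
]

def monitor_writes(lines):  # yields the decoded JSON command of each IO_WRITE line
    for line in lines:
        start = line.find("buf=")
        if "QEMU_MONITOR_IO_WRITE" not in line or start < 0:
            continue
        try:  # raw_decode stops at the end of the JSON, ignoring trailing " len=..."
            cmd, _ = json.JSONDecoder().raw_decode(line, start + 4)
        except ValueError:
            continue
        if isinstance(cmd, dict):
            yield cmd

def missing_secrets(lines):
    """Return (message id, secret id) for drive_add calls naming an unknown secret."""
    known, missing = set(), []
    for cmd in monitor_writes(lines):
        name, args = cmd.get("execute"), cmd.get("arguments") or {}
        if name == "object-add" and args.get("qom-type") == "secret":
            known.add(args.get("id"))
        elif name == "object-del":
            known.discard(args.get("id"))
        elif name == "human-monitor-command":
            line = args.get("command-line", "")
            refs = SECRET_REF.findall(line) if line.startswith("drive_add") else []
            missing += [(cmd.get("id"), s) for s in refs if s not in known]
    return missing
```
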
>From b5acf85351360bedb1ddb0e66c90f0dcc730cdd2 Mon Sep 17 00:00:00 2001 From: John Ferlan Date: Wed, 19 Oct 2016 18:54:05 -0400 Subject: [PATCH] tests: Merge test for RBD SCSI hotplug NB: The SCSI hot unplug code will use the qemuDomainDetachDiskDevice which calls qemuDomainRemoveDiskDevice which will make an attempt to remove the secret object. Signed-off-by: John Ferlan --- .../qemuxml2argv-disk-drive-network-rbd-auth-AES.args | 14 ++++++++++++-- .../qemuxml2argv-disk-drive-network-rbd-auth-AES.xml | 13 +++++++++++++ tests/qemuxml2argvtest.c | 2 +- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args index 07d01b6..d536136 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args @@ -18,6 +18,7 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \ -monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \ -no-acpi \ -boot c \ +-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \ -usb \ -drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \ -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \ 
@@ -28,5 +29,14 @@ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\ 6322,file.password-secret=virtio-disk0-secret0,format=raw,if=none,\ id=drive-virtio-disk0' \ --device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\ -id=virtio-disk0 +-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ +id=virtio-disk0 \ +-object secret,id=scsi0-0-0-0-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\ +mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\ +6322,file.password-secret=scsi0-0-0-0-secret0,format=raw,if=none,\ +id=drive-scsi0-0-0-0,cache=none' \ +-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\ +drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml index ac2e942..885fb11 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml @@ -32,7 +32,20 @@ + + + + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 3e9f825..cf72966 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -864,7 +864,7 @@ mymain(void) DO_TEST("disk-drive-network-rbd-auth", NONE); # ifdef HAVE_GNUTLS_CIPHER_ENCRYPT DO_TEST("disk-drive-network-rbd-auth-AES", - QEMU_CAPS_OBJECT_SECRET); + QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI); # endif DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); -- 2.7.4
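Review bot: the -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 line added in the first .args hunk takes the PCI slot the existing virtio-blk disk had, which is why the second hunk rewrites that disk from addr=0x3 to addr=0x4. The expected output for the existing virtio-blk case therefore changes together with the new SCSI coverage. A separate .xml/.args pair for the SCSI RBD disk would leave the existing expectation untouched and make a later regression in either path easier to attribute.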
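Review bot: in the second .args hunk, the added -object secret,id=scsi0-0-0-0-secret0 line carries the same keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw== as the context line for the existing secret directly above it. If the repeated IV is the result of a fixed random source in the test harness, please say so in the commit message; if not, two secrets encrypted under one key with one IV deserve a look before this expected output is frozen.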
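Review bot: at the DO_TEST("disk-drive-network-rbd-auth-AES", ...) line in qemuxml2argvtest.c, the only change is adding QEMU_CAPS_VIRTIO_SCSI to an xml2argv case, so what gets exercised is command-line generation, while the subject reads "Merge test for RBD SCSI hotplug" and the NB discusses hot unplug. Suggest rewording the subject to describe an xml2argv test for an RBD SCSI disk with an AES secret, and stating in the message that the hotplug attach path itself remains untested by this change.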