On Fri, Apr 22, 2016 at 01:13:42PM +0200, Peter Lieven wrote: > Am 22.04.2016 um 12:59 schrieb Kevin Wolf: > > Am 22.04.2016 um 12:24 hat Daniel P. Berrange geschrieben: > >> The iSCSI block driver has ability to lookup various options, in > >> particular authentication info, specified by the separate -iscsi > >> argument. It currently uses the iSCSI IQN as the ID value for this > >> lookup, however, this does not work for common iSCSI IQNs as they > >> contain characters such as ':' which are invalid for use as IDs. > >> > >> This adds an optional 'iscsi-id' parameter to the iSCSI block > >> driver to allow an explicit ID string to be used to reference > >> the -iscsi arg. For example > >> > >> $QEMU \ > >> -iscsi id=my_initiator,user=fred,password-secret=sec0 \ > >> -drive driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1 > >> > >> Signed-off-by: Daniel P. Berrange <berra...@redhat.com> > > I would consider this a new feature rather than a fix appropriate for > > -rc4. > > +1 > > Its rather late and this might have some side effects that are not obvious. > If you need to specify different credentials for different targets you can > stil > supply them in the iscsi URL: > > iscsi://username:password@host/iqn/0
Use of that syntax is why CVE-2015-5160 exists because it exposes the password to any other process on the host which can see the QEMU argv. -iscsi supports the new password-secret arg that lets us avoid that flaw. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|