On Fri, Apr 22, 2016 at 01:53:47PM +0200, Kevin Wolf wrote: > Am 22.04.2016 um 13:43 hat Daniel P. Berrange geschrieben: > > On Fri, Apr 22, 2016 at 01:13:42PM +0200, Peter Lieven wrote: > > > Am 22.04.2016 um 12:59 schrieb Kevin Wolf: > > > > Am 22.04.2016 um 12:24 hat Daniel P. Berrange geschrieben: > > > >> The iSCSI block driver has ability to lookup various options, in > > > >> particular authentication info, specified by the separate -iscsi > > > >> argument. It currently uses the iSCSI IQN as the ID value for this > > > >> lookup, however, this does not work for common iSCSI IQNs as they > > > >> contain characters such as ':' which are invalid for use as IDs. > > > >> > > > >> This adds an optional 'iscsi-id' parameter to the iSCSI block > > > >> driver to allow an explicit ID string to be used to reference > > > >> the -iscsi arg. For example > > > >> > > > >> $QEMU \ > > > >> -iscsi id=my_initiator,user=fred,password-secret=sec0 \ > > > >> -drive > > > >> driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1 > > > >> > > > >> Signed-off-by: Daniel P. Berrange <berra...@redhat.com> > > > > I would consider this a new feature rather than a fix appropriate for > > > > -rc4. > > > > > > +1 > > > > > > Its rather late and this might have some side effects that are not > > > obvious. > > > If you need to specify different credentials for different targets you > > > can stil > > > supply them in the iscsi URL: > > > > > > iscsi://username:password@host/iqn/0 > > > > Use of that syntax is why CVE-2015-5160 exists because it exposes the > > password to any other process on the host which can see the QEMU argv. > > -iscsi supports the new password-secret arg that lets us avoid that > > flaw. > > -iscsi is a weird thing anyway. We should do things the usual way, with > a proper BlockdevOptionsIscsi QAPI structure. Introducing a new API in > 2.6 when we know we'll deprecate it again in 2.7 doesn't seem to make > that much sense. > > Plus, it's -rc4 now. The problem isn't a crash or a regression. It > merely means that you might need to wait for another release before you > can use iscsi. Pretty much the definition of a new feature.
Ok, i thought that would probably be the response, but I wanted to be able to say I tried anyway, given it was for a libvirt security bug. We'll just have to a wait a bit longer to fix it for iscsi. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|