Am 22.04.2016 um 13:43 hat Daniel P. Berrange geschrieben: > On Fri, Apr 22, 2016 at 01:13:42PM +0200, Peter Lieven wrote: > > Am 22.04.2016 um 12:59 schrieb Kevin Wolf: > > > Am 22.04.2016 um 12:24 hat Daniel P. Berrange geschrieben: > > >> The iSCSI block driver has ability to lookup various options, in > > >> particular authentication info, specified by the separate -iscsi > > >> argument. It currently uses the iSCSI IQN as the ID value for this > > >> lookup, however, this does not work for common iSCSI IQNs as they > > >> contain characters such as ':' which are invalid for use as IDs. > > >> > > >> This adds an optional 'iscsi-id' parameter to the iSCSI block > > >> driver to allow an explicit ID string to be used to reference > > >> the -iscsi arg. For example > > >> > > >> $QEMU \ > > >> -iscsi id=my_initiator,user=fred,password-secret=sec0 \ > > >> -drive driver=iscsi,iscsi-id=my_initiator,file=iscsi://somehost/iqn/1 > > >> > > >> Signed-off-by: Daniel P. Berrange <berra...@redhat.com> > > > I would consider this a new feature rather than a fix appropriate for > > > -rc4. > > > > +1 > > > > Its rather late and this might have some side effects that are not obvious. > > If you need to specify different credentials for different targets you can > > stil > > supply them in the iscsi URL: > > > > iscsi://username:password@host/iqn/0 > > Use of that syntax is why CVE-2015-5160 exists because it exposes the > password to any other process on the host which can see the QEMU argv. > -iscsi supports the new password-secret arg that lets us avoid that > flaw.
-iscsi is a weird thing anyway. We should do things the usual way, with a proper BlockdevOptionsIscsi QAPI structure. Introducing a new API in 2.6 when we know we'll deprecate it again in 2.7 doesn't seem to make that much sense. Plus, it's -rc4 now. The problem isn't a crash or a regression. It merely means that you might need to wait for another release before you can use iscsi. Pretty much the definition of a new feature. Kevin
