> Am 14.09.2015 um 08:38 schrieb Fam Zheng <[email protected]>: > >> On Fri, 09/11 08:27, ronnie sahlberg wrote: >>> On Fri, Sep 11, 2015 at 8:20 AM, Eric Blake <[email protected]> wrote: >>>> On 09/11/2015 12:00 AM, Fam Zheng wrote: >>>> Previously we use "-iscsi id=target-iqn,user=foo,password=bar,..." to >>>> specify iscsi connection parameters, unfortunately it doesn't work with >>>> qemu-img. >>>> >>>> This patch adds per drive options to iscsi driver so that at least >>>> qemu-img can use the "json:{...}" filename magic. >>>> >>>> Signed-off-by: Fam Zheng <[email protected]> >>>> --- >>>> block/iscsi.c | 83 >>>> +++++++++++++++++++++++++++++++++++++++++++++-------------- >>>> 1 file changed, 64 insertions(+), 19 deletions(-) >>> >>> It would be nice to also add a matching BlockdevOptionsIscsi to >>> qapi/block-core.json, to allow setting these structured options from >>> QMP. Separate patch is fine, but we need to do the work for ALL of the >>> remaining block devices eventually, and now that you are structuring the >>> command line is a good time to think about it. >>> >>> >>>> static void iscsi_nop_timed_event(void *opaque) >>>> @@ -1229,6 +1253,27 @@ static QemuOptsList runtime_opts = { >>>> .name = "filename", >>>> .type = QEMU_OPT_STRING, >>>> .help = "URL to the iscsi image", >>>> + },{ >>>> + .name = "user", >>>> + .type = QEMU_OPT_STRING, >>>> + .help = "username for CHAP authentication to target", >>>> + },{ >>>> + .name = "password", >>>> + .type = QEMU_OPT_STRING, >>>> + .help = "password for CHAP authentication to target", >>>> + },{ >>> >>> Also, this requires passing the password in the command line. We >>> _really_ need to solve the problem of allowing the password to be passed >>> via a fd or other QMP command, rather than on the command line. >> >> >> Passing via command line is evil. It should still be possible to pass >> all this via a config file to qemu : >> >> """ >> ... >> Howto use a configuration file to set iSCSI configuration options: >> @example >> cat >iscsi.conf <<EOF >> [iscsi "iqn.target.name"] >> user = "me" >> password = "my password" >> initiator-name = "iqn.qemu.test:my-initiator" >> header-digest = "CRC32C" >> EOF >> >> qemu-system-i386 -drive file=iscsi://127.0.0.1/iqn.qemu.test/1 \ >> -readconfig iscsi.conf >> @end example >> ... >> """ > > I agree passing password with clear text command line is bad, but -readconfig > doesn't work for qemu-img and qemu-io. Any idea how to make that work?
you can pass the secrets via environment variables (see libiscsi readme). Peter
