Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1632656
| Summary: | iSCSI Reverse CHAP authentication not working | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | lnie <lnie> | ||||||||||||||||||||
| Component: | python-blivet | Assignee: | Vojtech Trefny <vtrefny> | ||||||||||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||||||||||||
| Priority: | unspecified | ||||||||||||||||||||||
| Version: | 29 | CC: | amulhern, anaconda-maint-list, awilliam, blivet-maint-list, gmarr, jkonecny, jonathan, kellin, lnie, mkolman, robatino, rvykydal, sbueno, vanmeeuwen+fedora, vponcova, vtrefny, wwoods | ||||||||||||||||||||
| Target Milestone: | --- | ||||||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||||||
| Hardware: | Unspecified | ||||||||||||||||||||||
| OS: | Unspecified | ||||||||||||||||||||||
| Whiteboard: | AcceptedBlocker | ||||||||||||||||||||||
| Fixed In Version: | python-blivet-3.1.1-2 python-blivet-3.1.1-2.fc29 python-blivet-3.1.2-1.fc29 | Doc Type: | If docs needed, set a value | ||||||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||||||
| Clone Of: | |||||||||||||||||||||||
| : | 1635569 1637927 (view as bug list) | Environment: | |||||||||||||||||||||
| Last Closed: | 2018-10-11 20:28:46 UTC | Type: | Bug | ||||||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||||||
| Embargoed: | |||||||||||||||||||||||
| Bug Depends On: | |||||||||||||||||||||||
| Bug Blocks: | 1517013, 1635569, 1637927 | ||||||||||||||||||||||
| Attachments: |
|
||||||||||||||||||||||
Created attachment 1486703 [details]
screenshot2
Created attachment 1486704 [details]
anaconda.log
Created attachment 1486705 [details]
storage.log
Created attachment 1486706 [details]
syslog
Proposed as a Blocker for 29-final by Fedora user lnie using the blocker tracking app because: Seems to affect the criteria: The installer must be able to detect (if possible) and install to supported network-attached storage devices Discussed during the 2018-10-01 blocker review meeting: [1] The decision to classify this bug as an "AcceptedBlocker" was made as it violates the following criteria: "The installer must be able to detect (if possible) and install to supported network-attached storage devices" - The criterion does not explicitly say whether auth is blocking, but we believe it is sufficiently commonly used in the real world that we should accept the bug. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-10-01/f29-blocker-review.2018-10-01-16.00.txt Seems that reverse (target) CHAP authentication is not working both for discover and login. Initiator authentication should work fine for both. The same issue is present in F28 GA. On RHEL 7 reverse CHAP works. Reassigning to blivet storage library for investigating. Upstream PR: https://github.com/storaged-project/blivet/pull/728 python-blivet-3.1.1-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d610e2461a python-blivet-3.1.1-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d610e2461a lnie, can you please test the fix? Thanks! The discovery authentication works fine now,but still unable to login and use the iscsi targets when Reverse CHAP authentication is set. After click the Login button you will see the error shown in the attached screenshot. Created attachment 1491846 [details]
screenshot
Created attachment 1491847 [details]
anaconda.log
Created attachment 1491848 [details]
storage.log
I've tested this again and both discovery and login works for me. My configuration: - updates.img: https://vtrefny.fedorapeople.org/img/iscsi1632274.img - targetcli config: https://vtrefny.fedorapeople.org/misc/iscsi-discover-auth-mutual.json - initiator name: "iqn.1994-05.com.redhat:iscsi-test" - discovery credentials: "mytargetuid", "mytargetsecret", "mymutualuid", "mymutualsecret" - login credentials: "udisks-user", "udisks-password", "udisks-mutual-user", "udisks-mutual-password" lnie: Can you please share your targetcli config? Maybe I'm testing something different. Created attachment 1492032 [details]
configuration file
unable to open your configuration file,mine is attached. Thank you, I can confirm that the login doesn't work with your configuration. It works on Fedora 28 (with latest blivet and udisks), but doesn't on Fedora 29. The same happens when using iscsiadm manually, so I think it is a different problem: On Fedora 28: $ sudo iscsiadm --mode node --targetname iqn.2018-02.com.example:target --portal 10.37.176.17:3260 --login --name node.session.auth.authmethod --value=CHAP --name node.session.auth.username --value="IncomingUser2" --name node.session.auth.password --value="SomePassword3" --name node.session.auth.username_in --value="OutgoingUser2" --name node.session.auth.password_in --value="AnotherPassword4" Logging in to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260] (multiple) Login to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260] successful. On Fedora 29: $ sudo iscsiadm --mode node --targetname iqn.2018-02.com.example:target --portal 10.37.176.17:3260 --login --name node.session.auth.authmethod --value=CHAP --name node.session.auth.username --value="IncomingUser2" --name node.session.auth.password --value="SomePassword3" --name node.session.auth.username_in --value="OutgoingUser2" --name node.session.auth.password_in --value="AnotherPassword4" Logging in to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260] (multiple) iscsiadm: Could not login to [iface: default, target: iqn.2018-02.com.example:target, portal: 10.37.176.17,3260]. iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure) iscsiadm: Could not log into all portals python-blivet-3.1.1-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. python-blivet-3.1.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5827b58873 blivet-gui-2.1.10-1.fc29, python-blivet-3.1.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5827b58873 blivet-gui-2.1.10-2.fc29, python-blivet-3.1.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5827b58873 blivet-gui-2.1.10-2.fc29, python-blivet-3.1.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 1486702 [details] screenshot1 Description of problem: create an iscsi target use targetcli,and set discovery and login authentication as following: /iscsi> set discovery_auth enable=1 Parameter enable is now 'True'. /iscsi> set discovery_auth userid=IncomingUser Parameter userid is now 'IncomingUser'. /iscsi> set discovery_auth password=SomePassword1 Parameter password is now 'SomePassword1'. /iscsi> set discovery_auth mutual_userid=OutgoingUser Parameter mutual_userid is now 'OutgoingUser'. /iscsi> set discovery_auth mutual_password=AnotherPassword2 Parameter mutual_password is now 'AnotherPassword2'. /iscsi> cd iqn.2018-02.com.example:target/ /iscsi/iqn.20...xample:target> cd tpg1/ /iscsi/iqn.20...e:target/tpg1> set attribute authentication=1 Parameter authentication is now '1'. /iscsi/iqn.20...e:target/tpg1> set auth userid=IncomingUser2 Parameter userid is now 'IncomingUser2'. /iscsi/iqn.20...e:target/tpg1> set auth password=SomePassword3 Parameter password is now 'SomePassword3'. /iscsi/iqn.20...e:target/tpg1> set auth mutual_userid=OutgoingUser2 Parameter mutual_userid is now 'OutgoingUser2'. /iscsi/iqn.20...e:target/tpg1> set auth mutual_password=AnotherPassword4 Parameter mutual_password is now 'AnotherPassword4'. /iscsi/iqn.20...e:target/tpg1> exit Global pref auto_save_on_exit=true Last 10 configs saved in /etc/target/backup. Configuration saved to /etc/target/saveconfig.json As shown in the attached screenshots,the installer failed to discover the target,and after I set discovery_auth enable=0,the installer can discover the target but failed to login Version-Release number of selected component (if applicable): Fedora-Server-dvd-x86_64-29_Beta-1.5.iso How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: