From: Felix Driessler <fdriessler@inett.de>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-stoage 4/4] iscsiPlugin: add chap auth
Date: Fri, 27 Mar 2026 11:14:56 +0100 [thread overview]
Message-ID: <20260327101456.16614-5-fdriessler@inett.de> (raw)
In-Reply-To: <20260327101456.16614-1-fdriessler@inett.de>
Signed-off-by: Felix Driessler <fdriessler@inett.de>
---
src/PVE/Storage/ISCSIPlugin.pm | 122 ++++++++++++++++++++++++++++++++-
1 file changed, 119 insertions(+), 3 deletions(-)
diff --git a/src/PVE/Storage/ISCSIPlugin.pm b/src/PVE/Storage/ISCSIPlugin.pm
index bb5576b..777c3b0 100644
--- a/src/PVE/Storage/ISCSIPlugin.pm
+++ b/src/PVE/Storage/ISCSIPlugin.pm
@@ -159,13 +159,21 @@ sub iscsi_discovery {
}
sub iscsi_login {
- my ($target, $portals, $cache) = @_;
+ my ($target, $portals, $cache, $scfg, $storeid) = @_;
assert_iscsi_support();
eval { iscsi_discovery($target, $portals, $cache); };
warn $@ if $@;
+ if ($scfg->{enablechap}) {
+ eval { iscsi_chap_enable($scfg, $storeid) };
+ warn $@ if $@;
+ } else {
+ eval { iscsi_chap_disable($target); };
+ warn $@ if $@;
+ }
+
# Disable retries to avoid blocking pvestatd for too long, next iteration will retry anyway
eval {
my $cmd = [
@@ -193,9 +201,42 @@ sub iscsi_logout {
assert_iscsi_support();
+ eval { iscsi_chap_disable($target); };
+ warn $@ if $@;
+
run_command([$ISCSIADM, '--mode', 'node', '--targetname', $target, '--logout']);
}
+sub iscsi_chap_enable {
+ my ($scfg, $storeid) = @_;
+
+ my $password = iscsi_get_password($scfg, $storeid);
+ my $target = $scfg->{target};
+ my $username = $scfg->{username};
+
+ $password =~ m|^(.*)$|
+ or die "incorrect Password.";
+ $password = $1;
+
+ run_command([
+ $ISCSIADM, '--mode', 'node', '--targetname', $target,
+ '-o', 'update', '-n', 'node.session.auth.authmethod', '-v', 'CHAP',
+ '-o', 'update', '-n', 'node.session.auth.username', '-v', $username,
+ '-o', 'update', '-n', 'node.session.auth.password', '-v', $password,
+ ]);
+}
+
+sub iscsi_chap_disable {
+ my ($target) = @_;
+
+ run_command([
+ $ISCSIADM, '--mode', 'node', '--targetname', $target,
+ '-o', 'update', '-n', 'node.session.auth.authmethod', '-v', 'None',
+ '-o', 'update', '-n', 'node.session.auth.username', '-v', '""',
+ '-o', 'update', '-n', 'node.session.auth.password', '-v', '""',
+ ]);
+}
+
my $rescan_filename = "/var/run/pve-iscsi-rescan.lock";
sub iscsi_session_rescan {
@@ -342,7 +383,9 @@ sub plugindata {
return {
content => [{ images => 1, none => 1 }, { images => 1 }],
select_existing => 1,
- 'sensitive-properties' => {},
+ 'sensitive-properties' => {
+ password => 1,
+ },
};
}
@@ -357,6 +400,11 @@ sub properties {
type => 'string',
format => 'pve-storage-portal-dns',
},
+ enablechap => {
+ description => "Enable CHAP Authentication.",
+ type => 'boolean',
+ default => 0,
+ },
};
}
@@ -368,9 +416,47 @@ sub options {
disable => { optional => 1 },
content => { optional => 1 },
bwlimit => { optional => 1 },
+ enablechap => { optional => 1 },
+ username => { optional => 1 },
+ password => { optional => 1 },
};
}
+# Helpers
+
+sub iscsi_password_file_name {
+ my ($scfg, $storeid) = @_;
+
+ return "/etc/pve/priv/storage/${storeid}.pw";
+}
+
+sub iscsi_set_password {
+ my ($scfg, $storeid, $password) = @_;
+
+ my $pwfile = iscsi_password_file_name($scfg, $storeid);
+ mkdir "/etc/pve/priv/storage";
+
+ PVE::Tools::file_set_contents($pwfile, "$password\n", 0600, 1);
+}
+
+sub iscsi_delete_password {
+ my ($scfg, $storeid) = @_;
+
+ my $pwfile = iscsi_password_file_name($scfg, $storeid);
+
+ unlink $pwfile;
+}
+
+sub iscsi_get_password {
+ my ($scfg, $storeid) = @_;
+
+ my $pwfile = iscsi_password_file_name($scfg, $storeid);
+
+ my $contents = PVE::Tools::file_read_firstline($pwfile);
+
+ return eval { decode('UTF-8', $contents, 1) } // $contents;
+}
+
# Storage implementation
sub parse_volname {
@@ -505,7 +591,7 @@ sub activate_storage {
}
if ($do_login) {
- eval { iscsi_login($scfg->{target}, $portals, $cache); };
+ eval { iscsi_login($scfg->{target}, $portals, $cache, $scfg, $storeid); };
warn $@ if $@;
} else {
# make sure we get all devices
@@ -711,4 +797,34 @@ sub volume_import {
die "volume import is not possible on iscsi storage\n";
}
+sub on_add_hook {
+ my ($class, $storeid, $scfg, %param) = @_;
+ if (defined(my $password = $param{password}) && $scfg->{enablechap}) {
+ iscsi_set_password($scfg, $storeid, $password);
+ }
+ else {
+ iscsi_delete_password($scfg, $storeid);
+ }
+}
+
+sub on_update_hook {
+ return if !assert_iscsi_support(1);
+
+ my ($class, $storeid, $scfg, %param) = @_;
+ if (exists($param{password})) {
+ if (defined(my $password = $param{password}) && $scfg->{enablechap}) {
+ if ($password != "") {
+ iscsi_set_password($scfg, $storeid, $password);
+ }
+ }
+ else {
+ iscsi_delete_password($scfg, $storeid);
+ }
+ }
+
+ eval { iscsi_logout($scfg->{target}); };
+ activate_storage($class, $storeid, $scfg)
+}
+
+
1;
--
2.52.0
Felix Driessler
Junior Systems Engineer // #GernPerDU
Linux - Open Source - IT Solutions
T: +49-681-410993-0
E: fdriessler@inett.de
https://www.inett.de
inett GmbH | Altenkesseler Strasse 17 / B8 | 66115 Saarbrücken | Germany
Vertrieb: vertrieb@inett.de // +49-681-410993-33
Support: support@inett.de // +49-681-410993-42
Geschäftsführung: Marco Gabriel | Amtsgericht Saarbrücken HRB 16588
prev parent reply other threads:[~2026-03-27 10:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <f53ca227-2275-443f-84f8-48b2785269b2.2bc2ceb6-a3a3-4c49-9566-519c7d2ab20e.21103ee5-34fe-43b6-b130-08f8ab2b25ae@emailsignatures365.codetwo.com>
2026-03-27 10:14 ` [PATCH pve-manager/pve-storage 0/4] extend iscsi configuration Felix Driessler
[not found] ` <f53ca227-2275-443f-84f8-48b2785269b2.2bc2ceb6-a3a3-4c49-9566-519c7d2ab20e.d935a384-10c1-4974-ba2a-7adab51bb127@emailsignatures365.codetwo.com>
2026-03-27 10:14 ` [PATCH pve-manager 1/4] ui: Add Display of WWID for ISCSI Felix Driessler
[not found] ` <f53ca227-2275-443f-84f8-48b2785269b2.2bc2ceb6-a3a3-4c49-9566-519c7d2ab20e.5ac71d0a-bc32-41c3-8898-7681716f7a92@emailsignatures365.codetwo.com>
2026-03-27 10:14 ` [PATCH pve-manager 2/4] ui: Add CHAP Authentication " Felix Driessler
[not found] ` <f53ca227-2275-443f-84f8-48b2785269b2.2bc2ceb6-a3a3-4c49-9566-519c7d2ab20e.24fbb610-73bc-4d0e-8ec7-c0b5fbde4ff8@emailsignatures365.codetwo.com>
2026-03-27 10:14 ` [PATCH pve-stoage 3/4] iscsiPlugin: add wwid Felix Driessler
[not found] ` <f53ca227-2275-443f-84f8-48b2785269b2.2bc2ceb6-a3a3-4c49-9566-519c7d2ab20e.6c58b149-eb37-45dd-84d7-651f4453edab@emailsignatures365.codetwo.com>
2026-03-27 10:14 ` Felix Driessler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260327101456.16614-5-fdriessler@inett.de \
--to=fdriessler@inett.de \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.