From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id A69101FF140 for ; Fri, 27 Mar 2026 11:15:31 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E6E1C36DB; Fri, 27 Mar 2026 11:15:54 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=QnaCfHqfBRYj0c4dRaSR6YY4ImBB4/CtVGGB30OFpKpgRSDAj0LroQ16K3+XBaP5szJ2b7vGQ6AoIYIPeuImt1D3MhrGgm1YMc2T+BlAkg7J+IHcXExfHrjoqYmtCjsEBQxbYXlYUM/Q7pFv0htEawvpQyyvLg8lPYY3bZg1qZPLPu8An4N6gSm36M4aWju/vZiLdBI5ANJ/jC9Z6GEfAs9xFjrcSDOr22khEeokrZxNOo60js/uj6v/rWhwP1stC8nad9l3pmMGX8EG6vHC0smFu5P+3qpOWj9Ac91jqNod0qUnQszDEHuEVVvwCatYAx6VRSm2ASBBncXBnTPmpg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ho4HR7djj+Eus+/TGpSYAtdiQDonHlrgbwyGj466chk=; b=tUrjuXjb2MBMNoqad6ZFYdlVT+me3YbpF29Pg5LQFjd07R6eI57zL367bUTsRkDQfM6x/JgVQbID+ltcccYWhAzz5wxalsBnX1Jjni31q5hFpmgyhWhk89JqVqrI6FV1xCnsxRtN2sBcWVm6UqBLH9ejqcC6QpIup7KFYNQKtwkQUFPEJw+h/QUj3vpMPZwRMnKhDJrhDqa1tUZTr+3suGpbHuIDyPNYfYxzPLqNQmATiUNDuyQNEnUzaTL3iikrtZszuQAhQxig0xeFhyln0RuZQAOovIuVI57H8bD44+dAtx+MSJiLnFZ5nB4ZXa7XsXXDtyHxsrTfNHcp+1YzCw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 13.93.42.39) smtp.rcpttodomain=lists.proxmox.com smtp.mailfrom=inett.de; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=inett.de; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inett.de; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ho4HR7djj+Eus+/TGpSYAtdiQDonHlrgbwyGj466chk=; 
b=YNVT+VWcmqoyaPl3Cqt4lMXA7chJ+Ysrl3B0ww4BD6KV8HMOjQByFWRgLWMHcU9xtVN2Mv/lk338pZT7hPqe0U+Eczepd/XmoseckgkgtdSVvTdfG5uo1R7jnop/I2w10NU6PjtOub8eY4DUhUShy5ccxFt+kifiREYGW4ktbgg= X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 13.93.42.39) smtp.mailfrom=inett.de; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=inett.de; Received-SPF: Pass (protection.outlook.com: domain of inett.de designates 13.93.42.39 as permitted sender) receiver=protection.outlook.com; client-ip=13.93.42.39; helo=westeu12-emailsignatures-cloud.codetwo.com; pr=C Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=inett.de; 
From: Felix Driessler To: pve-devel@lists.proxmox.com Subject: [PATCH pve-stoage 4/4] iscsiPlugin: add chap auth Date: Fri, 27 Mar 2026 11:14:56 +0100 Message-ID: <20260327101456.16614-5-fdriessler@inett.de> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260327101456.16614-1-fdriessler@inett.de> References: <20260327101456.16614-1-fdriessler@inett.de> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain X-ClientProxiedBy: FR2P281CA0163.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:99::6) To VI1PR05MB5071.eurprd05.prod.outlook.com (2603:10a6:803:52::24) MIME-Version: 1.0 X-MS-TrafficTypeDiagnostic: VI1PR05MB5071:EE_|PA4PR05MB7662:EE_|AM4PEPF00027A64:EE_|PA6PR05MB11215:EE_ X-MS-Office365-Filtering-Correlation-Id: 272d2790-1f12-472a-c0eb-08de8be9bbe5 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|52116014|10070799003|376014|366016|1800799024|56012099003|22082099003|18002099003; X-Microsoft-Antispam-Message-Info-Original: JUwzFhb1f7scEvUX1MHplZlzH3qCJl83Zt588D8a9KP2s8Um+hlU4+ACfjUYuolsyQ0UoxWtDWKS4T7EHv16rtuPyiWPds7PO4PeryGSY7dNYl+sJVpc3DP6m7C7sh+QUqh2/vTghoIUcRhUI13xfvHGZos4X2uRBS9+42LS4r8SKxCmNjr0qGMTFFq54wd4lOzIViSWDh6O8D1OJ013dwu0VwEnmAqBLBpqlAbpj0VczgYr0C1lijlC5S6DDjIs+49Z5zdC45XnzAOUDNt3hbqEkAN9q7eMYHLJgxIA6uztty5Gmx03U/aoUPqoI/6B30Mm+IaZyYMJ5yKZuaVGV+np4e7QwjP6anggKJm/0IX/sMvNE5UqY0tMTwKV7cvOYrVchu6O6tGmhPSPjRJKnvpUl4ovKV8wCsJ4hjxrWX28+BNGn5Xr5GEX2/ikWb5IbCWU7IM8a40gGCbdfn2ij19w0ynIg+163909wH6GsWZMMcnNlZHoS59rZHcmE+iRAdZh1BlR3SiKT3Ahwgew2I+2V4U864uqUjB2voPhMx6yTSyy0EejPfmXB8VjVA5NNbo3js4dW/TM+RtCIH5QsESwElfYzO/9pFBfJOt5SIbiAAabmwAhVwIAayNKR2+w6sooHpf3+gE4JkAB59xmh2RKAN77uu20pmXQPFKCOaQSSEIXkr+6AoyA9Q9PFqALR0WPhf2Om0s2E11LEHTCFHqTHDG95wpW+tNLzVUebWI= X-Forefront-Antispam-Report-Untrusted: 
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:VI1PR05MB5071.eurprd05.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(52116014)(10070799003)(376014)(366016)(1800799024)(56012099003)(22082099003)(18002099003);DIR:OUT;SFP:1102; X-Exchange-RoutingPolicyChecked: FN9RWffHXuqjnP6ozRe9EukXAXOyYM9wUGhNaIzlqK/mgWlh3OR1yvbP8or7QKDgmclKXI3hpxp1F/yNFDKcsz18LnsDB8gVM+i2jH7WLz0yghOq9rlJP8o4L89pV3HpO9KTsQIbaPp0GDltfKgNcx8GiAMWZFlT+OxXKCCVoU6rBbj5LHJa7+C2BEPDMkDBwjwlbOyAdxORCKSWDTIeW+WgnEoE9ewdU8v2lseB5nc910kQRXl893BZZQIPdAP43HvC74zXWsgAN6S1gHwq66mcLpXr7gJDJjESVWK5xTpxzNOaL9J3vcbIMRmvFjQqima4XGMM/SkQgZCvP+M46Q== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR05MB7662 X-CodeTwo-MessageID: 1ff659cf-6242-4099-b6b6-0034605345d8.20260327101512@westeu12-emailsignatures-cloud.codetwo.com X-CodeTwoProcessed: true X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM4PEPF00027A64.eurprd04.prod.outlook.com X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id-Prvs: a9f062e9-096d-4b42-6830-08de8be9b93d X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|14060799003|1800799024|35042699022|36860700016|376014|56012099003|22082099003|18002099003; X-Microsoft-Antispam-Message-Info: 66OXCm8xE5nneVJGGu7sz3Zej/5poacLZVkGLXShN526C9YLO2xxz7hb4xek5qOfqYj7EuQqv33v8tQLX5CJhB4QcqZ3hzODWrL1kZN82E4VX4uegMpKP8k8I6sxUpysUUV1P7zJhQHgplMm7QVZaa66qVA9w14NspZvFSoibSxv8dM/tmWRysiLwofdXRreEGj5fhJEnnDLiqmlshnteGlfmF1s4Hj2b97K6HNEp6eNq8SWhz1H0r+wjloFGZcOKMD0TA+zb3MvnP6ykYdeEBG9L2NkUWEDXomWFEhD/N+sjmU1JewtmIEVol7DtA196jsRh8sBzVVHIn1gxjPwKwI/CCw3Il+Enn6pRig3i4l3MaTPSz6q6S+vknith7WqNfI6H4kZFBCgvMzpkrfqToReZvoUgoPtrng3WX84Qz7DEjBTfluXn/5kcfESe8z3avupCIzNDqswkr9BY4N7Ln0B3TNepKd3N3hMlM1y57+SytznFys/jHd7YPCqA8UyrbHz3iqIizCCrGMnAFzjHnqq1roUM2sZL6CSAGOwEAEh4MpzCs7Lt0o8EOc/eRuP4TSxW48zzsO2yHn9fFOTdD5QO6OJoDL3mSqKDaDk1iarbhyev+I4hbJjkzlN+2aYx+ggu0RIHskncL+StvfxiT93Df2Ruugo30oL6tDHj7kq9RPHXZ73zBOJIqdV7nKoqLvlcobNwCsBhD/NvpxA5w== X-Forefront-Antispam-Report: 
CIP:13.93.42.39;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:westeu12-emailsignatures-cloud.codetwo.com;PTR:westeu12-emailsignatures-cloud.codetwo.com;CAT:NONE;SFS:(13230040)(82310400026)(14060799003)(1800799024)(35042699022)(36860700016)(376014)(56012099003)(22082099003)(18002099003);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: VWjEKpVfbaTTGimul2BCXxXEiffXpl31o4JB6qnRA5p2Yqi33aPgQO8iJbO3pJ0ciE5jP0LmejhyLtW8mQ/20/q5iRiECt/Tgm6OTdVlulW/dnjbHvKvg0xH22/xxFgAymHxdF4SX0UEDZy8Be7WzqitaLiHOGSM6WD2acjUvx6jJ8Vzgv3wokFVuHQ6TF5d6auSXuY4U74pdQt/MQ31ov00PcJUtZqqnCUvELIXgvCOprSqVg4pzrwSdyObeZqoB2M3XI6PiMyubEicJViNE+opVVlgOE5NPqinhLWk10H9x3PAC+3mKnu/rwAf5CHkHIK2uW8bQzWfNDFuzjFDu6VJuUjwLvjoi++u4J2XgJX0kXMQDAEK/updvN8uY1Ya7o15jkTK230dwstBtPTiaYpFgU3l05oxJcY0uAGhvrzADtq6N9nD3IeA5+Y1MUlu X-OriginatorOrg: inett.de X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Mar 2026 10:15:12.9173 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 272d2790-1f12-472a-c0eb-08de8be9bbe5 X-MS-Exchange-CrossTenant-Id: fbb4c88a-8c06-44c8-b416-5376f93313e0 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=fbb4c88a-8c06-44c8-b416-5376f93313e0;Ip=[13.93.42.39];Helo=[westeu12-emailsignatures-cloud.codetwo.com] X-MS-Exchange-CrossTenant-AuthSource: AM4PEPF00027A64.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA6PR05MB11215 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.000 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_PASS -0.1 DMARC pass policy SPF_HELO_PASS -0.001 SPF: HELO matches SPF record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: E6Y6GIWBZ4MEKOB6BP6W5J7XTYC4WCQ4 X-Message-ID-Hash: E6Y6GIWBZ4MEKOB6BP6W5J7XTYC4WCQ4 X-MailFrom: fdriessler@inett.de X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Felix Driessler --- src/PVE/Storage/ISCSIPlugin.pm | 122 ++++++++++++++++++++++++++++++++- 1 file changed, 119 insertions(+), 3 deletions(-) diff --git a/src/PVE/Storage/ISCSIPlugin.pm b/src/PVE/Storage/ISCSIPlugin.p= m index bb5576b..777c3b0 100644 --- a/src/PVE/Storage/ISCSIPlugin.pm +++ b/src/PVE/Storage/ISCSIPlugin.pm @@ -159,13 +159,21 @@ sub iscsi_discovery { } =20 sub iscsi_login { - my ($target, $portals, $cache) =3D @_; + my ($target, $portals, $cache, $scfg, $storeid) =3D @_; =20 assert_iscsi_support(); =20 eval { iscsi_discovery($target, $portals, $cache); }; warn $@ if $@; =20 + if ($scfg->{enablechap}) { + eval { iscsi_chap_enable($scfg, $storeid) }; + warn $@ if $@; + } else { + eval { iscsi_chap_disable($target); }; + warn $@ if $@; + } + # Disable retries to avoid blocking pvestatd for too long, next iterat= ion will retry anyway eval { my $cmd =3D [ 
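Review bot: In the added `if ($scfg->{enablechap})` branch a failure of `iscsi_chap_enable` is only warned about, and the login that follows still runs with whatever auth settings the node record already holds. For a storage configured to require CHAP it would be safer to stop there, for example with `die "unable to configure CHAP for '$storeid': $@" if $@;` in place of the `warn`, so the operator gets one clear failure instead of a later login error. The new `$scfg` and `$storeid` parameters are dereferenced without a check, so a caller of `iscsi_login` that this patch does not update (none is visible here) would likely fall into the `else` branch and reset the target's auth settings. The body of `iscsi_login` continues past the end of this hunk.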
@@ -193,9 +201,42 @@ sub iscsi_logout { =20 assert_iscsi_support(); =20 + eval { iscsi_chap_disable($target); }; + warn $@ if $@; + run_command([$ISCSIADM, '--mode', 'node', '--targetname', $target, '--= logout']); } =20 +sub iscsi_chap_enable { + my ($scfg, $storeid) =3D @_; + + my $password =3D iscsi_get_password($scfg, $storeid); + my $target =3D $scfg->{target}; + my $username =3D $scfg->{username}; + + $password =3D~ m|^(.*)$| + or die "incorrect Password."; + $password =3D $1; + + run_command([ + $ISCSIADM, '--mode', 'node', '--targetname', $target, + '-o', 'update', '-n', 'node.session.auth.authmethod', '-v', 'CHAP'= , + '-o', 'update', '-n', 'node.session.auth.username', '-v', $usernam= e, + '-o', 'update', '-n', 'node.session.auth.password', '-v', $passwor= d, + ]); +} + +sub iscsi_chap_disable { + my ($target) =3D @_; + + run_command([ + $ISCSIADM, '--mode', 'node', '--targetname', $target, + '-o', 'update', '-n', 'node.session.auth.authmethod', '-v', 'None'= , + '-o', 'update', '-n', 'node.session.auth.username', '-v', '""', + '-o', 'update', '-n', 'node.session.auth.password', '-v', '""', + ]); +} + my $rescan_filename =3D "/var/run/pve-iscsi-rescan.lock"; =20 sub iscsi_session_rescan { @@ -342,7 +383,9 @@ sub plugindata { return { content =3D> [{ images =3D> 1, none =3D> 1 }, { images =3D> 1 }], select_existing =3D> 1, - 'sensitive-properties' =3D> {}, + 'sensitive-properties' =3D> { + password =3D> 1, + }, }; } =20 @@ -357,6 +400,11 @@ sub properties { type =3D> 'string', format =3D> 'pve-storage-portal-dns', }, + enablechap =3D> { + description =3D> "Enable CHAP Authentication.", + type =3D> 'boolean', + default =3D> 0, + }, }; } =20 
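Review bot: `iscsi_chap_enable` hands the CHAP secret to `iscsiadm` as a command-line argument, so it is readable in the process list while the command runs, and it can also reach the logs if `run_command`'s default failure message echoes the command line (the call sites all `warn $@`). Passing a fixed message such as `errmsg => "updating CHAP settings for target '$target' failed"` would keep it out of the error path, and a comment noting the argv exposure would help the next reader. The untaint step `m|^(.*)$|` accepts any single-line value and does not cover an undefined result from `iscsi_get_password` or a missing `$scfg->{username}`; a check like `die "no CHAP password configured for '$storeid'\n" if !defined($password) || $password eq '';` before it would make that failure visible. In `iscsi_chap_disable` the value `'""'` is passed in an argument list, so unless `run_command` goes through a shell here, the username and password are set to two literal quote characters rather than cleared; `''` looks like what was meant.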
@@ -368,9 +416,47 @@ sub options { disable =3D> { optional =3D> 1 }, content =3D> { optional =3D> 1 }, bwlimit =3D> { optional =3D> 1 }, + enablechap =3D> { optional =3D> 1 }, + username =3D> { optional =3D> 1 }, + password =3D> { optional =3D> 1 }, }; } =20 +# Helpers + +sub iscsi_password_file_name { + my ($scfg, $storeid) =3D @_; + + return "/etc/pve/priv/storage/${storeid}.pw"; +} + +sub iscsi_set_password { + my ($scfg, $storeid, $password) =3D @_; + + my $pwfile =3D iscsi_password_file_name($scfg, $storeid); + mkdir "/etc/pve/priv/storage"; + + PVE::Tools::file_set_contents($pwfile, "$password\n", 0600, 1); +} + +sub iscsi_delete_password { + my ($scfg, $storeid) =3D @_; + + my $pwfile =3D iscsi_password_file_name($scfg, $storeid); + + unlink $pwfile; +} + +sub iscsi_get_password { + my ($scfg, $storeid) =3D @_; + + my $pwfile =3D iscsi_password_file_name($scfg, $storeid); + + my $contents =3D PVE::Tools::file_read_firstline($pwfile); + + return eval { decode('UTF-8', $contents, 1) } // $contents; +} + # Storage implementation =20 sub parse_volname { @@ -505,7 +591,7 @@ sub activate_storage { } =20 if ($do_login) { - eval { iscsi_login($scfg->{target}, $portals, $cache); }; + eval { iscsi_login($scfg->{target}, $portals, $cache, $scfg, $stor= eid); }; warn $@ if $@; } else { # make sure we get all devices 
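Review bot: `iscsi_get_password` calls `decode` inside an `eval` with a `// $contents` fallback, and no hunk in this patch adds an import for it. If the file does not already `use Encode`, the call dies inside the `eval` and the raw bytes are returned with no sign that decoding never happened; the same fallback also passes on an undefined `$contents` when the password file cannot be read (worth confirming how `file_read_firstline` reports that case). I would check for the missing file explicitly with `die "no password file for storage '$storeid'\n" if !defined($contents);` and make sure `use Encode qw(decode);` is present at the top of the file. In `options`, `username` and `password` stay optional even when `enablechap` is set, so a CHAP-enabled storage can be saved without credentials; a check in the add and update hooks would catch that early.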
@@ -711,4 +797,34 @@ sub volume_import { die "volume import is not possible on iscsi storage\n"; } =20 +sub on_add_hook { + my ($class, $storeid, $scfg, %param) =3D @_; + if (defined(my $password =3D $param{password}) && $scfg->{enablechap})= { + iscsi_set_password($scfg, $storeid, $password); + } + else { + iscsi_delete_password($scfg, $storeid); + } +} + +sub on_update_hook { + return if !assert_iscsi_support(1); + + my ($class, $storeid, $scfg, %param) =3D @_; + if (exists($param{password})) { + if (defined(my $password =3D $param{password}) && $scfg->{enablech= ap}) { + if ($password !=3D "") { + iscsi_set_password($scfg, $storeid, $password); + } + } + else { + iscsi_delete_password($scfg, $storeid); + } + } + + eval { iscsi_logout($scfg->{target}); }; + activate_storage($class, $storeid, $scfg) +} + + 1; --=20 2.52.0 =0A= Felix Driessler=0A= Junior Systems Engineer // #GernPerDU=0A= =0A= Linux - Open Source - IT Solutions=0A= =0A= T: +49-681-410993-0=0A= E: fdriessler@inett.de=0A= https://www.inett.de=0A= =0A= =0A= =0A= inett GmbH | Altenkesseler Strasse 17 / B8 | 66115 Saarbr=FCcken | Germany= =0A= =0A= Vertrieb: vertrieb@inett.de // +49-681-410993-33=0A= Support: support@inett.de // +49-681-410993-42=0A= =0A= =0A= =0A= =0A= =0A= Gesch=E4ftsf=FChrung: Marco Gabriel | Amtsgericht Saarbr=FCcken HRB 16588= =0A=
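Review bot: In `on_update_hook` the test `$password != ""` compares numerically, so a non-numeric password evaluates as `0 != 0` and is never written by `iscsi_set_password`; it should be a string test such as `if (length($password))` or `$password ne ""`. The hook also logs out of the target and re-activates the storage on every update, whether or not a CHAP-related property changed, which would drop the session under any guest using the LUNs; restricting this to updates where `password`, `username` or `enablechap` changed would avoid that. The `eval { iscsi_logout(...) }` discards `$@`, unlike the other new call sites, so a failed logout leaves no trace. In `on_add_hook`, `enablechap` without a password silently falls into the delete branch, where raising an error would be clearer.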