From: "Daniel P. Berrange" <berrange@redhat.com>
To: ronnie sahlberg <ronniesahlberg@gmail.com>
Cc: kwolf@redhat.com, fujita.tomonori@lab.ntt.co.jp,
	qemu-devel@nongnu.org, Christoph Hellwig <hch@lst.de>,
	Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH] This patch adds a new block driver : iSCSI
Date: Thu, 15 Sep 2011 09:02:08 +0100
Message-ID: <20110915080208.GB29309@redhat.com>
In-Reply-To: <CAN05THQDtk-ZhO1LVjesM0mgcHBj7rG_Qz6GoNqc_5GW8KLy3g@mail.gmail.com>

On Thu, Sep 15, 2011 at 08:51:00AM +1000, ronnie sahlberg wrote:
> On Thu, Sep 15, 2011 at 12:36 AM, Christoph Hellwig <hch@lst.de> wrote:
> ...
> >> > +/*
> >> > + * We support iscsi url's on the form
> >> > + * iscsi://[<username>%<password>@]<host>[:<port>]/<targetname>/<lun>
> >> > + */
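Review bot: The URL form in this comment uses "%" to separate <username> from <password>, but "%" is also the percent-encoding escape character in URLs, so a credential that contains an encoded byte (for example %40 for "@") is ambiguous against the separator. The comment should say how the parser resolves this, or the syntax should use the conventional ":" separator. It would also help to state that the bracketed credential part is optional and that anything placed in the URL is exposed wherever the URL itself is shown. Style: "url's on the form" should read "URLs of the form".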
> >
> > Is having username + password on the command line really that good an idea?
> > Also what about the more complicated iSCSI authentication schemes?
> 
> In general it is a very bad idea. For local use on a private box it is
> convenient to be able to use "<username>%<password>@" syntax.
> For use on a shared box, libiscsi supports an alternative method too
> by setting the username and/or password via environment variables :
> LIBISCSI_CHAP_USERNAME=...  LIBISCSI_CHAP_PASSWORD=...

Environment variables are only a tiny bit better, since this still allows
the password to leak to any processes which can read /proc/$PID/environ.
It is also undesirable wrt many distro troubleshooting tools (eg Fedora/
RHEL's sosreport) which capture the contents of /proc/$PID/environ as part
of their data collection process. This means your passwords will end up
in attachments to bugzilla / issue tracker tickets.

For block devs with encrypted QCow2 disks (and VNC/SPICE) QEMU requires the
password to be set via the monitor. Since this iscsi: protocol is part of
the block layer, IMHO, the password should be settable the same way via the
monitor.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
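
Added example (not part of the original message, and not QEMU or libiscsi code): a scrubber that a diagnostic collector could run over captured /proc/$PID/environ and /proc/$PID/cmdline data before it is attached to a ticket. It masks the libiscsi CHAP variables and the <username>%<password>@ part of iscsi:// URLs named in the thread. The sample blobs, host address and target name are constructed.

```python
import re

# Variable names taken from the thread: libiscsi reads CHAP credentials from these.
SENSITIVE_ENV = {"LIBISCSI_CHAP_USERNAME", "LIBISCSI_CHAP_PASSWORD"}
# iscsi://<username>%<password>@<host>..., as documented in the quoted patch comment.
ISCSI_CRED = re.compile(rb"(iscsi://)([^%@/\s]+)%([^@/\s]+)@")
MASK = b"<redacted>"


def split_nul(blob):
    """/proc/<pid>/environ and /proc/<pid>/cmdline are NUL-separated byte strings."""
    return [field for field in blob.split(b"\0") if field]


def scrub_environ(blob):
    """Return (redacted_blob, names of sensitive variables that carried a value)."""
    out, hits = [], []
    for entry in split_nul(blob):
        name, sep, value = entry.partition(b"=")
        if sep and value and name.decode("ascii", "replace") in SENSITIVE_ENV:
            hits.append(name.decode("ascii"))
            entry = name + b"=" + MASK
        out.append(entry)
    return b"\0".join(out) + b"\0", hits


def scrub_cmdline(blob):
    """Return (redacted_blob, number of iscsi:// URLs that embedded credentials)."""
    out, count = [], 0
    for arg in split_nul(blob):
        arg, n = ISCSI_CRED.subn(
            lambda m: m.group(1) + MASK + b"%" + MASK + b"@", arg)
        count += n
        out.append(arg)
    return b"\0".join(out) + b"\0", count


# Constructed samples in the on-disk format of the two /proc files.
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0LIBISCSI_CHAP_USERNAME=alice\0"
                  b"LIBISCSI_CHAP_PASSWORD=s3cret\0")
SAMPLE_CMDLINE = (b"qemu-system-x86_64\0-drive\0"
                  b"file=iscsi://alice%s3cret@192.0.2.10:3260/"
                  b"iqn.2011-09.example:disk0/1\0")

if __name__ == "__main__":
    print(scrub_environ(SAMPLE_ENVIRON))
    print(scrub_cmdline(SAMPLE_CMDLINE))
```
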
