From: "Daniel P. Berrange" <berrange@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: Eric Blake <eblake@redhat.com>,
kwolf@redhat.com, jdurgin@redhat.com,
Jeff Cody <jcody@redhat.com>,
qemu-devel@nongnu.org, mreitz@redhat.com, dillaman@redhat.com
Subject: Re: [Qemu-devel] [PATCH for-2.9 4/5] rbd: Peel off redundant RbdAuthMethod wrapper struct
Date: Mon, 3 Apr 2017 12:25:25 +0100
Message-ID: <20170403112525.GO2768@redhat.com>
In-Reply-To: <87h92ffeg4.fsf@dusky.pond.sub.org>

On Mon, Mar 27, 2017 at 07:58:51AM +0200, Markus Armbruster wrote:
> = What to do for 2.9 =
>
> I propose to
>
> * drop both "auth_supported" and "password-secret" from the QAPI schema
>
> * drop "password-secret" from QemuOpts
>
> * hide "keyvalue-pairs" in QemuOpts
>
> No existing usage is affected, since all these things are new in 2.9.

Maybe I'm misunderstanding what you're suggesting wrt QemuOpts, but
'password-secret' with RBD is not new in 2.9.0

It was added in 2.6.0 in this commit:

  commit 60390a2192e7b38aee18db6ce7fb740498709737
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Thu Jan 21 14:19:19 2016 +0000

      rbd: add support for getting password from QCryptoSecret object

      Currently RBD passwords must be provided on the command line
      via

        $QEMU -drive file=rbd:pool/image:id=myname:\
           key=QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=:\
           auth_supported=cephx

      This is insecure because the key is visible in the OS process
      listing.

      This adds support for a 'password-secret' parameter in the RBD
      parameters that can be used with the QCryptoSecret object to
      provide the password via a file:

        echo "QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=" > poolkey.b64
        $QEMU -object secret,id=secret0,file=poolkey.b64,format=base64 \
            -drive driver=rbd,filename=rbd:pool/image:id=myname:\
                   auth_supported=cephx,password-secret=secret0

      Reviewed-by: Josh Durgin <jdurgin@redhat.com>
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      Message-id: 1453385961-10718-2-git-send-email-berrange@redhat.com
      Signed-off-by: Jeff Cody <jcody@redhat.com>

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
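
Added example (not part of the message above, and not QEMU code): a small audit that classifies the RBD `-drive` arguments of one QEMU argv according to the two forms the quoted commit message contrasts, redacting any inline key before it is reported. The function names, verdict strings and the sample argvs (including the placeholder key) are constructed for illustration; escaped commas (`,,`) in option strings are not handled.

```python
import re

# Inline Ceph key in the legacy rbd: pseudo-filename (…:key=<base64>:…).
_INLINE_KEY = re.compile(r"(?<![\w-])key=[A-Za-z0-9+/=]+")
_SECRET_REF = re.compile(r"password-secret=([\w.-]+)")

def _props(arg):
    """Split a comma-separated QEMU option string into a dict of key=value."""
    return dict(p.split("=", 1) for p in arg.split(",") if "=" in p)

def audit_qemu_argv(argv):
    """Return a list of (verdict, redacted_argument), one per RBD -drive."""
    # Ids of secret objects whose payload is read from a file, not the argv.
    file_secrets = set()
    for opt, val in zip(argv, argv[1:]):
        if opt == "-object" and val.split(",", 1)[0] == "secret":
            props = _props(val)
            if "id" in props and "file" in props:
                file_secrets.add(props["id"])

    findings = []
    for opt, val in zip(argv, argv[1:]):
        if opt != "-drive" or "rbd" not in val:
            continue
        redacted = _INLINE_KEY.sub("key=<redacted>", val)
        ref = _SECRET_REF.search(val)
        if redacted != val:
            findings.append(("inline-key", redacted))       # key visible in process listing
        elif ref and ref.group(1) in file_secrets:
            findings.append(("file-secret", val))           # key supplied via a file-backed secret
        elif ref:
            findings.append(("unresolved-secret", val))     # id has no matching -object secret,file=
        else:
            findings.append(("no-auth-material", val))
    return findings

# Constructed sample argvs mirroring the two command lines in the commit
# message; the key is a placeholder, not a real Ceph key.
INSECURE = ["qemu-system-x86_64", "-drive",
            "file=rbd:pool/image:id=myname:key=RVhBTVBMRUtFWQ==:auth_supported=cephx"]
SECURE = ["qemu-system-x86_64",
          "-object", "secret,id=secret0,file=poolkey.b64,format=base64",
          "-drive", "driver=rbd,filename=rbd:pool/image:id=myname:"
                    "auth_supported=cephx,password-secret=secret0"]

if __name__ == "__main__":
    for name, argv in (("insecure", INSECURE), ("secure", SECURE)):
        print(name, audit_qemu_argv(argv))
```

On Linux, the argv of a running process can be obtained by splitting `/proc/<pid>/cmdline` on NUL bytes, which is the same view the process listing mentioned in the commit message exposes.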