From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-block@nongnu.org
Subject: [Qemu-devel] [PATCH v4 0/3] Use QCryptoSecret for block device passwords
Date: Thu, 21 Jan 2016 14:19:18 +0000 [thread overview]
Message-ID: <1453385961-10718-1-git-send-email-berrange@redhat.com> (raw)
This series was previously posted:
v1: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg04365.html
v2: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03809.html
v3: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03461.html
The RBD, Curl and iSCSI block device drivers all need the ability
to accept a password to authenticate with the remote network storage
server. Currently RBD and iSCSI both just take the password in clear
text as part of the block parameters which is insecure (passwords are
visible in the process listing), while Curl doesn't support auth at
all.
This series updates all three drivers so that they use the recently
merged QCryptoSecret API for getting passwords. Each driver gains
a 'passwordid' property that can be set to provide the ID of a
QCryptoSecret object instance, which in turn provides the actual
password data.
This series is required in order to fix a long standing CVE security
flaw in libvirt, whereby passwords are exposed in the command line
arguments and so visible in process listing
This series would benefit from the --object additions to qemu-img,
qemu-io and qemu-nbd, but this is not a pre-requisite for its merge
as it us still useful in the system emulator without that support:
https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03381.html
Changed in v4:
- Rename 'password-id' to 'password-secret', 'proxy-password-id'
to 'proxy-password-secret' (Paolo)
Changed in v3:
- Rename 'passwordid' to 'password-id', 'proxypasswordid'
to 'proxy-password-id' and 'proxyusername' to 'proxy-username'
(Markus)
Daniel P. Berrange (3):
rbd: add support for getting password from QCryptoSecret object
curl: add support for HTTP authentication parameters
iscsi: add support for getting CHAP password via QCryptoSecret API
block/curl.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block/iscsi.c | 24 +++++++++++++++++++++-
block/rbd.c | 47 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 136 insertions(+), 1 deletion(-)
--
2.5.0
next reply other threads:[~2016-01-21 14:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-21 14:19 Daniel P. Berrange [this message]
2016-01-21 14:19 ` [Qemu-devel] [PATCH v4 1/3] rbd: add support for getting password from QCryptoSecret object Daniel P. Berrange
2016-01-21 14:19 ` [Qemu-devel] [PATCH v4 2/3] curl: add support for HTTP authentication parameters Daniel P. Berrange
2016-01-21 14:19 ` [Qemu-devel] [PATCH v4 3/3] iscsi: add support for getting CHAP password via QCryptoSecret API Daniel P. Berrange
2016-02-04 15:56 ` [Qemu-devel] [PATCH v4 0/3] Use QCryptoSecret for block device passwords Paolo Bonzini
2016-02-08 3:52 ` [Qemu-devel] [Qemu-block] " Jeff Cody
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1453385961-10718-1-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).