Re: [Qemu-devel] [PATCH] iSCSI: add configuration variables for iSCSI

[Eric Blake <eblake@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 1507 bytes --]

On 01/24/2012 11:47 PM, ronnie sahlberg wrote:
> Read from an arbitrary filedescriptor inherited from the parent process :
> 9<iscsi.conf ./x86_64-softmmu/qemu-system-x86_64 -enable-kvm -display
> vnc=127.0.0.1:0 -drive file=iscsi://127.0.0.1/iqn.ronnie.test/1
> -readconfig /proc/self/fd/9

That requires the existence of procfs, which is not portable (although
it does work on Linux).  I'd rather see:

-readconfig fd:9

which matches things for -incoming; that is, if -readconfig starts with
'/' or '.', it is a filename; otherwise, it is a protocol:value
designation, where we recognize at least the fd: protocol where a value
is the incoming fd, but we could also recognize things like exec:
protocol which is an arbitrary command to use via popen.

> I imagine you would pipe() then fork() and pass the read side of your
> pipe to qemu here ?

Yes, the idea is that libvirt would rather pipe() and then pass the read
size fd to qemu, so that libvirt's handling of the decrypted secret
information is only ever passed over the pipe and not stored on disk.

> If this works well or at least in some acceptable form it might be
> useful for other users needing to pass sensitive config data into QEMU
> too?

Yes, the fd: notation of -incoming should be reusable in multiple
contexsts, including any other location where sensitive information must
be passed in.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 620 bytes --]