Message-ID: <4F20266F.20409@redhat.com>
Date: Wed, 25 Jan 2012 08:57:35 -0700
From: Eric Blake
References: <1327140203-3165-1-git-send-email-ronniesahlberg@gmail.com> <1327140203-3165-2-git-send-email-ronniesahlberg@gmail.com> <4F1DA1D5.1010600@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] iSCSI: add configuration variables for iSCSI
To: ronnie sahlberg
Cc: kwolf@redhat.com, qemu-devel@nongnu.org

On 01/24/2012 11:47 PM, ronnie sahlberg wrote:
> Read from an arbitrary filedescriptor inherited from the parent process:
> 9 vnc=127.0.0.1:0 -drive file=iscsi://127.0.0.1/iqn.ronnie.test/1
> -readconfig /proc/self/fd/9

That requires the existence of procfs, which is not portable (although it
does work on Linux).
I'd rather see:

-readconfig fd:9

which matches things for -incoming; that is, if -readconfig starts with
'/' or '.', it is a filename; otherwise, it is a protocol:value
designation, where we recognize at least the fd: protocol where a value
is the incoming fd, but we could also recognize things like exec:
protocol which is an arbitrary command to use via popen.

> I imagine you would pipe() then fork() and pass the read side of your
> pipe to qemu here ?

Yes, the idea is that libvirt would rather pipe() and then pass the read
side fd to qemu, so that libvirt's handling of the decrypted secret
information is only ever passed over the pipe and not stored on disk.

> If this works well or at least in some acceptable form it might be
> useful for other users needing to pass sensitive config data into QEMU
> too?

Yes, the fd: notation of -incoming should be reusable in multiple
contexts, including any other location where sensitive information must
be passed in.

--
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
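
The fd: parsing rule and the pipe()/fork() hand-off discussed in this message, sketched as an added example; it is not code from QEMU, libvirt or anyone in the thread. The names open_config_source and pass_secret_over_pipe are hypothetical, only the fd: protocol is handled, and the forked child stands in for qemu.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper for the rule in the mail: a leading '/' or '.' is a
 * filename, "fd:N" is an inherited descriptor. Returns a fd, or -1. */
static int open_config_source(const char *arg)
{
    char *end;
    if (arg[0] == '/' || arg[0] == '.')
        return open(arg, O_RDONLY);
    if (strncmp(arg, "fd:", 3) != 0 || arg[3] < '0' || arg[3] > '9')
        return -1;                 /* unknown protocol, "fd:", "fd:-1" */
    errno = 0;
    long fd = strtol(arg + 3, &end, 10);
    if (errno || *end != '\0' || fd > INT_MAX)
        return -1;                 /* "fd:9x" or out of range */
    return fcntl((int)fd, F_GETFD) < 0 ? -1 : (int)fd; /* must be open */
}

/* Parent role (libvirt); the child stands in for qemu. 0 = secret received. */
static int pass_secret_over_pipe(const char *secret)
{
    int p[2], status;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        char arg[32], buf[256] = {0}; size_t n = 0; ssize_t r;
        close(p[1]);               /* or read() never reports EOF */
        snprintf(arg, sizeof arg, "fd:%d", p[0]);
        int fd = open_config_source(arg);
        while (fd >= 0 && (r = read(fd, buf + n, sizeof buf - 1 - n)) > 0)
            n += (size_t)r;
        _exit(fd >= 0 && strcmp(buf, secret) == 0 ? 0 : 1);
    }
    close(p[0]);
    ssize_t w = write(p[1], secret, strlen(secret));
    close(p[1]);                   /* EOF for the child */
    if (waitpid(pid, &status, 0) < 0 || w < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : -1;
}
/* Constructed sample config line, not from the page. */
int main(void) { return pass_secret_over_pipe("password = \"example\"\n") != 0; }
```

The secret exists only in the two processes' memory and the kernel pipe buffer; no path on disk is involved, and no procfs is needed to resolve the descriptor.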