Re: [PATCH 2/2] qemu: Use secret objects to pass iSCSI passwords

On Tue, Sep 05, 2017 at 15:09:35 -0400, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1425757
> 
> The blockdev-add code provides a mechanism to sanely provide user
> and password-secret arguments for iscsi without placing them on the
> command line to be viewable by a 'ps -ef' type command or needing
> to create separate -iscsi devices for each disk/volume found.
> 
> So modify the iSCSI command line building to check for the presence
> of the capability in order to properly set up and use the domain master
> secret object to encrypt the password in a secret object and alter
> the parameters for the command line to utilize.
> 
> Modify the xml2argvtest to exhibit the syntax for both disk and
> hostdev configurations.
> 
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
>  src/qemu/qemu_command.c                            | 19 ++++++++-
>  src/qemu/qemu_domain.c                             |  4 ++
>  ...xml2argv-disk-drive-network-iscsi-auth-AES.args | 39 ++++++++++++++++++
>  ...uxml2argv-disk-drive-network-iscsi-auth-AES.xml | 43 +++++++++++++++++++
>  ...ml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args | 35 ++++++++++++++++
>  ...xml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml | 48 ++++++++++++++++++++++
>  tests/qemuxml2argvtest.c                           | 10 +++++
>  7 files changed, 196 insertions(+), 2 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.args
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.xml
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml

Most of the stuff here looks reasonable but I don't think we should mix
the URI syntax with the file.param= syntax generated from the JSON
objects. Since there's a capability when this is supported, the command
line generator should use the new syntax.

You can mark it in qemuDiskSourceNeedsProps so that it uses the new
generator if it's needed and supported and implement the JSON generator.

The rest should then work as expected.

Attachment: signature.asc
Description: PGP signature
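
Added example, not part of the original mail and not libvirt code: a small check that flags iSCSI passwords readable from a process listing, which is the exposure the commit message describes. The function names and both sample command lines are constructed for illustration, and the ':' / '%' credential separators in the URI are an assumption.

```python
import re
import shlex

# Constructed command lines for illustration (hosts, IQNs and secrets are made up).
LEGACY = ("qemu-system-x86_64 -drive file=iscsi://myname:s3cr3t@example.org:3260/"
          "iqn.2017-09.org.example:t0/1,format=raw,if=none,id=drive-virtio-disk0")
SECRET = ("qemu-system-x86_64 -object secret,id=disk0-secret0,data=Q09OU1RSVUNURUQ=,"
          "keyid=masterKey0,iv=Q09OU1RSVUNURUQ=,format=base64 "
          "-drive file.driver=iscsi,file.portal=example.org:3260,"
          "file.target=iqn.2017-09.org.example:t0,file.lun=1,file.user=myname,"
          "file.password-secret=disk0-secret0,format=raw,if=none,id=drive-virtio-disk0")

# Assumption: URI credentials are user:password@ or user%password@ in the authority.
URI_CRED = re.compile(r"iscsi://[^/@%:]+[%:][^/@]+@")


def split_opts(value):
    """Parse a QEMU 'k=v,k=v' option string; ',,' is an escaped comma."""
    opts = {}
    for item in value.replace(",,", "\0").split(","):
        key, _, val = item.replace("\0", ",").partition("=")
        opts[key] = val
    return opts


def exposed_iscsi_secrets(cmdline):
    """Return (option, reason) pairs for secrets readable from the process list."""
    argv = shlex.split(cmdline)
    findings = []
    for opt, value in zip(argv, argv[1:]):
        if not opt.startswith("-"):
            continue
        opts = split_opts(value)
        if opt == "-iscsi" and "password" in opts:
            findings.append((opt, "password= given inline"))
        if opt == "-object" and "secret" in opts and "data" in opts \
                and "keyid" not in opts:
            findings.append((opt, "secret data= without keyid"))
        if any(URI_CRED.search(val) for val in opts.values()):
            findings.append((opt, "password embedded in iscsi:// URI"))
    return findings


if __name__ == "__main__":
    for name, line in (("legacy", LEGACY), ("secret object", SECRET)):
        print(name, exposed_iscsi_secrets(line))
```

The secret-object form passes because the password appears only as ciphertext bound to a master key id, and the drive refers to it by secret id.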
