On Tue, Jan 21, 2020 at 13:38:13 +0000, Daniel Berrange wrote:
> On Fri, Jan 10, 2020 at 04:42:43PM +0100, Peter Krempa wrote:
> > The necessity to specify the secret value as command argument is
> > insecure. Allow reading the secret from a file.
> >
> > Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> > ---
> > docs/manpages/virsh.rst | 5 +++--
> > tools/virsh-secret.c | 30 +++++++++++++++++++++++++++---
> > 2 files changed, 30 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
> > index fcc8ef6758..992b1daf90 100644
> > --- a/docs/manpages/virsh.rst
> > +++ b/docs/manpages/virsh.rst
> > @@ -6558,10 +6558,11 @@ secret-set-value
> >
> > .. code-block::
> >
> > - secret-set-value secret base64
> > + secret-set-value secret (--file filename | base64)
> >
> > Set the value associated with *secret* (specified by its UUID) to the value
> > -Base64-encoded value *base64*.
> > +Base64-encoded value *base64* or from file named *filename*. Note that *--file*
> > +and *base64* options are mutually exclusive.
>
> You added a --plain option to secret-get-value.
>
> It would naturally suggest that we do the same here, then we can
> support
>
> secret-set-value $BASE64STR
> secret-set-value --plain $RAWSTR

I think that both of the above should not have existed in the first
place. Adding the possibility to add plain secrets via argument looks to
me as a step back. If I could do it, I'd remove the base64 via command
line arguments as well.

> secret-set-value --file FILENAME-WITH-BASE64-STR

This seems a bit pointless to me.

> secret-set-value --plain --file FILENAME-WITH-RAW-STR
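
Review bot: in the docs/manpages/virsh.rst hunk, the new description does not say what encoding the contents of *filename* must have. The added line reads "+Base64-encoded value *base64* or from file named *filename*", so a reader cannot tell whether the file is expected to hold Base64 text or the raw secret; please state that explicitly. The sentence also still reads "to the value Base64-encoded value" across the context line and the added line, duplicating "value", and it calls *base64* an option in "*--file* and *base64* options are mutually exclusive" although the synopsis shows it as a bare argument. Wording such as "the *base64* argument and *--file* are mutually exclusive" would match the synopsis.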