Support for referencing secret objects was added in
commit b189346eb1784df95ed6fed610411dbf23d19e1f
Author: Daniel P. Berrangé <berrange@xxxxxxxxxx>
Date: Thu Jan 21 14:19:21 2016 +0000
iscsi: add support for getting CHAP password via QCryptoSecret API
The existing 'password' option is overdue for deprecation and
subsequent removal.
Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
block/iscsi.c | 3 +++
docs/about/deprecated.rst | 11 +++++++++++
2 files changed, 14 insertions(+)
diff --git a/block/iscsi.c b/block/iscsi.c
index a316d46d96..58c0623052 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -1352,6 +1352,9 @@ static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts,
} else if (!password) {
error_setg(errp, "CHAP username specified but no password was given");
return;
+ } else {
+ warn_report("iSCSI block driver 'password' option is deprecated, "
+ "use 'password-secret' instead");
}
if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 93affe3669..2cc8924fe9 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -267,6 +267,17 @@ Options are:
- move backing file to NVDIMM storage and keep ``pmem=on``
(to have NVDIMM with persistence guaranties).
+Block driver options
+--------------------
+
+``iscsi,password=xxx`` (since 8.0)
+''''''''''''''''''''''''''''''''''
+
+Specifying the iSCSI password in plain text on the command line using the
+``password`` option is insecure. The ``password-secret`` option should be
+used instead, to refer to a ``--object secret...`` instance that provides
+a password via a file, or encrypted.
+
Device options
--------------
--
2.38.1
