Re: [PATCH 5/5] qemu/rbd: improve rbd device specification

On Fri, 16 Sep 2011, Tommi Virtanen wrote:
> On Thu, Sep 15, 2011 at 13:52, Sage Weil <sage@xxxxxxxxxxxx> wrote:
> > +static int buildRBDString(virConnectPtr conn,
> ...
> > +        /* look up secret */
> > +        snprintf(idDomain, sizeof(idDomain), "%s/%s", disk->authId,
> > +                 disk->authDomain);
> > +        sec = virSecretLookupByUsage(conn,
> > +                                     VIR_SECRET_USAGE_TYPE_CEPH,
> > +                                     idDomain);
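Review bot: The snprintf() into idDomain ignores its return value, so an authId/authDomain pair longer than sizeof(idDomain) is silently truncated and the truncated string is then used as the usage ID passed to virSecretLookupByUsage(). Compare the return value against sizeof(idDomain) and fail on overflow, or build the string with an allocating helper, so a truncated ID can never match a different secret.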
> ...
> > +            secret = (char *)conn->secretDriver->getValue(sec, &secret_size, 0,
> > +                                   VIR_SECRET_GET_VALUE_INTERNAL_CALL);
> > +            /* qemu/librbd wants it base64 encoded */
> > +            base64_encode_alloc(secret, secret_size, &base64);
> > +            virBufferEscape(opt, ":", ":key=%s:auth_supported=cephx\\;none",
> > +                            base64);
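Review bot: Nothing in the getValue()/base64_encode_alloc() lines checks for failure: the getValue() result is cast and handed straight to base64_encode_alloc(), and base64 is passed to virBufferEscape() without being tested for NULL. Check both and return an error before formatting the option string. Both buffers hold the cephx key, so whichever path releases secret and base64 should clear them before freeing.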
> 
> If I'm reading this right, that puts the ceph secret on the kvm
> command line. That's not good, that makes it visible to anyone on the
> host.

Yeah, we definitely want something better, but I wanted to make sure the 
overall approach is fine before doing something too annoying with 
temporary unlinked files or environment variables or something.

sage
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
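The "temporary unlinked file" option mentioned in the reply, sketched as an added example that is not part of the original thread or of libvirt's code. The helper name, the /tmp template and the sample key are assumptions, and how qemu/librbd would be told to read the descriptor is not shown.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: put `len` bytes of key material in a temp file that is
 * unlinked before any data is written; returns an fd positioned at offset 0.
 * `path_out` (optional, >= 64 bytes) gets the name the file briefly had. */
static int secret_to_unlinked_fd(const void *secret, size_t len, char *path_out)
{
    char path[] = "/tmp/secret-XXXXXX";   /* constructed location */
    const char *p = secret;
    int fd = mkstemp(path);               /* owner-only, exclusive create */
    if (fd < 0)
        return -1;
    if (path_out)
        strcpy(path_out, path);
    if (unlink(path) < 0)                 /* no name left in the filesystem */
        goto fail;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        p += n;
        len -= (size_t)n;
    }
    if (lseek(fd, 0, SEEK_SET) < 0)
        goto fail;
    return fd;   /* a child inherits fd; only its number would appear in argv */
fail:
    close(fd);
    return -1;
}

int main(void)
{
    const char key[] = "Y29uc3RydWN0ZWQ=";   /* constructed sample, not a real key */
    int fd = secret_to_unlinked_fd(key, strlen(key), NULL);
    if (fd < 0)
        return 1;
    printf("secret available on fd %d\n", fd);
    close(fd);
    return 0;
}
```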
