On 09/22/2013 12:54 PM, Andrey Korolyov wrote:
Hello,
Since it was a long time from enabling cephx by default and we may
think that everyone using it, is seems worthy to introduce bits of
code hiding the key from cmdline. First applicable place for such
improvement is most-likely OpenStack envs with their sparse security
and usage of admin key as default one.
I doubt most people are using the admin keyring, since the docs for
openstack show different users for images and volumes, but it's worth
tackling this again.
Basically this requires changing QEMU and making libvirt use the new
interface when it's available. There was some discussion [1] and an rfc
[2] a while back regarding this. The same approach of modifying the
bdrv_set_key command should work, but IIRC there was a complication
that could be corrected. QEMU attempted to read the device size before
pausing the vm and waiting for the password (cephx secret in this
case), but with rbd the size isn't available until after the driver has
the secret with which to connect to the cluster. If the vm were paused
before the size of the disk was read, the patches would be simpler.
It's probably not too hard to rework those patches if anyone's
interested in picking them up.
Josh
[1] http://www.redhat.com/archives/libvir-list/2011-October/msg00998.html
[2] http://lists.gnu.org/archive/html/qemu-devel/2011-11/msg01337.html
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
