From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH RFC v3 for-2.9 10/11] Revert "rbd: add support for getting password from QCryptoSecret object"
Date: Mon, 27 Mar 2017 20:36:37 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Eric Blake <address@hidden> writes:
> On 03/27/2017 08:26 AM, Markus Armbruster wrote:
>> This reverts commit 60390a2192e7b38aee18db6ce7fb740498709737.
>>
>> The commit's rationale
>>
>>     Currently RBD passwords must be provided on the command line
>>     via
>>
>>       $QEMU -drive file=rbd:pool/image:id=myname:\
>>             key=QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=:\
>>             auth_supported=cephx
>>
>>     This is insecure because the key is visible in the OS process
>>     listing.
>>
>> is invalid. You can easily avoid passing keys on the command line by
>> using "keyfile" instead of "key". In fact, the Ceph documentation
>> calls use of key "not recommended". But the most common way to
>> provide keys is a keyring. The default keyrings should be just fine
>> for most users. When they aren't, you can configure your own keyrings
>> with "keyring" or override the key with "keyfile".
>>
>> The commit adds parameter password-secret to -drive. Support for it
>> was included in -blockdev, but reverted in the previous commit due to
>> concerns about the QMP interface. Revert it from -drive, too.
>>
>> Cc: Daniel P. Berrange <address@hidden>
>> Signed-off-by: Markus Armbruster <address@hidden>
>> ---
>> block/rbd.c | 47 -----------------------------------------------
>> 1 file changed, 47 deletions(-)
>
> Are we sure this won't be breaking existing libvirt clients?

I somehow misread the date on commit 60390a2. It's actually too late to
revert it. We'll have to live with this. I'll drop this patch and
rework 11/11.
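
A check for the exposure debated in the quoted commit message, added here as an example and not part of the thread or of QEMU: it classifies how each rbd `-drive` on a command line supplies its Ceph key and flags an inline `key=`. The sample command lines, key placeholder, file paths and secret id `sec0` are constructed, and the parsing assumes colon-separated rbd options with backslash escapes and comma-separated `-drive` fields with `,,` as a literal comma.

```python
import glob
import re

# Constructed argv samples (key, paths and secret id are placeholders, not from the page).
SAMPLES = [
    ["qemu-system-x86_64", "-drive",
     "file=rbd:pool/image:id=myname:key=NOTAREALKEY=:auth_supported=cephx"],
    ["qemu-system-x86_64", "-drive",
     "file=rbd:pool/image:id=myname:keyfile=/etc/ceph/myname.key"],
    ["qemu-system-x86_64", "-object", "secret,id=sec0,file=/etc/ceph/myname.b64",
     "-drive", "file=rbd:pool/image:id=myname,password-secret=sec0"],
]

def split_unescaped(s):
    """Split an rbd filename on ':'; a backslash makes the next character literal."""
    parts = re.findall(r"(?:\\.|[^:\\])+", s)
    return [re.sub(r"\\(.)", r"\1", p) for p in parts]

def classify_drive(value):
    """Return (image, key source) for an rbd -drive value, None for other drives."""
    fields = [f.replace("\0", ",") for f in value.replace(",,", "\0").split(",")]
    drive = dict(f.split("=", 1) for f in fields if "=" in f)
    if not drive.get("file", "").startswith("rbd:"):
        return None
    image, *opts = split_unescaped(drive["file"][4:])
    rbd = dict(o.split("=", 1) for o in opts if "=" in o)
    if "key" in rbd:
        return image, "EXPOSED: key= in argv"   # the key itself is never echoed
    if "password-secret" in drive:
        return image, "password-secret"
    return image, "keyfile" if "keyfile" in rbd else "keyring"

def audit(argv):
    """Classify every rbd -drive on one command line."""
    hits = (classify_drive(v) for f, v in zip(argv, argv[1:]) if f == "-drive")
    return [h for h in hits if h]

def live_argvs():
    """Yield the argv of each process this user can see (Linux /proc only)."""
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                yield fh.read().decode(errors="replace").split("\0")[:-1]
        except OSError:   # process exited or is not readable
            continue

if __name__ == "__main__":
    for hit in (h for a in SAMPLES + list(live_argvs()) for h in audit(a)):
        print(*hit)
```

Any local account that can read `/proc/<pid>/cmdline` sees the same strings this script does, which is why only the inline `key=` form is flagged.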