Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev para

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev para

From:	Max Reitz
Subject:	Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret
Date:	Mon, 3 Apr 2017 15:06:39 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 03.04.2017 15:04, Daniel P. Berrange wrote:
> On Mon, Apr 03, 2017 at 02:42:48PM +0200, Max Reitz wrote:
>> On 03.04.2017 13:37, Daniel P. Berrange wrote:
>>> On Mon, Mar 27, 2017 at 03:26:33PM +0200, Markus Armbruster wrote:
>>>> This reverts a part of commit 8a47e8e.  We're having second thoughts
>>>> on the QAPI schema (and thus the external interface), and haven't
>>>> reached consensus, yet.  Issues include:
>>>>
>>>> * BlockdevOptionsRbd member @password-secret isn't actually a
>>>>   password, it's a key generated by Ceph.
>>>>
>>>> * We're not sure where member @password-secret belongs (see the
>>>>   previous commit).
>>>>
>>>> * How @password-secret interacts with settings from a configuration
>>>>   file specified with @conf is undocumented.  I suspect it's untested,
>>>>   too.
>>>>
>>>> Let's avoid painting ourselves into a corner now, and revert the
>>>> feature for 2.9.
>>>>
>>>> Note that users can still configure an authentication key with a
>>>> configuration file.  They probably do that anyway if they use Ceph
>>>> outside QEMU as well.
>>>
>>> NB, this makes blockdev-add largely useless for RBD from libvirt's POV,
>>> since we rely on the password-secret facility working to support apps
>>> like openstack which won't configure the global config file for RBD.
>>>
>>> Not a regression though, since blockdev-add is new - just means we won't
>>> be able to use the new feature yet :-(
>>
>> How does it make blockdev-add totally useless? The only thing you cannot
>> do is set passwords for rbd. Can this not be added as a new feature in
>> the future?
> 
> Sure, if you want to run an rbd server without any auth its usable, just
> that isn't something you really want todo from a security pov.

Indeed, but that's at least an rbd-specific issues. You can still use
blockdev-add for other block drivers just fine.

...and I just noticed that I have read your response the wrong way. I
didn't notice the "for RBD" and just read "this makes blockdev-add
largely useless from libvirt's POV" which sounded wrong. OK, I get it
then, sorry. :-)

Max

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret, Daniel P. Berrange, 2017/04/03
- Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret, Max Reitz, 2017/04/03
  - Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret, Daniel P. Berrange, 2017/04/03
    - Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret, Jeff Cody, 2017/04/03
    - Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret, Max Reitz <=
- Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret, Markus Armbruster, 2017/04/11

Prev by Date: Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret
Next by Date: Re: [Qemu-devel] [RFC v2 for-2.9 03/10] io vnc sockets: Clean up SocketAddressKind switches
Previous by thread: Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret
Next by thread: Re: [Qemu-devel] [PATCH RFC v3 for-2.9 09/11] rbd: Revert -blockdev parameter password-secret
Index(es):
- Date
- Thread