Re: [PATCH 2/3] block: deprecate iSCSI 'password' in favour of 'password
From: Markus Armbruster
Subject: Re: [PATCH 2/3] block: deprecate iSCSI 'password' in favour of 'password-secret'
Date: Thu, 01 Dec 2022 13:24:07 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Daniel P. Berrangé <berrange@redhat.com> writes:
> Support for referencing secret objects was added in
>
> commit b189346eb1784df95ed6fed610411dbf23d19e1f
> Author: Daniel P. Berrangé <berrange@redhat.com>
> Date: Thu Jan 21 14:19:21 2016 +0000
>
> iscsi: add support for getting CHAP password via QCryptoSecret API
>
> The existing 'password' option is overdue for deprecation and
> subsequent removal.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> block/iscsi.c | 3 +++
> docs/about/deprecated.rst | 11 +++++++++++
> 2 files changed, 14 insertions(+)
>
> diff --git a/block/iscsi.c b/block/iscsi.c
> index a316d46d96..58c0623052 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -1352,6 +1352,9 @@ static void apply_chap(struct iscsi_context *iscsi,
> QemuOpts *opts,
> } else if (!password) {
> error_setg(errp, "CHAP username specified but no password was
> given");
> return;
> + } else {
> + warn_report("iSCSI block driver 'password' option is deprecated, "
> + "use 'password-secret' instead");
> }
>
> if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {
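Review bot: The new else branch in apply_chap() calls warn_report() every time it is taken, so each call that reaches it with the plain-text 'password' option repeats the same deprecation message; warn_report_once() would limit it to a single line per process. The condition that "else if (!password)" chains from lies above the visible context, so it is also worth confirming that this branch is reached only for a plain-text 'password' and never when the password was obtained through 'password-secret'.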
> diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
> index 93affe3669..2cc8924fe9 100644
> --- a/docs/about/deprecated.rst
> +++ b/docs/about/deprecated.rst
> @@ -267,6 +267,17 @@ Options are:
> - move backing file to NVDIMM storage and keep ``pmem=on``
> (to have NVDIMM with persistence guaranties).
>
> +Block driver options
> +--------------------
I'm not sure about this headline. For what it's worth, -help shows
-iscsi under "Block device options".
> +
> +``iscsi,password=xxx`` (since 8.0)
> +''''''''''''''''''''''''''''''''''
> +
> +Specifying the iSCSI password in plain text on the command line using the
> +``password`` option is insecure. The ``password-secret`` option should be
> +used instead, to refer to a ``--object secret...`` instance that provides
> +a password via a file, or encrypted.
> +
> Device options
> --------------
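Review bot: In the added ``iscsi,password=xxx`` entry, the closing phrase "that provides a password via a file, or encrypted" is hard to parse, and the entry never shows what the replacement looks like. Consider rewording it to say that the secret object can supply the password from a file or in encrypted form, and adding a short example that pairs an ``--object secret`` definition with the matching ``password-secret`` reference, so users can see exactly what to change on their command line.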