[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH RFC v3 for-2.9 10/11] Revert "rbd: add support f

From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH RFC v3 for-2.9 10/11] Revert "rbd: add support for getting password from QCryptoSecret object"
Date: Mon, 27 Mar 2017 12:15:05 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 03/27/2017 08:26 AM, Markus Armbruster wrote:
> This reverts commit 60390a2192e7b38aee18db6ce7fb740498709737.
> The commit's rationale
>     Currently RBD passwords must be provided on the command line
>     via
>       $QEMU -drive file=rbd:pool/image:id=myname:\
>                    key=QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=:\
>                    auth_supported=cephx
>     This is insecure because the key is visible in the OS process
>     listing.
> is invalid.  You can easily avoid passing keys on the command line by
> using "keyfile" instead of "key".  In fact, the Ceph documentation
> calls use of key "not recommended".  But the most common way to
> provide keys is a keyring.  The default keyrings should be just fine
> for most users.  When they aren't, you can configure your own keyrings
> with "keyring" or override the key with "keyfile".
> The commit adds parameter password-secret to -drive.  Support for it
> was included in -blockdev, but reverted in the previous commit due to
> concerns about the QMP interface.  Revert it from -drive, too.
> Cc: Daniel P. Berrange <address@hidden>
> Signed-off-by: Markus Armbruster <address@hidden>
> ---
>  block/rbd.c | 47 -----------------------------------------------
>  1 file changed, 47 deletions(-)

Are we sure this won't be breaking existing libvirt clients?

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]