1. Patchew
  2. Libvirt
  3. [libvirt] [PATCH 0/2] Use secret objects to pass iSCSI passwords
  4. View patch

[libvirt] [PATCH 1/2] qemu: Get capabilities for iscsi usage of password-secret argument

John Ferlan posted 2 patches 7 years, 8 months ago
There is a newer version of this series
[libvirt] [PATCH 1/2] qemu: Get capabilities for iscsi usage of password-secret argument
Posted by John Ferlan 7 years, 8 months ago 
Add the capability to use the blockdev-add query-qmp-schema option
to find the 'password-secret' parameter that will allow the iSCSI
code to use the master secret object (a/k/a AES) to encrypt the
secret in an object and only need to provide the object id of
tha secret on the command line thus obsfuscating the passphrase.

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 src/qemu/qemu_capabilities.c                      | 4 ++++
 src/qemu/qemu_capabilities.h                      | 3 +++
 tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml   | 1 +
 tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml  | 1 +
 5 files changed, 10 insertions(+)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index e7ea6f4..86f27ee 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -439,6 +439,9 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
               "virtio-net.tx_queue_size",
               "chardev-reconnect",
               "virtio-gpu.max_outputs",
+
+              /* 270 */
+              "iscsi.password-secret",
     );
 
 
@@ -1811,6 +1814,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsIntelIOMMU[] = {
 static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] = {
     { "blockdev-add/arg-type/options/+gluster/debug-level", QEMU_CAPS_GLUSTER_DEBUG_LEVEL},
     { "blockdev-add/arg-type/+gluster/debug", QEMU_CAPS_GLUSTER_DEBUG_LEVEL},
+    { "blockdev-add/arg-type/+iscsi/password-secret", QEMU_CAPS_ISCSI_PASSWORD_SECRET },
 };
 
 struct virQEMUCapsObjectTypeProps {
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index f32687d..665a772 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -426,6 +426,9 @@ typedef enum {
     QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */
     QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */
 
+    /* 265 */
+    QEMU_CAPS_ISCSI_PASSWORD_SECRET, /* -drive file.driver=iscsi,...,password-secret= */
+
     QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;
 
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
index a373a6d..c5eb395 100644
--- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
@@ -172,6 +172,7 @@
   <flag name='vnc-multi-servers'/>
   <flag name='chardev-reconnect'/>
   <flag name='virtio-gpu.max_outputs'/>
+  <flag name='iscsi.password-secret'/>
   <version>2009000</version>
   <kvmVersion>0</kvmVersion>
   <package> (v2.9.0)</package>
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
index e80782c..99ad44a 100644
--- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
@@ -137,6 +137,7 @@
   <flag name='vnc-multi-servers'/>
   <flag name='chardev-reconnect'/>
   <flag name='virtio-gpu.max_outputs'/>
+  <flag name='iscsi.password-secret'/>
   <version>2009000</version>
   <kvmVersion>0</kvmVersion>
   <package></package>
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
index 3641d03..bd446ff 100644
--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
@@ -220,6 +220,7 @@
   <flag name='vnc-multi-servers'/>
   <flag name='chardev-reconnect'/>
   <flag name='virtio-gpu.max_outputs'/>
+  <flag name='iscsi.password-secret'/>
   <version>2009000</version>
   <kvmVersion>0</kvmVersion>
   <package> (v2.9.0)</package>
-- 
2.9.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] qemu: Get capabilities for iscsi usage of password-secret argument
Posted by Peter Krempa 7 years, 8 months ago 
On Tue, Sep 05, 2017 at 15:09:34 -0400, John Ferlan wrote:
> Add the capability to use the blockdev-add query-qmp-schema option
> to find the 'password-secret' parameter that will allow the iSCSI
> code to use the master secret object (a/k/a AES) to encrypt the
> secret in an object and only need to provide the object id of
> tha secret on the command line thus obsfuscating the passphrase.
> 
> Signed-off-by: John Ferlan <jferlan@redhat.com>
> ---
>  src/qemu/qemu_capabilities.c                      | 4 ++++
>  src/qemu/qemu_capabilities.h                      | 3 +++
>  tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml  | 1 +
>  5 files changed, 10 insertions(+)

ACK
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] qemu: Get capabilities for iscsi usage of password-secret argument
Posted by Peter Krempa 7 years, 8 months ago 
On Tue, Sep 05, 2017 at 15:09:34 -0400, John Ferlan wrote:
> Add the capability to use the blockdev-add query-qmp-schema option
> to find the 'password-secret' parameter that will allow the iSCSI
> code to use the master secret object (a/k/a AES) to encrypt the
> secret in an object and only need to provide the object id of
> tha secret on the command line thus obsfuscating the passphrase.
> 
> Signed-off-by: John Ferlan <jferlan@redhat.com>
> ---
>  src/qemu/qemu_capabilities.c                      | 4 ++++
>  src/qemu/qemu_capabilities.h                      | 3 +++
>  tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml  | 1 +
>  5 files changed, 10 insertions(+)
> 
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index e7ea6f4..86f27ee 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -439,6 +439,9 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
>                "virtio-net.tx_queue_size",
>                "chardev-reconnect",
>                "virtio-gpu.max_outputs",
> +
> +              /* 270 */
> +              "iscsi.password-secret",

...

> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
> index f32687d..665a772 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -426,6 +426,9 @@ typedef enum {
>      QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */
>      QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */
>  
> +    /* 265 */

... this is wrong.

> +    QEMU_CAPS_ISCSI_PASSWORD_SECRET, /* -drive file.driver=iscsi,...,password-secret= */
> +
>      QEMU_CAPS_LAST /* this must always be the last item */
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.