On 11/15/2011 06:37 PM, Josh Durgin wrote:
>> The command line that we pass to qemu gets logged. But what happens if
>> the secret was marked as ephemeral - could we be violating the premise
>> of not exposing passwords to too broad an audience? Or are we already
>> safe in that the log entries created by virCommand can only be exposed
>> to users that already can get at the secret information by other means?
> The secret can be read from the command line of the running process,
> which is even less secure than the log. I'm working on passing the
> secret via the qemu monitor instead of the command line, which will
> avoid both issues.
>> Maybe this means we should be adding capabilities into virCommand to
>> prevent the logging of the actual secret (whether base64-encoded or
>> otherwise), and instead log an alternate string? That is, should
>> virCommand be tracking parallel argv arrays; the real array passed to
>> exec() but never logged, and the alternate array (normally matching the
>> real one, but which can differ in this particular case of passing an
>> argument that contains a password)?
Given your arguments (that ps can read argv of qemu, even if we hid it
from libvirt logs, and that we will be moving to a monitor command as
soon as qemu supports one), I see no reason to hack up virCommand to
support alternate log output.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
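The two points in the exchange, sketched as an added Python example that is not libvirt code: a command builder that keeps the real argv for exec() beside a redacted copy for the log (the "parallel argv arrays" idea), and a check that reads a child's argv back through /proc the way ps does, which is why redacting the log alone is not enough. The qemu option layout and the secret value are constructed for illustration.

```python
"""Parallel argv arrays: real argv for exec(), redacted argv for logging.
Added example; not libvirt's virCommand. The rbd option string and the
base64 secret below are constructed placeholders."""
import subprocess
import shlex

REDACTED = "<redacted>"
SECRET = "c2VjcmV0a2V5"  # constructed, not a real key


class Command:
    """Keeps two argv lists that only differ where a secret was appended."""

    def __init__(self, binary):
        self.argv = [binary]      # what exec() receives
        self.log_argv = [binary]  # what the logger is allowed to see

    def add_arg(self, arg):
        self.argv.append(arg)
        self.log_argv.append(arg)

    def add_secret_arg(self, template, secret):
        # template holds one "{secret}"; the log copy gets a marker instead.
        self.argv.append(template.format(secret=secret))
        self.log_argv.append(template.format(secret=REDACTED))

    def log_line(self):
        return " ".join(shlex.quote(a) for a in self.log_argv)


def redact_known_secret(line, secret):
    """Fallback for log text already assembled: scrub the raw secret value."""
    return line.replace(secret, REDACTED) if secret else line


def argv_via_proc(pid):
    """Read another process's argv as ps does (Linux only; None elsewhere)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().split(b"\0")[:-1]
    except OSError:
        return None


if __name__ == "__main__":
    cmd = Command("qemu-system-x86_64")
    cmd.add_arg("-drive")
    cmd.add_secret_arg("file=rbd:pool/img:key={secret}", SECRET)  # constructed layout
    print("logged:", cmd.log_line())
    # A child whose argv carries the secret is still readable through /proc,
    # so hiding it from the log does not hide it from other users.
    child = subprocess.Popen(["sh", "-c", "sleep 2", "demo", SECRET])
    print("visible via /proc:", argv_via_proc(child.pid))
    child.wait()
```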