
On Wed, Mar 23, 2016 at 08:36:30AM -0400, John Ferlan wrote:
On 03/22/2016 10:08 AM, Daniel P. Berrange wrote:
On Mon, Mar 21, 2016 at 02:29:00PM -0400, John Ferlan wrote:
Add a masterKey to _qemuDomainObjPrivate to store a base64 encoded domain master key in order to support the ability to encrypt/decrypt sensitive data shared between libvirt and qemu. The base64 encoded value will be written to the domain XML file for consistency between domain restarts.
Ohh, no, we don't want the master key to ever appear in any XML file, because that in turn leads to compromise of user data when reporting bugs. For example if the user provides the CLI args + runtime XML then you can decrypt their passwords from the CLI args. The master key must only ever be in its own file, which minimises the chance of the user ever uploading the master key for their VM with bug reports.
OK - well that simplifies certain things; however, I would think that means on libvirtd restart we would then have to read the master key file in order to repopulate the priv->masterKey, right?
Yes, that's correct.
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 9f9fae3..507ae9e 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -23,6 +23,7 @@
#include <config.h>
+#include <assert.h>
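Review bot: the `#include <assert.h>` is the only change in this hunk and nothing in the hunk uses it; since the thread's rule is that libvirt code reports failures through a virErrorPtr rather than calling assert(), drop the include as well rather than leave it as an invitation to add assert() calls later.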
We have a general rule that libvirt should never assert() in its code, so don't add this. Errors should always propagate back to a virErrorPtr.
OK - although it is used today in virsh/vsh and remote_driver...
Using it in virsh is ok as that's a client app. We shouldn't use it in the remote_driver though - I'd not noticed that actually.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
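The design the thread settles on (master key kept only in its own file, never in the domain XML, re-read on daemon restart, failures reported rather than assert()ed), as an added example in plain C that is not libvirt's code: it assumes a 32-byte key stored as a single base64 line and a per-domain key file path supplied by the caller.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#define MASTER_KEY_LEN 32      /* assumed key size for this example */
#define MASTER_KEY_B64_LEN 44  /* 32 bytes encode to 44 base64 chars */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode the 44-char base64 text of a master key into 32 bytes; 0 or -1. */
int masterKeyDecode(const char *b64, unsigned char out[MASTER_KEY_LEN]) {
    size_t o = 0;
    if (strlen(b64) != MASTER_KEY_B64_LEN || b64[43] != '=') return -1;
    for (size_t i = 0; i < MASTER_KEY_B64_LEN; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++) {   /* '=' padding only in the last slot */
            if (b64[i + k] == '=') { if (i + k != 43) return -1; v[k] = 0; }
            else if ((v[k] = b64val(b64[i + k])) < 0) return -1;
        }
        unsigned bits = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = bits >> 16;
        if (o < MASTER_KEY_LEN) out[o++] = (bits >> 8) & 0xff;
        if (o < MASTER_KEY_LEN) out[o++] = bits & 0xff;
    }
    return o == MASTER_KEY_LEN ? 0 : -1;
}
/* Load the key from its own file (never from the domain XML), refusing a
 * file that group/others can read; failures are reported, never assert()ed. */
int masterKeyLoad(const char *path, unsigned char out[MASTER_KEY_LEN],
                  char *err, size_t errlen) {
    struct stat st; char buf[MASTER_KEY_B64_LEN + 2];
    FILE *fp = fopen(path, "r");
    if (!fp) { snprintf(err, errlen, "open %s: %s", path, strerror(errno)); return -1; }
    if (fstat(fileno(fp), &st) < 0 || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        snprintf(err, errlen, "%s must be readable by its owner only", path);
        fclose(fp); return -1;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp); buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n') buf[n - 1] = '\0';   /* strip trailing newline */
    if (masterKeyDecode(buf, out) < 0) {
        snprintf(err, errlen, "%s does not hold a valid master key", path); return -1;
    }
    return 0;
}
```

On daemon restart the caller reads the key back into its private state with masterKeyLoad() and surfaces err to its normal error path instead of aborting.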