On Tue, Nov 02, 2021 at 10:26:24AM +0100, Peter Krempa wrote:
On Tue, Nov 02, 2021 at 12:28:29 +0800, longguang.yue wrote:
Firstly I'd like to ask you to follow mailing list posting netiquette
and don't drop the mailing list on replies from the CC list. My reply
would then not end up in the archives and the community would not be
able to refer to it later.
> i use kata on kubernetes. kata manages qemu via qmp directly.
So this makes this out of scope for libvirt. A better forum to ask
qemu-only related questions is the qemu mailing list.
You can also make this a case for the Kata community to adopt usage of
libvirt, as libvirt gives you a stable, secure and tested way to manage
a qemu process. I think the Kata project would benefit from libvirt
usage and could focus their efforts on adding features rather than
reinventing what libvirt has for a long time already.
> suppose secret object does not have keyid and iv, can i store base64-coded ceph-auth-ring into data?
> could you tell me a complete command to add rbd disk ? no encrypt
Note that would be insecure as anybody with access to the host could
read the commandline and know your secret.
Let's rephrase your question to: "How does libvirt securely pass
passwords to qemu on the commandline?"
Libvirt uses two kinds of secrets, which both are secure when used
properly:
(Note that libvirt nowadays uses direct JSON with -object as it's
possible starting with qemu-6.0, thus my examples will use the new
format)
1) Secret stored in a file:
  -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}'
libvirt uses this format to pass the master key, which is used to
encrypt other secrets, but any other secret can be passed this way. It's
a bit tedious, and that's the reason why libvirt passes only the master
key using the file.
When the access permissions are set properly this way is secure.
2) Inline (base64) encrypted secrets
  -object '{"qom-type":"secret","id":"libvirt-5-storage-auth-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwU6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
This secret is encrypted using the master key (as you can see above).
When inspecting the commandline an attacker can't tell the original
value.
Theoretically when using the monitor (QMP) it's also secure to pass a
plaintext secret, but that's tricky if the monitor traffic is logged, so
libvirt opted to use encrypted secrets also in that case.
Yep, there is a rich history of log files compromising secret data
resulting in CVEs, so absolutely don't pass secrets in clear text
over QMP at any time for production environments.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
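
Added example (not part of the original mail, and not libvirt or Kata code): a small Python audit of a QEMU argument vector for the two cases discussed above, inline secret data that carries no keyid/iv, and a secret file whose mode lets other users read it. The function names, the fallback parser for the older comma-separated -object form and the sample values are assumptions made for this illustration.

```python
import json
import os
import stat

def secret_objects(argv):
    """Return the properties of every '-object' argument of type 'secret'."""
    found = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-object":
            continue
        if value.lstrip().startswith("{"):      # JSON form shown in the mail
            props = json.loads(value)
        else:                                   # older 'secret,id=...,key=value' form
            kind, _, rest = value.partition(",")  # (escaped ',,' is not handled here)
            props = {"qom-type": kind}
            props.update(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
        if props.get("qom-type") == "secret":
            found.append(props)
    return found

def audit(argv):
    """Return (secret id, problem) pairs for secrets an observer on the host could read."""
    secrets = secret_objects(argv)
    ids = {s.get("id") for s in secrets}
    findings = []
    for s in secrets:
        sid = s.get("id", "<no id>")
        if "data" in s and not (s.get("keyid") and s.get("iv")):
            findings.append((sid, "inline data without keyid/iv is visible on the command line"))
        if s.get("keyid") and s["keyid"] not in ids:
            findings.append((sid, "keyid does not name a secret on this command line"))
        if "file" in s:
            try:
                mode = stat.S_IMODE(os.stat(s["file"]).st_mode)
            except OSError:
                findings.append((sid, "secret file cannot be inspected"))
                continue
            if mode & 0o077:
                findings.append((sid, f"secret file mode {mode:04o} allows group/other access"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a base64-only secret like the one asked about in the thread.
    sample = ["qemu-system-x86_64", "-object",
              '{"qom-type":"secret","id":"rbd-auth0","format":"base64","data":"Y29uc3RydWN0ZWQ="}']
    for sid, problem in audit(sample):
        print(f"{sid}: {problem}")
```

On a running host the argument vector can be taken from /proc/<pid>/cmdline split on NUL bytes, which is the same view any local user with access to that file has.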