[libvirt] [PATCH 3/4] virsh: secret: Allow setting secrets from file

Peter Krempa pkrempa at redhat.com
Tue Jan 21 13:43:44 UTC 2020


On Tue, Jan 21, 2020 at 13:38:13 +0000, Daniel Berrange wrote:
> On Fri, Jan 10, 2020 at 04:42:43PM +0100, Peter Krempa wrote:
> > The necessity to specify the secret value as command argument is
> > insecure. Allow reading the secret from a file.
> > 
> > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > ---
> >  docs/manpages/virsh.rst |  5 +++--
> >  tools/virsh-secret.c    | 30 +++++++++++++++++++++++++++---
> >  2 files changed, 30 insertions(+), 5 deletions(-)
> > 
> > diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
> > index fcc8ef6758..992b1daf90 100644
> > --- a/docs/manpages/virsh.rst
> > +++ b/docs/manpages/virsh.rst
> > @@ -6558,10 +6558,11 @@ secret-set-value
> > 
> >  .. code-block::
> > 
> > -   secret-set-value secret base64
> > +   secret-set-value secret (--file filename | base64)
> > 
> >  Set the value associated with *secret* (specified by its UUID) to the value
> > -Base64-encoded value *base64*.
> > +Base64-encoded value *base64* or from file named *filename*. Note that *--file*
> > +and *base64* options are mutually exclusive.
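
Review bot: the reworded secret-set-value description does not say how
the contents of *filename* are interpreted. "to the value Base64-encoded
value *base64* or from file named *filename*" can be read as either a
file holding Base64 text or a file holding the raw secret, so the
expected encoding of the file should be stated explicitly. While the
sentence is being touched, the doubled "value" carried over from the
context line could be dropped, and since *base64* is a positional
argument rather than an option, "*--file* and *base64* options" would
read better as "*--file* and the *base64* argument". The commit message
gives the reason for the change (passing the secret as a command
argument is insecure); the man page text could say that too, so users
know to prefer *--file*.
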
> 
> You added a --plain option to secret-get-value.
> 
> It would naturally suggest that we do the same here, then we can
> support
> 
>   secret-set-value $BASE64STR
>   secret-set-value --plain $RAWSTR

I think that both of the above should not have existed in the first
place. Adding the possibility to add plain secrets via argument looks to
me as a step back. If I could do it, I'd remove the base64 via command
line arguments as well.

>   secret-set-value --file FILENAME-WITH-BASE64-STR

This seems a bit pointless to me.

>   secret-set-value --plain --file FILENAME-WITH-RAW-STR



