[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 08/12] qemu: domain: Extract setup for disk source secrets



On Thu, Oct 26, 2017 at 11:12:08 -0400, John Ferlan wrote:
> 
> 
> On 10/20/2017 09:47 AM, Peter Krempa wrote:
> > Separate it so that it deals only with single virStorageSource, so that
> > it can later be reused for full backing chain support.
> > 
> > Two aliases are passed since authentication is more relevant to the
> > 'storage backend' whereas encryption is more relevant to the protocol
> > layer. When using node names, the aliases will be different.
> > ---
> >  src/qemu/qemu_domain.c | 49 +++++++++++++++++++++++++++++++------------------
> >  1 file changed, 31 insertions(+), 18 deletions(-)
> > 
> 
> FWIW: The @authalias would be the secret for the source to access the
> server (RBD only right now, but the iSCSI patches are on list) while the
> @encalias would be the LUKS secret.
> 
> Does the backing chain allow different "auth" sources for different
> chain members? Mind boggling, but I guess possible.
> 
> I suppose it would also be possible that some member of the chain
> doesn't use the auth, but rather it's a local LUKS encrypted file - is
> that the essential goal?
> 
> I think perhaps it'd help to add some comments for
> qemuDomainSecretStorageSourcePrepare in order to describe the parameters
> and the "expectations" for varying levels of the chain.  There's also
> some "assumptions" built into the hotplug code for at least the top level.

Yes every level can have different authentication data. (Since they can
reside on completely different storage technologies). This is possible
even now, but authentication will not work in that case.

The aliases are separate since in qemu the storage access layer and
format driver level have different node names. Authentication is
relevant to the storage access level, while encryption to the format
driver level.

I've added a comment trying to explain this.


Attachment: signature.asc
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]