[PATCH v2 9/9] docs: secret: Unify and sanitize examples on how to set secret value
Eric Blake
eblake at redhat.com
Fri Jan 24 16:41:00 UTC 2020
On 1/24/20 10:08 AM, Peter Krempa wrote:
> Discourage passing secrets as commandline arguments.
>
> Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> ---
> docs/formatsecret.html.in | 88 +++++++++++++++++++++++++--------------
> 1 file changed, 57 insertions(+), 31 deletions(-)
>
>
> + <h2><a id="settingSecrets">Setting secret values in virsh</a></h2>
> +
> + </pre>
> +
> + <p>
> + The secret can also be set via an argument, but note that other users
> + may see it in the process listing output. The secret must be base64
> + encoded.

Is this last sentence still accurate, given that you can pass --plain to
avoid base64 encoding?

Should the note use <b> or other formatting to call attention to the
security risk of doing it this way?

> + </p>
> +
> <pre>
> # MYSECRET=`printf %s "open sesame" | base64`
> # virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET
> Secret value set
> -
> </pre>
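
Review bot: On the `virsh secret-set-value` line of the retained example, `$MYSECRET` is expanded unquoted, so the shell word-splits it before virsh sees it. GNU base64 wraps its output at 76 columns by default, so a secret longer than the "open sesame" sample would be encoded across several lines and arrive as several arguments. Suggest writing `"$MYSECRET"` on that line and using `$(...)` instead of backticks on the assignment line. Because this is the form the new paragraph warns is visible in the process listing, the example is likely to be copied as-is, so it is worth making it robust.
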
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org