[PATCH 21/24] conf: backup: Store 'tlsAlias' and 'tlsSecretAlias' as internals of a backup
Eric Blake
eblake at redhat.com
Thu Jul 2 19:48:14 UTC 2020
On 7/2/20 9:40 AM, Peter Krempa wrote:
> Add fields for storing the aliases necessary to clean up the TLS env for
> a backup job after it finishes.
>
> Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> ---
> +++ b/tests/domainbackupxml2xmlin/backup-pull-internal-invalid.xml
> @@ -0,0 +1,36 @@
> +<domainbackup mode='pull'>
> + <incremental>1525889631</incremental>
> + <server transport='tcp' name='localhost' port='10809'/>

Are you also planning on encrypting the NBD server? As written, this is
still a plain-text NBD server.

> + <disks>
> + <disk name='vda' backup='yes' state='running' type='file' exportname='test-vda' exportbitmap='blah'>
> + <driver type='qcow2'/>
> + <scratch file='/path/to/file'>
> + <encryption format='luks'>
> + <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
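
Review bot: the `<server transport='tcp' name='localhost' port='10809'/>` line in this fixture carries no TLS setting, so the lines quoted here do not show the test exercising the 'tlsAlias' and 'tlsSecretAlias' fields that the commit message says are being stored. If the rest of the file does not already cover them, a fixture with TLS enabled on the server would tie the test to the change; the commit message could also state what the 'internal-invalid' file name expects the parser to do with this input.
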

It looks like this patch is just encrypting the temporary file (ensuring
that guest data cannot be read at rest on the host machine).

But even without NBD encryption, this is a nice improvement.

Reviewed-by: Eric Blake <eblake at redhat.com>

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org