[PATCH 21/24] conf: backup: Store 'tlsAlias' and 'tlsSecretAlias' as internals of a backup

Eric Blake eblake at redhat.com
Thu Jul 2 19:48:14 UTC 2020


On 7/2/20 9:40 AM, Peter Krempa wrote:
> Add fields for storing the aliases necessary to clean up the TLS env for
> a backup job after it finishes.
> 
> Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> ---

> +++ b/tests/domainbackupxml2xmlin/backup-pull-internal-invalid.xml
> @@ -0,0 +1,36 @@
> +<domainbackup mode='pull'>
> +  <incremental>1525889631</incremental>
> +  <server transport='tcp' name='localhost' port='10809'/>

Are you also planning on encrypting the NBD server?  As written, this is 
still a plain-text NBD server.

> +  <disks>
> +    <disk name='vda' backup='yes' state='running' type='file' exportname='test-vda' exportbitmap='blah'>
> +      <driver type='qcow2'/>
> +      <scratch file='/path/to/file'>
> +        <encryption format='luks'>
> +          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
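
Review bot: the new fixture is named backup-pull-internal-invalid.xml, but neither the commit message nor the lines quoted here say what makes it invalid or internal-only. A sentence in the commit message stating what the parser is expected to do with this file would make the test's intent clear. In the quoted lines the <server> element uses transport='tcp' with no TLS setting, so it would also help to say where in the file the tlsAlias and tlsSecretAlias values named in the subject are exercised.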

It looks like this patch is just encrypting the temporary file (ensuring 
that guest data cannot be read at rest on the host machine).

But even without NBD encryption, this is a nice improvement.

Reviewed-by: Eric Blake <eblake at redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



