for rbd, how to use qmp directly to add dick

Tue Nov 2 09:37:00 UTC 2021

On Tue, Nov 02, 2021 at 10:26:24AM +0100, Peter Krempa wrote:
> On Tue, Nov 02, 2021 at 12:28:29 +0800, longguang.yue wrote:
> 
> Firstly I'd like to ask you to follow mailing list posting netiquette
> and don't drop the mailing list on replies from the CC list. My reply
> would then not end up in the archives and the community would not be
> able to refer to it later.
> 
> > i use kata on kubernetes. kata manages qemu via qmp directly.
> 
> So this makes this out of scope for libvirt. A better forum to ask
> qemu-only related questions is the qemu mailing list.
> 
> You can also make this a case for the Kata community to adopt usage of
> libvirt, as libvirt gives you a stable, secure and tested way to manage
> a qemu process. I think the Kata project would benefit from libvirt
> usage and could focus their efforts on adding features rather than
> reinventing what libvirt has for a long time already.
> 
> > suppose secret object does not have keyid and iv,  can i store base64-coded ceph-auth-ring into data?
> > could you tell me a complete command to add rbd disk ?  no encrypt
> 
> Note that would be insecure as anybody with access to the host could
> read the commandline and know your secret.
> 
> Let's rephrase your question to: "How does libvirt securely pass
> passwords to qemu on the commandline?"
> 
> Libvirt uses two kinds of secrets, which both are secure when used
> properly:
> 
> (Note that libvirt nowadays uses direct JSON with -object as it's
> possible starting with qemu-6.0, thus my examples will use the new
> format)
> 
> 1) Secret stored in a file:
> 
>  -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}'
> 
> libvirt uses this format to pass the master key, which is used to
> encrypt other secrets, but any other secret can be passed this way. It's
> a bit tedious, and that's the reason why libvirt passes only the master
> key using the file.
> 
> When the access permissions are set properly this way is secure.
> 
> 2) Inline (base64) encrypted secrets
> 
> -object '{"qom-type":"secret","id":"libvirt-5-storage-auth-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwU6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
> 
> This secret is encrypted using the master key (as you can see above).
> When inspecting the commandline an attacker can't tell the original
> value.
> 
> Theoretically when using the monitor (QMP) it's also secure to pass a
> plaintext secret, but that's tricky if the monitor traffic is logged, so
> libvirt opted to use encrypted secrets also in that case.

Yep, there is a rich history of log files compromising secret data
resulting in CVEs, so absolutely don't pass secrets in clear text
over QMP at any time for production environments.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|