[libvirt PATCH v5 27/32] schema: add password configuration for ssh disk

Jonathon Jongsma jjongsma at redhat.com
Thu Feb 16 22:51:46 UTC 2023 

On 2/16/23 10:43 AM, Peter Krempa wrote:
> On Tue, Feb 14, 2023 at 11:08:14 -0600, Jonathon Jongsma wrote:
>> Right now, ssh network disks are not usable. There is some basic support
>> in libvirt that is meant to support disk chains that have backing disks
>> located at ssh urls, but there is no real way for a user to configure a
>> ssh-based disk.  This commit allows users to configure an ssh disk with
>> password authentication. Implementation will follow.
>>
>> <disk type='network'>
>>    <source  protocol='ssh' ...>
>>      <auth username='myusername'>
>>        <secret type='iscsi' usage='secretname'/>
>>      </auth>
>> </disk>
>>
>> Signed-off-by: Jonathon Jongsma <jjongsma at redhat.com>
>> ---
>>   docs/formatdomain.rst             | 27 ++++++++++++++-------------
>>   src/conf/schemas/domaincommon.rng | 23 ++++++++++++++++++++++-
>>   2 files changed, 36 insertions(+), 14 deletions(-)
>>
>> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
>> index 36c6d87907..bf071255c5 100644
>> --- a/docs/formatdomain.rst
>> +++ b/docs/formatdomain.rst
>> @@ -2718,7 +2718,7 @@ paravirtualized driver is specified via the ``disk`` element.
>>      ``network``
>>         The ``protocol`` attribute specifies the protocol to access to the
>>         requested image. Possible values are "nbd", "iscsi", "rbd", "sheepdog",
>> -      "gluster", "vxhs", "nfs", "http", "https", "ftp", ftps", or "tftp".
>> +      "gluster", "vxhs", "nfs", "http", "https", "ftp", ftps", "tftp", or "ssh".
>>   
>>         For any ``protocol`` other than ``nbd`` an additional attribute ``name``
>>         is mandatory to specify which volume/image will be used.
>> @@ -2870,18 +2870,19 @@ paravirtualized driver is specified via the ``disk`` element.
>>      ``auth``
>>         :since:`Since libvirt 3.9.0` , the ``auth`` element is supported for a
>>         disk ``type`` "network" that is using a ``source`` element with the
>> -      ``protocol`` attributes "rbd" or "iscsi". If present, the ``auth`` element
>> -      provides the authentication credentials needed to access the source. It
>> -      includes a mandatory attribute ``username``, which identifies the username
>> -      to use during authentication, as well as a sub-element ``secret`` with
>> -      mandatory attribute ``type``, to tie back to a `libvirt secret
>> -      object <formatsecret.html>`__ that holds the actual password or other
>> -      credentials (the domain XML intentionally does not expose the password,
>> -      only the reference to the object that does manage the password). Known
>> -      secret types are "ceph" for Ceph RBD network sources and "iscsi" for CHAP
>> -      authentication of iSCSI targets. Both will require either a ``uuid``
>> -      attribute with the UUID of the secret object or a ``usage`` attribute
>> -      matching the key that was specified in the secret object.
>> +      ``protocol`` attributes "rbd", "iscsi", or "ssh". If present, the
>> +      ``auth`` element provides the authentication credentials needed to access
>> +      the source. It includes a mandatory attribute ``username``, which
>> +      identifies the username to use during authentication, as well as a
>> +      sub-element ``secret`` with mandatory attribute ``type``, to tie back to
>> +      a `libvirt secret object <formatsecret.html>`__ that holds the actual
>> +      password or other credentials (the domain XML intentionally does not
>> +      expose the password, only the reference to the object that does manage
>> +      the password). Known secret types are "ceph" for Ceph RBD network sources
>> +      and "iscsi" for CHAP authentication of iSCSI targets. Both will require
>> +      either a ``uuid`` attribute with the UUID of the secret object or a
>> +      ``usage`` attribute matching the key that was specified in the secret
>> +      object.
> 
> This paragraph doesn't really state what to put into 'type' for ssh as
> 'ceph' and 'iscsi' are only mentioned. For 'ssh' we need a 'ssh' type.

Hmm, do we also need a separate type for http auth as well, then? At the 
moment we seem to just re-use the 'iscsi' type for all of the http auth 
in our tests (e.g. disk-cdrom-network.xml, etc).

> 
> This will also tie nicely in case you want to do ssh key authentication
> with encrypted key, where you can pass the key via a different type
> 'ssh-key' or something like that to unlock the key.
>

More information about the libvir-list mailing list