qemu-devel

Re: [Qemu-devel] [PATCH] iSCSI: add configuration variables for iSCSI


From: ronnie sahlberg
Subject: Re: [Qemu-devel] [PATCH] iSCSI: add configuration variables for iSCSI
Date: Thu, 26 Jan 2012 09:17:43 +1100

Fair enough.

I will send a separate tiny patch to add 'fd:<n>' support to specify
to qemu to -readconfig from a preexisting file descriptor.

Other protocols like 'exec:' can easily be added later as needed.


regards
ronnie sahlberg

On Thu, Jan 26, 2012 at 2:57 AM, Eric Blake <address@hidden> wrote:
> On 01/24/2012 11:47 PM, ronnie sahlberg wrote:
>> Read from an arbitrary file descriptor inherited from the parent process:
>> 9<iscsi.conf ./x86_64-softmmu/qemu-system-x86_64 -enable-kvm -display
>> vnc=127.0.0.1:0 -drive file=iscsi://127.0.0.1/iqn.ronnie.test/1
>> -readconfig /proc/self/fd/9
>
> That requires the existence of procfs, which is not portable (although
> it does work on Linux).  I'd rather see:
>
> -readconfig fd:9
>
> which matches things for -incoming; that is, if -readconfig starts with
> '/' or '.', it is a filename; otherwise, it is a protocol:value
> designation, where we recognize at least the fd: protocol where a value
> is the incoming fd, but we could also recognize things like exec:
> protocol which is an arbitrary command to use via popen.
>
>> I imagine you would pipe() then fork() and pass the read side of your
>> pipe to qemu here ?
>
> Yes, the idea is that libvirt would rather pipe() and then pass the read
> side fd to qemu, so that libvirt's handling of the decrypted secret
> information is only ever passed over the pipe and not stored on disk.
>
>> If this works well or at least in some acceptable form it might be
>> useful for other users needing to pass sensitive config data into QEMU
>> too?
>
> Yes, the fd: notation of -incoming should be reusable in multiple
> contexts, including any other location where sensitive information must
> be passed in.
>
> --
> Eric Blake   address@hidden    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
>
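
The pipe()-then-fork() hand-off discussed in this thread, as an added example that is not part of the original mail and is not QEMU or libvirt code. The names `parse_fd_spec`, `read_config` and `send_config_over_pipe` are hypothetical, the child is a stand-in for the program that would be given `fd:9`, and the config string is constructed.

```c
/* Added example, not QEMU or libvirt code: pass a secret to a child over a pipe. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical parser for the proposed "fd:<n>" form; -1 if spec is not fd:<n>. */
static int parse_fd_spec(const char *spec) {
    char *end;
    if (strncmp(spec, "fd:", 3) != 0 || spec[3] < '0' || spec[3] > '9') return -1;
    long n = strtol(spec + 3, &end, 10);
    return (*end == '\0' && n <= 1023) ? (int)n : -1;
}
/* Child side (stand-in for the program given "fd:<n>"): read the fd to EOF. */
static long read_config(const char *spec, char *buf, size_t len) {
    int fd = parse_fd_spec(spec);
    size_t off = 0; ssize_t r = 0;
    if (fd < 0 || len == 0) return -1;
    while (off < len - 1 && (r = read(fd, buf + off, len - 1 - off)) > 0) off += (size_t)r;
    buf[off] = '\0';
    return r < 0 ? -1 : (long)off;
}
/* Parent side: pipe(), fork(), write the secret, close to signal EOF.
 * Returns 0 if the child read exactly `secret` from fd `target`. */
int send_config_over_pipe(const char *secret, int target) {
    int p[2], status = 0;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        char spec[16], buf[256];
        close(p[1]);                 /* keep no write end, or EOF never arrives */
        if (p[0] != target) { dup2(p[0], target); close(p[0]); }
        snprintf(spec, sizeof spec, "fd:%d", target);
        /* A real launcher would exec the program here, passing spec as an argument.
         * The comparison below exists only so the example can report a result. */
        _exit(read_config(spec, buf, sizeof buf) >= 0 && strcmp(buf, secret) == 0 ? 0 : 1);
    }
    close(p[0]);
    ssize_t w = write(p[1], secret, strlen(secret));
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0 || w != (ssize_t)strlen(secret)) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) {
    /* Constructed placeholder text, not a real configuration file. */
    return send_config_over_pipe("password = constructed-secret\n", 9);
}
```

The secret exists only in the two processes' memory and the kernel pipe buffer; nothing is written to a file, and no procfs path is needed to name the descriptor.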


