On 03/04/2017 at 13:41, Daniel P. Berrange wrote:
> On Mon, Mar 27, 2017 at 01:41:36PM -0500, Eric Blake wrote:
>> On 03/27/2017 01:21 PM, Laurent Vivier wrote:
>>> When the VM is used behind a firewall, This allows
>>> to use a SOCKS5 proxy server to connect the VM IP stack
>>
>> "allows to $verb" is not idiomatic English; the correct forms are
>> generally "allows $subject to $verb" or "allows ${verb}ing". In this
>> case, I'd lean towards "this allows the use of a SOCKS5 proxy server"
>>
>>> directly to the Internet.
>>>
>>> This implementation doesn't manage UDP packets, so they
>>> are simply dropped (as with restrict=on), except for
>>> the localhost as we need it for DNS.
>>>
>>> Signed-off-by: Laurent Vivier <laur...@vivier.eu>
>>> ---
>>
>>> +++ b/qapi-schema.json
>>> @@ -3680,6 +3680,9 @@
>>> '*ipv6-dns': 'str',
>>> '*smb': 'str',
>>> '*smbserver': 'str',
>>> + '*proxy-server': 'str',
>>> + '*proxy-user': 'str',
>>> + '*proxy-passwd': 'str',
>>
>> Why can't we spell this out as password, instead of abbreviating?
>> Should this hook into the "secrets object" framework so that someone
>> does not have to pass the password in plaintext?
>
> Yes.
>
>>> +@item
>>> proxy-server=@var{addr}:@var{port}[,proxy-user=@var{user},proxy-passwd=@var{passwd}]]
>>
>> Yes, you DEFINITELY need to hook into the "secrets object" framework to
>> avoid having to pass a password in plaintext on the command line. Dan
>> Berrange may have more advice on doing that.
>
> Agreed, this needs to use the secrets framework.
>
> Rename 'proxy-password' to 'proxy-password-secret'. It'll provide the ID of
> a secret's object. Given that, you can use qcrypto_secret_lookup_as_utf8()
> to get the associated password data. There's a few examples in the code,
> e.g. crypto/tlscredsx509.c is a fairly simple example. Ping me if you want
> more help

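Review bot: in the qapi-schema.json hunk, '*proxy-passwd': 'str' carries the proxy credential as a plain string, so it ends up in the QEMU command line and in anything that records the -netdev arguments. Replace it with a member that holds the ID of a secret object (the 'proxy-password-secret' name proposed in this thread) and resolve the password with qcrypto_secret_lookup_as_utf8() when the proxy connection is set up. If a name with the word in it is kept at all, spell it "password" rather than "passwd".
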
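Review bot: in the documentation hunk, the "+@item proxy-server=..." syntax shows proxy-user and proxy-passwd as one optional group, while the schema hunk makes each of them independently optional. Either reject a user without a password (and the reverse) when the options are parsed, or document what each combination means. As quoted, the line also has one "[" against two "]", so the bracket nesting needs checking, and the proxy-passwd=@var{passwd} part has to change to the secret ID once the secrets framework is used.
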
Please see the v2:

https://patchwork.ozlabs.org/patch/744497/

I forgot to cc you and Eric.

Laurent