On 01/24/2012 11:47 PM, ronnie sahlberg wrote:
> Read from an arbitrary file descriptor inherited from the parent process:
> 9<iscsi.conf ./x86_64-softmmu/qemu-system-x86_64 -enable-kvm -display vnc=127.0.0.1:0 -drive file=iscsi://127.0.0.1/iqn.ronnie.test/1 -readconfig /proc/self/fd/9
That requires the existence of procfs, which is not portable (although it does work on Linux). I'd rather see:

-readconfig fd:9

which matches things for -incoming; that is, if -readconfig starts with '/' or '.', it is a filename; otherwise, it is a protocol:value designation, where we recognize at least the fd: protocol where the value is the incoming fd, but we could also recognize things like the exec: protocol, which is an arbitrary command to use via popen.

> I imagine you would pipe() then fork() and pass the read side of your
> pipe to qemu here ?

Yes, the idea is that libvirt would rather pipe() and then pass the read side fd to qemu, so that libvirt's handling of the decrypted secret information is only ever passed over the pipe and not stored on disk.

> If this works well or at least in some acceptable form it might be
> useful for other users needing to pass sensitive config data into QEMU
> too?

Yes, the fd: notation of -incoming should be reusable in multiple contexts, including any other location where sensitive information must be passed in.

--
Eric Blake ebl...@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org