On Mon, May 28, 2012 at 04:35:26PM +0100, Daniel P. Berrange wrote:
> On Mon, May 28, 2012 at 11:33:15AM -0400, Federico Simoncelli wrote:
> > ----- Original Message -----
> > > From: "Daniel P. Berrange" <berra...@redhat.com>
> > > To: "Federico Simoncelli" <fsimo...@redhat.com>
> > > Cc: "Lei Li" <li...@linux.vnet.ibm.com>, "Adam Litke" <a...@us.ibm.com>,
> > > "Dan Kenigsberg" <dan...@redhat.com>, "Ryan Harper" <ry...@linux.vnet.ibm.com>,
> > > vdsm-devel@lists.fedorahosted.org, "Ayal Baron" <aba...@redhat.com>
> > > Sent: Monday, May 28, 2012 4:52:38 PM
> > > Subject: Re: Move some of code from spec file into vdsm-tool function issue
> > > 
> > > On Mon, May 28, 2012 at 10:39:08AM -0400, Federico Simoncelli wrote:
> > > > ----- Original Message -----
> > > > > From: "Lei Li" <li...@linux.vnet.ibm.com>
> > > > > To: vdsm-devel@lists.fedorahosted.org
> > > > > Cc: "Adam Litke" <a...@us.ibm.com>, "Dan Kenigsberg" <dan...@redhat.com>,
> > > > > "Federico Simoncelli" <fsimo...@redhat.com>,
> > > > > "Ryan Harper" <ry...@linux.vnet.ibm.com>
> > > > > Sent: Monday, May 28, 2012 11:18:03 AM
> > > > > Subject: Move some of code from spec file into vdsm-tool function issue
> > > > > 
> > > > > Hi guys,
> > > > > 
> > > > > Adam pointed out a problem about my patch moving some of the
> > > > > post and preun section in vdsm spec file into vdsm-tool, and
> > > > > I have the same concern.
> > > > > 
> > > > > After some discussion, I'd like to ask for your suggestions
> > > > > on the patch at the link below.
> > > > > 
> > > > > http://gerrit.ovirt.org/#patch,sidebyside,4528,3,vdsm.spec.in
> > > > > 
> > > > > Please let me know your idea, thanks!
> > 
> > Ok, then coming to your specific question, my opinion is:
> > 
> > - vdsm should work out of the box even if libvirt doesn't require a password
> >   (polkit should be enough)
> > - vdsm-tool should (at some point) update the sasl password with the content
> >   of libvirt_password (if present)
> > - an admin wanting to secure libvirt will create the libvirt_password file and
> >   will use vdsm-tool to make it effective
> > - if downstream wants to automate this, it will drop in a %config libvirt_password
> >   file (or maybe generate it at runtime, as we do with the certificate?) and
> >   will call vdsm-tool accordingly
> > 
> > Dan? Thoughts?
> 
> That sounds like a reasonable approach from a libvirt POV

That's fine also from a RHEV POV.

However, I am not a big fan of this libvirt_password "protection", so I
wouldn't spend too much time on generating a random, secret key to put
there. For me, it only adds to the hassle of supporting this annoying
oVirt requirement.

Dan. (another one)