
This is a multi-part message in MIME format. --------------458056678CBCA60D9CBDE91D Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Use case - Explain what is Virtual Machine to accountant or stockman - beyond my powers. But they understand what is Remote Desktop, and how to "Start menu->Programs->Remote Work->password->Enter". In this talk I like the fact that I learned about deprecation this packet and need to start wrote on another library instead call sub-process. About security reasons: is acceptable for our company. For who don't need this patch can easy disable it. This is not package[1], only playbook for build this. [1] https://wiki.archlinux.org/index.php/Arch_User_Repository On 11/29/2016 07:06 PM, Yaniv Kaul wrote:
On Tue, Nov 29, 2016 at 3:40 AM, Konstantin Shalygin <k0ste@k0ste.ru <mailto:k0ste@k0ste.ru>> wrote:
ovirt-shell will be deprecated and not supported or some functions on ovirt-shell (or all package ovirt-engine-cli)?
We use ovirt-shell on client desktops who connected to SPICE consoles and work (users provided by LDAP on ovirt-engine), like via RDP. For this I wrote very fast-hack patch for ovirt-shell and GUI for enter password (https://github.com/k0ste/ovirt-pygtk <https://github.com/k0ste/ovirt-pygtk>). Very simple, but via Internet people use SPICE without negative about packet loss and disconnects, instead RDP.
Can you further explain the use case? I assume the user portal is not good enough for some reason?
BTW, the ovirt-shell is something we deprecated. It is working on top of the v3 api, which we plan to remove in 4.2. So better not use it.
You can start maintain. For example I maintain packes for Arch Linux: ovirt-engine-cli (https://aur.archlinux.org/packages/ovirt-engine-cli <https://aur.archlinux.org/packages/ovirt-engine-cli>) and ovirt-engine-sdk-python (https://aur.archlinux.org/packages/ovirt-engine-sdk-python <https://aur.archlinux.org/packages/ovirt-engine-sdk-python>).
Hi,
It somehow looks like a fork of the CLI (due to the added patch[1]). I'm not sure how happy I am about it, considering the patch is adding a feature with security issues (there is a reason we do not support password passed via the command line - it's somewhat less secure). Since you are already checking for the CLI rc file[2], just add the password to it and launch with it (in a temp file in the temp directory with the right permissions, etc...)
BTW, note that the attempt to delete the password from memory[3] may or may not work. After all, it's a copy of what you got from entry.get_text() few lines before. And Python GC is not really to be relied upon to delete things ASAP anyway. There are some lovely discussions on the Internet about it. For example[4]. Y.
[1] https://github.com/k0ste/ovirt-pygtk/blob/master/add_password_option.patch [2] https://github.com/k0ste/ovirt-pygtk/blob/master/ovirt-pygtk.py#L81 [3] https://github.com/k0ste/ovirt-pygtk/blob/master/ovirt-pygtk.py#L71 [4] http://stackoverflow.com/questions/728164/securely-erasing-password-in-memor...
My workstation at work is running Ubuntu, and I do not believe that ovirt-shell is packaged for it.
-- Best regards, Konstantin Shalygin
_______________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>
-- Best regards, Konstantin Shalygin --------------458056678CBCA60D9CBDE91D Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit <html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <p><font face="Fira Sans">Use case - </font><span id="result_box" class="short_text" tabindex="-1" lang="en"><span>Explain</span> <span>what is Virtual Machine to accountant or stockman</span> <span>-</span> <span class="">beyond my powers</span><span class="">. But they understand what is Remote Desktop, and how to "Start menu->Programs->Remote Work->password->Enter".</span></span></p> <p><br> <span id="result_box" class="" tabindex="-1" lang="en"><span>In this</span> <span>talk</span> <span>I like the fact</span> <span>that</span> <span>I learned</span> <span class="">about deprecation this packet and need to start wrote on another library instead call sub-process.</span></span></p> <p>About security reasons: is acceptable for our company. For who don't need this patch can easy disable it. This is not package[1], only playbook for build this.<br> <span id="result_box" class="" tabindex="-1" lang="en"><span class=""></span><span></span></span></p> <br> [1] <a href="https://wiki.archlinux.org/index.php/Arch_User_Repository">https://wiki.archlinux.org/index.php/Arch_User_Repository</a><br> <br> <div class="moz-cite-prefix">On 11/29/2016 07:06 PM, Yaniv Kaul wrote:<br> </div> <blockquote cite="mid:CAJgorsY_SksEnP2jQxBgdJyKW=4_qZZGZ=DwHQ13MteEN5jG5w@mail.gmail.com" type="cite"> <div dir="ltr"><br> <div class="gmail_extra"><br> <div class="gmail_quote">On Tue, Nov 29, 2016 at 3:40 AM, Konstantin Shalygin <span dir="ltr"><<a moz-do-not-send="true" href="mailto:k0ste@k0ste.ru" target="_blank">k0ste@k0ste.ru</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">ovirt-shell will be deprecated and not supported or some functions on ovirt-shell (or all package ovirt-engine-cli)?<br> <br> We use ovirt-shell on client desktops who connected to SPICE consoles and work (users provided by LDAP on ovirt-engine), like via RDP. For this I wrote very fast-hack patch for ovirt-shell and GUI for enter password (<a moz-do-not-send="true" href="https://github.com/k0ste/ovirt-pygtk" rel="noreferrer" target="_blank">https://github.com/k0ste/ovir<wbr>t-pygtk</a>). Very simple, but via Internet people use SPICE without negative about packet loss and disconnects, instead RDP.</blockquote> <div><br> </div> <div>Can you further explain the use case? I assume the user portal is not good enough for some reason?</div> <div> </div> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-"><br> <br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> BTW, the ovirt-shell is something we deprecated. It is working on top of<br> the v3 api, which we plan to remove in 4.2.<br> So better not use it.<br> </blockquote> <br> <br> </span> You can start maintain. For example I maintain packes for Arch Linux: ovirt-engine-cli (<a moz-do-not-send="true" href="https://aur.archlinux.org/packages/ovirt-engine-cli" rel="noreferrer" target="_blank">https://aur.archlinux.org/pac<wbr>kages/ovirt-engine-cli</a>) and ovirt-engine-sdk-python (<a moz-do-not-send="true" href="https://aur.archlinux.org/packages/ovirt-engine-sdk-python" rel="noreferrer" target="_blank">https://aur.archlinux.org/pac<wbr>kages/ovirt-engine-sdk-python</a>)<wbr>.</blockquote> <div><br> </div> <div>Hi,</div> <div><br> </div> <div>It somehow looks like a fork of the CLI (due to the added patch[1]). </div> <div>I'm not sure how happy I am about it, considering the patch is adding a feature with security issues (there is a reason we do not support password passed via the command line - it's somewhat less secure).</div> <div>Since you are already checking for the CLI rc file[2], just add the password to it and launch with it (in a temp file in the temp directory with the right permissions, etc...)</div> <div><br> </div> <div>BTW, note that the attempt to delete the password from memory[3] may or may not work. After all, it's a copy of what you got from entry.get_text() few lines before.</div> <div>And Python GC is not really to be relied upon to delete things ASAP anyway. There are some lovely discussions on the Internet about it. For example[4].</div> <div>Y.</div> <div><br> </div> <div>[1] <a moz-do-not-send="true" href="https://github.com/k0ste/ovirt-pygtk/blob/master/add_password_option.patch">https://github.com/k0ste/ovirt-pygtk/blob/master/add_password_option.patch</a></div> <div>[2] <a moz-do-not-send="true" href="https://github.com/k0ste/ovirt-pygtk/blob/master/ovirt-pygtk.py#L81">https://github.com/k0ste/ovirt-pygtk/blob/master/ovirt-pygtk.py#L81</a></div> <div>[3] <a moz-do-not-send="true" href="https://github.com/k0ste/ovirt-pygtk/blob/master/ovirt-pygtk.py#L71">https://github.com/k0ste/ovirt-pygtk/blob/master/ovirt-pygtk.py#L71</a></div> <div>[4] <a moz-do-not-send="true" href="http://stackoverflow.com/questions/728164/securely-erasing-password-in-memory-python">http://stackoverflow.com/questions/728164/securely-erasing-password-in-memory-python</a></div> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-im gmail-HOEnZb"><br> <br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> My workstation at work is running Ubuntu, and I do not believe that ovirt-shell is packaged for it.<br> </blockquote> <br> </span><span class="gmail-HOEnZb"><font color="#888888"> -- <br> Best regards,<br> Konstantin Shalygin</font></span> <div class="gmail-HOEnZb"> <div class="gmail-h5"><br> <br> <br> ______________________________<wbr>_________________<br> Users mailing list<br> <a moz-do-not-send="true" href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br> <a moz-do-not-send="true" href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br> </div> </div> </blockquote> </div> <br> </div> </div> </blockquote> <br> <pre class="moz-signature" cols="72">-- Best regards, Konstantin Shalygin </pre> </body> </html> --------------458056678CBCA60D9CBDE91D--