On 03 Feb 2016, at 06:36, zhukaijie <kjzhu14@is.ac.cn> wrote:

________________________________________ 发件人: Michal Skrivanek [mskrivan@redhat.com] 发送时间: 2016年2月2日 17:55 收件人: zhukaijie 抄送: devel@ovirt.org 主题: Re: [ovirt-devel] Hello and A Question about oVirt

On 02 Feb 2016, at 10:40, Yaniv Dary <ydary@redhat.com<mailto:ydary@redhat.com>> wrote:

I don't think we have a option like this. Michal?

Yaniv Dary Technical Product Manager Red Hat Israel Ltd. 34 Jerusalem Road Building A, 4th floor Ra'anana, Israel 4350109

Tel : +972 (9) 7692306 8272306 Email: ydary@redhat.com<mailto:ydary@redhat.com> IRC : ydary

On Mon, Feb 1, 2016 at 5:16 AM, zhukaijie <kjzhu14@is.ac.cn<mailto:kjzhu14@is.ac.cn>> wrote: Hello, now I have defined a custom property named 'A' in oVirt Engine. Administrator is responsible for entering the value (and arbitrary string ) of 'A' before starting the VM. After an users trys to start the VM in oVirt, VDSM will add the value of 'A' in the qemu:arg of libvirt domain xml, so that the value of 'A' will be added into the QEMU Cmd as a param. However, just like the password of VNC or SPICE, I want to hide the value of 'A' in '*' format in both Libvirt domain xml and QEMU Cmd, So could you please tell me how to achieve it? Thank you very much and happy 2016.

No, I don’t think you would be able to make libvirt and qemu to hide it. Unfortunately it would be exposed…for log files you are protected by file access permissions, but if there is anything sensitive on the command line and you have a user who can get a shell on that machine one can always see that in process listing

do you perhaps need to pass some secret to a VM? Might be better via payload, it can be accessed in the guest as a file then.

Thanks, michal

_______________________________________________ Devel mailing list Devel@ovirt.org<mailto:Devel@ovirt.org> http://lists.ovirt.org/mailman/listinfo/devel

Thank you. But there is still a doubt for me. In vdsm/graphics.py, function _setPasswd uses "*****" format to hide the true password of VNC and SPICE if disableticketing feature is not used. So later how can Libvirt translates the "*****" format into true password? Thank you.

for password field it’s an exception and it’s explicitly logged with *. of course the proper secret password is supplied to libvirt. But as a generic field elsewhere …they are not getting hidden….all the parameters would look like ***** which is not helpful:)