[ovirt-users] [ovirt-devel] Hello and A Question about oVirt

Michal Skrivanek mskrivan at redhat.com
Wed Feb 3 10:30:58 UTC 2016


> On 03 Feb 2016, at 06:36, zhukaijie <kjzhu14 at is.ac.cn> wrote:
> 
> 
> ________________________________________
> From: Michal Skrivanek [mskrivan at redhat.com]
> Sent: 2 February 2016 17:55
> To: zhukaijie
> Cc: devel at ovirt.org
> Subject: Re: [ovirt-devel] Hello and A Question about oVirt
> 
> On 02 Feb 2016, at 10:40, Yaniv Dary <ydary at redhat.com> wrote:
> 
> I don't think we have an option like this. Michal?
> 
> 
> Yaniv Dary
> Technical Product Manager
> Red Hat Israel Ltd.
> 34 Jerusalem Road
> Building A, 4th floor
> Ra'anana, Israel 4350109
> 
> Tel : +972 (9) 7692306
>        8272306
> Email: ydary at redhat.com
> IRC : ydary
> 
> On Mon, Feb 1, 2016 at 5:16 AM, zhukaijie <kjzhu14 at is.ac.cn> wrote:
> Hello, now I have defined a custom property named 'A' in oVirt Engine. The administrator is responsible for entering the value (an arbitrary string) of 'A' before starting the VM. After a user tries to start the VM in oVirt, VDSM will add the value of 'A' to the qemu:arg of the libvirt domain XML, so that the value of 'A' will be added to the QEMU command line as a parameter. However, just like the password of VNC or SPICE, I want to hide the value of 'A' in '*' format in both the libvirt domain XML and the QEMU command line, so could you please tell me how to achieve it? Thank you very much and happy 2016.
> 
> No, I don’t think you would be able to make libvirt and qemu hide it. Unfortunately it would be exposed… for log files you are protected by file access permissions, but if there is anything sensitive on the command line and you have a user who can get a shell on that machine, one can always see that in the process listing.
> 
> Do you perhaps need to pass some secret to a VM? Might be better via payload, it can be accessed in the guest as a file then.
> 
> Thanks,
> michal
> 
> Thank you. But there is still a doubt for me. In vdsm/graphics.py, the function _setPasswd uses the "*****" format to hide the true password of VNC and SPICE if the disableticketing feature is not used. So later, how can libvirt translate the "*****" format into the true password? Thank you.

For the password field it’s an exception and it’s explicitly logged with *. Of course the proper secret password is supplied to libvirt.
But as a generic field elsewhere… they are not getting hidden… all the parameters would look like *****, which is not helpful :)
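
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not VDSM's code: only the copy of the domain XML written to the log has its graphics password masked, while the XML handed to libvirt keeps the real value, and `qemu:arg` values are untouched in both. The sample XML, the password, the custom value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# libvirt's namespace for QEMU command-line passthrough elements.
QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
ET.register_namespace("qemu", QEMU_NS)

# Constructed sample domain XML; password and custom value are made up.
DOMAIN_XML = """<domain type='kvm'
        xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>demo</name>
  <devices>
    <graphics type='vnc' port='-1' passwd='s3cr3t-ticket'/>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-custom-opt'/>
    <qemu:arg value='value-of-A'/>
  </qemu:commandline>
</domain>"""


def redact_for_log(domain_xml):
    """Return a log-safe copy of the XML with graphics passwords masked.

    The input string is not modified, so the caller can still pass the
    real password to libvirt.
    """
    root = ET.fromstring(domain_xml)
    for graphics in root.iter("graphics"):
        if "passwd" in graphics.attrib:
            graphics.set("passwd", "*****")
    return ET.tostring(root, encoding="unicode")


def passthrough_args(domain_xml):
    """List qemu:arg values, which libvirt appends to the QEMU command
    line, where they are visible in the host's process listing."""
    root = ET.fromstring(domain_xml)
    return [arg.get("value") for arg in root.iter("{%s}arg" % QEMU_NS)]


if __name__ == "__main__":
    print(redact_for_log(DOMAIN_XML))
    print("on the QEMU command line:", passthrough_args(DOMAIN_XML))
```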