From e2f88bd51503615700467ed4a15331e79d21d0fe Mon Sep 17 00:00:00 2001
Message-Id: <e2f88bd51503615700467ed4a15331e79d21d0fe.1377873641.git.jdenemar@redhat.com>
From: John Ferlan <jferlan@redhat.com>
Date: Thu, 22 Aug 2013 16:56:27 -0400
Subject: [PATCH] docs: Update formatsecrets to include more examples of each
type
https://bugzilla.redhat.com/show_bug.cgi?id=1000169
Update formatsecret docs to describe the various options and provide examples
of how to set up secrets for each type of secret.
(cherry picked from commit 4ba052907848b85d5f61144707b101ad82314674)
---
docs/formatsecret.html.in | 180 ++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 166 insertions(+), 14 deletions(-)
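diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index 3e306b5..651f722 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -46,18 +46,51 @@
 
 
 
- Usage type "volume"
+
 
 
 This secret is associated with a volume, and it is safe to delete the
 secret after the volume is deleted. The <usage
 type='volume'> element must contain a
 single volume element that specifies the key of the volume
- this secret is associated with.
+ this secret is associated with. For example, create a volume-secret.xml
+ file as follows:
 
 
- Usage type "ceph"
+
+ <secret ephemeral='no' private='yes'>
+ <description>Super secret name of my first puppy</description>
+ <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid>
+ <usage type='volume'>
+ <volume>/var/lib/libvirt/images/puppyname.img</volume>
+ </usage>
+ </secret>
+
+
+
+ Define the secret and set the pass phrase as follows:
+
+
+ # virsh secret-define volume-secret.xml
+ Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created
+ #
+ # MYSECRET=`printf %s "open sesame" | base64`
+ # virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET
+ Secret value set
+ #
+
+
+
+ The volume type secret can then be used in the XML for a storage volume
+ encryption as follows:
+
+
+ <encryption format='qcow'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+
 
+
 
 This secret is associated with a Ceph RBD (rados block device).
 The <usage type='ceph'> element must contain
@@ -66,30 +99,149 @@
 this usage name via the <auth> element of
 a disk device or
 a storage pool (rbd).
- Since 0.9.7.
+ Since 0.9.7. The following is an example
+ of the steps to be taken. First create a ceph-secret.xml file:
+
+
+
+ <secret ephemeral='no' private='yes'>
+ <description>CEPH passphrase example</description>
+ <auth type='ceph' username='myname'/>
+ <usage type='ceph'>
+ <name>ceph_example</name>
+ </usage>
+ </secret>
+
+
+
+ Next, use virsh secret-define ceph-secret.xml to define
+ the secret and virsh secret-set-value using the generated
+ UUID value and a base64 generated secret value in order to define the
+ chosen secret pass phrase.
+
+
+ # virsh secret-define ceph-secret.xml
+ Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created
+ #
+ # virsh secret-list
+ UUID Usage
+ -----------------------------------------------------------
+ 1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example
+ #
+ # CEPHPHRASE=`printf %s "pass phrase" | base64`
+ # virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE
+ Secret value set
+
+ #
+
+
+
+ The ceph secret can then be used by UUID or by the
+ usage name via the <auth> element in a domain's
+ <disk>
+ element as follows:
 
+
+ <auth username='myname'>
+ <secret type='ceph' usage='ceph_example'/>
+ </auth>
+
+
+
+ As well as the <auth> element in a
+ storage pool (rbd)
+ <source> element as follows:
+
+
+ <auth type='ceph' username='myname'>
+ <secret usage='ceph_example'/>
+ </auth>
+
 
- Usage type "iscsi"
+
 
 
 This secret is associated with an iSCSI target for CHAP authentication.
 The <usage type='iscsi'> element must contain
 a single target element that specifies a usage name
- for the secret. The iSCSI secret can then be used by UUID or by
+ for the secret. The iSCSI secret can then be used by UUID or by
 this usage name via the <auth> element of
 a disk device or
 a storage pool (iscsi).
- Since 1.0.4.
+ Since 1.0.4. The following is an example
+ of the XML that may be used to generate a secret for iSCSI CHAP
+ authentication. Assume the following sample entry in an iSCSI
+ authentication file:
+
+
+ <target iqn.2013-07.com.example:iscsi-pool>
+ backing-store /home/tgtd/iscsi-pool/disk1
+ backing-store /home/tgtd/iscsi-pool/disk2
+ incominguser myname mysecret
+ </target>
+
+
+ Define an iscsi-secret.xml file to describe the secret. Use the
+ incominguser username used in your iSCSI authentication
+ configuration file as the value for the username attribute.
+ The description attribute should contain configuration
+ specific data. The target name may be any name of your
+ choosing to be used as the usage when used in the pool
+ or disk XML description.
 
-
-
-
 
 <secret ephemeral='no' private='yes'>
- <description>LUKS passphrase for the main hard drive of our mail server</description>
- <usage type='volume'>
- <volume>/var/lib/libvirt/images/mail.img</volume>
+ <description>Passphrase for the iSCSI example.com server</description>
+ <auth type='chap' username='myname'/>
+ <usage type='iscsi'>
+ <target>libvirtiscsi</target>
 </usage>
- </secret>
+ </secret>
+
+
+
+ Next, use virsh secret-define iscsi-secret.xml to define
+ the secret and virsh secret-set-value using the generated
+ UUID value and a base64 generated secret value in order to define the
+ chosen secret pass phrase. The pass phrase must match the password
+ used in the iSCSI authentication configuration file.
+
+
+ # virsh secret-define secret.xml
+ Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created
+
+ # virsh secret-list
+ UUID Usage
+ -----------------------------------------------------------
+ c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi
+
+ # MYSECRET=`printf %s "mysecret" | base64`
+ # virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET
+ Secret value set
+ #
+
+
+
+ The iSCSI secret can then be used by UUID or by the
+ usage name via the <auth> element in a domain's
+ <disk>
+ element as follows:
+
+
+ <auth username='myname'>
+ <secret type='iscsi' usage='libvirtiscsi'/>
+ </auth>
+
+
+
+ As well as the <auth> element in a
+ storage pool (iscsi)
+ <source> element as follows:
+
+
+ <auth type='chap' username='myname'>
+ <secret usage='libvirtiscsi'/>
+ </auth>
+
 </body>
 </html>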
--
1.8.3.2