From: Lukas Wagner <l.wagner@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Thomas Lamprecht <t.lamprecht@proxmox.com>,
Maximiliano Sandoval <m.sandoval@proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: Re: [pve-devel] [PATCH qemu-server] config: add system and service credentials support
Date: Thu, 3 Apr 2025 11:42:00 +0200
Message-ID: <385fa21e-54b8-42b8-bc9a-b6ceebd87e20@proxmox.com>
In-Reply-To: <b67a1dbb-1737-4d7f-9487-85ec5d4432e5@proxmox.com>
On 2025-04-03 11:04, Thomas Lamprecht wrote:
> Am 03.04.25 um 10:34 schrieb Maximiliano Sandoval:
>>
>> As per systemd-exec's man page, in total one can pass up to 1MB in
>> system credentials. A VM config file is certainly not the vehicle for
>> such an amount of data and I am also not fully comfortable with putting
>> potentially sensitive data as plain-text inside config files or the
>> cluster filesystem. I am not fully sure how to approach this long term.
>>
>>
>> There is also the more-secure possibility to pass down system
>> credentials from the host to the guest (e.g. ImportCredential= or
>> LoadCredential=) but that would have the drawback that there is no
>> mechanism to sync them across a cluster.
>
> A mapping could abstract most of that away and also use a flag to denote
> if a credential is confidential and then save it in the root-only
> /etc/pve/priv path, IIRC we do something similar for notifications
> targets like webhooks.
For context:
With webhooks, we have 'secrets', which are dedicated key-value pairs which can be
configured via the UI. For instance, you could set up a secret with key 'password'
and value '12345'. In the URL/Body/Headers we support templating syntax that allows
accessing secrets via the 'secret' namespace, e.g. {{ secret.password }}.
All secrets are stored in /etc/pve/priv/notifications.cfg, which is, as you said,
only readable by root.
--
- Lukas
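The split described in this thread, a confidential flag that moves a value into a root-only secrets file while the public config keeps only a `{{ secret.NAME }}` reference, as an added illustration in Python (not PVE's own Perl code). The secrets file format and the `split_config` mapping are assumptions made for the example; the real notifications.cfg layout is not shown here.

```python
import re

# Constructed sample content of a root-only secrets file
# (hypothetical "key value" per line format, not PVE's actual syntax).
SECRETS_TEXT = "password 12345\ntoken abcdef\n"

# Matches the 'secret' namespace templating syntax, e.g. {{ secret.password }}
TEMPLATE_RE = re.compile(r"\{\{\s*secret\.([A-Za-z0-9_]+)\s*\}\}")


def parse_secrets(text):
    """Parse 'key value' lines into a dict; blank lines and comments are skipped."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        secrets[key] = value.strip()
    return secrets


def render(template, secrets):
    """Replace every {{ secret.NAME }} with its value; an unknown name raises
    instead of silently leaving the placeholder (or an empty string) behind."""
    def substitute(match):
        name = match.group(1)
        if name not in secrets:
            raise KeyError(f"unknown secret '{name}'")
        return secrets[name]
    return TEMPLATE_RE.sub(substitute, template)


def split_config(entries):
    """Split {key: (value, confidential)} into the public config and the
    private part. Confidential values go to the private dict (destined for
    /etc/pve/priv); the public config only keeps a {{ secret.key }} reference,
    so nothing sensitive lands in the world-readable cluster filesystem."""
    public, private = {}, {}
    for key, (value, confidential) in entries.items():
        if confidential:
            private[key] = value
            public[key] = "{{ secret.%s }}" % key
        else:
            public[key] = value
    return public, private
```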
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel