From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: zedv@physik.fu-berlin.de
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH backup] pbs-client: read credentials from $CREDENTIALS_DIRECTORY
Date: Wed, 26 Mar 2025 11:46:37 +0100 [thread overview]
Message-ID: <s8oldss3w3e.fsf@proxmox.com> (raw)
In-Reply-To: <Z-PRpqR2dS9Q_Edv@physik.fu-berlin.de>
Jörg Behrmann <proxmox@behrmj87m.dialup.fu-berlin.de> writes:
> Hi!
>
> Sorry to chime in from the sidelines, I just saw this patch set, which makes me
> very happy.
:)
> It would be great if everything that can be set via envvar could be set, via
> credential as well, most importantly I am thinking about the repository, since
> systemd can accept credentials passed in via smbios type 11 strings.
Makes sense, I can prepare a follow-up with some of these if this patch
is applied.
> There is a bug report against the PVE web UI open to be able to set arbitrary
> key pars for that [1]. This would allow to configure the pbs client for a VM
> directly from the PVE web UI.
>
> Another comment further down inline.
>
> Thanks for this works!
>
> best regards,
> Jörg Behrmann
>
> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=5601
>
> On Mon, Mar 24, 2025 at 01:35:42PM +0100, Maximiliano Sandoval wrote:
>> Allows to load credentials passed down by systemd. A possible use-case
>> is safely storing the server's password in a file encrypted by the
>> systems TPM, e.g. via
>>
>> ```
>> systemd-ask-password -n | systemd-creds encrypt --name=pbs-password - my-api-token.cred
>> ```
>> ...
>> +/// Gets an encryption password.
>> +///
>> +/// We first try reading from the `PBS_ENCRYPTION_PASSWORD` environment
>> +/// variable, then we try reading from the `pbs-encryption-password`
>
> The name for credentials is pretty free form and dashes are the correct
> namespacing for systemd units, but when grepping for SetCredential= and
> LoadCredential= in the systemd codebase, you'll see that dots are the more
> idiomatic way of namespacing credentials, this idiom has also spread to other
> projects, e.g. util-linux (see the credential support in agetty).
>
> The better name would therefore be pbs.encryption.password or
> pbs.encryption-password or pbs.encryption_password, depending on what exactly
> the namespacing you want to communicate is.
You are right, I will send a v3 using `proxmox-backup-client.password`
and `proxmox-backup-client.encryption-password`.
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
prev parent reply other threads:[~2025-03-26 10:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-24 12:35 Maximiliano Sandoval
2025-03-25 10:51 ` Wolfgang Bumiller
2025-03-26 9:41 ` Maximiliano Sandoval
2025-03-26 10:06 ` Jörg Behrmann
2025-03-26 10:46 ` Maximiliano Sandoval [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s8oldss3w3e.fsf@proxmox.com \
--to=m.sandoval@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=zedv@physik.fu-berlin.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal