public inbox for pbs-devel@lists.proxmox.com
From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: zedv@physik.fu-berlin.de
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH backup] pbs-client: read credentials from $CREDENTIALS_DIRECTORY
Date: Wed, 26 Mar 2025 11:46:37 +0100
Message-ID: <s8oldss3w3e.fsf@proxmox.com>
In-Reply-To: <Z-PRpqR2dS9Q_Edv@physik.fu-berlin.de>


Jörg Behrmann <proxmox@behrmj87m.dialup.fu-berlin.de> writes:

> Hi!
>
> Sorry to chime in from the sidelines, I just saw this patch set, which makes me
> very happy.

:)

> It would be great if everything that can be set via envvar could be set via
> credential as well, most importantly I am thinking about the repository, since
> systemd can accept credentials passed in via smbios type 11 strings.

Makes sense, I can prepare a follow-up with some of these if this patch
is applied.

> There is a bug report against the PVE web UI open to be able to set arbitrary
> key pairs for that [1]. This would allow to configure the pbs client for a VM
> directly from the PVE web UI.
>
> Another comment further down inline.
>
> Thanks for this work!
>
> best regards,
> Jörg Behrmann
>
> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=5601
>
> On Mon, Mar 24, 2025 at 01:35:42PM +0100, Maximiliano Sandoval wrote:
>> Allows to load credentials passed down by systemd. A possible use-case
>> is safely storing the server's password in a file encrypted by the
>> system's TPM, e.g. via
>>
>> ```
>> systemd-ask-password -n | systemd-creds encrypt --name=pbs-password - my-api-token.cred
>> ```
>> ...
>> +/// Gets an encryption password.
>> +///
>> +/// We first try reading from the `PBS_ENCRYPTION_PASSWORD` environment
>> +/// variable, then we try reading from the `pbs-encryption-password`
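
Review bot: in the doc comment for the encryption-password getter, the `PBS_ENCRYPTION_PASSWORD` environment variable is tried before the `pbs-encryption-password` credential, and the quoted lines do not say why or what happens when both are set to different values. Since the commit message presents the credential as the way to store the password safely, consider documenting the reason for this precedence and whether a set-but-empty environment variable falls through to the credential or is returned as an empty password.
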
>
> The name for credentials is pretty free form and dashes are the correct
> namespacing for systemd units, but when grepping for SetCredential= and
> LoadCredential= in the systemd codebase, you'll see that dots are the more
> idiomatic way of namespacing credentials, this idiom has also spread to other
> projects, e.g. util-linux (see the credential support in agetty).
>
> The better name would therefore be pbs.encryption.password or
> pbs.encryption-password or pbs.encryption_password, depending on what exactly
> the namespacing you want to communicate is.

You are right, I will send a v3 using `proxmox-backup-client.password`
and `proxmox-backup-client.encryption-password`.
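
The lookup discussed in this thread (environment variable first, then a file under `$CREDENTIALS_DIRECTORY`), as an added example that is not the patch's or the project's code. The function names, the name validation and the newline trimming are assumptions; the credential name is the one proposed above for v3.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Map a credential name to a path inside `dir`, refusing anything that is
/// not a single plain file name (no separators, no `.` or `..`).
fn credential_path(dir: &Path, name: &str) -> Option<PathBuf> {
    let plain = !name.is_empty()
        && name != "." && name != ".."
        && !name.contains('/')
        && !name.contains('\0');
    plain.then(|| dir.join(name))
}

/// Lookup order from the quoted doc comment: environment value first, then
/// the credential file. Both sources are passed in by the caller, so the
/// function does not touch the process environment itself.
fn get_secret(
    env_value: Option<String>,
    cred_dir: Option<&Path>,
    cred_name: &str,
) -> io::Result<Option<String>> {
    if let Some(value) = env_value {
        return Ok(Some(value));
    }
    let Some(path) = cred_dir.and_then(|d| credential_path(d, cred_name)) else {
        return Ok(None); // no credentials directory, or an unusable name
    };
    match fs::read(&path) {
        Ok(bytes) => {
            let text = String::from_utf8(bytes)
                .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
            // Assumption: a trailing newline is not part of the secret.
            Ok(Some(text.trim_end_matches(|c: char| c == '\n' || c == '\r').to_string()))
        }
        // A credential that was simply not passed is not an error.
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(None),
        Err(e) => Err(e),
    }
}

fn main() -> io::Result<()> {
    let dir = std::env::var_os("CREDENTIALS_DIRECTORY").map(PathBuf::from);
    let env = std::env::var("PBS_ENCRYPTION_PASSWORD").ok();
    let name = "proxmox-backup-client.encryption-password";
    let found = get_secret(env, dir.as_deref(), name)?.is_some();
    println!("encryption password {}", if found { "found" } else { "not set" });
    Ok(())
}
```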



Thread overview: 5+ messages
2025-03-24 12:35 Maximiliano Sandoval
2025-03-25 10:51 ` Wolfgang Bumiller
2025-03-26  9:41   ` Maximiliano Sandoval
2025-03-26 10:06 ` Jörg Behrmann
2025-03-26 10:46   ` Maximiliano Sandoval [this message]
