[pve-devel] [PATCH qemu-server] config: add system and service credentials support
Maximiliano Sandoval
m.sandoval at proxmox.com
Thu Apr 3 10:48:26 CEST 2025
Thomas Lamprecht <t.lamprecht at proxmox.com> writes:
> Am 03.04.25 um 09:49 schrieb Thomas Lamprecht:
>> Am 02.04.25 um 16:36 schrieb Maximiliano Sandoval:
>>> Allows to pass system and service credentials to a VM. See [1] for a
>>> description of credentials. This can be potentially used to provision a
>>> VM as per [2]. Values can be passed either as plain text or as a base64
>>> encoded string when the base64 flag is set.
>>
>> Would this also make sense for Containers?
>>
>> If it's something we can expose for all guests, we could also (later) look
>> into implementing some simple registry (like a mappings type) fulfilling
>> what the snippets approach would provide one while having it nicely
>> integrated into our access control system.
>>
>>>
>>> A VM configuration file which, for example, contains:
>>>
>>> systemd-cred0: name=foo,value=bar
>>> systemd-cred1: name=encoded-foo,value=YmFy,base64=1
>>
>> Tangentially related: Moving the VM config fully over to section config
>> parsing would get us list/array support for free – albeit the move might be
>> rather costly..
> Oh, and one alternative would be to provide just one `systemd-credenentials` key
> here that always refers to such a credential mapping, which has then an array
> of all the credentials with their name and value.
>
> As I checked [fdo-sc] and there are like 50 supported credentials, some with
> a glob to allow sets of credentials per type like for network or udev rules,
> so 15 might not cut it quite fast even if the use-case is not _that_ complex.
>
> [fdo-sc] https://www.freedesktop.org/software/systemd/man/latest/systemd.system-credentials.html
The number 16 was picked at random, we can certainly bump it. The
credentials in [fdo-sc] are just some well-known credentials which are
picked up at boot by systemd and which will then "do something with
them", the user might on top of them also add e.g. the newly introduced
credentials for the backup-client or Apache's or just some random data
they need in their app inside the guest.
More information about the pve-devel
mailing list