[pve-devel] [PATCH qemu-server] config: add system and service credentials support
Lukas Wagner
l.wagner at proxmox.com
Thu Apr 3 11:42:00 CEST 2025
On 2025-04-03 11:04, Thomas Lamprecht wrote:
> Am 03.04.25 um 10:34 schrieb Maximiliano Sandoval:
>>
>> As per systemd-exec's man page, in total one can pass up to 1MB in
>> system credentials. A VM config file is certainly not the vehicle for
>> such an amount of data and I am also not fully comfortable with putting
>> potentially sensitive data as plain-text inside config files or the
>> cluster filesystem. I am not fully sure how to approach this long term.
>>
>>
>> There is also the more-secure possibility to pass down system
>> credentials from the host to the guest (e.g. ImportCredential= or
>> LoadCredential=) but that would have the drawback that there is no
>> mechanism to sync them across a cluster.
>
> A mapping could abstract most of that away and also use a flag to denote
> if a credential is confidential and then save it in the root-only
> /etc/pve/priv path, IIRC we do something similar for notification
> targets like webhooks.
For context:
With webhooks, we have 'secrets', which are dedicated key-value pairs which can be
configured via the UI. For instance, you could set up a secret with key 'password'
and value '12345'. In the URL/Body/Headers we support templating syntax that allows
accessing secrets via the 'secret' namespace, e.g. {{ secret.password }}.
All secrets are stored in /etc/pve/priv/notifications.cfg, which is, as you said,
only readable by root.
--
- Lukas