To: devel@lists.libvirt.org
Subject: [RFC v3 3/5] secret: Add secrets.conf configuration file and parse it
Date: Thu, 27 Nov 2025 12:52:30 +0530
Message-ID: <20251127072232.38426-4-armenon@redhat.com>
In-Reply-To: <20251127072232.38426-1-armenon@redhat.com>
References: <20251127072232.38426-1-armenon@redhat.com>
From: Arun Menon via Devel
Reply-To: Arun Menon
CC: Arun Menon

A new configuration file called secrets.conf is introduced to let the user
configure the path to the secrets encryption key. This key will be used to
encrypt/decrypt the secrets in libvirt. By default the path is set to the
runtime directory /run/libvirt/secrets, and it is commented out in the
config file.

After parsing the file, the virtsecretd driver checks if an encryption key
is present in the path and is valid. If no encryption key is present in the
path, then the service will by default use the encryption key stored in the
CREDENTIALS_DIRECTORY.

Add logic to parse the encryption key file and store the key. It also checks
for the encrypt_data attribute in the config file. The encryption and
decryption logic will be added in the subsequent patches.

Signed-off-by: Arun Menon
---
 libvirt.spec.in                        |   3 +
 po/POTFILES                            |   1 +
 src/conf/meson.build                   |   1 +
 src/conf/secret_config.c               | 177 +++++++++++++++++++++++++
 src/conf/secret_config.h               |  38 ++++++
 src/libvirt_private.syms               |   2 +
 src/secret/libvirt_secrets.aug         |  40 ++++++
 src/secret/meson.build                 |  18 +++
 src/secret/secrets.conf.in             |  12 ++
 src/secret/test_libvirt_secrets.aug.in |   6 +
 10 files changed, 298 insertions(+)
 create mode 100644 src/conf/secret_config.c
 create mode 100644 src/conf/secret_config.h
 create mode 100644 src/secret/libvirt_secrets.aug
 create mode 100644 src/secret/secrets.conf.in
 create mode 100644 src/secret/test_libvirt_secrets.aug.in
diff --git a/libvirt.spec.in b/libvirt.spec.in index dba8a71311..01ecf7e7ca 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in
@@ -2240,6 +2240,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/libvirt/virtsecretd.conf %{_datadir}/augeas/lenses/virtsecretd.aug %{_datadir}/augeas/lenses/tests/test_virtsecretd.aug +%{_datadir}/augeas/lenses/libvirt_secrets.aug +%{_datadir}/augeas/lenses/tests/test_libvirt_secrets.aug +%config(noreplace) %{_sysconfdir}/libvirt/secrets.conf %{_unitdir}/virtsecretd.service %{_unitdir}/virt-secret-init-encryption.service %{_unitdir}/virtsecretd.socket diff --git a/po/POTFILES b/po/POTFILES index f0aad35c8c..a64e4b2d87 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -53,6 +53,7 @@ src/conf/nwfilter_conf.c src/conf/nwfilter_params.c src/conf/object_event.c src/conf/secret_conf.c +src/conf/secret_config.c src/conf/snapshot_conf.c src/conf/storage_adapter_conf.c src/conf/storage_conf.c diff --git a/src/conf/meson.build b/src/conf/meson.build index 5116c23fe3..9c51e99107 100644 --- a/src/conf/meson.build +++ b/src/conf/meson.build @@ -68,6 +68,7 @@ interface_conf_sources =3D [ =20 secret_conf_sources =3D [ 'secret_conf.c', + 'secret_config.c', 'virsecretobj.c', ] =20 diff --git a/src/conf/secret_config.c b/src/conf/secret_config.c new file mode 100644 index 0000000000..5bc0b24380 --- /dev/null +++ b/src/conf/secret_config.c 
@@ -0,0 +1,177 @@ +/* + * secret_config.c: secrets.conf config file handling + * + * Copyright (C) 2025 Red Hat, Inc. + * SPDX-License-Identifier: LGPL-2.1-or-later + */ + +#include +#include +#include "configmake.h" +#include "datatypes.h" +#include "virlog.h" +#include "virerror.h" +#include "virfile.h" +#include "virutil.h" +#include "secret_config.h" + + +#define VIR_FROM_THIS VIR_FROM_CONF + +VIR_LOG_INIT("secret.secret_config"); + +static virClass *virSecretDaemonConfigClass; +static void virSecretDaemonConfigDispose(void *obj); + +static int +virSecretConfigOnceInit(void) +{ + if (!VIR_CLASS_NEW(virSecretDaemonConfig, virClassForObject())) + return -1; + + return 0; +} + + +VIR_ONCE_GLOBAL_INIT(virSecretConfig); + + +int +virSecretDaemonConfigFilePath(bool privileged, char **configfile) +{ + if (privileged) { + *configfile =3D g_strdup(SYSCONFDIR "/libvirt/secrets.conf"); + } else { + g_autofree char *configdir =3D NULL; + + configdir =3D virGetUserConfigDirectory(); + + *configfile =3D g_strdup_printf("%s/secrets.conf", configdir); + } + + return 0; +} + + +static int +virSecretLoadDaemonConfig(virSecretDaemonConfig *cfg, + const char *filename) +{ + g_autoptr(virConf) conf =3D NULL; + /* Encrypt secrets by default unless the configuration sets it otherwi= se */ + cfg->encrypt_data =3D 1; + + if (virFileExists(filename)) { + conf =3D virConfReadFile(filename, 0); + if (!conf) + return -1; + if (virConfGetValueBool(conf, "encrypt_data", &cfg->encrypt_data) = < 0) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("Failed to get encrypt_data from %1$s"), + filename); + return -1; + } + + if (virConfGetValueString(conf, "secrets_encryption_key", + &cfg->secretsEncryptionKeyPath) < 0) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("Failed to get secrets_encryption_key from %1= $s"), + filename); + return -1; + } + } + return 0; +} + + +static int virGetSecretsEncryptionKey(virSecretDaemonConfig *cfg, + uint8_t **secrets_encryption_key, size= _t 
*secrets_encryption_keylen) +{ + VIR_AUTOCLOSE fd =3D -1; + ssize_t encryption_key_length; + + if (!virFileExists(cfg->secretsEncryptionKeyPath)) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Secrets key file '%1$s' = does not exist"), + cfg->secretsEncryptionKeyPath); + return -1; + } + + if ((fd =3D open(cfg->secretsEncryptionKeyPath, O_RDONLY)) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Cannot open secrets key = file '%1$s'"), + cfg->secretsEncryptionKeyPath); + return -1; + } + + *secrets_encryption_key =3D g_new0(uint8_t, VIR_SECRETS_ENCRYPTION_KEY= _LEN); + + if ((encryption_key_length =3D saferead(fd, *secrets_encryption_key, V= IR_SECRETS_ENCRYPTION_KEY_LEN)) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Cannot read secrets key = file '%1$s'"), + cfg->secretsEncryptionKeyPath); + return -1; + } + if (encryption_key_length !=3D VIR_SECRETS_ENCRYPTION_KEY_LEN) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Secrets encryption key f= ile %1$s must be 32 bytes"), + cfg->secretsEncryptionKeyPath); + return -1; + } + + *secrets_encryption_keylen =3D (size_t)encryption_key_length; + return 0; +} + + +virSecretDaemonConfig * +virSecretDaemonConfigNew(bool privileged) +{ + g_autoptr(virSecretDaemonConfig) cfg =3D NULL; + g_autofree char *configdir =3D NULL; + g_autofree char *configfile =3D NULL; + const char *credentials_directory; + + if (virSecretConfigInitialize() < 0) + return NULL; + + if (!(cfg =3D virObjectNew(virSecretDaemonConfigClass))) + return NULL; + + cfg->secretsEncryptionKeyPath =3D NULL; + + if (virSecretDaemonConfigFilePath(privileged, &configfile) < 0) + return NULL; + + if (virSecretLoadDaemonConfig(cfg, configfile) < 0) + return NULL; + + credentials_directory =3D getenv("CREDENTIALS_DIRECTORY"); + + if (!cfg->secretsEncryptionKeyPath && credentials_directory) { + cfg->secretsEncryptionKeyPath =3D g_strdup_printf("%s/secrets-encr= yption-key", + credentials_direct= ory); + } + VIR_DEBUG("Secrets encryption key path: %s", 
NULLSTR(cfg->secretsEncry= ptionKeyPath)); + + if (cfg->secretsEncryptionKeyPath && virFileExists(cfg->secretsEncrypt= ionKeyPath)) { + if (virGetSecretsEncryptionKey(cfg, &cfg->secrets_encryption_key, = &cfg->secretsKeyLen) < 0) { + return NULL; + } + } + if (cfg->encrypt_data =3D=3D 1) { + if (!cfg->secretsEncryptionKeyPath) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("secretsEncryptionKeyPath must be set if encr= ypt_data is 1 in %1$s"), + configfile); + return NULL; + } + } + return g_steal_pointer(&cfg); +} + + +static void +virSecretDaemonConfigDispose(void *obj) +{ + virSecretDaemonConfig *cfg =3D obj; + + g_free(cfg->secrets_encryption_key); + g_free(cfg->secretsEncryptionKeyPath); +} diff --git a/src/conf/secret_config.h b/src/conf/secret_config.h new file mode 100644 index 0000000000..4cc6589814 --- /dev/null +++ b/src/conf/secret_config.h @@ -0,0 +1,38 @@ +/* + * secret_config.h: secrets.conf config file handling + * + * Copyright (C) 2025 Red Hat, Inc. + * SPDX-License-Identifier: LGPL-2.1-or-later + */ + +#pragma once + +#include "internal.h" +#include "virinhibitor.h" +#include "secret_event.h" +#define VIR_SECRETS_ENCRYPTION_KEY_LEN 32 + +typedef struct _virSecretDaemonConfig virSecretDaemonConfig; +struct _virSecretDaemonConfig { + virObject parent; + /* secrets encryption key path from secrets.conf file */ + char *secretsEncryptionKeyPath; + + /* Store the key to encrypt secrets on the disk */ + unsigned char *secrets_encryption_key; + + size_t secretsKeyLen; + + /* Indicates if the newly written secrets are encrypted or not. + * 0 if not encrypted and 1 if encrypted. + */ + bool encrypt_data; +}; + +G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSecretDaemonConfig, virObjectUnref); + +int virSecretDaemonConfigFilePath(bool privileged, char **configfile); +virSecretDaemonConfig *virSecretDaemonConfigNew(bool privileged); +int virSecretDaemonConfigLoadFile(virSecretDaemonConfig *data, + const char *filename, + bool allow_missing); 
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 63a1ae4c70..cdf5426af6 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1066,6 +1066,8 @@ virSecretDefParse; virSecretUsageTypeFromString; virSecretUsageTypeToString; =20 +# conf/secret_config.h +virSecretDaemonConfigNew; =20 # conf/secret_event.h virSecretEventLifecycleNew; diff --git a/src/secret/libvirt_secrets.aug b/src/secret/libvirt_secrets.aug new file mode 100644 index 0000000000..092cdef41f --- /dev/null +++ b/src/secret/libvirt_secrets.aug 
@@ -0,0 +1,40 @@ +(* /etc/libvirt/secrets.conf *) + +module Libvirt_secrets =3D + autoload xfm + + let eol =3D del /[ \t]*\n/ "\n" + let value_sep =3D del /[ \t]*=3D[ \t]*/ " =3D " + let indent =3D del /[ \t]*/ "" + + let array_sep =3D del /,[ \t\n]*/ ", " + let array_start =3D del /\[[ \t\n]*/ "[ " + let array_end =3D del /\]/ "]" + + let str_val =3D del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\"" + let bool_val =3D store /0|1/ + let int_val =3D store /[0-9]+/ + let str_array_element =3D [ seq "el" . str_val ] . del /[ \t\n]*/ "" + let str_array_val =3D counter "el" . array_start . ( str_array_element = . ( array_sep . str_array_element ) * ) ? . array_end + + let str_entry (kw:string) =3D [ key kw . value_sep . str_val ] + let bool_entry (kw:string) =3D [ key kw . value_sep . bool_val ] + let int_entry (kw:string) =3D [ key kw . value_sep . int_val ] + let str_array_entry (kw:string) =3D [ key kw . value_sep . str_array_va= l ] + + let secrets_entry =3D str_entry "secrets_encryption_key" + | bool_entry "encrypt_data" + + (* Each entry in the config is one of the following three ... *) + let entry =3D secrets_entry + let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] + let empty =3D [ label "#empty" . eol ] + + let record =3D indent . entry . eol + + let lns =3D ( record | comment | empty ) * + + let filter =3D incl "/etc/libvirt/secrets.conf" + . Util.stdexcl + + let xfm =3D transform lns filter diff --git a/src/secret/meson.build b/src/secret/meson.build index c02d1064a9..cff0f0678d 100644 --- a/src/secret/meson.build +++ b/src/secret/meson.build 
@@ -27,6 +27,24 @@ if conf.has('WITH_SECRETS') ], } =20 + secrets_conf =3D configure_file( + input: 'secrets.conf.in', + output: 'secrets.conf', + copy: true + ) + virt_conf_files +=3D secrets_conf + + virt_aug_files +=3D files('libvirt_secrets.aug') + + virt_test_aug_files +=3D { + 'name': 'test_libvirt_secrets.aug', + 'aug': files('test_libvirt_secrets.aug.in'), + 'conf': files('secrets.conf.in'), + 'test_name': 'libvirt_secrets', + 'test_srcdir': meson.current_source_dir(), + 'test_builddir': meson.current_build_dir(), + } + virt_daemon_confs +=3D { 'name': 'virtsecretd', } diff --git a/src/secret/secrets.conf.in b/src/secret/secrets.conf.in new file mode 100644 index 0000000000..d998940140 --- /dev/null +++ b/src/secret/secrets.conf.in @@ -0,0 +1,12 @@ +# +# Configuration file for the secrets driver. +# +# The secret encryption key is used to override default encryption +# key path. The user can create an encryption key and set the secret_encry= ption_key +# to the path on which it resides. +# The key must be 32-bytes long. +#secrets_encryption_key =3D "/run/libvirt/secrets/secret-encryption-key" + +# The encrypt_data setting is used to indicate if the encryption is on or = off. +# 0 indicates off and 1 indicates on. By default it is set to on. +#encrypt_data =3D 1 diff --git a/src/secret/test_libvirt_secrets.aug.in b/src/secret/test_libvi= rt_secrets.aug.in new file mode 100644 index 0000000000..1bb205e0f2 --- /dev/null +++ b/src/secret/test_libvirt_secrets.aug.in @@ -0,0 +1,6 @@ +module Test_libvirt_secrets =3D + @CONFIG@ + + test Libvirt_secrets.lns get conf =3D +{ "secrets_encryption_key" =3D "/run/libvirt/secrets/secret-encryption-key= " } +{ "encrypt_data" =3D "1" } --=20 2.51.1
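Review bot: in the src/conf/secret_config.c hunk, virSecretDaemonConfigNew() only calls virGetSecretsEncryptionKey() behind `if (cfg->secretsEncryptionKeyPath && virFileExists(cfg->secretsEncryptionKeyPath))`, so a configured secrets_encryption_key that points at a missing file is silently skipped: the daemon starts with encrypt_data set and secrets_encryption_key still NULL, and the "Secrets key file '%1$s' does not exist" branch inside virGetSecretsEncryptionKey() can never be reached. Drop the outer virFileExists() guard, or fail when encrypt_data is set and no key was actually loaded, so a misconfigured key path is reported at startup rather than at the first encryption. In the same function the error text "secretsEncryptionKeyPath must be set if encrypt_data is 1" shows the C field name to the user; it should name the config key `secrets_encryption_key`. In virGetSecretsEncryptionKey(), saferead() is asked for at most VIR_SECRETS_ENCRYPTION_KEY_LEN bytes, so a key file longer than 32 bytes passes the `!= VIR_SECRETS_ENCRYPTION_KEY_LEN` check and is silently truncated; consider rejecting oversized files (e.g. via fstat() or a read of LEN + 1), and have the "must be 32 bytes" message use the macro instead of a hard-coded number. Since this buffer holds key material, virSecretDaemonConfigDispose() should virSecureErase() it before g_free(). Finally, `g_autofree char *configdir = NULL;` in virSecretDaemonConfigNew() is declared but never used and will trip -Wunused-variable.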
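Review bot: the src/conf/secret_config.h hunk declares `virSecretDaemonConfigLoadFile(virSecretDaemonConfig *data, const char *filename, bool allow_missing)`, but nothing in secret_config.c defines it (the loader is the static virSecretLoadDaemonConfig()); either drop the prototype or implement it. The `secrets_encryption_key` member is `unsigned char *` here while virGetSecretsEncryptionKey() takes `uint8_t **`; pick one type. The comment on `encrypt_data` ("0 if not encrypted and 1 if encrypted") describes an int, but the field is `bool`, and the struct mixes camelCase (`secretsEncryptionKeyPath`, `secretsKeyLen`) with snake_case (`secrets_encryption_key`, `encrypt_data`). The includes of "virinhibitor.h" and "secret_event.h" also look copied over from another header, since nothing in this file uses them.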
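Review bot: the src/libvirt_private.syms hunk exports only virSecretDaemonConfigNew, yet virSecretDaemonConfigFilePath() is non-static and declared in secret_config.h; either export it alongside, or make it static if only the .c file needs it.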
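Review bot: in the src/secret/libvirt_secrets.aug hunk, the comment "Each entry in the config is one of the following three ..." is left over from the lens template: `entry` is just `secrets_entry`, which covers two keys. Either update the comment or drop it.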
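Review bot: the src/secret/secrets.conf.in hunk tells the user to "set the secret_encryption_key", but the key parsed by virSecretLoadDaemonConfig() and matched by the lens is `secrets_encryption_key`; the typo will send people to a setting that is ignored. The same comment says the option overrides the "default encryption key path" without stating what that default is; per virSecretDaemonConfigNew(), when the option is unset the key is read from $CREDENTIALS_DIRECTORY/secrets-encryption-key, so document that here rather than leaving the commented-out /run/libvirt/secrets path to imply it is the default. Minor: "32-bytes long" should read "32 bytes long".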