[PATCH 2/2] block/rbd: support keyring option via QAPI

Fiona Ebner posted 2 patches 7 months ago
Maintainers: Ilya Dryomov <idryomov@gmail.com>, Peter Lieven <pl@dlhnet.de>, Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>
[PATCH 2/2] block/rbd: support keyring option via QAPI
Posted by Fiona Ebner 7 months ago
In Proxmox VE, it is not always required to have a dedicated Ceph
configuration file, and using the 'key-secret' QAPI option would
require obtaining a key from the keyring first. The keyring location
is readily available however, so having support for the 'keyring'
configuration option is most convenient.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 block/rbd.c          | 8 ++++++++
 qapi/block-core.json | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/block/rbd.c b/block/rbd.c
index 2924f23093..660224c6c8 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -306,6 +306,14 @@ static int qemu_rbd_set_key_value_pairs(rados_t cluster,
         return 0;
     }
 
+    if (key_value_pairs->keyring) {
+        int r = rados_conf_set(cluster, "keyring", key_value_pairs->keyring);
+        if (r < 0) {
+            error_setg_errno(errp, -r, "could not set 'keyring'");
+            return -EINVAL;
+        }
+    }
+
     if (key_value_pairs->has_rbd_cache_policy) {
         RbdCachePolicy value = key_value_pairs->rbd_cache_policy;
         int r = rados_conf_set(cluster, "rbd_cache_policy",
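Review bot: In the new `if (key_value_pairs->keyring)` block, the failure path returns -EINVAL while error_setg_errno() reports -r, so the caller loses the librados error code; consider `return r;` if that matches how the rest of qemu_rbd_set_key_value_pairs() reports failures. The string is also handed to rados_conf_set() as-is, and nothing in this hunk rejects an empty value or says what happens when a 'key-secret' is supplied for the same connection. A check, or a comment stating which credential wins, would make the behaviour explicit.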
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 4666765e66..3253c6e6e9 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -4327,12 +4327,15 @@
 #
 # Key-value pairs for Ceph configuration.
 #
+# @keyring: Ceph configuration option 'keyring'.
+#
 # @rbd-cache-policy: Ceph configuration option 'rbd_cache_policy'.
 #
 # Since 10.1
 ##
 { 'struct': 'RbdKeyValuePairs',
-  'data': { '*rbd-cache-policy': 'RbdCachePolicy' } }
+  'data': { '*keyring': 'str',
+            '*rbd-cache-policy': 'RbdCachePolicy' } }
 
 ##
 # @BlockdevOptionsRbd:
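Review bot: The '@keyring' description added above '@rbd-cache-policy' only repeats the option name; it should say that the value is a path to a keyring file read by the QEMU process, and how it relates to 'key-secret', which the commit message names as the existing way to pass the key. If this member ships in a later release than the struct's 'Since 10.1', it also needs its own '(Since x.y)' tag.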
-- 
2.39.5
Re: [PATCH 2/2] block/rbd: support keyring option via QAPI
Posted by Ilya Dryomov 6 months ago
On Thu, May 15, 2025 at 1:29 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
>
> In Proxmox VE, it is not always required to have a dedicated Ceph
> configuration file, and using the 'key-secret' QAPI option would
> require obtaining a key from the keyring first. The keyring location
> is readily available however, so having support for the 'keyring'
> configuration option is most convenient.

Would such a setup have a ceph.conf file that is shared between
multiple users (or no ceph.conf file at all if the monitors are
specified via QAPI option) but individual keyring files for each
user?

Thanks,

                Ilya
Re: [PATCH 2/2] block/rbd: support keyring option via QAPI
Posted by Fiona Ebner 6 months ago
On 16.06.25 at 11:34, Ilya Dryomov wrote:
> On Thu, May 15, 2025 at 1:29 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
>>
>> In Proxmox VE, it is not always required to have a dedicated Ceph
>> configuration file, and using the 'key-secret' QAPI option would
>> require obtaining a key from the keyring first. The keyring location
>> is readily available however, so having support for the 'keyring'
>> configuration option is most convenient.
> 
> Would such a setup have a ceph.conf file that is shared between
> multiple users (or no ceph.conf file at all if the monitors are
> specified via QAPI option) but individual keyring files for each
> user?

There is only a single Ceph user and we could create a ceph.conf file
with the 'keyring' option set. It was just not required in the past,
because we specified 'keyring' via '-drive' directly, so having this
option would be more convenient for us.

In short: we can still make it work on our side if there is no interest
in adding this option in the QAPI.

Best Regards,
Fiona


Re: [PATCH 2/2] block/rbd: support keyring option via QAPI
Posted by Ilya Dryomov 6 months ago
On Mon, Jun 16, 2025 at 2:51 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
>
> On 16.06.25 at 11:34, Ilya Dryomov wrote:
> > On Thu, May 15, 2025 at 1:29 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
> >>
> >> In Proxmox VE, it is not always required to have a dedicated Ceph
> >> configuration file, and using the 'key-secret' QAPI option would
> >> require obtaining a key from the keyring first. The keyring location
> >> is readily available however, so having support for the 'keyring'
> >> configuration option is most convenient.
> >
> > Would such a setup have a ceph.conf file that is shared between
> > multiple users (or no ceph.conf file at all if the monitors are
> > specified via QAPI option) but individual keyring files for each
> > user?
>
> There is only a single Ceph user and we could create a ceph.conf file
> with the 'keyring' option set. It was just not required in the past,
> because we specified 'keyring' via '-drive' directly, so having this
> option would be more convenient for us.
>
> In short: we can still make it work on our side if there is no interest
> in adding this option in the QAPI.

I don't have a strong opinion, but it feels a bit like circumventing
the QAPI secret infrastructure.  It's already possible to circumvent it
indirectly through the keyring option in ceph.conf file but that is
something that falls out naturally and has always been there.  Adding
a more direct way to do it has me split...

Thanks,

                Ilya