Daniel P. Berrangé <berra...@redhat.com> writes: > On Fri, Apr 20, 2018 at 03:34:26PM +0200, Markus Armbruster wrote: >> Daniel P. Berrangé <berra...@redhat.com> writes: >> >> > Yeah this is a mess - I wish we had never allowed users to pass a config >> > file, and had used /dev/null all the time. Unfortunately changing either >> > of these aspects would cause backcompat problems for existing deployments >> > now :-( So we just have to accept that the global config file is always >> > in present, but none the less libvirt should try to specify things as >> > fully as possible. >> >> I'm afraid you get backward compatibility problems no matter what. >> Whenever you extend libvirt to pass configuration C "via normal per-disk >> setup for blockdev", it breaks user config files containing C, doesn't >> it? > > That's not actually a problem here. We are only passing things to QEMU > that the user already provided us in the XML file. If we gain support > for passing a new item via the blockdev schema, then we'd only be > passing that to QEMU if the user actually provided that item in the > XML too. We're not likely to pass a new config field without the > user having asked us to first.
What made me guess otherwise: "to properly protect against compromised QEMU, ideally every QEMU would use a completely separate RBD user+password, so that compromised QEMU can't then access RBD disks belonging to a different user" led me to assume libvirt would do this automatically. [...]
