libvirt/docs/formatsecret.html.in
Paolo Bonzini adba070122 secret: add iscsi to possible usage types
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-03-22 12:10:23 +08:00

92 lines
3.2 KiB
HTML

<html>
<body>
<h1>Secret XML format</h1>
<ul id="toc"></ul>
<h2><a name="SecretAttributes">Secret XML</a></h2>
<p>
Secrets stored by libvirt may have attributes associated with them, using
the <code>secret</code> element. The <code>secret</code> element has two
optional attributes, each with values '<code>yes</code>' and
'<code>no</code>', and defaulting to '<code>no</code>':
</p>
<dl>
<dt><code>ephemeral</code></dt>
<dd>This secret must only be kept in memory, never stored persistently.
</dd>
<dt><code>private</code></dt>
<dd>The value of the secret must not be revealed to any caller of libvirt,
nor to any other node.
</dd>
</dl>
<p>
The top-level <code>secret</code> element may contain the following
elements:
</p>
<dl>
<dt><code>uuid</code></dt>
<dd>
An unique identifier for this secret (not necessarily in the UUID
format). If omitted when defining a new secret, a random UUID is
generated.
</dd>
<dt><code>description</code></dt>
<dd>A human-readable description of the purpose of the secret.
</dd>
<dt><code>usage</code></dt>
<dd>
Specifies what this secret is used for. A mandatory
<code>type</code> attribute specifies the usage category, currently
only <code>volume</code> and <code>ceph</code> are defined.
Specific usage categories are described below.
</dd>
</dl>
<h3>Usage type "volume"</h3>
<p>
This secret is associated with a volume, and it is safe to delete the
secret after the volume is deleted. The <code>&lt;usage
type='volume'&gt;</code> element must contain a
single <code>volume</code> element that specifies the key of the volume
this secret is associated with.
</p>
<h3>Usage type "ceph"</h3>
<p>
This secret is associated with a Ceph RBD (rados block device).
The <code>&lt;usage type='ceph'&gt;</code> element must contain
a single <code>name</code> element that specifies a usage name
for the secret. The Ceph secret can then be used by UUID or by
this usage name via the <code>&lt;auth&gt;</code> element of
a <a href="domain.html#elementsDisks">disk
device</a>. <span class="since">Since 0.9.7</span>.
</p>
<h3>Usage type "iscsi"</h3>
<p>
This secret is associated with an iSCSI target for CHAP authentication.
The <code>&lt;usage type='iscsi'&gt;</code> element must contain
a single <code>target</code> element that specifies a usage name
for the secret. The iSCSI secret can then be used by UUID or by
this usage name via the <code>&lt;auth&gt;</code> element of
a <a href="domain.html#elementsDisks">disk
device</a>. <span class="since">Since 1.0.4</span>.
</p>
<h2><a name="example">Example</a></h2>
<pre>
&lt;secret ephemeral='no' private='yes'&gt;
&lt;description&gt;LUKS passphrase for the main hard drive of our mail server&lt;/description&gt;
&lt;usage type='volume'&gt;
&lt;volume&gt;/var/lib/libvirt/images/mail.img&lt;/volume&gt;
&lt;/usage&gt;
&lt;/secret&gt;</pre>
</body>
</html>