libvirt-docs-1.1.3.8-1.fc20.x86_64.rpm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
        This file is autogenerated from formatsecret.html.in
        Do not edit this file. Changes will be lost.
      -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <link rel="stylesheet" type="text/css" href="main.css" />
    <link rel="SHORTCUT ICON" href="32favicon.png" />
    <title>libvirt: Secret XML format</title>
    <meta name="description" content="libvirt, virtualization, virtualization API" />
  </head>
  <body>
    <div id="body">
      <div id="content">
        <h1>Secret XML format</h1>
        <ul><li>
            <a href="#SecretAttributes">Secret XML</a>
            <ul><li>
                <a href="#VolumeUsageType">Usage type "volume"</a>
              </li><li>
                <a href="#CephUsageType">Usage type "ceph"</a>
              </li><li>
                <a href="#iSCSIUsageType">Usage type "iscsi"</a>
              </li></ul>
          </li></ul>
        <h2>
          <a name="SecretAttributes" shape="rect" id="SecretAttributes">Secret XML</a>
        </h2>
        <p>
      Secrets stored by libvirt may have attributes associated with them, using
      the <code>secret</code> element.  The <code>secret</code> element has two
      optional attributes, each with values '<code>yes</code>' and
      '<code>no</code>', and defaulting to '<code>no</code>':
    </p>
        <dl><dt><code>ephemeral</code></dt><dd>This secret must only be kept in memory, never stored persistently.
      </dd><dt><code>private</code></dt><dd>The value of the secret must not be revealed to any caller of libvirt,
        nor to any other node.
      </dd></dl>
        <p>
      The top-level <code>secret</code> element may contain the following
      elements:
    </p>
        <dl><dt><code>uuid</code></dt><dd>
        A unique identifier for this secret (not necessarily in the UUID
        format).  If omitted when defining a new secret, a random UUID is
        generated.
      </dd><dt><code>description</code></dt><dd>A human-readable description of the purpose of the secret.
      </dd><dt><code>usage</code></dt><dd>
        Specifies what this secret is used for.  A mandatory
        <code>type</code> attribute specifies the usage category, currently
        only <code>volume</code>, <code>ceph</code> and <code>iscsi</code>
        are defined. Specific usage categories are described below.
      </dd></dl>
        <h3>
          <a name="VolumeUsageType" shape="rect" id="VolumeUsageType">Usage type "volume"</a>
        </h3>
        <p>
      This secret is associated with a volume, and it is safe to delete the
      secret after the volume is deleted.  The <code>&lt;usage
      type='volume'&gt;</code> element must contain a
      single <code>volume</code> element that specifies the key of the volume
      this secret is associated with. For example, create a volume-secret.xml
      file as follows:
    </p>
        <pre xml:space="preserve">
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;Super secret name of my first puppy&lt;/description&gt;
         &lt;uuid&gt;0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f&lt;/uuid&gt;
         &lt;usage type='volume'&gt;
            &lt;volume&gt;/var/lib/libvirt/images/puppyname.img&lt;/volume&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;
    </pre>
        <p>
      Define the secret and set the pass phrase as follows:
    </p>
        <pre xml:space="preserve">
      # virsh secret-define volume-secret.xml
      Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created
      #
      # MYSECRET=`printf %s "open sesame" | base64`
      # virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET
      Secret value set
      #
    </pre>
        <p>
      The volume type secret can then be used in the XML for a storage volume
      <a href="formatstorageencryption.html" shape="rect">encryption</a> as follows:
    </p>
        <pre xml:space="preserve">
      &lt;encryption format='qcow'&gt;
        &lt;secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/&gt;
      &lt;/encryption&gt;
    </pre>
        <h3>
          <a name="CephUsageType" shape="rect" id="CephUsageType">Usage type "ceph"</a>
        </h3>
        <p>
      This secret is associated with a Ceph RBD (RADOS block device).
      The <code>&lt;usage type='ceph'&gt;</code> element must contain
      a single <code>name</code> element that specifies a usage name
      for the secret.  The Ceph secret can then be used by UUID or by
      this usage name via the <code>&lt;auth&gt;</code> element of
      a <a href="formatdomain.html#elementsDisks" shape="rect">disk device</a> or
      a <a href="formatstorage.html" shape="rect">storage pool (rbd)</a>.
      <span class="since">Since 0.9.7</span>. The following is an example
      of the steps to be taken.  First create a ceph-secret.xml file:
    </p>
        <pre xml:space="preserve">
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;CEPH passphrase example&lt;/description&gt;
         &lt;auth type='ceph' username='myname'/&gt;
         &lt;usage type='ceph'&gt;
            &lt;name&gt;ceph_example&lt;/name&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;
    </pre>
        <p>
      Next, use <code>virsh secret-define ceph-secret.xml</code> to define
      the secret, then use <code>virsh secret-set-value</code> with the
      generated UUID and the base64-encoded pass phrase to set the value
      of the secret.
    </p>
        <pre xml:space="preserve">
      # virsh secret-define ceph-secret.xml
      Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created
      #
      # virsh secret-list
      UUID                                 Usage
      -----------------------------------------------------------
      1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example
      #
      # CEPHPHRASE=`printf %s "pass phrase" | base64`
      # virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE
      Secret value set

      #
    </pre>
        <p>
      The ceph secret can then be used by UUID or by the
      usage name via the <code>&lt;auth&gt;</code> element in a domain's
      <a href="formatdomain.html#elementsDisks" shape="rect"><code>&lt;disk&gt;</code></a>
      element as follows:
    </p>
        <pre xml:space="preserve">
      &lt;auth username='myname'&gt;
        &lt;secret type='ceph' usage='ceph_example'/&gt;
      &lt;/auth&gt;
    </pre>
        <p>
      It can also be used via the <code>&lt;auth&gt;</code> element in a
      <a href="formatstorage.html" shape="rect">storage pool (rbd)</a>
      <code>&lt;source&gt;</code> element as follows:
    </p>
        <pre xml:space="preserve">
      &lt;auth type='ceph' username='myname'&gt;
        &lt;secret usage='ceph_example'/&gt;
      &lt;/auth&gt;
    </pre>
        <h3>
          <a name="iSCSIUsageType" shape="rect" id="iSCSIUsageType">Usage type "iscsi"</a>
        </h3>
        <p>
      This secret is associated with an iSCSI target for CHAP authentication.
      The <code>&lt;usage type='iscsi'&gt;</code> element must contain
      a single <code>target</code> element that specifies a usage name
      for the secret. The iSCSI secret can then be used by UUID or by
      this usage name via the <code>&lt;auth&gt;</code> element of
      a <a href="formatdomain.html#elementsDisks" shape="rect">disk device</a> or
      a <a href="formatstorage.html" shape="rect">storage pool (iscsi)</a>.
      <span class="since">Since 1.0.4</span>. The following is an example
      of the XML that may be used to generate a secret for iSCSI CHAP
      authentication. Assume the following sample entry in an iSCSI
      authentication file:
    </p>
        <pre xml:space="preserve">
      &lt;target iqn.2013-07.com.example:iscsi-pool&gt;
      backing-store /home/tgtd/iscsi-pool/disk1
      backing-store /home/tgtd/iscsi-pool/disk2
      incominguser myname mysecret
      &lt;/target&gt;
      </pre>
        <p>
      Define an iscsi-secret.xml file to describe the secret. Use the
      <code>incominguser</code> username used in your iSCSI authentication
      configuration file as the value for the <code>username</code> attribute.
      The <code>description</code> element should contain
      configuration-specific data. The <code>target</code> name may be any
      name of your choosing; it is the value given as the <code>usage</code>
      in the pool or disk XML description.
    </p>
        <pre xml:space="preserve">
      &lt;secret ephemeral='no' private='yes'&gt;
         &lt;description&gt;Passphrase for the iSCSI example.com server&lt;/description&gt;
         &lt;auth type='chap' username='myname'/&gt;
         &lt;usage type='iscsi'&gt;
            &lt;target&gt;libvirtiscsi&lt;/target&gt;
         &lt;/usage&gt;
      &lt;/secret&gt;
    </pre>
        <p>
      Next, use <code>virsh secret-define iscsi-secret.xml</code> to define
      the secret, then use <code>virsh secret-set-value</code> with the
      generated UUID and the base64-encoded pass phrase to set the value
      of the secret.  The pass phrase must match the password
      used in the iSCSI authentication configuration file.
    </p>
        <pre xml:space="preserve">
      # virsh secret-define iscsi-secret.xml
      Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created

      # virsh secret-list
      UUID                                 Usage
      -----------------------------------------------------------
      c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi

      # MYSECRET=`printf %s "mysecret" | base64`
      # virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET
      Secret value set
      #
    </pre>
        <p>
      The iSCSI secret can then be used by UUID or by the
      usage name via the <code>&lt;auth&gt;</code> element in a domain's
      <a href="formatdomain.html#elementsDisks" shape="rect"><code>&lt;disk&gt;</code></a>
      element as follows:
    </p>
        <pre xml:space="preserve">
      &lt;auth username='myname'&gt;
        &lt;secret type='iscsi' usage='libvirtiscsi'/&gt;
      &lt;/auth&gt;
    </pre>
        <p>
      It can also be used via the <code>&lt;auth&gt;</code> element in a
      <a href="formatstorage.html" shape="rect">storage pool (iscsi)</a>
      <code>&lt;source&gt;</code> element as follows:
    </p>
        <pre xml:space="preserve">
      &lt;auth type='chap' username='myname'&gt;
        &lt;secret usage='libvirtiscsi'/&gt;
      &lt;/auth&gt;
    </pre>
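        <p>
      The following is an added example, not part of the libvirt
      documentation or code base: a pre-flight check for a secret XML file
      before it is passed to <code>virsh secret-define</code>, covering the
      attribute rules and the three usage types described on this page.
      The names <code>audit_secret_xml</code> and <code>USAGE_CHILD</code>
      are hypothetical, and the input is assumed to be a locally authored,
      trusted file.
    </p>

```python
import xml.etree.ElementTree as ET

# Element that <usage type='...'> must contain, per the usage types on this page.
USAGE_CHILD = {"volume": "volume", "ceph": "name", "iscsi": "target"}

# The page's own volume-secret.xml.
PAGE_VOLUME_SECRET = """
<secret ephemeral='no' private='yes'>
   <description>Super secret name of my first puppy</description>
   <uuid>0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f</uuid>
   <usage type='volume'>
      <volume>/var/lib/libvirt/images/puppyname.img</volume>
   </usage>
</secret>
"""

# Constructed sample: bad attribute value, wrong child for 'ceph', no private attribute.
CONSTRUCTED_BAD = """
<secret ephemeral='maybe'>
   <usage type='ceph'><volume>/tmp/example.img</volume></usage>
</secret>
"""


def audit_secret_xml(xml_text):
    """Return (errors, warnings) for a locally authored <secret> definition."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "secret":
        return ["top-level element must be <secret>"], warnings
    # ephemeral and private are optional, accept 'yes'/'no', and default to 'no'.
    for attr in ("ephemeral", "private"):
        if root.get(attr, "no") not in ("yes", "no"):
            errors.append(f"{attr} must be 'yes' or 'no'")
    if root.get("private", "no") == "no":
        warnings.append("private is 'no': the value is not withheld from libvirt callers")
    usage = root.find("usage")
    if usage is not None:
        utype = usage.get("type")
        child = USAGE_CHILD.get(utype)
        if utype is None:
            errors.append("<usage> requires a type attribute")
        elif child is None:
            errors.append(f"undefined usage type {utype!r}")
        else:
            found = usage.findall(child)
            if len(found) != 1 or not (found[0].text or "").strip():
                errors.append(f"usage type {utype!r} needs exactly one non-empty <{child}>")
    return errors, warnings


if __name__ == "__main__":
    for label, doc in (("page example", PAGE_VOLUME_SECRET), ("constructed", CONSTRUCTED_BAD)):
        print(label, audit_secret_xml(doc))
```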
      </div>
    </div>
    <div id="footer">
      <p id="sponsor">
	    Sponsored by:<br /><a href="http://et.redhat.com/"><img src="et.png" alt="Project sponsored by Red Hat Emerging Technology" /></a></p>
    </div>
  </body>
</html>