Provide unique non-dictionary passwords for all our IPMI/HMC interfaces size:S
bmwiedemann from SUSE-IT informed me that security scans have shown openqaworkers to be vulnerable due to the default IPMI passwords. We should provide a unique password for that purpose, potentially unique for each host.
- AC1: No IPMI/BMC connection in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls references the default password anymore
- Generate a password for each host with
- Just use the same password we have for sp.openqaw8-vmware.qa.suse.de where bmwiedemann recently set a new password
- Set password from each host, e.g. with
  rcipmi start
  ipmitool user list
  ipmitool user set password 2 'FOOBAR'
#2 Updated by okurz about 2 months ago
I added a hint on https://progress.opensuse.org/projects/openqav3/wiki/Wiki/diff?utf8=%E2%9C%93&version=135&version_from=134&commit=View+differences to add a new IPMI password for new machines
#5 Updated by mkittler about 2 months ago
- Status changed from Workable to Feedback
Everything should be updated, including web hooks and documentation on https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/373.
I could not access fsp1-malbec.arch.suse.de from the outside (before and after the update) but I could change the password locally.
#9 Updated by mkittler about 2 months ago
I've checked with a web hook that just logs the env (see https://gitlab.suse.de/openqa/grafana-webhook-actions/-/commit/e0741e8b329b094756e15693171f5f0c35ef6e65) and could clearly reproduce the problem and see that the URL-encoding helps.
#10 Updated by mkittler about 2 months ago
- Status changed from Feedback to Resolved
Looks like the recovery works again, e.g. https://gitlab.suse.de/openqa/grafana-webhook-actions/-/jobs/742232
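Added example, not code from this ticket or from the openQA project: one way to generate the per-host password the description asks for and apply it with the `ipmitool user set password 2` command shown there. The function names are hypothetical. The letters-and-digits alphabet and the `urlencode` helper assume that the URL-encoding problem mentioned in comment #9 came from password characters ending up in a URL.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not from the ticket.

# Print a random password of $1 characters (default 16) from [A-Za-z0-9].
# IPMI 1.5 stores at most 16 password bytes and IPMI 2.0 at most 20, so 16
# fits both; anything shorter than 12 or longer than 20 is refused.
gen_ipmi_password() {
    _len="${1:-16}"
    case "$_len" in '' | *[!0-9]*) return 1 ;; esac
    [ "$_len" -ge 12 ] && [ "$_len" -le 20 ] || return 1
    # 512 random bytes leave about 120 usable characters after filtering.
    _pw=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$_len")
    [ "${#_pw}" -eq "$_len" ] || return 1
    printf '%s\n' "$_pw"
}

# Percent-encode every ASCII character outside the RFC 3986 unreserved set,
# for an existing password that has to be embedded in a URL.
urlencode() {
    _s="$1"; _out=""
    while [ -n "$_s" ]; do
        _rest="${_s#?}"
        _c="${_s%"$_rest"}"
        case "$_c" in
            [A-Za-z0-9.~_-]) _out="$_out$_c" ;;
            *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
        esac
        _s="$_rest"
    done
    printf '%s\n' "$_out"
}

# Set a fresh password on the local BMC with the ticket's command (user ID 2).
# DRY_RUN defaults to 1; the password goes to stdout so the caller can record
# it. Passing it in argv exposes it in the process list while ipmitool runs.
rotate_local_ipmi_password() {
    _new=$(gen_ipmi_password "${1:-16}") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "dry run: ipmitool user set password 2 <${#_new} chars>" >&2
    else
        ipmitool user set password 2 "$_new" >&2 || return 1
    fi
    printf '%s\n' "$_new"
}
```

Run `DRY_RUN=0 rotate_local_ipmi_password` as root on the host itself to apply the change. A password generated this way passes through `urlencode` unchanged.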