coordination #105624: [saga][epic] Reconsider how openQA handles secrets
Stop showing ipmi passwords in autoinst.txt from an ipmi backend job in O3
In the case of a job failing with ipmi connection, the ipmitool command is output in autoinst.txt. It is helpful for debugging, but for security reasons in O3, we request to stop disclosing the ipmi password in any log as the logs are open to the public.
[2022-04-24T15:40:32.162147+08:00] [debug] IPMI: Selftest: passed
[2022-04-24T15:40:44.339280+08:00] [debug] IPMI: Chassis Power is on
[2022-04-24T15:40:48.399101+08:00] [debug] IPMI: Chassis Power Control: Down/Off
[2022-04-24T15:41:05.546723+08:00] [info] ::: backend::baseclass::die_handler: Backend process died, backend errors are reported below in the following lines:
**ipmitool -I lanplus -H 10.67.135.1 -U <user> -P <password_need_to_be_secret_here> chassis power status**: Error: Unable to establish IPMI v2 / RMCP+ session at /usr/lib/os-autoinst/backend/ipmi.pm line 45, <$fh> line 6.
[2022-04-24T15:41:09.604149+08:00] [debug] IPMI: Chassis Power Control: Down/Off
Updated by okurz over 1 year ago
Hi @okurz, can this have higher priority to be handled?
I am sorry but I do not see the SUSE QE Tools team working on this anytime soon. This is quite limited in scope to only os-autoinst and maybe really only the IPMI backend so it should be feasible to be solved by external contributors e.g. you within your team. We are happy to support when you take over. Feel welcome to also open draft pull requests and ask questions in there if anything is unclear.
Updated by livdywan over 1 year ago
I'll evaluate whether I can handle this and how much effort it is after I finish the ipxe boot issue.
From a brief look at the code involved, I think bmwqemu::diag calls could be updated to use masked => $password_variable. There's some stderr handling so you probably want to check if that can expose the password and might need to be handled additionally.
Updated by Julie_CAO over 1 year ago
https://github.com/os-autoinst/os-autoinst/pull/2118 is submitted. Review is welcome.
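One way to keep the password out of both the logged command line and the captured stderr discussed above, as an added example that is neither os-autoinst code nor the change in the linked pull request. The helpers `mask_args` and `mask_text`, the `[masked]` marker and the sample user and password are hypothetical.

```perl
use strict;
use warnings;

# Hypothetical helper (not os-autoinst code): copy an argument list and
# replace the value that belongs to each secret-bearing option.
sub mask_args {
    my ($args, @secret_opts) = @_;
    my %is_secret = map { $_ => 1 } @secret_opts;
    my (@out, $mask_next);
    for my $arg (@$args) {
        if ($mask_next) { push @out, '[masked]'; $mask_next = 0; next; }
        # Attached form such as "-Psecret": keep the option, drop the value
        if ($arg =~ /^(-\w)(.+)$/s && $is_secret{$1}) { push @out, $1 . '[masked]'; next; }
        $mask_next = 1 if $is_secret{$arg};
        push @out, $arg;
    }
    return @out;
}

# Hypothetical helper: replace literal occurrences of known secrets in free
# text (stderr, die messages), in case a tool echoes its own arguments.
sub mask_text {
    my ($text, @secrets) = @_;
    for my $secret (grep { defined($_) && length($_) } @secrets) {
        $text =~ s/\Q$secret\E/[masked]/g;
    }
    return $text;
}

# Constructed sample values, shaped like the failing command in the log above
my $password = 'constructed-secret';
my @cmd = ('ipmitool', '-I', 'lanplus', '-H', '10.67.135.1',
    '-U', 'constructed-user', '-P', $password, 'chassis', 'power', 'status');
# Constructed stderr that echoes the password, the case the comment warns about
my $stderr = "Error: Unable to establish IPMI v2 / RMCP+ session (-P $password)";

# Build the message from the masked argument list, then scrub the whole
# string once more before it reaches any logger or die handler.
my $message = mask_text(join(' ', mask_args(\@cmd, '-P')) . ": $stderr", $password);

die "password leaked into log message\n" if index($message, $password) >= 0;
print "$message\n";
```

Masking by option position covers the command line even when the secret value is unknown to the logger, while the literal scrub covers stderr and die messages where the value can appear in any position.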