action #110227
closedcoordination #105624: [saga][epic] Reconsider how openQA handles secrets
Stop showing ipmi passwords in autoinst.txt from an ipmi backend job in O3
Description
Current situation
In the case of a job failing with ipmi connection, the ipmitool command is output in autoinst.txt. It is helpful for debugging, but for security reasons in O3, we request to stop disclosing the ipmi password in any log as the logs are open to the public.
e.g.
[2022-04-24T15:40:32.162147+08:00] [debug] IPMI: Selftest: passed
[2022-04-24T15:40:44.339280+08:00] [debug] IPMI: Chassis Power is on
[2022-04-24T15:40:48.399101+08:00] [debug] IPMI: Chassis Power Control: Down/Off
[2022-04-24T15:41:05.546723+08:00] [info] ::: backend::baseclass::die_handler: Backend process died, backend errors are reported below in the following lines:
**ipmitool -I lanplus -H 10.67.135.1 -U <user> -P <password_need_to_be_secret_here> chassis power status**: Error: Unable to establish IPMI v2 / RMCP+ session at /usr/lib/os-autoinst/backend/ipmi.pm line 45, <$fh> line 6.
[2022-04-24T15:41:09.604149+08:00] [debug] IPMI: Chassis Power Control: Down/Off
Updated by Julie_CAO over 2 years ago
- Related to action #105594: Two new machines for OSD and o3, meant for bare-metal virtualization size:M added
Updated by okurz over 2 years ago
- Tags set to reactive work
- Priority changed from Normal to Low
- Target version set to Ready
Updated by okurz over 2 years ago
- Tags deleted (reactive work)
- Target version changed from Ready to future
- Parent task set to #105405
Updated by Julie_CAO over 2 years ago
As the ipxe bootloader issue in O3 is fixed, we are going to deploy virtualization tests in O3 for the factory-first project, but the ipmi password exposure will be the blocker. Hi @okurz, can this have higher priority to be handled?
Updated by okurz over 2 years ago
Julie_CAO wrote:
Hi @okurz, can this have higher priority to be handled?
I am sorry but I do not see the SUSE QE Tools team working on this anytime soon. This is quite limited in scope to only os-autoinst and maybe really only the IPMI backend so it should be feasible to be solved by external contributors e.g. you within your team. We are happy to support when you take over. Feel welcome to also open draft pull requests and ask questions in there if anything is unclear.
Updated by Julie_CAO over 2 years ago
I'll evaluate if I can handle this and what the effort is after I finish the ipxe boot issue.
Updated by livdywan over 2 years ago
Julie_CAO wrote:
I'll evaluate if I can handle this and what the effort is after I finish the ipxe boot issue.
From a brief look at the code involved, I think bmwqemu::diag calls could be updated to use masked => $password_variable. There's some stderr handling so you probably want to check if that can expose the password and might need to be handled additionally.
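An added sketch of the masking idea discussed above, covering the die/stderr path that produced the leaked line in the log. It is not os-autoinst code and not the content of the pull request; `mask_secrets`, `run_ipmi_cmd` and `safe_ipmi_cmd` are hypothetical names, the failing command is simulated, and all values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: replace every occurrence of each secret in $text.
sub mask_secrets {
    my ($text, @secrets) = @_;
    # Skip undefined/empty secrets: an empty pattern would match everywhere.
    for my $secret (grep { defined($_) && length($_) } @secrets) {
        # \Q..\E quotes regex metacharacters that a password may contain.
        $text =~ s/\Q$secret\E/[masked]/g;
    }
    return $text;
}

# Constructed stand-in for the backend's ipmitool call. It always fails the
# way the log in this ticket shows, so the error path can be exercised offline.
sub run_ipmi_cmd {
    my ($args, $cmd) = @_;
    my @cmd = ('ipmitool', '-I', 'lanplus', '-H', $args->{host},
        '-U', $args->{user}, '-P', $args->{password}, split(' ', $cmd));
    my $stderr = 'Error: Unable to establish IPMI v2 / RMCP+ session';
    # The unmasked command line ends up in the exception text.
    die join(' ', @cmd) . ": $stderr\n";
}

# Mask at the boundary where text leaves the process. The exception carries
# both the command line and the captured stderr, so one pass covers both.
sub safe_ipmi_cmd {
    my ($args, $cmd) = @_;
    my $out = eval { run_ipmi_cmd($args, $cmd) };
    if (my $err = $@) {
        die mask_secrets($err, $args->{password});
    }
    return $out;
}

# Constructed sample values (documentation address, made-up credentials).
my %args = (host => '192.0.2.10', user => 'admin', password => 'p@ss.w0rd+1');
eval { safe_ipmi_cmd(\%args, 'chassis power status') };
print "logged: $@";
```

Masking the final message rather than only the debug calls means a password echoed back on stderr or embedded in a die string is caught by the same code path.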
Updated by Julie_CAO over 2 years ago
Thanks for the pointer, @cdywan! It helps a lot that I need not begin with it from scratch.
Updated by Julie_CAO over 2 years ago
https://github.com/os-autoinst/os-autoinst/pull/2118 is submitted. Reviews are welcome.
Updated by Julie_CAO over 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
PR merged. Close the ticket. Thank you all.