Project

General

Profile

Actions

action #110227

closed

coordination #105624: [saga][epic] Reconsider how openQA handles secrets

Stop showing ipmi passwords in autoinst.txt from a ipmi backend job in O3

Added by Julie_CAO over 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Low
Assignee:
-
Category:
Feature requests
Target version:
Start date:
2022-04-24
Due date:
% Done:

100%

Estimated time:

Description

Current situation

In the case of a job failing with ipmi connection, the ipmitool command is outputed in autoinst.txt. It is helpful for debug, but for security reasons in O3, we request to stop disclosing the ipmi password in any log as the logs are open to public.

fg.

[2022-04-24T15:40:32.162147+08:00] [debug] IPMI: Selftest: passed
[2022-04-24T15:40:44.339280+08:00] [debug] IPMI: Chassis Power is on
[2022-04-24T15:40:48.399101+08:00] [debug] IPMI: Chassis Power Control: Down/Off
[2022-04-24T15:41:05.546723+08:00] [info] ::: backend::baseclass::die_handler: Backend process died, backend errors are reported below in the following lines:
  **ipmitool -I lanplus -H 10.67.135.1 -U <user> -P <password_need_to_be_secret_here> chassis power status**: Error: Unable to establish IPMI v2 / RMCP+ session at /usr/lib/os-autoinst/backend/ipmi.pm line 45, <$fh> line 6.
[2022-04-24T15:41:09.604149+08:00] [debug] IPMI: Chassis Power Control: Down/Off

Related issues 1 (0 open1 closed)

Related to openQA Infrastructure - action #105594: Two new machines for OSD and o3, meant for bare-metal virtualization size:MResolvednicksinger2022-06-16

Actions
Actions #1

Updated by Julie_CAO over 2 years ago

  • Related to action #105594: Two new machines for OSD and o3, meant for bare-metal virtualization size:M added
Actions #2

Updated by okurz over 2 years ago

  • Tags set to reactive work
  • Priority changed from Normal to Low
  • Target version set to Ready
Actions #3

Updated by okurz over 2 years ago

  • Tags deleted (reactive work)
  • Target version changed from Ready to future
  • Parent task set to #105405
Actions #5

Updated by Julie_CAO over 2 years ago

As the ipxe bootloader issue in O3 is fixed, We are going to deploy virtualization tests in O3 for factory-first project, but the ipmi password exposure will be the blocker. Hi @okurz, can this have higher priority to be handled?

Actions #6

Updated by okurz over 2 years ago

Julie_CAO wrote:

Hi @okurz, can this have higher priority to be handled?

I am sorry but I do not see the SUSE QE Tools team working on this anytime soon. This is quite limited in scope to only os-autoinst and maybe really only the IPMI backend so it should be feasible to be solved by external contributors e.g. you within your team. We are happy to support when you take over. Feel welcome to also open draft pull requests and ask questions in there if anything is unclear.

Actions #7

Updated by Julie_CAO over 2 years ago

I'll evaluate if I can handle this and how is the effort after I finish the ipxe boot issue.

Actions #9

Updated by livdywan over 2 years ago

Julie_CAO wrote:

I'll evaluate if I can handle this and how is the effort after I finish the ipxe boot issue.

From a brief look at the code invovled, I think bmwqemu::diag calls could be updated to use masked => $password_variable. There's some stderr handling so you probably want to check if that can expose the password and might need to be handled additionally.

Actions #10

Updated by Julie_CAO over 2 years ago

thank for the pointer, @cdywan! It helps a lot that I need not begin with it from scrach.

Actions #11

Updated by Julie_CAO about 2 years ago

  • Status changed from New to In Progress
Actions #12

Updated by Julie_CAO about 2 years ago

Actions #13

Updated by Julie_CAO about 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100

PR merged. Close the ticket. Thank you all.

Actions

Also available in: Atom PDF