action #110227
closed
coordination #105624: [saga][epic] Reconsider how openQA handles secrets
Stop showing ipmi passwords in autoinst.txt from a ipmi backend job in O3
Added by Julie_CAO about 2 years ago.
Updated almost 2 years ago.
Category:
Feature requests
Description
Current situation¶
In the case of a job failing with ipmi connection, the ipmitool command is outputed in autoinst.txt. It is helpful for debug, but for security reasons in O3, we request to stop disclosing the ipmi password in any log as the logs are open to public.
fg.
[2022-04-24T15:40:32.162147+08:00] [debug] IPMI: Selftest: passed
[2022-04-24T15:40:44.339280+08:00] [debug] IPMI: Chassis Power is on
[2022-04-24T15:40:48.399101+08:00] [debug] IPMI: Chassis Power Control: Down/Off
[2022-04-24T15:41:05.546723+08:00] [info] ::: backend::baseclass::die_handler: Backend process died, backend errors are reported below in the following lines:
**ipmitool -I lanplus -H 10.67.135.1 -U <user> -P <password_need_to_be_secret_here> chassis power status**: Error: Unable to establish IPMI v2 / RMCP+ session at /usr/lib/os-autoinst/backend/ipmi.pm line 45, <$fh> line 6.
[2022-04-24T15:41:09.604149+08:00] [debug] IPMI: Chassis Power Control: Down/Off
- Related to action #105594: Two new machines for OSD and o3, meant for bare-metal virtualization size:M added
- Tags set to reactive work
- Priority changed from Normal to Low
- Target version set to Ready
- Tags deleted (
reactive work)
- Target version changed from Ready to future
- Parent task set to #105405
As the ipxe bootloader issue in O3 is fixed, We are going to deploy virtualization tests in O3 for factory-first project, but the ipmi password exposure will be the blocker. Hi @okurz, can this have higher priority to be handled?
Julie_CAO wrote:
Hi @okurz, can this have higher priority to be handled?
I am sorry but I do not see the SUSE QE Tools team working on this anytime soon. This is quite limited in scope to only os-autoinst and maybe really only the IPMI backend so it should be feasible to be solved by external contributors e.g. you within your team. We are happy to support when you take over. Feel welcome to also open draft pull requests and ask questions in there if anything is unclear.
I'll evaluate if I can handle this and how is the effort after I finish the ipxe boot issue.
Julie_CAO wrote:
I'll evaluate if I can handle this and how is the effort after I finish the ipxe boot issue.
From a brief look at the code invovled, I think bmwqemu::diag calls could be updated to use masked => $password_variable. There's some stderr handling so you probably want to check if that can expose the password and might need to be handled additionally.
thank for the pointer, @cdywan! It helps a lot that I need not begin with it from scrach.
- Status changed from New to In Progress
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
PR merged. Close the ticket. Thank you all.
Also available in: Atom
PDF