Cause:
'hosted-engine --deploy' added some secret values to the list of items it filters out in the log, including the engine VM root password, a bit too late.
Consequence:
If these values were added using an answer file, they appeared in the log file as clear-text.
Fix:
Now 'hosted-engine --deploy' adds these items before it starts writing the log file.
Result:
All occurrences of the secret values are filtered in the log file.
Additional information:
These values are not included in answer files automatically created by 'hosted-engine --deploy'.
They are included in answer files created by the cockpit plugin, which provides a GUI to 'hosted-engine --deploy', since 4.2. In 4.1 they were not included. Users could also add them manually before that, although that is not documented.
The bug is fixed.
Test version:
cockpit-ws-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-dashboard-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-ovirt-dashboard-0.11.6-0.1.el7ev.noarch
cockpit-system-157-1.el7.noarch
ovirt-hosted-engine-setup-2.2.8-2.el7ev.noarch
ovirt-hosted-engine-ha-2.2.4-1.el7ev.noarch
rhvm-appliance-4.2-20180125.0.el7.noarch
rhvh-4.2.1.2-0.20180126.0+1
Test steps:
1. Clean install rhvh-4.2.1.2-0.20180126.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file
Test results:
There is no HE password as clear text in the HE setup log file.
So, change the bug's status to verified!
This bugzilla is included in oVirt 4.2.1 release, published on Feb 12th 2018.
Since the problem described in this bug report should be resolved in oVirt 4.2.1 release, it has been closed with a resolution of CURRENT RELEASE.
If the solution does not work for you, please open a new bug report.
Created attachment 1384203 ovirt_hosted_engine_setup.log
Description of problem:
HE-VM cloudinit root password saved in the setup log file as clear text.
Version-Release number of selected component (if applicable):
cockpit-ws-157-1.el7.x86_64
cockpit-dashboard-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-system-157-1.el7.noarch
cockpit-ovirt-dashboard-0.11.4-0.1.el7ev.noarch
rhvh-4.2.1.1-0.20180115.0+1
ovirt-hosted-engine-setup-2.2.5-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7ev.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch
How reproducible:
100%
Steps to Reproduce:
1. Clean install rhvh-4.2.1.1-0.20180115.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file()
Actual results:
"""
#grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180121221950-rx9zku.log
2018-01-21 22:19:51,584-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-21 22:21:19,711-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-21 22:37:44,674-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
"""
Expected results:
There is no HE password as clear text in the HE setup log file.
Additional info:
The same issue in the upstream ovirt-node-ng-4.2.1-0.20180111.0+1.
Version:
ovirt-node-ng-4.2.1-0.20180111.0+1
cockpit-159-1.el7.centos.x86_64
cockpit-dashboard-159-1.el7.centos.x86_64
cockpit-bridge-159-1.el7.centos.x86_64
cockpit-system-159-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.3-0.1.el7.centos.noarch
cockpit-ws-159-1.el7.centos.x86_64
cockpit-storaged-159-1.el7.centos.noarch
cockpit-networkmanager-159-1.el7.centos.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7.centos.noarch
ovirt-hosted-engine-setup-2.2.5-1.el7.centos.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch
HE admin and root password saved in the setup log file as clear text.
1. # grep 'adminPassword=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log
2018-01-18 22:20:42,372+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'password'
2018-01-18 22:21:54,302+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:37:27,189+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2. # grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log
2018-01-18 22:20:42,375+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-18 22:21:54,318+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-18 22:37:27,205+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
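An added example, not part of this report and not oVirt project code: a log audit that generalizes the grep checks above to every key, flagging any environment key that a setup log shows both unmasked and as '**FILTERED**', which is the signature of a filter registered after the first dump. The function name, the sample values and the EXAMPLE/nonSecret key are assumptions made for illustration.

```python
import re

# One otopi environment-dump line, in the format quoted in this report:
#   <date> <time> DEBUG otopi.context context.dumpEnvironment:833 ENV KEY=type:'value'
ENV_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG otopi\.context context\.dumpEnvironment:\d+ "
    r"ENV (?P<key>[^=\s]+)=\w+:'(?P<value>.*)'\s*$"
)
FILTERED = "**FILTERED**"


def find_late_filtered(lines):
    """Map each key that is masked in some dumps but not in others to the
    timestamps of its unmasked dumps. Values are never returned or printed."""
    unmasked, masked = {}, set()
    for line in lines:
        m = ENV_LINE.match(line)
        if m is None:
            continue  # not an environment-dump line
        if m.group("value") == FILTERED:
            masked.add(m.group("key"))
        else:
            unmasked.setdefault(m.group("key"), []).append(m.group("ts"))
    # A key seen both ways was logged before its filter was registered.
    return {k: ts for k, ts in unmasked.items() if k in masked}


# Constructed sample log; the values and EXAMPLE/nonSecret are hypothetical.
_PREFIX = "DEBUG otopi.context context.dumpEnvironment:833 ENV "
SAMPLE_LOG = [
    "2018-01-21 22:19:51,584-0500 " + _PREFIX + "OVEHOSTED_VM/cloudinitRootPwd=str:'example-root-pw'",
    "2018-01-21 22:19:51,585-0500 " + _PREFIX + "EXAMPLE/nonSecret=int:'4096'",
    "2018-01-21 22:21:19,711-0500 " + _PREFIX + "OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'",
    "2018-01-21 22:21:19,712-0500 " + _PREFIX + "EXAMPLE/nonSecret=int:'4096'",
    "2018-01-21 22:21:19,713-0500 " + _PREFIX + "OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'",
]

if __name__ == "__main__":
    for key, stamps in find_late_filtered(SAMPLE_LOG).items():
        print(f"{key}: unmasked at {', '.join(stamps)}")
```

The check only catches keys that are masked somewhere in the same log; a secret that is never filtered at all needs an explicit key list instead.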