Bug 1536941

Summary: HE-VM cloudinit root password saved in the setup log file as clear text.
Product: [oVirt] ovirt-hosted-engine-setup
Reporter: Yihui Zhao <yzhao>
Component: General
Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE
QA Contact: Yihui Zhao <yzhao>
Severity: high
Docs Contact:
Priority: unspecified
Version: ---
CC: bugs, cshao, dguo, didi, dmoppert, huzhao, lveyde, phbailey, qiyuan, ratamir, rbarry, sbonazzo, stirabos, weiwang, yaniwang, ycui, yisong
Target Milestone: ovirt-4.2.1
Flags: rule-engine: ovirt-4.2+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-hosted-engine-setup-2.2.7
Doc Type: Bug Fix
Doc Text:
Cause: 'hosted-engine --deploy' added some secret values to the list of items it filters out in the log, including the engine VM root password, a bit too late.
Consequence: If these values were added using an answer file, they appeared in the log file as clear-text.
Fix: Now 'hosted-engine --deploy' adds these items before it starts writing the log file.
Result: All occurrences of the secret values are filtered in the log file.
Additional information: These values are not included in answer files automatically created by 'hosted-engine --deploy'. They are included in answer files created by the cockpit plugin which provides a GUI to 'hosted-engine --deploy', since 4.2. In 4.1 they were not included. Users could still manually add them also before, although that's not documented.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-12 11:53:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1458709
Attachments:
ovirt_hosted_engine_setup.log (flags: none)
/var/log/* (flags: none)

Description Yihui Zhao 2018-01-22 05:31:26 UTC
Created attachment 1384203
ovirt_hosted_engine_setup.log

Description of problem: 
HE-VM cloudinit root password saved in the setup log file as clear text.


Version-Release number of selected component (if applicable): 
cockpit-ws-157-1.el7.x86_64
cockpit-dashboard-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-system-157-1.el7.noarch
cockpit-ovirt-dashboard-0.11.4-0.1.el7ev.noarch
rhvh-4.2.1.1-0.20180115.0+1
ovirt-hosted-engine-setup-2.2.5-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7ev.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch

How reproducible: 
100% 


Steps to Reproduce: 
1. Clean install rhvh-4.2.1.1-0.20180115.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file()

Actual results: 
"""
 #grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180121221950-rx9zku.log
2018-01-21 22:19:51,584-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-21 22:21:19,711-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-21 22:37:44,674-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
"""

Expected results: 
There is no HE password as clear text in the HE setup log file.

Additional info: 
The same issue in the upstream ovirt-node-ng-4.2.1-0.20180111.0+1.

Version:
ovirt-node-ng-4.2.1-0.20180111.0+1
cockpit-159-1.el7.centos.x86_64
cockpit-dashboard-159-1.el7.centos.x86_64
cockpit-bridge-159-1.el7.centos.x86_64
cockpit-system-159-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.3-0.1.el7.centos.noarch
cockpit-ws-159-1.el7.centos.x86_64
cockpit-storaged-159-1.el7.centos.noarch
cockpit-networkmanager-159-1.el7.centos.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7.centos.noarch
ovirt-hosted-engine-setup-2.2.5-1.el7.centos.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch



HE admin and root password saved in the setup log file as clear text.
1.# grep 'adminPassword=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log 
2018-01-18 22:20:42,372+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'password'
2018-01-18 22:21:54,302+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:37:27,189+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'

2. #grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log
2018-01-18 22:20:42,375+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-18 22:21:54,318+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-18 22:37:27,205+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
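
A check for this failure mode in an existing setup log, as an added example (not part of the original report and not oVirt code): a key counts as secret if any dump in the same log shows it as '**FILTERED**', and every other dump of that key is reported without echoing the value. The `EXAMPLE/...` keys are constructed, and skipping `NoneType` dumps assumes unset keys are logged that way.

```python
import re

# Shape of the otopi environment-dump lines quoted in this report.
ENV_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG otopi\.context context\.dumpEnvironment:\d+ "
    r"ENV (?P<key>[^=\s]+)=(?P<type>\w+):'(?P<value>.*)'\s*$"
)
MASK = "**FILTERED**"


def find_cleartext_secrets(lines):
    """Return (timestamp, key) for every dump of a secret key left unmasked.

    A key is treated as secret if any dump in the same log shows it masked,
    so no list of password key names has to be maintained.
    """
    entries = []
    for line in lines:
        m = ENV_LINE.match(line.strip())
        # Assumption: a key that is not set yet is dumped with type NoneType;
        # such a dump holds no secret, so it is skipped.
        if m and m["type"] != "NoneType":
            entries.append((m["ts"], m["key"], m["value"]))
    secret_keys = {key for _, key, value in entries if value == MASK}
    # Report where the leak is, never the leaked value itself.
    return [(ts, key) for ts, key, value in entries
            if key in secret_keys and value != MASK]


# Sample input: lines taken from the report above, plus constructed
# EXAMPLE/* lines (not real oVirt keys) for the non-flagged cases.
SAMPLE_LOG = """\
2018-01-18 22:20:42,372+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'password'
2018-01-18 22:20:42,375+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-18 22:20:42,380+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV EXAMPLE/notSecret=str:'value'
2018-01-18 22:20:42,381+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV EXAMPLE/unsetSecret=NoneType:'None'
2018-01-18 22:21:54,302+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:21:54,318+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-18 22:21:54,320+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV EXAMPLE/unsetSecret=str:'**FILTERED**'
""".splitlines()

if __name__ == "__main__":
    for ts, key in find_cleartext_secrets(SAMPLE_LOG):
        print(f"{ts} {key}: cleartext value in log")
```

Any hit means the log file holds a live credential: restrict or purge the file and rotate the affected password.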

Comment 1 Yihui Zhao 2018-01-22 05:32:50 UTC
Created attachment 1384204
/var/log/*

Comment 3 Yihui Zhao 2018-01-30 09:15:08 UTC
The bug is fixed.

Test version:
cockpit-ws-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-dashboard-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-ovirt-dashboard-0.11.6-0.1.el7ev.noarch
cockpit-system-157-1.el7.noarch
ovirt-hosted-engine-setup-2.2.8-2.el7ev.noarch
ovirt-hosted-engine-ha-2.2.4-1.el7ev.noarch
rhvm-appliance-4.2-20180125.0.el7.noarch
rhvh-4.2.1.2-0.20180126.0+1


Test steps:
1. Clean install rhvh-4.2.1.2-0.20180126.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file

Test results:
There is no HE password as clear text in the HE setup log file.


So, change the bug's status to verified!

Comment 4 Sandro Bonazzola 2018-02-12 11:53:22 UTC
This bugzilla is included in oVirt 4.2.1 release, published on Feb 12th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.