Bug 1538947
Summary: | [RFE] Suggest that the generating he setup answer file by cockpit don't contain HE password as clear text. | ||
---|---|---|---|
Product: | [oVirt] cockpit-ovirt | Reporter: | Yihui Zhao <yzhao> |
Component: | Hosted Engine | Assignee: | Phillip Bailey <phbailey> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Yihui Zhao <yzhao> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | --- | CC: | bugs, cshao, didi, huzhao, phbailey, qiyuan, rbarry, sbonazzo, stirabos, weiwang, yaniwang, ycui |
Target Milestone: | ovirt-4.2.2 | Keywords: | FutureFeature |
Target Release: | 0.11.12 | Flags: | rbarry: ovirt-4.2? rule-engine: planning_ack? sbonazzo: devel_ack+ cshao: testing_ack+ |
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | cockpit-ovirt-0.11.12-0.1 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-03-29 11:03:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1548958 | ||
Bug Blocks: |
Description
Yihui Zhao
2018-01-26 08:30:18 UTC
The answer file should be protected. Simplest is probably creating it using the equivalent of 'mktemp'. Other than that, I do not think it's worth investing in making passwords in it (strongly) encrypted. Note that if we do want that, it will require changes also in hosted-engine-setup, perhaps also in the engine. We have cleartext passwords (and other secrets) elsewhere. Having an option to get rid of all of these was discussed in the past and postponed.

Also, IIRC we noticed that it's not removed in the end. It should be, also on failure.

Tested cockpit-ovirt-0.11.14-0.1 on RHEL7.4. I noticed that the answer file changed from the previous /tmp/he-setup-answerfile.conf to /var/lib/ovirt-hosted-engine-setup/cockpit/heAnswerFile*.conf. The clear password also exists, so what about your idea here, or is this the design?

[environment:default]
OVEHOSTED_CORE/rollbackProceed=none:None
OVEHOSTED_CORE/screenProceed=none:None
OVEHOSTED_CORE/deployProceed=bool:true
OVEHOSTED_CORE/upgradeProceed=none:None
OVEHOSTED_CORE/confirmSettings=bool:true
OVEHOSTED_STORAGE/domainType=str:nfs3
OVEHOSTED_STORAGE/imgSizeGB=str:58
OVEHOSTED_STORAGE/storageDomain=str:hosted_storage
OVEHOSTED_STORAGE/storageDomainConnection=str:10.66.148.11:/home/yzhao/nfs2
OVEHOSTED_STORAGE/mntOptions=none:None
OVEHOSTED_NETWORK/bridgeIf=str:ovirtmgmt
OVEHOSTED_NETWORK/bridgeName=str:ovirtmgmt
OVEHOSTED_NETWORK/firewallManager=str:iptables
OVEHOSTED_NETWORK/gateway=str:10.73.75.254
OVEHOSTED_NETWORK/fqdn=str:rhevh-hostedengine-vm-04.lab.eng.pek2.redhat.com
OVEHOSTED_VM/bootDevice=str:disk
OVEHOSTED_VM/vmVCpus=str:4
OVEHOSTED_VM/vmMACAddr=str:52:54:00:5e:8e:c7
OVEHOSTED_VM/vmMemSizeMB=int:16384
OVEHOSTED_VM/cloudinitVMStaticCIDR=none:None
OVEHOSTED_VM/cloudinitVMDNS=str:
OVEHOSTED_VM/cloudinitVMTZ=str:Asia/Shanghai
OVEHOSTED_VM/cloudInitISO=str:generate
OVEHOSTED_VM/cloudinitInstanceHostName=str:rhevh-hostedengine-vm-04
OVEHOSTED_VM/cloudinitInstanceDomainName=str:lab.eng.pek2.redhat.com
OVEHOSTED_VM/cloudinitExecuteEngineSetup=bool:true
OVEHOSTED_VM/automateVMShutdown=bool:true
OVEHOSTED_VM/cloudinitRootPwd=str:redhat
OVEHOSTED_VM/rootSshPubkey=none:None
OVEHOSTED_VM/rootSshAccess=str:yes
OVEHOSTED_VM/cloudinitVMETCHOSTS=bool:true
OVEHOSTED_ENGINE/hostIdentifier=str:hosted_engine_1
OVEHOSTED_ENGINE/adminUsername=str:admin@internal
OVEHOSTED_ENGINE/adminPassword=str:redhat
OVEHOSTED_VDSM/consoleType=str:vnc
OVEHOSTED_VDSM/cpu=str:model_Opteron_G5
OVEHOSTED_NOTIF/smtpServer=str:localhost
OVEHOSTED_NOTIF/smtpPort=str:25
OVEHOSTED_NOTIF/sourceEmail=str:root@localhost
OVEHOSTED_NOTIF/destEmail=str:root@localhost

This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
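
One way to do what the comments above ask for, the equivalent of 'mktemp' plus removal of the answer file on both success and failure, as an added Python example (not cockpit-ovirt or hosted-engine-setup code). The names `protected_answer_file`, `deploy` and `run_setup`, and the placeholder password, are assumptions made for illustration.

```python
import contextlib
import os
import stat
import tempfile

# Constructed sample content: the keys mirror the answer file quoted in the
# bug, the password value is a placeholder.
SAMPLE_ANSWERS = {
    "OVEHOSTED_ENGINE/adminUsername": "str:admin@internal",
    "OVEHOSTED_ENGINE/adminPassword": "str:EXAMPLE-ONLY",
}


@contextlib.contextmanager
def protected_answer_file(answers, directory=None):
    """Yield the path of an owner-only answer file and remove it on exit,
    whether the caller's block finishes normally or raises."""
    # mkstemp picks an unpredictable name and opens it with O_CREAT|O_EXCL
    # and mode 0600, so a file or symlink planted in advance is never reused.
    fd, path = tempfile.mkstemp(prefix="heAnswerFile", suffix=".conf",
                                dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("[environment:default]\n")
            for key, value in answers.items():
                handle.write(f"{key}={value}\n")
        yield path
    finally:
        # Runs on success and on failure, so the secrets never outlive setup.
        with contextlib.suppress(FileNotFoundError):
            os.unlink(path)


def file_mode(path):
    """Return only the permission bits of path (for example 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def deploy(answers, run_setup, directory=None):
    """Call the hypothetical run_setup(path) against a protected answer file
    and return (path, result); the file is gone by the time this returns."""
    with protected_answer_file(answers, directory) as path:
        return path, run_setup(path)
```
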