Bug 1655742
Summary: | [OSP10] fixed_key value is logged in the cinder logs | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | David Hill <dhill> | |
Component: | openstack-cinder | Assignee: | Sofia Enriquez <senrique> | |
Status: | CLOSED ERRATA | QA Contact: | Tzach Shefi <tshefi> | |
Severity: | high | Docs Contact: | Kim Nylander <knylande> | |
Priority: | medium | |||
Version: | 10.0 (Newton) | CC: | abishop, eharney, mgeary | |
Target Milestone: | --- | Keywords: | Triaged, ZStream | |
Target Release: | 10.0 (Newton) | |||
Hardware: | Unspecified | |||
OS: | All | |||
Whiteboard: | ||||
Fixed In Version: | openstack-cinder-9.1.4-45.el7ost | Doc Type: | Bug Fix | |
Doc Text: |
Previously, the cinder logs contained fixed_key value.
With this update, the fixed_key value is not logged.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1665452 1665456 (view as bug list) | Environment: | ||
Last Closed: | 2019-04-30 16:58:37 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1665452, 1665456 | |||
Bug Blocks: |
Description
David Hill
2018-12-03 19:50:45 UTC
This appears to be an OSP10 z8 regression introduced by bug 1547600. The code in OSP10 used to detect which values to mask by looking for "_key" in the config option name, but this was changed to fix another similar issue. We will need a fix like https://review.openstack.org/#/c/621686/ for this to be backported to OSP10. @Sofia, there's some background on this issue, so poke Eric or I if you have questions. @Alan, I'm waiting to https://review.openstack.org/#/c/625140/1 to be merged, so I could upstream backport to Newton and then downstream backport to OSP10. Verified on: openstack-cinder-9.1.4-49.el7ost.noarch Installed OPS10 Configured fixed_key on cinder.conf [root@controller-0 ~]# grep fixed_key /etc/cinder/cinder.conf # Deprecated group/name - [keymgr]/fixed_key #fixed_key = <None> fixed_key=04d6b077d60e323711b37813b3a68a71 restart cinder [root@controller-0 ~]# systemctl restart openstack-cinder-api.service [root@controller-0 ~]# systemctl restart openstack-cinder-volume.service grep fixed_key in cinder's log -> [root@controller-0 ~]# grep -irn fixed_key /var/log/cinder/ /var/log/cinder/api.log:1449:2019-03-31 14:46:01.610 61696 DEBUG oslo_service.service [req-2eaf0f8e-9daa-4936-94e2-152ae8af4d71 - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/api.log:2954:2019-03-31 14:50:12.670 90599 DEBUG oslo_service.service [req-81d0ac35-a3a5-44d8-a69d-069a430ecc6c - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/api.log:4459:2019-03-31 15:12:56.360 249523 DEBUG oslo_service.service [req-fcb2d120-9569-4d9b-a44b-e9381a05c736 - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/volume.log:402:2019-03-31 14:56:00.394 125458 DEBUG oslo_service.service [req-1ec85793-7155-4d50-9909-8ebb4ca58824 - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/volume.log:969:2019-03-31 15:13:35.613 252190 DEBUG oslo_service.service [req-99254f91-3c77-4a4b-89b6-33bf058b08df - - - - -] key_manager.fixed_key = **** log_opt_v As can be seen we only see ***** Lets be extra sure, look for part of the key in the logs: [root@controller-0 ~]# grep -irn 04d6b077 /var/log/cinder/ [root@controller-0 ~]# Again nothing found, looks good to verify Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0917 |