Red Hat Bugzilla – Bug 1325943
[RFE] sosreport does not contain domain specific information for keystone
Last modified: 2018-04-10 14:01:23 EDT
Description of problem:
Running a sosreport on a controller node does not capture the data for multi-domain configurations within the environment. If the /etc/keystone/keystone.conf file has multi-domains configured by setting option 'domain_config_dir', we should also gather the files in the directory specified by 'domain_config_dir'. Those files contain settings specific to domains created within the OpenStack environment which are valuable in troubleshooting.

If the files contain LDAP information, they will also contain a password in plain text, so prior to adding the files to the tar file we should blank out the password listed in the file by replacing it with XXXXXXXX. An example of this file can be seen in section 2.9.5b here: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#configure_the_controller_2

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Does the 'openstack-config' command also support a '--get'? We'll need something like this to retrieve the value of domain_config_dir - plugins are not in the business of parsing the configuration data of other components.
(In reply to Bryn M. Reeves from comment #2)
> Does the 'openstack-config' command also support a '--get'?

Yes it does, it's just a wrapper around crudini really.

> We'll need something like this to retrieve the value of domain_config_dir -
> plugins are not in the business of parsing the configuration data of other
> components.

Yeah, understood, I'll take a swing at this upstream shortly.
So the change should be:

- in openstack_keystone sos plugin?
- with pseudocode like:

    dir=$(openstack-config --get /etc/keystone/keystone.conf domain_config_dir)
    if [ $dir ]; then
        copy whole $dir directory
        obfuscate LDAP plaintext passwords in the dir
    fi

Is that correct?

Two technical questions:
- what is the openstack-config --get output in either case (variable set, variable not set)? Required for proper parsing of the output
- what's the string identifying the LDAP password? Or ideally, can you provide a regexp searching for it and replacing it by a series of '*'?

Example:

    self.do_path_regex_sub(directory,
        r"(AuthLDAPBindPassword)\s*(.*)",
        r"\1********")
Sorry, I read this comment a while ago and didn't realize it was to me...

(In reply to Pavel Moravec from comment #4)
> So the change should be:
>
> - in openstack_keystone sos plugin?

I am not sure as I am not familiar with the SOS report plugin architecture.

> - with pseudocode like:
>
>     dir=$(openstack-config --get /etc/keystone/keystone.conf domain_config_dir)
>     if [ $dir ]; then
>         copy whole $dir directory
>         obfuscate LDAP plaintext passwords in the dir
>     fi
>
> Is that correct?

You still need to pass the section name when doing the get as far as I know. I'd also confirm its existence in the if statement to prevent against user error. So it would be:

    dir=$(openstack-config --get /etc/keystone/keystone.conf identity domain_config_dir)
    if [ -d $dir ]; then
        copy whole $dir directory
        obfuscate LDAP plaintext passwords in the dir
    fi

> Two technical questions:
> - what is the openstack-config --get output in either case (variable set,
>   variable not set)? Required for proper parsing the output

If it's not set, it is null:

    [root@overcloud-controller-1 keystone]# export dir=$(openstack-config --get /etc/keystone/keystone.conf identity domain_config_dir)
    Parameter not found: domain_config_dir
    [root@overcloud-controller-1 keystone]# echo ">$dir<"
    ><
    [root@overcloud-controller-1 keystone]#

> - what's the string identifying LDAP password? Or ideally, can you provide
>   regexp searching for it and replacing by series of '*' ?
>
> Example:
>
>     self.do_path_regex_sub(directory,
>         r"(AuthLDAPBindPassword)\s*(.*)",
>         r"\1********")

I'm not a programmer but based on your example, I think it would look like:

    self.do_path_regex_sub(directory,
        r"^\s*(password)\s*=\s*(.*)",
        r"\1********")

You can copy the example from section 4b here to test it: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_openstack_platform/7/html-single/integrate_with_identity_service/#configure_the_controller_2
(In reply to Darin Sorrentino from comment #6)
> Sorry, I read this comment a while ago and didn't realize it was to me...
>
> (In reply to Pavel Moravec from comment #4)
> > So the change should be:
> >
> > - in openstack_keystone sos plugin?
>
> I am not sure as I am not familiar with the SOS report plugin architecture.

No problem. I meant by that question how to identify systems where the new commands shall be run - roughly saying "only on OpenStack Keystone server", technically on any system with either of the packages 'openstack-keystone', 'python-keystone', 'python-django-openstack-auth' or 'python-keystoneclient' installed (presence of any of those packages automatically triggers execution of the openstack_keystone plugin, so this plugin shall contain the commands).

Thanks for the answers, I will work on a patch later on. We are behind the 7.4 schedule so this shall go to 7.5 by default.
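Added example (editor's illustration, not the sos plugin code and not the patch in the upstream PR): the flow agreed in comments #4 to #7, written out in Python so the password redaction can be exercised offline. It looks up [identity] domain_config_dir with `openstack-config --get`, treats empty output as "unset" (matching the shell session in comment #6), checks that the value is a directory, reads every file in it and blanks the value of `password = ...` lines while keeping the key and the `=`. The regex, the helper names and the sample domain config are assumptions made for this example; the sample values are constructed and do not come from any real deployment.

```python
"""Redact LDAP bind passwords from keystone domain config files before capture.

Added example for bug 1325943 (not the sos plugin or the PR 1086 code). The
regex, helper names and sample config below are assumptions for illustration.
"""
import os
import re
import subprocess
import tempfile

# Assumption: a line-anchored, case-insensitive "password = value" pattern that
# keeps the key and '=' (group 1) and replaces only the value (group 2). Keys such
# as password_expires_days do not match because "password" must be followed by
# blanks or '=' here, not by '_'.
PASSWORD_RE = re.compile(r"^([ \t]*password[ \t]*=[ \t]*)(.*)$",
                         re.IGNORECASE | re.MULTILINE)

MASK = "********"


def scrub_passwords(text, mask=MASK):
    """Return text with every password value replaced by mask."""
    return PASSWORD_RE.sub(lambda m: m.group(1) + mask, text)


def domain_config_dir(conf="/etc/keystone/keystone.conf"):
    """Ask openstack-config for [identity] domain_config_dir.

    Returns None when the parameter is unset (openstack-config prints nothing on
    stdout in that case, as shown in comment #6) or when the tool is missing.
    """
    cmd = ["openstack-config", "--get", conf, "identity", "domain_config_dir"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() or None


def collect_domain_configs(dir_path, mask=MASK):
    """Return {filename: scrubbed_contents} for the regular files in dir_path.

    None or a path that is not a directory yields {} (the [ -d "$dir" ] guard
    from comment #6), so the caller can skip the copy without raising.
    """
    if not dir_path or not os.path.isdir(dir_path):
        return {}
    scrubbed = {}
    for name in sorted(os.listdir(dir_path)):
        path = os.path.join(dir_path, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                scrubbed[name] = scrub_passwords(fh.read(), mask)
    return scrubbed


# Constructed sample in the shape of a keystone.<domain>.conf with an LDAP
# backend; all values are made up. password_expires_days is included only to
# show that a similarly named key is left untouched.
SAMPLE_DOMAIN_CONF = """\
[ldap]
url = ldap://ldap.example.com
user = cn=keystone,dc=example,dc=com
    password = S3cr3tBindPw
suffix = dc=example,dc=com
user_tree_dn = ou=Users,dc=example,dc=com
password_expires_days = 90

[identity]
driver = ldap
"""


def demo():
    """Write the sample into a temporary domain_config_dir and collect it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "keystone.LAB.conf"), "w",
                  encoding="utf-8") as fh:
            fh.write(SAMPLE_DOMAIN_CONF)
        return collect_domain_configs(tmp)


if __name__ == "__main__":
    for name, body in demo().items():
        print("==>", name)
        print(body)
```

On a real controller the call would be collect_domain_configs(domain_config_dir()); in the sos plugin itself the equivalent is an add_copy_spec() on the directory followed by do_path_regex_sub() with the same kind of pattern, which is the shape comment #4 proposed.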
Upstream PR: https://github.com/sosreport/sos/pull/1086 It would be great to pre-verify it (incl. password obfuscation) if possible.
Fixed via sos 3.5 rebase.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0963