Red Hat Bugzilla – Bug 1400407
sos: Improve Samba plugin for sosreport to include missing logs
Last modified: 2017-12-18 12:07:53 EST
Hello, could you please clarify: - what other logs / directories with logs shall be collected (whole /var/log/samba ?) - what is expected size of the logs / shall be some huge logs collected only when providing some option? - can the files contain some customer secret (password, auth token,..) that we shall obfuscate first? Thanks in advance.
At the simplest, it really just means fixing the samba plugin to respect --all-logs; if there is a desire to have some portion of client logs captured even without --all-logs then a limiting scheme needs to be implemented (since the number of clients is potentially unbounded). Afaik Samba does not spray any secrets into its log files (at least at default log levels) but it doesn't hurt to check.
(In reply to Bryn M. Reeves from comment #2) > At the simplest, it really just means fixing the samba plugin to respect > --all-logs; if there is a desire to have some portion of client logs > captured even without --all-logs then a limiting scheme needs to be > implemented (since the number of clients is potentially unbounded). --all-logs sounds reasonable to me > Afaik Samba does not spray any secrets into its log files (at least at > default log levels) but it doesn't hurt to check. Correct ... except for when run with log level >= 100. In that case there are some code paths that log secrets.
(In reply to Pavel Moravec from comment #1) > Hello, > could you please clarify: > > - what other logs / directories with logs shall be collected (whole > /var/log/samba ?) Usually all logs are under /var/log/samba, but it can be configured in smb.conf. all of /var/log/samba seems a good first approximation though. > - what is expected size of the logs / shall be some huge logs collected only > when providing some option? If debugging, e.g. running with log level 10, the logs can easily become very large: 100s of MBs or even GBs. > - can the files contain some customer secret (password, auth token,..) that > we shall obfuscate first? Can only happen in log level 100 which is rarely used at all. But in oder to be safe, we'd need to handle this, I think. "git grep DEBUG\(100" in samba.git shows what messages can appear. - Michael
FYI created a PR upstream: https://github.com/sosreport/sos/pull/895
(In reply to Michael Adam from comment #5) > FYI created a PR upstream: > > https://github.com/sosreport/sos/pull/895 This has been merged.
Given Michael has provided the details back, clearing the needinfo.
Hello, would you be able / are you willing to test the fix in candidate build for RHEL7.4 (once available)? Note that the fix will appear in 7.4 due to sos rebase in bz1414879 either way.
I can confirm the changes in above mentioned PR are contained in the new plugin source. If there is no positive feedback from the customer I will verify this SanityOnly. # diff -u old/BUILD/sos-3.3/sos/plugins/samba.py /usr/lib/python2.7/site-packages/sos/plugins/samba.py --- old/BUILD/sos-3.3/sos/plugins/samba.py 2016-06-29 20:24:47.000000000 +0200 +++ /usr/lib/python2.7/site-packages/sos/plugins/samba.py 2017-05-22 22:40:13.000000000 +0200 @@ -23,16 +23,29 @@ profiles = ('services',) def setup(self): + self.limit = self.get_option("log_size") + self.add_copy_spec([ "/etc/samba/smb.conf", "/etc/samba/lmhosts", - "/var/log/samba/log.smbd", - "/var/log/samba/log.nmbd" ]) + + self.add_copy_spec("/var/log/samba/log.smbd", sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.nmbd", sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.winbindd", sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.winbindd-idmap", + sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.winbindd-dc-connet", + sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.wb-*", sizelimit=self.limit) + + if self.get_option("all_logs"): + self.add_copy_spec("/var/log/samba/", sizelimit=self.limit) + self.add_cmd_output([ "wbinfo --domain='.' -g", "wbinfo --domain='.' -u", - "testparm -s -v" + "testparm -s", ]) # rpm -qf /usr/lib/python2.7/site-packages/sos/plugins/samba.pysos-3.4-4.el7.noarch
(In reply to Miroslav Hradílek from comment #13) > I can confirm the changes in above mentioned PR are contained in the new > plugin source. If there is no positive feedback from the customer I will > verify this SanityOnly. > > # diff -u old/BUILD/sos-3.3/sos/plugins/samba.py > /usr/lib/python2.7/site-packages/sos/plugins/samba.py > --- old/BUILD/sos-3.3/sos/plugins/samba.py 2016-06-29 20:24:47.000000000 > +0200 > +++ /usr/lib/python2.7/site-packages/sos/plugins/samba.py 2017-05-22 > 22:40:13.000000000 +0200 > @@ -23,16 +23,29 @@ > profiles = ('services',) > > def setup(self): > + self.limit = self.get_option("log_size") > + > self.add_copy_spec([ > "/etc/samba/smb.conf", > "/etc/samba/lmhosts", > - "/var/log/samba/log.smbd", > - "/var/log/samba/log.nmbd" > ]) > + > + self.add_copy_spec("/var/log/samba/log.smbd", sizelimit=self.limit) > + self.add_copy_spec("/var/log/samba/log.nmbd", sizelimit=self.limit) > + self.add_copy_spec("/var/log/samba/log.winbindd", > sizelimit=self.limit) > + self.add_copy_spec("/var/log/samba/log.winbindd-idmap", > + sizelimit=self.limit) > + self.add_copy_spec("/var/log/samba/log.winbindd-dc-connet", This looks wrong, that last path needs to be: /var/log/samba/log.winbindd-dc-connect
I created a new pull request for this change: https://github.com/sosreport/sos/pull/1018
(In reply to Guenther Deschner from comment #15) > I created a new pull request for this change: > > https://github.com/sosreport/sos/pull/1018 Thanks for spotting it, already in sos downstream / sos-3.4-5.
I can confirm the changes in above mentioned PR are contained in the new plugin source including the fixed typo (log.winbindd-dc-connect). If there is no positive feedback from the customer I will verify this SanityOnly. # diff -u old/BUILD/sos-3.3/sos/plugins/samba.py /usr/lib/python2.7/site-packages/sos/plugins/samba.py --- old/BUILD/sos-3.3/sos/plugins/samba.py 2016-06-29 20:24:47.000000000 +0200 +++ /usr/lib/python2.7/site-packages/sos/plugins/samba.py 2017-05-30 13:07:18.000000000 +0200 @@ -23,16 +23,29 @@ profiles = ('services',) def setup(self): + self.limit = self.get_option("log_size") + self.add_copy_spec([ "/etc/samba/smb.conf", "/etc/samba/lmhosts", - "/var/log/samba/log.smbd", - "/var/log/samba/log.nmbd" ]) + + self.add_copy_spec("/var/log/samba/log.smbd", sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.nmbd", sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.winbindd", sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.winbindd-idmap", + sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.winbindd-dc-connect", + sizelimit=self.limit) + self.add_copy_spec("/var/log/samba/log.wb-*", sizelimit=self.limit) + + if self.get_option("all_logs"): + self.add_copy_spec("/var/log/samba/", sizelimit=self.limit) + self.add_cmd_output([ "wbinfo --domain='.' -g", "wbinfo --domain='.' -u", - "testparm -s -v" + "testparm -s", ]) # rpm -qf /usr/lib/python2.7/site-packages/sos/plugins/samba.py sos-3.4-5.el7.noarch
Verifying Sanity Only (based just on code). See comment 17.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2203