1536941 – HE-VM cloudinit root password saved in the setup log file as clear text.

Bug 1536941 - HE-VM cloudinit root password saved in the setup log file as clear text.

Summary: HE-VM cloudinit root password saved in the setup log file as clear text.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-hosted-engine-setup
Classification:	oVirt
Component:	General
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	ovirt-4.2.1
Target Release:	---
Assignee:	Yedidyah Bar David
QA Contact:	Yihui Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1458709
TreeView+	depends on / blocked

Reported:	2018-01-22 05:31 UTC by Yihui Zhao
Modified:	2018-04-01 10:05 UTC (History)
CC List:	17 users (show)
Fixed In Version:	ovirt-hosted-engine-setup-2.2.7
Clone Of:
Environment:
Last Closed:	2018-02-12 11:53:22 UTC
oVirt Team:	Integration
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.2+

Attachments	(Terms of Use)
ovirt_hosted_engine_setup.log (670.91 KB, text/plain) 2018-01-22 05:31 UTC, Yihui Zhao	no flags	Details
/var/log/* (746.75 KB, application/x-bzip) 2018-01-22 05:32 UTC, Yihui Zhao	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	86635	0	master	MERGED	packaging: setup: Filter passwords earlier	2020-12-09 14:54:12 UTC

Description Yihui Zhao 2018-01-22 05:31:26 UTC

Created attachment 1384203 [details]
ovirt_hosted_engine_setup.log

Description of problem: 
HE-VM cloudinit root password saved in the setup log file as clear text.


Version-Release number of selected component (if applicable): 
cockpit-ws-157-1.el7.x86_64
cockpit-dashboard-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-system-157-1.el7.noarch
cockpit-ovirt-dashboard-0.11.4-0.1.el7ev.noarch
rhvh-4.2.1.1-0.20180115.0+1
ovirt-hosted-engine-setup-2.2.5-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7ev.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch

How reproducible: 
100% 


Steps to Reproduce: 
1. Clean install rhvh-4.2.1.1-0.20180115.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file()

Actual results: 
"""
 #grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180121221950-rx9zku.log
2018-01-21 22:19:51,584-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-21 22:21:19,711-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-21 22:37:44,674-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
"""

Expected results: 
There is no HE password as clear text in the HE setup log file.

Additional info: 
The same issue in the upstream ovirt-node-ng-4.2.1-0.20180111.0+1.

Version:
ovirt-node-ng-4.2.1-0.20180111.0+1
cockpit-159-1.el7.centos.x86_64
cockpit-dashboard-159-1.el7.centos.x86_64
cockpit-bridge-159-1.el7.centos.x86_64
cockpit-system-159-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.3-0.1.el7.centos.noarch
cockpit-ws-159-1.el7.centos.x86_64
cockpit-storaged-159-1.el7.centos.noarch
cockpit-networkmanager-159-1.el7.centos.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7.centos.noarch
ovirt-hosted-engine-setup-2.2.5-1.el7.centos.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch



HE admin and root password saved in the setup log file as clear text.
1.# grep 'adminPassword=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log 
2018-01-18 22:20:42,372+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'password'
2018-01-18 22:21:54,302+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:37:27,189+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'

2. #grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log
2018-01-18 22:20:42,375+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-18 22:21:54,318+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-18 22:37:27,205+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'

Comment 1 Yihui Zhao 2018-01-22 05:32:50 UTC

Created attachment 1384204 [details]
/var/log/*

Comment 3 Yihui Zhao 2018-01-30 09:15:08 UTC

The bug is fixed.

Test version:
cockpit-ws-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-dashboard-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-ovirt-dashboard-0.11.6-0.1.el7ev.noarch
cockpit-system-157-1.el7.noarch
ovirt-hosted-engine-setup-2.2.8-2.el7ev.noarch
ovirt-hosted-engine-ha-2.2.4-1.el7ev.noarch
rhvm-appliance-4.2-20180125.0.el7.noarch
rhvh-4.2.1.2-0.20180126.0+1


Test steps:
1. Clean install rhvh-4.2.1.2-0.20180126.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file

Test results:
There is no HE password as clear text in the HE setup log file.


So, change the bug's status to verified!

Comment 4 Sandro Bonazzola 2018-02-12 11:53:22 UTC

This bugzilla is included in oVirt 4.2.1 release, published on Feb 12th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.