Bug 1536941 - HE-VM cloudinit root password saved in the setup log file as clear text.
Summary: HE-VM cloudinit root password saved in the setup log file as clear text.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-hosted-engine-setup
Classification: oVirt
Component: General
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.2.1
Assignee: Yedidyah Bar David
QA Contact: Yihui Zhao
Blocks: 1458709
Reported: 2018-01-22 05:31 UTC by Yihui Zhao
Modified: 2018-04-01 10:05 UTC

Cause: 

'hosted-engine --deploy' added some secret values to the list of items it filters out in the log, including the engine VM root password, a bit too late.

Consequence: 

If these values were added using an answer file, they appeared in the log file as clear-text.

Fix: 

Now 'hosted-engine --deploy' adds these items before it starts writing the log file.

Result: 

All occurrences of the secret values are filtered in the log file.

Additional information:

These values are not included in answer files automatically created by 'hosted-engine --deploy'.

They are included in answer files created by the cockpit plugin, which provides a GUI to 'hosted-engine --deploy', since 4.2. In 4.1 they were not included. Before that, users could still add them manually, although this is not documented.
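
The ordering problem described under Cause and Fix, as an added sketch that is not code from ovirt-hosted-engine-setup or otopi: a log filter can only mask values it already knows, so anything dumped before the secrets are registered stays in clear text. The `SecretFilter` class, the `deploy` function and the `DEMO/...` keys and values are constructed for illustration.

```python
import io
import logging

FILTERED = "**FILTERED**"

class SecretFilter(logging.Filter):
    """Replace every registered secret value in the final log message."""

    def __init__(self):
        super().__init__()
        self.secrets = set()

    def filter(self, record):
        msg = record.getMessage()
        # Longest first, so a secret containing another secret is fully masked.
        for secret in sorted(self.secrets, key=len, reverse=True):
            msg = msg.replace(secret, FILTERED)
        record.msg, record.args = msg, None
        return True

def deploy(env, secret_keys, register_first):
    """Simulate a setup run that dumps its environment to the log twice."""
    buf = io.StringIO()
    flt = SecretFilter()
    handler = logging.StreamHandler(buf)
    handler.addFilter(flt)
    log = logging.Logger("setup-demo")  # standalone logger for the demo
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)

    def register():
        # Skip empty values: replacing "" would corrupt every message.
        flt.secrets.update(env[k] for k in secret_keys if env.get(k))

    def dump():
        for key in sorted(env):
            log.debug("ENV %s=str:'%s'", key, env[key])

    if register_first:
        register()   # fixed order: filter list is complete before any output
    dump()           # first dump, right after the answer file is loaded
    register()       # buggy order: secrets become known only here
    dump()
    return buf.getvalue()

# Constructed sample environment; key names and values are made up.
ENV = {"DEMO/rootPwd": "s3cr3t-root", "DEMO/adminPassword": "s3cr3t-admin",
       "DEMO/hostName": "he.example.test"}
SECRET_KEYS = ("DEMO/rootPwd", "DEMO/adminPassword")
```

With `register_first=False` the first dump contains both constructed secrets and only the second is masked, the same pattern as the grep output in the report; with `register_first=True` no dump contains them.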
Last Closed: 2018-02-12 11:53:22 UTC
rule-engine: ovirt-4.2+


Attachments
ovirt_hosted_engine_setup.log (670.91 KB, text/plain)
2018-01-22 05:31 UTC, Yihui Zhao
/var/log/* (746.75 KB, application/x-bzip)
2018-01-22 05:32 UTC, Yihui Zhao


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 86635 master MERGED packaging: setup: Filter passwords earlier 2018-09-03 09:36 UTC

Description Yihui Zhao 2018-01-22 05:31:26 UTC
Created attachment 1384203 [details]
ovirt_hosted_engine_setup.log

Description of problem: 
HE-VM cloudinit root password saved in the setup log file as clear text.


Version-Release number of selected component (if applicable): 
cockpit-ws-157-1.el7.x86_64
cockpit-dashboard-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-system-157-1.el7.noarch
cockpit-ovirt-dashboard-0.11.4-0.1.el7ev.noarch
rhvh-4.2.1.1-0.20180115.0+1
ovirt-hosted-engine-setup-2.2.5-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7ev.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch

How reproducible: 
100% 


Steps to Reproduce: 
1. Clean install rhvh-4.2.1.1-0.20180115.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file()

Actual results: 
"""
 #grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180121221950-rx9zku.log
2018-01-21 22:19:51,584-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-21 22:21:19,711-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-21 22:37:44,674-0500 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
"""

Expected results: 
There is no HE password as clear text in the HE setup log file.

Additional info: 
The same issue in the upstream ovirt-node-ng-4.2.1-0.20180111.0+1.

Version:
ovirt-node-ng-4.2.1-0.20180111.0+1
cockpit-159-1.el7.centos.x86_64
cockpit-dashboard-159-1.el7.centos.x86_64
cockpit-bridge-159-1.el7.centos.x86_64
cockpit-system-159-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.3-0.1.el7.centos.noarch
cockpit-ws-159-1.el7.centos.x86_64
cockpit-storaged-159-1.el7.centos.noarch
cockpit-networkmanager-159-1.el7.centos.noarch
ovirt-hosted-engine-ha-2.2.3-1.el7.centos.noarch
ovirt-hosted-engine-setup-2.2.5-1.el7.centos.noarch
rhvm-appliance-4.2-20171219.0.el7.noarch



HE admin and root password saved in the setup log file as clear text.
1. # grep 'adminPassword=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log
2018-01-18 22:20:42,372+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'password'
2018-01-18 22:21:54,302+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:37:27,189+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'

2. # grep 'cloudinitRootPwd=str' ovirt-hosted-engine-setup-20180118222041-vekfv7.log
2018-01-18 22:20:42,375+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-18 22:21:54,318+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-18 22:37:27,205+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
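
A check for setup logs written before the fix, added here as an example and not part of the original report or of the oVirt tooling: it finds `dumpEnvironment` lines where a password key carries anything other than `**FILTERED**`, and reports the line number and key without echoing the value. The line shape and the sample lines are taken from the grep output above; treating every key that ends in Password, Passwd or Pwd as a secret is an assumption.

```python
import re
import sys

FILTERED = "**FILTERED**"
# Line shape as shown in the grep output of the report.
ENV_LINE = re.compile(r"ENV (?P<key>\S+)=str:'(?P<value>.*)'\s*$")
# Heuristic (assumption): keys ending in Password/Passwd/Pwd hold secrets.
SECRET_KEY = re.compile(r"(password|passwd|pwd)$", re.IGNORECASE)

def find_cleartext(lines):
    """Return (line_no, key) for secret keys logged with an unfiltered value."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = ENV_LINE.search(line)
        if not m or not SECRET_KEY.search(m["key"]):
            continue
        if m["value"] not in ("", FILTERED):
            hits.append((no, m["key"]))  # never echo the value itself
    return hits

# Sample lines copied from the report.
SAMPLE = """\
2018-01-18 22:20:42,372+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'password'
2018-01-18 22:21:54,302+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:37:27,189+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_ENGINE/adminPassword=str:'**FILTERED**'
2018-01-18 22:20:42,375+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'redhat'
2018-01-18 22:21:54,318+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
2018-01-18 22:37:27,205+0800 DEBUG otopi.context context.dumpEnvironment:833 ENV OVEHOSTED_VM/cloudinitRootPwd=str:'**FILTERED**'
"""

if __name__ == "__main__":
    # Usage: pass setup log paths as arguments; with none, scan the sample.
    sources = sys.argv[1:] or [None]
    for path in sources:
        if path is None:
            lines = SAMPLE.splitlines()
        else:
            with open(path, errors="replace") as fh:
                lines = fh.read().splitlines()
        for no, key in find_cleartext(lines):
            print(f"{path or 'sample'}:{no}: clear-text value for {key}")
```

Any log it flags should be access-restricted or purged, and the exposed password rotated.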

Comment 1 Yihui Zhao 2018-01-22 05:32 UTC
Created attachment 1384204 [details]
/var/log/*

Comment 3 Yihui Zhao 2018-01-30 09:15:08 UTC
The bug is fixed.

Test version:
cockpit-ws-157-1.el7.x86_64
cockpit-bridge-157-1.el7.x86_64
cockpit-storaged-157-1.el7.noarch
cockpit-dashboard-157-1.el7.x86_64
cockpit-157-1.el7.x86_64
cockpit-ovirt-dashboard-0.11.6-0.1.el7ev.noarch
cockpit-system-157-1.el7.noarch
ovirt-hosted-engine-setup-2.2.8-2.el7ev.noarch
ovirt-hosted-engine-ha-2.2.4-1.el7ev.noarch
rhvm-appliance-4.2-20180125.0.el7.noarch
rhvh-4.2.1.2-0.20180126.0+1


Test steps:
1. Clean install rhvh-4.2.1.2-0.20180126.0+1 with ks
2. Deploy HE via cockpit
3. Check the HE setup file

Test results:
There is no HE password as clear text in the HE setup log file.


So, change the bug's status to verified!

Comment 4 Sandro Bonazzola 2018-02-12 11:53:22 UTC
This bugzilla is included in oVirt 4.2.1 release, published on Feb 12th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

