Bug 1571117 - HE-VM appliance and admin password saved in the setup log file as clear text executing from cockpit
Summary: HE-VM appliance and admin password saved in the setup log file as clear text ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: cockpit-ovirt
Classification: oVirt
Component: Hosted Engine
Version: 0.11.20
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ovirt-4.2.3
: ---
Assignee: Phillip Bailey
QA Contact: Yihui Zhao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-24 06:56 UTC by Yihui Zhao
Modified: 2018-05-10 06:29 UTC (History)
14 users (show)

Fixed In Version: cockpit-ovirt-0.11.24-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-10 06:29:25 UTC
oVirt Team: Integration
rule-engine: ovirt-4.2+
rule-engine: blocker+
cshao: testing_ack+


Attachments (Terms of Use)
bootstrap_local_vm_log (9.91 MB, text/plain)
2018-04-24 08:32 UTC, Yihui Zhao
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1540225 0 unspecified CLOSED 2_ovirt_logger.py can't filter vars passed on the command line 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1540850 0 unspecified CLOSED ansible flow needs better logging 2021-02-22 00:41:40 UTC
oVirt gerrit 90710 0 master MERGED wizard: Pass filtered var tokens and regex's to playbooks 2018-04-30 07:29:11 UTC
oVirt gerrit 90770 0 ovirt-4.2 MERGED wizard: Pass filtered var tokens and regex's to playbooks 2018-04-30 13:59:12 UTC

Internal Links: 1540225 1540850

Description Yihui Zhao 2018-04-24 06:56:02 UTC
Description of problem:
HE-VM appliance and admin  password saved in the setup log file as clear text.
"""

2018-04-23 17:24:51,796+0800 DEBUG var changed: host "localhost" var "hostvars" type "<class 'ansible.vars.hostvars.HostVars'>" value: "{u'localhost': {u'VM_IP_PREFIX': None, u'BRIDGE': u'ovirtmgmt', 'ansible_playbook_python': '/usr/bin/python2', u'NIC_UUID': None, u'BRIDGE_IF': u'eno1', u'HOST_IP': u'10.73.73.105', u'TIME_ZONE': u'Asia/Harbin', u'VCPUS': 4, u'CLOUD_INIT_DOMAIN_NAME': u'lab.eng.pek2.redhat.com', u'LOCAL_VM_DIR_PATH': u'/var/tmp', 'ansible_forks': 5, 'ansible_facts': {}, u'CPU_SOCKETS': 1, u'LOCAL_VM_DIR_PREFIX': u'localvm', 'inventory_hostname': u'localhost', 'ansible_skip_tags': [], u'EMULATED_MACHINE': None, 'playbook_dir': u'/usr/share/ovirt-hosted-engine-setup/ansible', u'FQDN': u'rhevh-hostedengine-vm-04.lab.eng.pek2.redhat.com', u'VM_IP_ADDR': None, u'HOST_NAME': u'hp-dl388g9-04.lab.eng.pek2.redhat.com', 'group_names': ['ungrouped'], u'CDROM': None, u'ROOT_SSH_ACCESS': u'yes', u'CONSOLE_TYPE': u'vnc', 'ansible_version': {'major': 2, 'full': '2.5.0', 'string': '2.5.0', 'minor': 5, 'revision': 0}, u'VM_MAC_ADDR': u'52:54:00:5e:8e:c7', 'inventory_file': u'localhost,', u'MEM_SIZE': 16348, u'GRAPHICS_DEVICE': u'vnc', u'APPLIANCE_OVA': None, u'APPLIANCE_PASSWORD': u'redhat', u'CONSOLE_UUID': None, u'VM_UUID': u'ed4d039c-eeb1-49be-a083-c59ab319a6ab', u'CPU_TYPE': u'model_Broadwell', 'groups': {'ungrouped': [u'localhost'], 'all': [u'localhost']}, u'ROOT_SSH_PUBKEY': None, u'VM_ETC_HOSTS': True, u'CLOUD_INIT_HOST_NAME': u'rhevh-hostedengine-vm-04', 'ansible_inventory_sources': [u'localhost,'], u'VIDEO_DEVICE': u'vga', 'inventory_hostname_short': u'localhost', 'inventory_dir': u'None', 'omit': '__omit_place_holder__a539486862c26f25f6ed53b2debbe3033bbb6240', 'ansible_diff_mode': False, u'CDROM_UUID': None, u'ENABLE_LIBGFAPI': None, 'ansible_check_mode': False, u'MAXVCPUS': 16, 'ansible_run_tags': [u'all'], u'HOST_ADDRESS': u'hp-dl388g9-04.lab.eng.pek2.redhat.com', u'VM_NAME': u'HostedEngine', u'ADMIN_PASSWORD': u'password'}}"

"""

Version-Release number of selected component (if applicable):
redhat-virtualization-host-4.2.2.1-0.20180420.0
cockpit-160-3.el7.x86_64
cockpit-bridge-160-3.el7.x86_64
cockpit-ws-160-3.el7.x86_64
cockpit-storaged-160-3.el7.noarch
cockpit-ovirt-dashboard-0.11.22-1.el7ev.noarch
cockpit-dashboard-160-3.el7.x86_64
cockpit-system-160-3.el7.noarch
ovirt-hosted-engine-setup-2.2.18-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.10-1.el7ev.noarch
rhvm-appliance-4.2-20180420.0.el7.noarch


How reproducible:
100%


Steps to Reproduce:
1. Clean install redhat-virtualization-host-4.2.2.1-0.20180420.0 with ks
2. Deploy HE via cockpit
3. Check the  setup log file

Actual results:
After step3, HE-VM appliance and admin  password saved in the setup log file as clear text.

Expected results:
After step3, HE-VM appliance and admin  password didn't save in the setup log file as clear text.


Additional info:

Comment 1 Ido Rosenzwig 2018-04-24 08:18:51 UTC
please attach the full log

Comment 2 Yihui Zhao 2018-04-24 08:32:46 UTC
Created attachment 1425866 [details]
bootstrap_local_vm_log

Comment 3 Yihui Zhao 2018-04-24 08:34:24 UTC
(In reply to Ido Rosenzwig from comment #1)
> please attach the full log

https://bugzilla.redhat.com/attachment.cgi?id=1425866

Comment 4 Yaniv Kaul 2018-04-25 07:16:59 UTC
How is this not a blocker?

Comment 5 Yihui Zhao 2018-04-25 09:21:54 UTC
(In reply to Yaniv Kaul from comment #4)
> How is this not a blocker?

I think it don't affect the use.

Comment 8 Simone Tiraboschi 2018-04-26 07:37:25 UTC
It's cockpit wizard specific now, 
we have to do something like this:
https://github.com/oVirt/ovirt-hosted-engine-setup/blob/master/src/ovirt_hosted_engine_setup/ansible_utils.py#L42

also on cockpit side.

Currently we cannot do much better just on playbook side as for https://bugzilla.redhat.com/show_bug.cgi?id=1540225

Comment 9 Yihui Zhao 2018-05-07 02:08:09 UTC
Tested with cockpit-ovirt-0.11.24-1 on RHEL-7.5-20180322, It works as expected.


From the log:

"""
2018-05-04 11:51:35,234+0800 DEBUG var changed: host "localhost" var "hostvars" type "<class 'ansible.vars.hostvars.HostVars'>" value: "{u'localhost': {u'VM_IP_PREFIX': None, u'BRIDGE': u'ovirtmgmt', 'ansible_playbook_python': '/usr/bin/python2', u'NIC_UUID': None, u'BRIDGE_IF': u'eno1', u'HOST_IP': u'10.73.73.19', u'TIME_ZONE': u'Asia/Shanghai', u'VCPUS': 4, u'CLOUD_INIT_DOMAIN_NAME': u'lab.eng.pek2.**FILTERED**.com', u'he_filtered_tokens_re': [u'BEGIN PRIVATE KEY**FILTERED**END PRIVATE KEY'], u'LOCAL_VM_DIR_PATH': u'/var/tmp', 'ansible_forks': 5, 'ansible_facts': {}, u'CPU_SOCKETS': 1, u'LOCAL_VM_DIR_PREFIX': u'localvm', 'inventory_hostname': u'localhost', 'ansible_skip_tags': [], u'EMULATED_MACHINE': None, 'playbook_dir': u'/usr/share/ovirt-hosted-engine-setup/ansible', u'FQDN': u'rhevh-hostedengine-vm-04.lab.eng.pek2.**FILTERED**.com', u'VM_IP_ADDR': None, u'HOST_NAME': u'dell-per515-02.lab.eng.pek2.**FILTERED**.com', 'group_names': ['ungrouped'], u'CDROM': None, u'ROOT_SSH_ACCESS': u'yes', u'CONSOLE_TYPE': u'vnc', 'ansible_version': {'major': 2, 'full': '2.5.2', 'string': '2.5.2', 'minor': 5, 'revision': 2}, u'VM_MAC_ADDR': u'52:54:00:5e:8e:c7', 'inventory_file': u'localhost,', u'MEM_SIZE': 16348, u'GRAPHICS_DEVICE': u'vnc', u'he_filtered_tokens_vars': [u'ADMIN_PASSWORD', u'APPLIANCE_PASSWORD', u'ISCSI_PASSWORD', u'ISCSI_DISCOVER_PASSWORD', u'ROOTPWD'], u'APPLIANCE_OVA': None, u'APPLIANCE_PASSWORD': u'**FILTERED**', u'CONSOLE_UUID': None, u'VM_UUID': u'62b13066-0b11-422f-aba2-dfb5b87108b4', u'CPU_TYPE': u'model_Opteron_G5', 'groups': {'ungrouped': [u'localhost'], 'all': [u'localhost']}, u'ROOT_SSH_PUBKEY': None, u'VM_ETC_HOSTS': True, u'CLOUD_INIT_HOST_NAME': u'rhevh-hostedengine-vm-04', 'ansible_inventory_sources': [u'localhost,'], u'ENABLE_HC_GLUSTER_SERVICE': False, u'VIDEO_DEVICE': u'vga', 'inventory_hostname_short': u'localhost', 'inventory_dir': u'None', 'omit': '__omit_place_holder__95fcc81a0c914dd9d69b4d1b6fc3d7ff2f7983ca', 'ansible_diff_mode': False, u'CDROM_UUID': None, u'ENABLE_LIBGFAPI': None, 'ansible_check_mode': False, u'MAXVCPUS': 16, 'ansible_run_tags': [u'all'], u'HOST_ADDRESS': u'dell-per515-02.lab.eng.pek2.**FILTERED**.com', u'VM_NAME': u'HostedEngine', u'ADMIN_PASSWORD': u'**FILTERED**'}}"
"""

The appliance and admin password is set as  "**FILTERED**".

So, moving to verified.

Comment 10 Sandro Bonazzola 2018-05-10 06:29:25 UTC
This bugzilla is included in oVirt 4.2.3 release, published on May 4th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.