Bug 1676473 - [ACTIVE-STANDBY]- openstack-octavia: Private keys written to world-readable log files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: z3
Target Release: 14.0 (Rocky)
Assignee: Nir Magnezi
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
Depends On:
Blocks: 1686517 1698576
Reported: 2019-02-12 12:03 UTC by Alexander Stafeyev
Modified: 2019-09-10 14:11 UTC (History)
CC: 6 users

Fixed In Version: openstack-octavia-3.0.2-0.20181219195056.ec4c88e.el7ost
Doc Type: Bug Fix
Doc Text:
Octavia will now encrypt the certificates and keys used for secure communication with amphorae in its internal workflows. Additionally, a new option, `server_certs_key_passphrase`, is available under the certificates section, with the default value `insecure-key-do-not-use-this-key`.
Clone Of:
Clones: 1686517
Environment:
Last Closed: 2019-07-02 19:47:40 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links
System ID Private Priority Status Summary Last Updated
OpenStack Storyboard 2005128 0 None None None 2019-03-04 10:34:23 UTC
OpenStack gerrit 627064 0 'None' MERGED Encrypt certs and keys 2020-08-28 19:19:23 UTC
OpenStack gerrit 641268 0 'None' MERGED Encrypt certs and keys 2020-08-28 19:19:22 UTC
Red Hat Product Errata RHBA-2019:1680 0 None None None 2019-07-02 19:47:54 UTC

Description Alexander Stafeyev 2019-02-12 12:03:07 UTC
Description of problem:
In a default Director installation with Octavia: 
* On the controller, Octavia logs are world readable, where /var/log/containers/octavia and /var/log/containers/httpd/octavia-api are both 755 and the logs themselves are 644.

* The /var/log/containers/octavia/worker.log has private key data (see attachment). 

Version-Release number of selected component (if applicable):

How reproducible:
The octavia.yaml file was not modified in the deployment:
openstack overcloud deploy --templates -e /home/stack/templates/node-info.yaml -e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/octavia.yaml -e /home/stack/templates/overcloud_images.yaml --libvirt-type qemu --ntp-server clock.redhat.com

Actual results:
Log files containing sensitive data are world readable.

Expected results:
Log files must not be world readable if sensitive data is included. Ideally, make all log files non-world-readable.

Additional info:
The default debug level was not changed, and was set to: debug=False
Additional info:

https://bugzilla.redhat.com/show_bug.cgi?id=1633019

sos report
http://rhos-release.virt.bos.redhat.com/log/bz1676467
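The report above combines two conditions (log files readable by every local user, and PEM private-key material written into them), and the Doc Text for the fix names the `server_certs_key_passphrase` option with its insecure default. The following audit script checks all three. It is an added example, not code from this report or from the Octavia project: the log lines and key block are constructed filler, the temporary file stands in for /var/log/containers/octavia/worker.log, and the rule that the passphrase must be exactly 32 url-safe characters is my recollection of the upstream option's help text, so treat it as an assumption.

```python
"""Audit helpers for the exposure described in the bug: world-readable
Octavia log files that contain PEM private keys, plus a sanity check on
the server_certs_key_passphrase value introduced by the fix."""
import os
import re
import secrets
import stat
import tempfile

# Opening line of any PEM private key block (RSA, EC, PKCS#8, encrypted PKCS#8).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Default value of the option named in the Doc Text; it must be replaced.
DEFAULT_PASSPHRASE = "insecure-key-do-not-use-this-key"

# Constructed sample of what a leaking worker.log could look like; the key
# body is filler text, not real key material.
SAMPLE_LOG = (
    "2019-02-12 11:58:01.234 12345 DEBUG octavia.controller.worker "
    "[-] amphora agent config (constructed sample line)\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END RSA PRIVATE KEY-----\n"
    "2019-02-12 11:58:02.001 12345 INFO octavia.controller.worker "
    "[-] amphora configured (constructed sample line)\n"
)


def is_world_readable(mode):
    """True if the 'other' read bit is set, e.g. for 0o644 files or 0o755 dirs."""
    return bool(mode & stat.S_IROTH)


def find_private_key_lines(text):
    """Return the 1-based line numbers on which a PEM private key header appears."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if PRIVATE_KEY_RE.search(line)]


def audit_log_file(path):
    """Combine the permission check and the content scan for one log file.

    The exposure in the report needs both conditions at once: a key in the
    file and a mode that lets any local user read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        key_lines = find_private_key_lines(fh.read())
    world_readable = is_world_readable(mode)
    return {
        "path": path,
        "mode": oct(mode),
        "world_readable": world_readable,
        "private_key_lines": key_lines,
        "exposed": world_readable and bool(key_lines),
    }


def audit_passphrase(value):
    """Report problems with a configured server_certs_key_passphrase value."""
    issues = []
    if value == DEFAULT_PASSPHRASE:
        issues.append("default passphrase in use")
    # Assumption: the upstream option help asks for exactly 32 url-safe
    # characters; adjust if your release documents a different rule.
    if len(value) != 32:
        issues.append("passphrase is %d characters, expected 32" % len(value))
    return issues


def generate_passphrase():
    """Produce a 32-character url-safe value: 24 random bytes encode to 32 chars."""
    return secrets.token_urlsafe(24)


def demo_exposure():
    """Write the constructed log to a temp file and audit it with the mode the
    report observed (0o644) and with a hardened mode (0o640).
    Returns the two 'exposed' verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "worker.log")
        with open(log_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(log_path, 0o644)
        before = audit_log_file(log_path)["exposed"]
        os.chmod(log_path, 0o640)
        after = audit_log_file(log_path)["exposed"]
    return before, after


if __name__ == "__main__":
    print("exposed with 0o644 / 0o640:", demo_exposure())
    print("default passphrase:", audit_passphrase(DEFAULT_PASSPHRASE))
    print("generated passphrase:", audit_passphrase(generate_passphrase()))
```

Run against real paths, `audit_log_file` can be pointed at each file under /var/log/containers/octavia and /var/log/containers/httpd/octavia-api from the report; tightening the mode only closes the read path, so a file that already holds key material should also be treated as compromised and the affected amphora certificates rotated.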

Comment 1 Alexander Stafeyev 2019-02-12 12:03:41 UTC
Works well on SINGLE octavia topology.

Comment 2 Carlos Goncalves 2019-02-13 15:03:45 UTC
Active-standby is community supported only. Could you please file a story upstream?

Comment 3 Alexander Stafeyev 2019-03-04 10:28:05 UTC
https://storyboard.openstack.org/#!/story/2005128

Comment 17 errata-xmlrpc 2019-07-02 19:47:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1680

