Bug 1843080
| Summary: | Shouldn't show token in delete and rollover pod logs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | OpenShift BugZilla Robot <openshift-bugzilla-robot> | ||||
| Component: | Logging | Assignee: | Periklis Tsirakidis <periklis> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Anping Li <anli> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 4.5 | CC: | aos-bugs, jcantril, periklis | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.5.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | No Doc Update | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2020-07-13 17:42:56 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1842445 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
OpenShift BugZilla Robot
2020-06-02 17:30:13 UTC
Moving to medium because a security risk The PR is in the image. But it still failed.
{
"io.openshift.build.commit.id": "1278b5f0e61dc3fd1fbad047eb905f0d876a0d68",
"io.openshift.build.commit.url": "https://github.com/openshift/elasticsearch-operator/commit/1278b5f0e61dc3fd1fbad047eb905f0d876a0d68",
"io.openshift.build.source-location": "https://github.com/openshift/elasticsearch-operator",
"io.openshift.maintainer.component": "Logging",
"io.openshift.maintainer.product": "OpenShift Container Platform",
"io.openshift.tags": "openshift,logging,elasticsearch",
"maintainer": "AOS Logging <aos-logging>",
"name": "openshift/ose-elasticsearch-operator",
"release": "202006031723",
"version": "v4.5.0"
}
#
$ oc get pods
NAME READY STATUS RESTARTS AGE
cluster-logging-operator-565c75fd55-xzf9h 1/1 Running 0 91m
curator-1591237800-28b5v 0/1 Error 0 94m
curator-1591243200-ggtcw 0/1 Completed 0 4m17s
elasticsearch-cdm-gc0jxyca-1-68c4d68bb8-jld72 2/2 Running 0 98m
elasticsearch-cdm-gc0jxyca-2-7cfd55c65-c26s8 2/2 Running 0 98m
elasticsearch-cdm-gc0jxyca-3-7fc9858bd6-gs5tq 2/2 Running 0 95m
elasticsearch-delete-app-1591243200-6mxjt 0/1 Completed 0 4m17s
elasticsearch-delete-audit-1591243200-8mqv2 0/1 Completed 0 4m17s
elasticsearch-delete-infra-1591243200-dqqth 0/1 Completed 0 4m17s
elasticsearch-rollover-app-1591243200-qqqmz 0/1 Error 0 4m17s
elasticsearch-rollover-audit-1591243200-j87wc 0/1 Error 0 4m17s
elasticsearch-rollover-infra-1591243200-xlwfj 0/1 Error 0 4m17s
#oc logs elasticsearch-rollover-app-1591243200-qqqmz
* About to connect() to elasticsearch port 9200 (#0)
* Trying 172.30.253.152...
* Connected to elasticsearch (172.30.253.152) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/indexmanagement/keys/admin-ca
CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=logging-es,OU=OpenShift,O=Logging
* start date: Jun 04 01:25:40 2020 GMT
* expire date: Jun 04 01:25:40 2022 GMT
* common name: logging-es
* issuer: CN=openshift-cluster-logging-signer
> POST /app-write/_rollover?pretty HTTP/1.1
> User-Agent: curl/7.29.0
> Host: elasticsearch:9200
> Accept: */*
> Content-Type:application/json
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5ZaVREMVdOaFo1b1FlVklIZWgxamttcDB1cExPcU9GaUdHRmV6S2VCb2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJvcGVuc2hpZnQtbG9nZ2luZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJlbGFzdGljc2VhcmNoLXRva2VuLTk5OGZ3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImVsYXN0aWNzZWFyY2giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxN2RlNzhlNC04ZDc2LTQ1MjYtYmUyZS1jYWNiOTY1MjNjMGQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6b3BlbnNoaWZ0LWxvZ2dpbmc6ZWxhc3RpY3NlYXJjaCJ9.X71Iz41cXWDquWwK3AX6q4vbm1uXGb0AoV9oiWPTAwbKPJdLKvZ_TRoGYh5VLD6hXDN2UMDP3zDKYhqNtF18-l4BSRuSG7qh7D1i2G2jRGkUgSmwrOq1TBvuRoVkYwIK-TzlelmDegCiTj9tCvsU49LPqGsmL62t1G4QCOkMMhxo7f_WnIuNQuyD0MnpPukOIdZ1TKngaz8aM9pQ1ArWukWdh0tHAMsjxxhWblw0GTssSFjoQzaXu1GweXr6QMK6fSDeAEsv8n112r7lK6mOc17ucMWUYwpDXEjkSrFefWUkSJWcp5TsmILaTLOtKtRdWP7BHm5JOBLoyPUU5YzqJQ
> Content-Length: 68
>
} [data not shown]
* upload completely sent off: 68 out of 68 bytes
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=UTF-8
< content-length: 29
<
{ [data not shown]
* Connection #0 to host elasticsearch left intact
Moving back to ON_QA. Please test again and make certain you have the image from this build https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1218736 It looks to have have the same commit hash. Additionally, looking at the commit tree, i don't see how it could display the logs referenced in the previous comment since the `-x` flag is missing: http://pkgs.devel.redhat.com/cgit/containers/elasticsearch-operator/tree/pkg/indexmanagement/scripts.go?h=rhaos-4.5-rhel-7&id=5411ff8aa1d4fd03953af8ad7efb13e71e821d41#n4 Can you hop on the pod and look at the run script to ensure it is absent? If it is still showing the logs with the token then we have something else going on. Created attachment 1696130 [details] The elasticsearch-delete-xx run.sh There is still token. "io.openshift.build.commit.id": "ae738e44c20d89f6eada143501563e5defbe36c9", "io.openshift.build.commit.url": "https://github.com/openshift/elasticsearch-operator/commit/ae738e44c20d89f6eada143501563e5defbe36c9", "name": "openshift/ose-elasticsearch-operator", "release": "202006080457", "vcs-ref": "00fa021b52b07250914d63f7bac7955f4843b7ed", "version": "v4.5.0" Verified in clusterlogging.4.5.0-202006161654 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409 |