Bug 1996883
| Summary: | Reduce buildah log level for default build log level | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Madhusudan Upadhyay <maupadhy> |
| Component: | Build | Assignee: | Corey Daley <cdaley> |
| Status: | CLOSED WONTFIX | QA Contact: | Jitendar Singh <jitsingh> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 4.7 | CC: | adam.kaplan, aos-bugs, cdaley, taxu |
| Target Milestone: | --- | Flags: | cdaley: needinfo- |
| Target Release: | 4.11.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Before this update, Buildah printed steps to the log file by default. As a result, the contents of environment variables could be exposed by the default build settings. This update resolves the issue. The `--quiet` option is appended to Buildah builds for log levels below 2. Now Buildah build steps are no longer printed to the log when a build log level below 2 is specified, or no build log level is specified. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1996883[BZ#1996883]) | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-04-19 16:18:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Madhusudan Upadhyay
2021-08-23 21:48:31 UTC
Confirmed that even on the latest buildah (1.22), ENV steps are printed to stdout even if buildah's log level is set to "error" or higher.

Reproducer:

1. Create a simple Containerfile that has an ENV statement

```
FROM registry.redhat.io/ubi8/ubi:latest
ENV SECRET_DATA="hello-world"
RUN echo "Hello world!"
```

2. Build an image with the Containerfile above, with log level set to "error"

```
$ buildah --log-level=error bud -t hello-world:latest -f Containerfile .
```

Result: Step ENV is printed.

Filed upstream issue for buildah: https://github.com/containers/buildah/issues/3473

We will then have to think carefully about how we tune buildah's log output. I believe the convention is that log level 0 is considered "info" - we don't have a means to tell OpenShift builds to only print warning/error messages.

ENV declarations are set into the resulting container image - anything sensitive will leak in the deployed application. Therefore this is not as major a security concern, since by using ENV variables the developer is accepting that those values can be distributed/leaked. For truly sensitive information, using Secrets as a build input is the best option available today [1]. Once OCP 4.9 is released, we will have a better option with build volumes [2].

To get logging back to parity with OCP 3.11, we can pass buildah the "--quiet" option, which suppresses those STEP announcements. Our convention is to increase logging when BUILD_LOGLEVEL is set to 2 or higher - we can drop the quiet option then.

[1] https://docs.openshift.com/container-platform/4.8/cicd/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs
[2] https://issues.redhat.com/browse/BUILD-257

@cdaley Customer has confirmed that they are using secrets: https://docs.openshift.com/container-platform/4.8/cicd/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs

But not able to use "--quiet" build argument since they are using openshift s2i config:

```
strategy:
  type: Source
  sourceStrategy:
    from:
      kind: ImageStreamTag
      namespace: xxxxxxx
      name: 's2i-xxxxxx-xxxxxxx:v1.0.0'
```

Under this setting, the secret as well as every other openshift secret are printed. Do we have any workaround for this?
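The two mechanics discussed in this bug, the BUILD_LOGLEVEL convention that decides whether `--quiet` is passed to buildah, and the ENV step lines that leak into the build log when it is not, can be exercised offline. The script below is an added example and is not OpenShift's build code or buildah's; it assumes the rule stated in the Doc Text (levels below 2, or no level, get `--quiet`), and it assumes the `STEP N/M: ENV NAME=value` line shape seen in the reproducer output when scanning a constructed sample log. The log lines are constructed for the example, not captured from a real build.

```shell
#!/bin/sh
# Added example (not OpenShift's or buildah's code). Models the BUILD_LOGLEVEL
# rule from this bug and scans a build log for ENV steps that buildah printed.

# Print "--quiet" when the log level is below 2 or unset (the default level 0),
# nothing otherwise. Non-numeric values are treated as the default, level 0.
buildah_quiet_flag() {
  level="${1:-0}"
  case "$level" in
    ''|*[!0-9]*) level=0 ;;
  esac
  if [ "$level" -lt 2 ]; then
    printf '%s' '--quiet'
  fi
}

# Assemble a `buildah bud` command line for a given BUILD_LOGLEVEL, tag and
# Containerfile. Hypothetical helper, only the --quiet placement is from the bug.
buildah_bud_cmd() {
  quiet=$(buildah_quiet_flag "$1")
  printf 'buildah bud %s -t %s -f %s .' "$quiet" "$2" "$3" | tr -s ' '
}

# Constructed sample of what a non-quiet build prints (assumed STEP format).
SAMPLE_LOG='STEP 1/3: FROM registry.redhat.io/ubi8/ubi:latest
STEP 2/3: ENV SECRET_DATA="hello-world"
STEP 3/3: RUN echo "Hello world!"
Hello world!
COMMIT hello-world:latest'

# Count ENV step lines read from stdin. grep -c exits 1 on zero matches, so
# "|| true" keeps the count usable under `set -e`.
count_env_steps() {
  grep -c '^STEP [0-9/]*: ENV ' || true
}

# Report only the variable NAMES that were echoed, never their values, so the
# report itself does not re-leak what the log exposed.
env_step_names() {
  sed -n 's/^STEP [0-9/]*: ENV \([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# Stand-alone demo: show the command line per level and scan the sample log.
for lvl in "" 0 1 2 5; do
  printf 'BUILD_LOGLEVEL=%-2s -> %s\n' "$lvl" \
    "$(buildah_bud_cmd "$lvl" hello-world:latest Containerfile)"
done
n=$(printf '%s\n' "$SAMPLE_LOG" | count_env_steps)
printf 'ENV steps leaked into log: %s\n' "$n"
printf '%s\n' "$SAMPLE_LOG" | env_step_names | sed 's/^/  exposed variable: /'
```

Running the scan against a real build log (`oc logs build/<name> | count_env_steps`) is a quick way to confirm whether a given BUILD_LOGLEVEL setting still echoes ENV declarations; the name-only report is what to paste into a ticket, since the values are the thing you are trying not to spread.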