Description of problem: In /etc/imagefactory, the following files store passwords in plain text. This is a security risk.

[root@cf-ceae2 imagefactory]# cat rhevm.json
{
  "rhevm-rhevm": {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/pub/ISO_mnt",
    "nfs-host": "fqdn",
    "api-url": "https://fqdn:8443/api",
    "password": "removed",
    "cluster": "_any_",
    "timeout": 1800
  }
}
[root@cf-ceae2 imagefactory]# cat vsphere.json
{
  "vsphere-vsphere5": {
    "api-url": "https://fqdn/sdk",
    "username": "username",
    "password": "removed",
    "datastore": "datastore1",
    "network_name": "VM Network"
  }
}
My understanding is that these passwords are not used and that configure doesn't need to write them. Ian, can you confirm? If configure is writing them, poke Eck to have him fix that.
I am not in a position to double-confirm this via actual testing, but re-reading the code I am 99% sure that these username and password fields can be removed from the config files. The account username and password to be used when doing a push are passed in XML as part of the push API call. We don't need the data to be duplicated in /etc.
I don't see the rhevm.json and vsphere.json files in the directory /etc/imagefactory now. Does that fix the issue, or has the location changed?

[root@dell-per805-01 imagefactory]# ll
total 8
-rw-r--r--. 1 root root  751 Feb 27 04:21 imagefactory.conf
drwxr-xr-x. 2 root root 4096 Feb 27 04:19 jeos_images

rpm -qa|grep aeolus
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-doc-0.8.0-36.el6.noarch
[root@qeblade30 ~]# cat /etc/imagefactory/rhevm.json
{
  "rhevm-default": {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "password": "dog8code",
    "cluster": "_any_",
    "timeout": 1800
  }
}
[root@qeblade30 ~]# rpm -qa | grep factory
imagefactory-jeosconf-ec2-rhel-1.0.0rc7-1.el6.noarch
imagefactory-1.0.0rc7-1.el6.noarch
imagefactory-jeosconf-ec2-fedora-1.0.0rc7-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
[root@qeblade30 ~]# rpm -qa | grep conductor
aeolus-conductor-doc-0.8.0-36.el6.noarch
aeolus-conductor-0.8.0-36.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
[root@qeblade30 ~]#

FAILS or not in build
Reassigning to rwsu per a discussion with morazi. Richard, We need the automagic setup of the rhevm.json and vsphere.json files to stop putting passwords in them. The passwords in these files are either ignored or are redundant but are being logged in /var/log/imagefactory.log.
Patch posted: https://fedorahosted.org/pipermail/aeolus-devel/2012-February/009189.html
Pushed to aeolus-configure commit 2c1404afec54662aa143429c002f982d56374634
After a fresh install from brew and running aeolus-configure:

# cat /etc/imagefactory/rhevm.json
{
  "rhevm-default": {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "password": "dog8code",
    "cluster": "_any_",
    "timeout": 1800
  }
}
[root@dell-pe1950-03 ~]# rpm -qa | grep "factory\|aeolus-con"
aeolus-conductor-0.8.0-38.el6.noarch
imagefactory-jeosconf-ec2-fedora-1.0.0rc8-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
aeolus-conductor-daemons-0.8.0-38.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
imagefactory-1.0.0rc8-1.el6.noarch
aeolus-conductor-doc-0.8.0-38.el6.noarch
imagefactory-jeosconf-ec2-rhel-1.0.0rc8-1.el6.noarch

Again it FAILS or is not in the build. If it's not in the build, please move the bug back to ON_QA (MODIFIED) once it is there (in brew). Thanks
529d24c in aeolus-configure-2.5.0-16
Passwords are not shown now.

# cat rhevm.json
{
  "rhevm-default": {
    "username": "admin@internal",
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "cluster": "_any_",
    "timeout": 1800
  }
}
# cat vsphere.json
{
  "vsphere-default": {
    "api-url": "https://10.16.120.136/sdk",
    "datastore": "datastore1",
    "network_name": "VM Network"
  }
}

Verified:
rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-39.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-configure-2.5.0-16.el6.noarch
aeolus-conductor-0.8.0-39.el6.noarch
aeolus-conductor-daemons-0.8.0-39.el6.noarch
aeolus-all-0.8.0-39.el6.noarch
rubygem-aeolus-cli-0.3.0-12.el6.noarch
This fails... The username is still in the rhevm.json file
Wes and I discussed this and, for consistency, we will put the username and password back in vsphere_configure. They are, however, not used by configure. Sometime in the future we hope to remove credentials altogether from the _configure files. This will involve changing how we validate the RHEV nfs-dir.

Posted a patch to remove username from rhevm.json and add username and password back in vsphere_configure.
https://fedorahosted.org/pipermail/aeolus-devel/2012-March/009373.html
https://fedorahosted.org/pipermail/aeolus-devel/2012-March/009374.html
Pushed two-part patch to aeolus-configure:
commit bfa5682f5cbc38a70b80a15a79f540801fb89482
commit 415e5b9e2292e67433b07aa45a7912fd0a7c7385
No username/password in the JSON files. VERIFIED on RHEL62 with packages:

# rpm -qa | grep 'aeolus\|imagefactory-\|oz-\|iwhd'
rubygem-aeolus-cli-0.3.0-12.el6.noarch
aeolus-configure-2.5.0-18.el6.noarch
iwhd-1.2-3.el6.x86_64
aeolus-all-0.8.0-41.el6.noarch
aeolus-conductor-doc-0.8.0-41.el6.noarch
imagefactory-1.0.0rc8-1.el6.noarch
aeolus-conductor-daemons-0.8.0-41.el6.noarch
imagefactory-jeosconf-ec2-fedora-1.0.0rc8-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
aeolus-conductor-0.8.0-41.el6.noarch
imagefactory-jeosconf-ec2-rhel-1.0.0rc8-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
oz-0.8.0-5.el6.noarch

# cat /etc/imagefactory/rhevm.json
{
  "rhevm-default": {
    "nfs-dir": "/mnt/rhevm-nfs",
    "nfs-path": "/home/blade27_export",
    "nfs-host": "qeblade26.rhq.lab.eng.bos.redhat.com",
    "api-url": "https://qeblade26.rhq.lab.eng.bos.redhat.com:8443/api",
    "cluster": "_any_",
    "timeout": 1800
  }
}
# cat /etc/imagefactory/vsphere.json
{
  "vsphere-default": {
    "api-url": "https://vsphere.server.com/sdk",
    "datastore": "datastore",
    "network_name": "network_name"
  }
}
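The manual verification in this thread (cat the provider JSON files and look for credential keys) can be scripted. The audit below is an added example, not code from aeolus-configure or imagefactory; it walks the nested provider JSON shape shown above and reports the key path of any username/password entry without printing the value. The sample documents and the PLACEHOLDER password are constructed.

```python
import json
from pathlib import Path

# Keys that should no longer appear in /etc/imagefactory/*.json after the fix.
CREDENTIAL_KEYS = {"username", "password"}


def find_credentials(obj, path=()):
    """Walk a parsed JSON document and return (key path, value) for every credential key."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in CREDENTIAL_KEYS:
                hits.append(("/".join(path + (key,)), value))
            hits.extend(find_credentials(value, path + (key,)))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_credentials(item, path + (str(i),)))
    return hits


def audit_config_dir(config_dir):
    """Return {filename: [(key path, value), ...]} for every JSON file that still carries credentials."""
    findings = {}
    for cfg in sorted(Path(config_dir).glob("*.json")):
        try:
            data = json.loads(cfg.read_text())
        except ValueError as exc:  # malformed file: report it rather than silently skipping
            findings[cfg.name] = [("<unparseable>", str(exc))]
            continue
        hits = find_credentials(data)
        if hits:
            findings[cfg.name] = hits
    return findings


# Constructed samples mirroring the rhevm.json shape before and after the fix (placeholder password).
BEFORE_FIX = {"rhevm-default": {"username": "admin@internal", "nfs-dir": "/mnt/rhevm-nfs",
                                "api-url": "https://fqdn:8443/api", "password": "PLACEHOLDER",
                                "cluster": "_any_", "timeout": 1800}}
AFTER_FIX = {"rhevm-default": {"nfs-dir": "/mnt/rhevm-nfs", "api-url": "https://fqdn:8443/api",
                               "cluster": "_any_", "timeout": 1800}}

if __name__ == "__main__":
    # Print only the key path, never the value, so the audit itself does not leak a secret.
    for name, hits in audit_config_dir("/etc/imagefactory").items():
        for key_path, _value in hits:
            print(f"{name}: credential key found at {key_path}")
```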
*** Bug 794739 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2012-0588.html