Bug 979085 - openstack-nova: please review support data collection
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
urgent Severity medium
: Upstream M3
: 4.0
Assigned To: Nikola Dipanov
Ami Jeain
Blocks: 840057
Reported: 2013-06-27 10:55 EDT by Bryn M. Reeves
Modified: 2016-04-26 11:25 EDT
Doc Type: Bug Fix
Last Closed: 2013-11-20 18:30:50 EST
Type: Bug
Attachments:
Sample etc directory for an allinone RHOS install (Grizzly) (43.20 KB, application/gzip)
2013-08-13 18:35 EDT, Perry Myers
Description Bryn M. Reeves 2013-06-27 10:55:30 EDT
As part of support readiness preparations for OpenStack please review the data proposed to be collected for support purposes by the sos tool:

        "/etc/nova/"
        "/var/log/nova/"
        "/var/lib/nova/"
        "/etc/polkit-1/localauthority/50-local.d/50-nova.pkla"
        "/etc/sudoers.d/nova"
        "/etc/logrotate.d/openstack-nova"

Please verify that this set of information is complete and sufficient for support of this component and confirm either that no secrets (passwords, private keys, etc.) are collected or list any secrets that may be included.

This information is needed to create path exclusion and search/replace rules to remove this data from generated reports.

Please provide feedback on these items via this bug - once the review has taken place the bug may be closed.
Comment 4 Russell Bryant 2013-08-12 15:39:50 EDT
The following secrets are included:

options in /etc/nova/nova.conf
 - [general]
   - ldap_dns_password
   - neutron_admin_password
   - rabbit_password
   - qpid_password
   - powervm_mgr_passwd
   - xenapi_connection_password
   - virtual_power_host_pass
 - [matchmaker_redis]
   - password
 - [vmware]
   - host_password
   - vnc_password
 - [database]
    - connection
 - [baremetal]
    - sql_connection

options in /etc/nova/api-paste.ini (probably not actually here, but just in case)
 - [filter:authtoken]
   - admin_password

Also, I wouldn't include /var/lib/nova.  It's all data that I don't think is appropriate to collect.

I'd like another nova person to look at this to make sure I didn't miss anything, though.
Comment 5 Alan Pevec 2013-08-12 17:36:39 EDT
> options in /etc/nova/api-paste.ini (probably not actually here, but just in
> case)
>  - [filter:authtoken]
>    - admin_password

That's still an option, i.e. the user could put authtoken configuration into paste.ini, but the default location in our RPMs is the nova.conf [keystone_authtoken] section, and the sosreport plugin should mask both:
/etc/nova/api-paste.ini [filter:authtoken] admin_password
and
/etc/nova/nova.conf [keystone_authtoken] admin_password
Comment 6 Nikola Dipanov 2013-08-13 04:47:37 EDT
We might want to consider two more things (however unlikely):

* /etc/sysconfig/openstack-nova-novncproxy.sysconfig as it might have been used to override novncproxy options.
* /var/security/limits.d/91-nova.conf (due to #917534)
Comment 7 Russell Bryant 2013-08-13 05:00:03 EDT
The review looks pretty complete to me now.  Thanks Alan and Nikola!  Bryn, is there any additional information we can provide that would be helpful?
Comment 8 Bryn M. Reeves 2013-08-13 05:49:45 EDT
Examples of the configuration files so that we can come up with regexes to remove these items would be helpful, particularly considering the short time left to the deadline.

Alternately if anyone has a test system where I can look at all this stuff live that would be a help.
Comment 9 Perry Myers 2013-08-13 18:35:07 EDT
Created attachment 786324
Sample etc directory for an allinone RHOS install (Grizzly)
Comment 10 Perry Myers 2013-08-13 18:35:41 EDT
Bryn, see attachment from Comment #9
Comment 11 Russell Bryant 2013-11-20 18:30:50 EST
It looks like this is complete.  Please let us know if you need more information.  Thanks!
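
The search/replace rules requested in the description and comment 8, applied to the options listed in comments 4 and 5, as an added example that is not part of this bug thread and is not the sos plugin's own code. The function name `mask_config`, the mask string, the reading of "[general]" as `[DEFAULT]`, and the `scheme://user:password@host/db` shape of connection URLs are assumptions of this example; the sample input is constructed.

```python
import re

MASK = "********"
# Section -> options named in the comments above. Assumption of this example:
# "[general]" in the thread means nova.conf's [DEFAULT]; both names are accepted.
SECRETS = {
    "DEFAULT": {"ldap_dns_password", "neutron_admin_password", "rabbit_password",
                "qpid_password", "powervm_mgr_passwd",
                "xenapi_connection_password", "virtual_power_host_pass"},
    "matchmaker_redis": {"password"},
    "vmware": {"host_password", "vnc_password"},
    "keystone_authtoken": {"admin_password"},  # nova.conf
    "filter:authtoken": {"admin_password"},    # api-paste.ini
}
SECRETS["general"] = SECRETS["DEFAULT"]
# Connection URLs, assumed to look like scheme://user:password@host/db;
# only the password part is masked so the rest stays useful for support.
URL_SECRETS = {"database": {"connection"}, "baremetal": {"sql_connection"}}

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Optional leading "#" so commented-out old values are masked as well.
OPTION_RE = re.compile(r"^(\s*(?:#\s*)?)([\w.]+)(\s*[=:]\s*)(.*)$")
# Greedy \S* runs to the last "@", covering passwords that contain "@".
URL_CRED_RE = re.compile(r"(://[^:/@\s]+:)\S*(@)")

def mask_config(text):
    """Return INI-style text with the listed secrets replaced by MASK."""
    section, out = None, []
    for line in text.splitlines():
        sec, opt = SECTION_RE.match(line), OPTION_RE.match(line)
        if sec:
            section = sec.group(1).strip()
        elif opt:
            prefix, key, sep, value = opt.groups()
            if key in SECRETS.get(section, ()):
                value = MASK
            elif key in URL_SECRETS.get(section, ()):
                value = URL_CRED_RE.sub(r"\g<1>" + MASK + r"\g<2>", value)
            line = prefix + key + sep + value
        out.append(line)
    return "\n".join(out)

# Constructed sample input, not taken from the attachment on this bug.
SAMPLE = """[DEFAULT]
rabbit_password = constructed-rabbit-secret
#qpid_password = constructed-old-secret
[database]
connection = mysql://nova:constructed-db-secret@192.0.2.10/nova
[keystone_authtoken]
admin_password = constructed-admin-secret"""
```

Matching is section-aware, so an option named `password` outside the listed sections is left alone, and a connection URL without credentials passes through unchanged.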