Red Hat Bugzilla – Bug 979092
openstack-keystone: please review support data collection
Last modified: 2016-04-26 20:33:57 EDT
Description of problem:
As part of support readiness preparations for OpenStack please review the data proposed to be collected for support purposes by the sos tool:
Please verify that this set of information is complete and sufficient for support of this component and confirm either that no secrets (passwords, private keys, etc.) are collected or list any secrets that may be included.
This information is needed to create path exclusion and search/replace rules to remove this data from generated reports.
We are aware of the following possibly confidential items in this component's collected data:
#ca_password = None
# password = None
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
Please provide feedback on these items via this bug - once the review has taken place the bug may be closed.
In addition to the values above, the SQL Connection and the LDAP connection both can potentially have passwords in them.
The two keyfile values are merely paths, and should be left in the data.
The admin_token value is like a password and should be removed. If the value is present, however, it indicates a misconfigured system, so a marker that it was set should be included.
Bryn, any additional data needed for this one?
Jeremy is working on the SOS report for this.
new pull request submitted and can be tracked at BZ999657.
We are currently only collecting default_catalog.templates,keystone.conf,logging.conf, and policy.json from /etc/keystone so we dont copy private ssl keys.
in keystone.conf we are replacing the passowd string with ***** in the settings ca_password,password,admin_token, and the password portion of the sql connection string.
This was accepted upstream and is in the main github branch.
For RHEL6 this had to be backported to sos 2.2 and is not in the main sos package. It can be found in the package sos-plugins-openstack.
For testing the sos and sos-plugins-openstack packages should be installed and run on a system with keystone installed. The sos tarball should contain the 4 keystone config files from the setup self.add_copy_specs call and should also capture the logs from /var/log/keystone. The /etc/keystone/keystone.conf file should also have passwords scrubbed in the postproc step.
tested and works as expected, see test plan.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.