debcrafters-packages team mailing list archive

Thread
Date
[Bug 2101134] Re: [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Bryan Fraschetti <2101134@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Jun 2025 20:00:49 -0000
Reply-to: Bug 2101134 <2101134@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Hello o/

I've verified this by deploying OpenStack Yoga on Jammy via juju then
running sos report on the various machines

## Check ceph obfuscation

ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh ceph-
rgw/0

# Before enabling proposed
ubuntu@juju-35531a-verif-testing-4:~$ sudo sos report
ubuntu@juju-35531a-verif-testing-4:~$ tar -xf /tmp/sosreport-juju-35531a-verif-testing-4-2025-06-06-fnzgjcu.tar.xz
ubuntu@juju-35531a-verif-testing-4:~$ cat sosreport-juju-35531a-verif-testing-4-2025-06-06-fnzgjcu/etc/ceph/ceph.conf
Observed that password (rgw keystone admin password) is present in plaintext

# After enabling proposed
ubuntu@juju-35531a-verif-testing-4:~$ sudo add-apt-repository -y "deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted universe multiverse"
ubuntu@juju-35531a-verif-testing-4:~$ sudo apt update && sudo apt upgrade -y
ubuntu@juju-35531a-verif-testing-4:~$ sudo sos report
ubuntu@juju-35531a-verif-testing-4:~$ tar -xf /tmp/sosreport-juju-35531a-verif-testing-4-2025-06-06-ouwvavz.tar.xz
ubuntu@juju-35531a-verif-testing-4:~$ cat sosreport-juju-35531a-verif-testing-4-2025-06-06-ouwvavz/etc/ceph/ceph.conf
[global]
... File contents ...
rgw keystone admin user = s3_swift
rgw keystone admin password = *********
rgw keystone api version = 3
rgw keystone admin domain = service_domain
... Continued file contents

Note that rgw keystone admin password is successfully obfuscated

# Check for existence of auth.log, syslog, kern.log, and ubuntu-
advantage.log

ubuntu@juju-35531a-verif-testing-4:~$ ls -alh sosreport-juju-35531a-verif-testing-4-2025-06-06-ouwvavz/var/log/
# Note that I truncated the listing to just those of concern for brevity
total 700K
drwxrwxr-x 7 root   root 4.0K Jun  6 19:03 .
drwxr-xr-x 7 root   root 4.0K Jun  6 18:27 ..
-rw-r----- 1 syslog adm   10K Jun  6 19:04 auth.log
-rw-r----- 1 root   adm   43K Jun  6 18:26 dmesg
-rw-r----- 1 syslog adm   68K Jun  6 19:04 kern.log
-rw-r----- 1 syslog adm  261K Jun  6 19:04 syslog
-rw-r----- 1 root   root  16K Jun  6 19:04 ubuntu-advantage.log

## Check Horizon obfuscation

ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh
openstack-dashboard/0

# Before enabling proposed
ubuntu@juju-35531a-verif-testing-14:~$ sudo sos report
ubuntu@juju-35531a-verif-testing-14:~$ tar -xf /tmp/sosreport-juju-35531a-verif-testing-14-2025-06-06-qfunzxc.tar.xz
ubuntu@juju-35531a-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" sosreport-juju-35531a-verif-testing-14-2025-06-06-qfunzxc/etc/openstack-dashboard/local_settings.py
Observed that SECRET_KEY, PASSWORD, and EMAIL_HOST_PASSWORD are not obfuscated

# After enabling proposed
ubuntu@juju-35531a-verif-testing-14:~$ sudo add-apt-repository -y "deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted universe multiverse"
ubuntu@juju-35531a-verif-testing-14:~$ sudo apt update && sudo apt upgrade -y
ubuntu@juju-35531a-verif-testing-14:~$ sudo sos report
ubuntu@juju-35531a-verif-testing-14:~$ sudo tar -xf /tmp/sosreport-juju-35531a-verif-testing-14-2025-06-06-lrqqhif.tar.xz
ubuntu@juju-35531a-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" sosreport-juju-35531a-verif-testing-14-2025-06-06-lrqqhif/etc/openstack-dashboard/local_settings.py
SECRET_KEY = *********
        'PASSWORD': *********
EMAIL_HOST_PASSWORD = *********

Note that all are now successfully obfuscated

# Check for auth.log, syslog, kern.log, and ubuntu-advantage.log

ubuntu@juju-35531a-verif-testing-14:~$ ls -alh sosreport-juju-35531a-verif-testing-14-2025-06-06-lrqqhif/var/log/
# Note that I truncated the listing to just those of concern for brevity
total 804K
drwxrwxr-x 7 root   root 4.0K Jun  6 19:30 .
drwxr-xr-x 7 root   root 4.0K Jun  6 18:27 ..
-rw-r----- 1 syslog adm   18K Jun  6 19:31 auth.log
-rw-r----- 1 root   adm   43K Jun  6 18:26 dmesg
-rw-r----- 1 syslog adm   68K Jun  6 19:31 kern.log
-rw-r----- 1 syslog adm  276K Jun  6 19:31 syslog
-rw-r----- 1 root   root  16K Jun  6 19:31 ubuntu-advantage.log

I will repeat this testing on noble and oracular

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to sos in Ubuntu.
https://bugs.launchpad.net/bugs/2101134

Title:
  [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

Status in Ubuntu Pro:
  New
Status in Ubuntu Pro 20.04 series:
  New
Status in sos package in Ubuntu:
  Fix Released
Status in sosreport source package in Focal:
  Won't Fix
Status in sosreport source package in Jammy:
  Fix Committed
Status in sosreport source package in Noble:
  Fix Committed
Status in sosreport source package in Oracular:
  Fix Committed
Status in sos source package in Plucky:
  Fix Released

Bug description:
  [ Impact ]

  When doing SRU for sos 4.8.2 we encountered obfuscation issues,
  although not a regression at the time, it was still an issue that had
  been present for a while

  1. So, these passwords would be fully visible to the end support personnel and therefore leaked passwords.
  2. Some logs had not longer being collected which are essential for debugging, such as auth.log, syslog and kern.log in /var/log
  3. The ubuntu plugin was no longer collecting Ubuntu Pro details due to the package name for ubuntu-pro, and hence essential for supportability for customers that have Ubuntu Pro
  4. autopkgtest for focal rendered a new issue, was not necessarily an issue, but the script was catching it

  [ Test Plan ]

  Test 1. Deploy a openstack simple cloud, and run the sos report, check to see if passwords are obfuscated in configuration file for radosgw and horizon config in particular /etc/ceph/ceph.conf and /etc/horizon/local_settings.py
  Test 2. Deploy all series, and ensure the the auth.log, syslog and kerne.log are collected from /var/log.
  Test 3. On the same hosts as Test 2, ensure that /var/log/ubuntu-advantage logs are collected
  Test 4. Ensure to do autopkgtest via PPA for arm64 before going for SRU, and ensure all is good before submitting

  The majority of the testing will follow ythe process detailed in the
  following URL:

  https://wiki.ubuntu.com/SosreportUpdates

  [ Where problems could occur ]

  1. The corresponding files are not obfuscated, and we need to update the patches.
  2. The files that have been specified are not being collected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-pro/+bug/2101134/+subscriptions