debcrafters-packages team mailing list archive

Thread
Date
[Bug 2101134] Re: [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Bryan Fraschetti <2101134@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Jun 2025 21:51:01 -0000
Reply-to: Bug 2101134 <2101134@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Noble verification
==================
I've verified this by deploying OpenStack Epoxy on Noble via juju and running sos report on the various machines

## Check ceph obfuscation

ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh ceph-
rgw/0

# Before enabling proposed
ubuntu@juju-7b2ab9-verif-testing-4:~$ sudo sos report
ubuntu@juju-7b2ab9-verif-testing-4:~$ tar -xf /tmp/sosreport-juju-7b2ab9-verif-testing-4-2025-06-06-umexjpp.tar.xz
ubuntu@juju-7b2ab9-verif-testing-4:~$ cat sosreport-juju-7b2ab9-verif-testing-4-2025-06-06-umexjpp/etc/ceph/ceph.conf
Observed that password (rgw keystone admin password) is present in plaintext

# After enabling proposed
# modified /etc/apt/sources.list.d/ubuntu.sources to contain:
Types: deb
URIs: http://availability-zone-1.clouds.archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

ubuntu@juju-7b2ab9-verif-testing-4:~$ sudo apt update && sudo apt upgrade -y
ubuntu@juju-7b2ab9-verif-testing-4:~$ sudo sos report
ubuntu@juju-7b2ab9-verif-testing-4:~$ tar -xf /tmp/sosreport-juju-7b2ab9-verif-testing-4-2025-06-06-kqzaxuc.tar.xz
ubuntu@juju-7b2ab9-verif-testing-4:~$ cat sosreport-juju-7b2ab9-verif-testing-4-2025-06-06-kqzaxuc/etc/ceph/ceph.conf
[global]
... File contents ...
rgw keystone admin user = s3_swift
rgw keystone admin password = *********
rgw keystone api version = 3
rgw keystone admin domain = service_domain
... Continued file contents

Note that rgw keystone admin password is successfully obfuscated

# Check for existence of auth.log, syslog, kern.log, and ubuntu-
advantage.log

ubuntu@juju-7b2ab9-verif-testing-4:~$ ls -alh sosreport-juju-7b2ab9-verif-testing-4-2025-06-06-kqzaxuc/var/log/
# Note that I truncated the listing to just those of concern for brevity
total 756K
-rw-r----- 1 syslog adm   24K Jun  6 21:23 auth.log
-rw-r----- 1 root   adm   46K Jun  6 20:41 dmesg
-rw-r----- 1 syslog adm   73K Jun  6 21:22 kern.log
-rw-r----- 1 syslog adm  310K Jun  6 21:24 syslog
-rw-r----- 1 root   root 4.8K Jun  6 21:24 ubuntu-advantage.log


## Check Horizon obfuscation

ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh
openstack-dashboard/0

# Before enabling proposed
ubuntu@juju-7b2ab9-verif-testing-14:~$ sudo sos report
ubuntu@juju-7b2ab9-verif-testing-14:~$ tar -xf /tmp/sosreport-juju-7b2ab9-verif-testing-14-2025-06-06-gzpkbsm.tar.xz
ubuntu@juju-7b2ab9-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" sosreport-juju-7b2ab9-verif-testing-14-2025-06-06-gzpkbsm/etc/openstack-dashboard/local_settings.py
Observed that SECRET_KEY, PASSWORD, and EMAIL_HOST_PASSWORD are not obfuscated

# After enabling proposed
# modified /etc/apt/sources.list.d/ubuntu.sources to contain:
Types: deb
URIs: http://availability-zone-1.clouds.archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

ubuntu@juju-7b2ab9-verif-testing-14:~$ sudo apt update && sudo apt upgrade -y
ubuntu@juju-7b2ab9-verif-testing-14:~$ sudo sos report
ubuntu@juju-7b2ab9-verif-testing-14:~$ tar -xf /tmp/sosreport-juju-7b2ab9-verif-testing-14-2025-06-06-yoliman.tar.xz
ubuntu@juju-7b2ab9-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" sosreport-juju-7b2ab9-verif-testing-14-2025-06-06-yoliman/etc/openstack-dashboard/local_settings.py
SECRET_KEY = *********
        'PASSWORD': *********
EMAIL_HOST_PASSWORD = *********

Note that all are now successfully obfuscated

# Check for auth.log, syslog, kern.log, and ubuntu-advantage.log

ubuntu@juju-7b2ab9-verif-testing-14:~$ ls -alh sosreport-juju-7b2ab9-verif-testing-14-2025-06-06-yoliman/var/log/
# Note that I truncated the listing to just those of concern for brevity
total 844K
-rw-r----- 1 syslog adm   24K Jun  6 21:35 auth.log
-rw-r----- 1 root   adm   46K Jun  6 20:42 dmesg
-rw-r----- 1 syslog adm   73K Jun  6 21:34 kern.log
-rw-r----- 1 syslog adm  316K Jun  6 21:35 syslog
-rw-r----- 1 root   root 4.8K Jun  6 21:35 ubuntu-advantage.log

Will repeat on oracular

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to sos in Ubuntu.
https://bugs.launchpad.net/bugs/2101134

Title:
  [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

Status in Ubuntu Pro:
  New
Status in Ubuntu Pro 20.04 series:
  New
Status in sos package in Ubuntu:
  Fix Released
Status in sosreport source package in Focal:
  Won't Fix
Status in sosreport source package in Jammy:
  Fix Committed
Status in sosreport source package in Noble:
  Fix Committed
Status in sosreport source package in Oracular:
  Fix Committed
Status in sos source package in Plucky:
  Fix Released

Bug description:
  [ Impact ]

  When doing SRU for sos 4.8.2 we encountered obfuscation issues,
  although not a regression at the time, it was still an issue that had
  been present for a while

  1. So, these passwords would be fully visible to the end support personnel and therefore leaked passwords.
  2. Some logs had not longer being collected which are essential for debugging, such as auth.log, syslog and kern.log in /var/log
  3. The ubuntu plugin was no longer collecting Ubuntu Pro details due to the package name for ubuntu-pro, and hence essential for supportability for customers that have Ubuntu Pro
  4. autopkgtest for focal rendered a new issue, was not necessarily an issue, but the script was catching it

  [ Test Plan ]

  Test 1. Deploy a openstack simple cloud, and run the sos report, check to see if passwords are obfuscated in configuration file for radosgw and horizon config in particular /etc/ceph/ceph.conf and /etc/horizon/local_settings.py
  Test 2. Deploy all series, and ensure the the auth.log, syslog and kerne.log are collected from /var/log.
  Test 3. On the same hosts as Test 2, ensure that /var/log/ubuntu-advantage logs are collected
  Test 4. Ensure to do autopkgtest via PPA for arm64 before going for SRU, and ensure all is good before submitting

  The majority of the testing will follow ythe process detailed in the
  following URL:

  https://wiki.ubuntu.com/SosreportUpdates

  [ Where problems could occur ]

  1. The corresponding files are not obfuscated, and we need to update the patches.
  2. The files that have been specified are not being collected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-pro/+bug/2101134/+subscriptions