yahoo-eng-team team mailing list archive
Message #18106
[Bug 1348840] [NEW] Nova logs iscsi passwords when attaching volumes
Public bug reported:
Example:
2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node -T iqn.2010-10.org.openstack:volume-5940c9ef-ebec-448a-a8eb-971f0ef32a69 -p 10.191.1.1:3260 --op update -n node.session.auth.password -v 266nnohUEzTRP5QtPJ47 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:154
2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Result was 0 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:187
2014-07-25 21:50:13.058 4750 DEBUG nova.virt.libvirt.volume [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'266nnohUEzTRP5QtPJ47'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume.py:248
The part after the "-v" is the value to update the open-iscsi record
with, and it is the password used to attach the volume. We've found
that the following regex can catch these in the logs:
node\.session\.auth\.password.*
It's a debug level log message, so this issue can be avoided by turning
off debug logging in production. However, since it's a command that
gets executed with sudo, it ends up in /var/log/auth.log by default too.
We'd like to fix this problem at the source by not executing a command
that contains the password. Is there any other way to update the
record?
** Affects: nova
Importance: Undecided
Status: New
** Description changed:
Example:
2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node -T iqn.2010-10.org.openstack:volume-5940c9ef-ebec-448a-a8eb-971f0ef32a69 -p 10.191.1.1:3260 --op update -n node.session.auth.password -v 266nnohUEzTRP5QtPJ47 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:154
2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Result was 0 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:187
2014-07-25 21:50:13.058 4750 DEBUG nova.virt.libvirt.volume [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'266nnohUEzTRP5QtPJ47'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume.py:248
- The part after the "-v" the value to update the open-iscsi record with,
- and it is the password used to attach the volume. We've found that the
- following regex can catch these in the logs:
+ The part after the "-v" is the value to update the open-iscsi record
+ with, and it is the password used to attach the volume. We've found
+ that the following regex can catch these in the logs:
node\.session\.auth\.password.*
It's a debug level log message, so this issue can be avoided by turning
off debug logging in production. However, since it's a command that
gets executed with sudo, it ends up in /var/log/auth.log by default too.
We'd like to fix this problem at the source by not executing a command
that contains the password. Is there any other way to update the
record?
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1348840
Title:
Nova logs iscsi passwords when attaching volumes
Status in OpenStack Compute (Nova):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1348840/+subscriptions
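The detection regex from the report, extended into a log scrubber, as an added example that is not part of the bug report or of Nova's code. The `SECRET` pattern, the function names and the sample lines are assumptions constructed here; the sample secret is not a real credential.

```python
import re

# Detection regex quoted in the bug report: flags any line naming the setting.
DETECT = re.compile(r"node\.session\.auth\.password.*")

# Assumption (not from the report): the secret is the token after "-v", either a
# bare argv word or a quoted element of a Python tuple repr. "_in" covers
# open-iscsi's mutual-CHAP setting node.session.auth.password_in.
SECRET = re.compile(
    r"""(node\.session\.auth\.password(?:_in)?
         ['"]?\s*,?\s*          # closing quote and tuple comma, if any
         ['"]?-v['"]?\s*,?\s*   # the -v flag, bare or quoted
         (?:u?['"])?)           # opening quote of the value, with optional u prefix
        ([^\s'")]+)             # the secret itself
    """,
    re.VERBOSE,
)

def redact(line):
    """Return the line with the iSCSI CHAP secret replaced by '***'."""
    return SECRET.sub(r"\g<1>***", line)

def scan(lines):
    """Return (line_number, redacted_line) for each line the report's regex flags."""
    return [(n, redact(l)) for n, l in enumerate(lines, 1) if DETECT.search(l)]

# Constructed sample lines modelled on the three log shapes described in the
# report (command string, argument tuple, sudo entry in auth.log).
SAMPLE = [
    "DEBUG processutils Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf "
    "iscsiadm -m node -T iqn.example:vol-1 -p 192.0.2.10:3260 --op update "
    "-n node.session.auth.password -v uExampleSecret01 execute processutils.py:154",
    "DEBUG processutils Result was 0 execute processutils.py:187",
    "DEBUG nova.virt.libvirt.volume iscsiadm ('--op', 'update', '-n', "
    "'node.session.auth.password', '-v', u'uExampleSecret01'): stdout= stderr=",
    "sudo: nova : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/nova-rootwrap "
    "/etc/nova/rootwrap.conf iscsiadm -m node -T iqn.example:vol-1 -p 192.0.2.10:3260 "
    "--op update -n node.session.auth.password -v uExampleSecret01",
]

if __name__ == "__main__":
    for number, clean in scan(SAMPLE):
        print(number, clean)
```

Scrubbing only cleans logs already written; any secret found this way should be treated as exposed until the command itself stops carrying it.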