yahoo-eng-team team mailing list archive

[Bug 1348840] Re: Nova logs iscsi passwords when attaching volumes

 

This wishlist bug has been open a year without any activity. I'm going
to move it to "Opinion / Wishlist", which is an easily-obtainable queue
of older requests that have come on.

In case you want to work on that, consider writing a blueprint [1] and
spec [2]. I recommend reading [3] if not yet done. The effort to
implement the requested feature is then driven only by the blueprint
(and spec).

References:
[1] https://blueprints.launchpad.net/nova/
[2] https://github.com/openstack/nova-specs
[3] https://wiki.openstack.org/wiki/Blueprints

** Changed in: nova
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1348840

Title:
  Nova logs iscsi passwords when attaching volumes

Status in OpenStack Compute (nova):
  Opinion

Bug description:
  Example:

  2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node -T iqn.2010-10.org.openstack:volume-5940c9ef-ebec-448a-a8eb-971f0ef32a69 -p 10.191.1.1:3260 --op update -n node.session.auth.password -v 266nnohUEzTRP5QtPJ47 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:154
  2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Result was 0 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:187
  2014-07-25 21:50:13.058 4750 DEBUG nova.virt.libvirt.volume [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'266nnohUEzTRP5QtPJ47'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume.py:248

  The part after the "-v" is the value to update the open-iscsi record
  with, and it is the password used to attach the volume.  We've found
  that the following regex can catch these in the logs:

  node\.session\.auth\.password.*

  It's a debug level log message, so this issue can be avoided by
  turning off debug logging in production.  However, since it's a
  command that gets executed with sudo, it ends up in /var/log/auth.log
  by default too.  We'd like to fix this problem at the source by not
  executing a command that contains the password.  Is there any other
  way to update the record?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1348840/+subscriptions
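
An added example, not part of the original message and not Nova's own code: a Python `logging` filter that masks the value following `node.session.auth.password ... -v` in both log shapes quoted in the bug description. The names `redact`, `IscsiSecretFilter` and `run_samples`, and the sample secret, are constructed for illustration.

```python
import io
import logging
import re

MASK = "***"
# Option name from the report, the -v flag, then the value (command line or tuple repr).
_ISCSI_SECRET = re.compile(
    r"""(node\.session\.auth\.password   # option named in the report
         ['",\s]+ -v ['",\s]+            # separators around the -v flag
         (?:u?['"])?)                    # opening quote of a (unicode) repr
        ([^'"\s)]+)                      # the secret value
    """, re.VERBOSE)

def redact(line):
    """Return line with the iscsiadm password value replaced by MASK."""
    return _ISCSI_SECRET.sub(lambda m: m.group(1) + MASK, line)

class IscsiSecretFilter(logging.Filter):
    """Scrub each record before the handler formats and writes it."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

# Constructed sample messages in the shapes shown above; the secret is made up.
SAMPLES = [
    "Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm "
    "-m node -p 10.191.1.1:3260 --op update -n node.session.auth.password "
    "-v uEXAMPLEsecret1 execute",
    "iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', "
    "u'uEXAMPLEsecret1'): stdout= stderr=",
    "Result was 0 execute",
]

def run_samples():
    """Log SAMPLES through a filtered handler; return the lines written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(IscsiSecretFilter())
    log = logging.getLogger("iscsi_redact_demo")
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)
    for line in SAMPLES:
        log.debug("%s", line)
    log.removeHandler(handler)
    return buf.getvalue().splitlines()

if __name__ == "__main__":
    print("\n".join(run_samples()))
```

The filter only covers messages written through Python logging; the sudo entry in /var/log/auth.log is written outside the process and is not affected by it.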

