Guest admin password and network information is logged at debug if libvirt.inject_partition != -2

Bug #1737207 reported by Matt Riedemann
Affects                    Status          Importance   Assigned to      Milestone
OpenStack Compute (nova)   Fix Released    Medium       Matt Riedemann
Ocata                      Fix Committed   Medium       Matt Riedemann
Pike                       Fix Committed   Medium       Matt Riedemann
Queens                     Fix Committed   Medium       Matt Riedemann

Bug Description

When using the libvirt driver and the inject_partition config option is != -2 (disabled), the driver will log the network information and admin password about the guest during disk injection:

http://logs.openstack.org/50/524750/1/check/legacy-tempest-dsvm-neutron-full-centos-7/a7f051e/logs/screen-n-cpu.txt.gz#_Dec_04_13_42_41_311316

Dec 04 13:42:41.311316 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Checking root disk injection InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3115}}
Dec 04 13:42:41.314687 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Injecting InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3146}}

This was introduced in Ocata (15.0.0): https://review.openstack.org/#/c/337790/

Matt Riedemann (mriedem)
Changed in nova:
assignee: nobody → Matt Riedemann (mriedem)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/526772

Changed in nova:
status: Triaged → In Progress
Matt Riedemann (mriedem)
no longer affects: nova/newton
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/548289

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/548312

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/548314

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/526772
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6839630e86d958dcda8585664586754d419363a7
Submitter: Zuul
Branch: master

commit 6839630e86d958dcda8585664586754d419363a7
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207

Changed in nova:
status: In Progress → Fix Released
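
The leak described in this report and the masking named in the fix's commit subject, shown side by side as an added example (not nova's code and not part of the original report). The class names, logger name and sample values are assumptions constructed for illustration.

```python
import collections
import logging

# Constructed sample values; not taken from any real deployment.
SAMPLE_PASS = "example-Passw0rd!"
SAMPLE_NET = [{"address": "fa:16:3e:00:00:01", "type": "ovs"}]

# "Before": a plain namedtuple. Its default repr prints every field.
LeakyInjectionInfo = collections.namedtuple(
    "LeakyInjectionInfo", ["network_info", "files", "admin_pass"])


class MaskedInjectionInfo(collections.namedtuple(
        "MaskedInjectionInfo", ["network_info", "files", "admin_pass"])):
    """'After': same fields, but the string form never exposes admin_pass."""
    __slots__ = ()

    def __repr__(self):
        # str() falls back to repr() for tuples, so %s and %r are both covered.
        return ("MaskedInjectionInfo(network_info=%r, files=%r, "
                "admin_pass=<SANITIZED>)" % (self.network_info, self.files))


class ListHandler(logging.Handler):
    """Collects formatted messages so the logged text can be inspected."""
    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def logged_message(info):
    """Log `info` at DEBUG like the lines in the report; return the text."""
    logger = logging.getLogger("injection-demo-%d" % id(info))
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    logger.addHandler(handler)
    logger.debug("Checking root disk injection %s", info)
    logger.removeHandler(handler)
    return handler.messages[0]


if __name__ == "__main__":
    print(logged_message(LeakyInjectionInfo(SAMPLE_NET, [], SAMPLE_PASS)))
    print(logged_message(MaskedInjectionInfo(SAMPLE_NET, [], SAMPLE_PASS)))
```

The password stays readable through the `admin_pass` attribute, so code that consumes the tuple is unaffected; only the string form that reaches the log changes.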
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/queens)

Reviewed: https://review.openstack.org/548289
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=088bf6df8ee332f1c24493430003a5bf1b77b2ce
Submitter: Zuul
Branch: stable/queens

commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/548312
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=13b598d371e7d0a67a953a87666d2e6adbc38372
Submitter: Zuul
Branch: stable/pike

commit 13b598d371e7d0a67a953a87666d2e6adbc38372
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)
    (cherry picked from commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 17.0.2

This issue was fixed in the openstack/nova 17.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.1.1

This issue was fixed in the openstack/nova 16.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/ocata)

Reviewed: https://review.openstack.org/548314
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1291d45418138d28f67873c6e47aa740e48ff80f
Submitter: Zuul
Branch: stable/ocata

commit 1291d45418138d28f67873c6e47aa740e48ff80f
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)
    (cherry picked from commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce)
    (cherry picked from commit 13b598d371e7d0a67a953a87666d2e6adbc38372)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 18.0.0.0b1

This issue was fixed in the openstack/nova 18.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 15.1.1

This issue was fixed in the openstack/nova 15.1.1 release.
