2019-01-09 14:18:18 |
Edward Hope-Morley |
bug |
|
|
added bug |
2019-01-10 16:14:27 |
Edward Hope-Morley |
ceilometer: assignee |
|
Edward Hope-Morley (hopem) |
|
2019-01-10 16:18:23 |
OpenStack Infra |
ceilometer: status |
New |
In Progress |
|
2019-01-10 16:19:03 |
Edward Hope-Morley |
bug task added |
|
cloud-archive |
|
2019-01-10 16:19:13 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/rocky |
|
2019-01-10 16:19:13 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/queens |
|
2019-01-10 16:19:13 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/stein |
|
2019-01-10 16:19:28 |
Edward Hope-Morley |
tags |
|
sts sts-sru-needed |
|
2019-01-11 18:22:05 |
Edward Hope-Morley |
attachment added |
|
lp1811098-stein.debdiff https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228503/+files/lp1811098-stein.debdiff |
|
2019-01-11 18:22:29 |
Edward Hope-Morley |
attachment added |
|
lp1811098-rocky.debdiff https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228504/+files/lp1811098-rocky.debdiff |
|
2019-01-11 18:22:47 |
Edward Hope-Morley |
attachment added |
|
lp1811098-queens.debdiff https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228505/+files/lp1811098-queens.debdiff |
|
2019-01-11 18:23:08 |
Edward Hope-Morley |
summary |
ceilometer writing snmp credentials to log file |
[SRU] ceilometer writing snmp credentials to log file |
|
2019-01-11 18:23:36 |
Edward Hope-Morley |
bug task added |
|
ubuntu |
|
2019-01-11 18:23:56 |
Edward Hope-Morley |
nominated for series |
|
Ubuntu Cosmic |
|
2019-01-11 18:23:56 |
Edward Hope-Morley |
nominated for series |
|
Ubuntu Disco |
|
2019-01-11 18:23:56 |
Edward Hope-Morley |
nominated for series |
|
Ubuntu Bionic |
|
2019-01-11 18:24:34 |
Edward Hope-Morley |
affects |
ubuntu |
ceilometer (Ubuntu) |
|
2019-01-12 00:22:06 |
Ubuntu Foundations Team Bug Bot |
tags |
sts sts-sru-needed |
patch sts sts-sru-needed |
|
2019-01-12 00:22:15 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2019-01-16 14:48:25 |
Edward Hope-Morley |
description |
The ceilometer-agent-central is always writing the contents of polling.yaml to its log file (and as INFO) [1]
This presents a security risk if e.g. resources contain sensitive information like when specifying snmp targets with the url containing the username, password etc.
There are a couple of ways we could solve this, namely; (1) don't log this info at all, (2) sanitise the contents prior to logging as DEBUG (3) switch to using config for the snmp credentials in a similar way to how the Triple0Discoverer does it [2] - this would only support having the same creds everywhere though which may not be desirable.
[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24 |
[Impact]
This SRU proposal is to patch the Ubuntu ceilometer package so that the ceilometer-agent switches printing the contents of polling.yaml from INFO to DEBUG. This is mostly an interim fix to make it easy to stop the presence of sensitive data in the ceilometer logfiles when DEBUG logging is not activated. Another bug will be raised to propose sanitising the data printed.
[Test Case]
* deploy OpenStack Q/R/S with ceilometer
* enable debug logging
* check that /var/log/ceilometer/ceilometer-agent-central.log contains a line similar to:
2019-01-09 11:40:50.641 25495 DEBUG ceilometer.agent [-] Config file: {'sources': [{'interval': 300, 'meters'...
i.e. ensure that the log is printed using DEBUG (not INFO)
[Regression Potential]
Users with debug mode disabled will no longer see this line.
----
The ceilometer-agent-central is always writing the contents of polling.yaml to its log file (and as INFO) [1]
This presents a security risk if e.g. resources contain sensitive information like when specifying snmp targets with the url containing the username, password etc.
There are a couple of ways we could solve this, namely; (1) don't log this info at all, (2) sanitise the contents prior to logging as DEBUG (3) switch to using config for the snmp credentials in a similar way to how the Triple0Discoverer does it [2] - this would only support having the same creds everywhere though which may not be desirable.
[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24 |
|
2019-01-16 19:05:14 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2019-01-16 19:05:18 |
Corey Bryant |
bug task added |
|
cloud-archive/rocky |
|
2019-01-16 19:05:20 |
Corey Bryant |
bug task added |
|
cloud-archive/stein |
|
2019-01-16 19:05:24 |
Corey Bryant |
bug task added |
|
ceilometer (Ubuntu Bionic) |
|
2019-01-16 19:05:25 |
Corey Bryant |
bug task added |
|
ceilometer (Ubuntu Cosmic) |
|
2019-01-16 19:05:28 |
Corey Bryant |
bug task added |
|
ceilometer (Ubuntu Disco) |
|
2019-01-16 19:05:55 |
Corey Bryant |
nominated for series |
|
cloud-archive/ocata |
|
2019-01-16 19:05:55 |
Corey Bryant |
bug task added |
|
cloud-archive/ocata |
|
2019-01-16 19:05:55 |
Corey Bryant |
nominated for series |
|
cloud-archive/pike |
|
2019-01-16 19:05:55 |
Corey Bryant |
bug task added |
|
cloud-archive/pike |
|
2019-01-16 19:06:09 |
Corey Bryant |
cloud-archive/ocata: importance |
Undecided |
High |
|
2019-01-16 19:06:09 |
Corey Bryant |
cloud-archive/ocata: status |
New |
Triaged |
|
2019-01-16 19:06:21 |
Corey Bryant |
cloud-archive/pike: importance |
Undecided |
High |
|
2019-01-16 19:06:21 |
Corey Bryant |
cloud-archive/pike: status |
New |
Triaged |
|
2019-01-16 19:06:33 |
Corey Bryant |
cloud-archive/queens: importance |
Undecided |
High |
|
2019-01-16 19:06:33 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2019-01-16 19:06:44 |
Corey Bryant |
cloud-archive/rocky: importance |
Undecided |
High |
|
2019-01-16 19:06:44 |
Corey Bryant |
cloud-archive/rocky: status |
New |
Triaged |
|
2019-01-16 19:06:56 |
Corey Bryant |
cloud-archive/stein: importance |
Undecided |
High |
|
2019-01-16 19:06:56 |
Corey Bryant |
cloud-archive/stein: status |
New |
Triaged |
|
2019-01-16 19:07:09 |
Corey Bryant |
ceilometer (Ubuntu Bionic): importance |
Undecided |
High |
|
2019-01-16 19:07:09 |
Corey Bryant |
ceilometer (Ubuntu Bionic): status |
New |
Triaged |
|
2019-01-16 19:07:26 |
Corey Bryant |
ceilometer (Ubuntu Cosmic): importance |
Undecided |
High |
|
2019-01-16 19:07:26 |
Corey Bryant |
ceilometer (Ubuntu Cosmic): status |
New |
Triaged |
|
2019-01-16 19:07:42 |
Corey Bryant |
ceilometer (Ubuntu Disco): importance |
Undecided |
High |
|
2019-01-16 19:07:42 |
Corey Bryant |
ceilometer (Ubuntu Disco): status |
New |
Triaged |
|
2019-01-16 19:10:42 |
Corey Bryant |
information type |
Public |
Private Security |
|
2019-01-16 19:12:48 |
Corey Bryant |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2019-01-16 19:34:46 |
Jeremy Stanley |
bug |
|
|
added subscriber Ceilometer Core security contacts |
2019-01-28 20:22:19 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-01-28 23:31:48 |
Launchpad Janitor |
ceilometer (Ubuntu Disco): status |
Triaged |
Fix Released |
|
2019-01-31 23:16:50 |
Brian Murray |
information type |
Private Security |
Public Security |
|
2019-01-31 23:17:14 |
Brian Murray |
ceilometer (Ubuntu Cosmic): status |
Triaged |
Fix Committed |
|
2019-01-31 23:17:17 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2019-01-31 23:17:21 |
Brian Murray |
tags |
patch sts sts-sru-needed |
patch sts sts-sru-needed verification-needed verification-needed-cosmic |
|
2019-01-31 23:18:24 |
Brian Murray |
ceilometer (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2019-01-31 23:18:32 |
Brian Murray |
tags |
patch sts sts-sru-needed verification-needed verification-needed-cosmic |
patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic |
|
2019-02-04 09:50:55 |
James Page |
cloud-archive/rocky: status |
Triaged |
Fix Committed |
|
2019-02-04 09:50:57 |
James Page |
tags |
patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic |
patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic verification-rocky-needed |
|
2019-02-05 16:14:23 |
Edward Hope-Morley |
tags |
patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic verification-rocky-needed |
patch sts sts-sru-needed verification-done-cosmic verification-needed verification-needed-bionic verification-rocky-needed |
|
2019-02-06 09:34:55 |
Edward Hope-Morley |
tags |
patch sts sts-sru-needed verification-done-cosmic verification-needed verification-needed-bionic verification-rocky-needed |
patch sts sts-sru-needed verification-done-bionic verification-done-cosmic verification-needed verification-rocky-needed |
|
2019-02-06 15:20:38 |
Edward Hope-Morley |
tags |
patch sts sts-sru-needed verification-done-bionic verification-done-cosmic verification-needed verification-rocky-needed |
patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-rocky-done |
|
2019-02-11 09:35:40 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-02-11 09:45:45 |
Launchpad Janitor |
ceilometer (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-02-11 16:04:18 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2019-02-11 16:04:19 |
Corey Bryant |
tags |
patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-rocky-done |
patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-needed verification-rocky-done |
|
2019-02-15 02:07:14 |
Nick Tait |
cve linked |
|
2019-3830 |
|
2019-02-18 09:28:41 |
Launchpad Janitor |
ceilometer (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-02-25 14:44:02 |
Corey Bryant |
cloud-archive/stein: status |
Triaged |
Fix Released |
|
2019-02-25 14:53:01 |
Corey Bryant |
cloud-archive/rocky: status |
Fix Committed |
Fix Released |
|
2019-02-26 12:39:13 |
Edward Hope-Morley |
tags |
patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-needed verification-rocky-done |
patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-done verification-rocky-done |
|
2019-02-26 12:46:45 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|
2019-03-04 14:12:03 |
Edward Hope-Morley |
tags |
patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-done verification-rocky-done |
patch sts sts-sru-done verification-done verification-done-bionic verification-done-cosmic verification-queens-done verification-rocky-done |
|