Activity log for bug #1811098

Date Who What changed Old value New value Message
2019-01-09 14:18:18 Edward Hope-Morley bug added bug
2019-01-10 16:14:27 Edward Hope-Morley ceilometer: assignee Edward Hope-Morley (hopem)
2019-01-10 16:18:23 OpenStack Infra ceilometer: status New In Progress
2019-01-10 16:19:03 Edward Hope-Morley bug task added cloud-archive
2019-01-10 16:19:13 Edward Hope-Morley nominated for series cloud-archive/rocky
2019-01-10 16:19:13 Edward Hope-Morley nominated for series cloud-archive/queens
2019-01-10 16:19:13 Edward Hope-Morley nominated for series cloud-archive/stein
2019-01-10 16:19:28 Edward Hope-Morley tags sts sts-sru-needed
2019-01-11 18:22:05 Edward Hope-Morley attachment added lp1811098-stein.debdiff https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228503/+files/lp1811098-stein.debdiff
2019-01-11 18:22:29 Edward Hope-Morley attachment added lp1811098-rocky.debdiff https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228504/+files/lp1811098-rocky.debdiff
2019-01-11 18:22:47 Edward Hope-Morley attachment added lp1811098-queens.debdiff https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228505/+files/lp1811098-queens.debdiff
2019-01-11 18:23:08 Edward Hope-Morley summary ceilometer writing snmp credentials to log file [SRU] ceilometer writing snmp credentials to log file
2019-01-11 18:23:36 Edward Hope-Morley bug task added ubuntu
2019-01-11 18:23:56 Edward Hope-Morley nominated for series Ubuntu Cosmic
2019-01-11 18:23:56 Edward Hope-Morley nominated for series Ubuntu Disco
2019-01-11 18:23:56 Edward Hope-Morley nominated for series Ubuntu Bionic
2019-01-11 18:24:34 Edward Hope-Morley affects ubuntu ceilometer (Ubuntu)
2019-01-12 00:22:06 Ubuntu Foundations Team Bug Bot tags sts sts-sru-needed patch sts sts-sru-needed
2019-01-12 00:22:15 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Sponsors Team
2019-01-16 14:48:25 Edward Hope-Morley description
Old value:
The ceilometer-agent-central is always writing the contents of polling.yaml to its log file (and as INFO) [1]
This presents a security risk if e.g. resources contain sensitive information like when specifying snmp targets with the url containing the username, password etc.
There are a couple of ways we could solve this, namely; (1) don't log this info at all, (2) sanitise the contents prior to logging as DEBUG (3) switch to using config for the snmp credentials in a similar way to how the Triple0Discoverer does it [2] - this would only support having the same creds everywhere though which may not be desirable.
[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24
New value:
[Impact]
This SRU proposal is to patch the Ubuntu ceilometer package so that the ceilometer-agent switches printing the contents of polling.yaml from INFO to DEBUG. This is mostly an interim fix to make it easy to stop the presence of sensitive data in the ceilometer logfiles when DEBUG logging is not activated. Another bug will be raised to propose sanitising the data printed.
[Test Case]
* deploy OpenStack Q/R/S with ceilometer
* enable debug logging
* check that /var/log/ceilometer/ceilometer-agent-central.log contains a line similar to:
  2019-01-09 11:40:50.641 25495 DEBUG ceilometer.agent [-] Config file: {'sources': [{'interval': 300, 'meters'...
  i.e. ensure that the log is printed using DEBUG (not INFO)
[Regression Potential]
Users with debug mode disabled will no longer see this line.
----
The ceilometer-agent-central is always writing the contents of polling.yaml to its log file (and as INFO) [1]
This presents a security risk if e.g. resources contain sensitive information like when specifying snmp targets with the url containing the username, password etc.
There are a couple of ways we could solve this, namely; (1) don't log this info at all, (2) sanitise the contents prior to logging as DEBUG (3) switch to using config for the snmp credentials in a similar way to how the Triple0Discoverer does it [2] - this would only support having the same creds everywhere though which may not be desirable.
[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24
2019-01-16 19:05:14 Corey Bryant bug task added cloud-archive/queens
2019-01-16 19:05:18 Corey Bryant bug task added cloud-archive/rocky
2019-01-16 19:05:20 Corey Bryant bug task added cloud-archive/stein
2019-01-16 19:05:24 Corey Bryant bug task added ceilometer (Ubuntu Bionic)
2019-01-16 19:05:25 Corey Bryant bug task added ceilometer (Ubuntu Cosmic)
2019-01-16 19:05:28 Corey Bryant bug task added ceilometer (Ubuntu Disco)
2019-01-16 19:05:55 Corey Bryant nominated for series cloud-archive/ocata
2019-01-16 19:05:55 Corey Bryant bug task added cloud-archive/ocata
2019-01-16 19:05:55 Corey Bryant nominated for series cloud-archive/pike
2019-01-16 19:05:55 Corey Bryant bug task added cloud-archive/pike
2019-01-16 19:06:09 Corey Bryant cloud-archive/ocata: importance Undecided High
2019-01-16 19:06:09 Corey Bryant cloud-archive/ocata: status New Triaged
2019-01-16 19:06:21 Corey Bryant cloud-archive/pike: importance Undecided High
2019-01-16 19:06:21 Corey Bryant cloud-archive/pike: status New Triaged
2019-01-16 19:06:33 Corey Bryant cloud-archive/queens: importance Undecided High
2019-01-16 19:06:33 Corey Bryant cloud-archive/queens: status New Triaged
2019-01-16 19:06:44 Corey Bryant cloud-archive/rocky: importance Undecided High
2019-01-16 19:06:44 Corey Bryant cloud-archive/rocky: status New Triaged
2019-01-16 19:06:56 Corey Bryant cloud-archive/stein: importance Undecided High
2019-01-16 19:06:56 Corey Bryant cloud-archive/stein: status New Triaged
2019-01-16 19:07:09 Corey Bryant ceilometer (Ubuntu Bionic): importance Undecided High
2019-01-16 19:07:09 Corey Bryant ceilometer (Ubuntu Bionic): status New Triaged
2019-01-16 19:07:26 Corey Bryant ceilometer (Ubuntu Cosmic): importance Undecided High
2019-01-16 19:07:26 Corey Bryant ceilometer (Ubuntu Cosmic): status New Triaged
2019-01-16 19:07:42 Corey Bryant ceilometer (Ubuntu Disco): importance Undecided High
2019-01-16 19:07:42 Corey Bryant ceilometer (Ubuntu Disco): status New Triaged
2019-01-16 19:10:42 Corey Bryant information type Public Private Security
2019-01-16 19:12:48 Corey Bryant removed subscriber Ubuntu Sponsors Team
2019-01-16 19:34:46 Jeremy Stanley bug added subscriber Ceilometer Core security contacts
2019-01-28 20:22:19 Corey Bryant bug added subscriber Ubuntu Stable Release Updates Team
2019-01-28 23:31:48 Launchpad Janitor ceilometer (Ubuntu Disco): status Triaged Fix Released
2019-01-31 23:16:50 Brian Murray information type Private Security Public Security
2019-01-31 23:17:14 Brian Murray ceilometer (Ubuntu Cosmic): status Triaged Fix Committed
2019-01-31 23:17:17 Brian Murray bug added subscriber SRU Verification
2019-01-31 23:17:21 Brian Murray tags patch sts sts-sru-needed patch sts sts-sru-needed verification-needed verification-needed-cosmic
2019-01-31 23:18:24 Brian Murray ceilometer (Ubuntu Bionic): status Triaged Fix Committed
2019-01-31 23:18:32 Brian Murray tags patch sts sts-sru-needed verification-needed verification-needed-cosmic patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic
2019-02-04 09:50:55 James Page cloud-archive/rocky: status Triaged Fix Committed
2019-02-04 09:50:57 James Page tags patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic verification-rocky-needed
2019-02-05 16:14:23 Edward Hope-Morley tags patch sts sts-sru-needed verification-needed verification-needed-bionic verification-needed-cosmic verification-rocky-needed patch sts sts-sru-needed verification-done-cosmic verification-needed verification-needed-bionic verification-rocky-needed
2019-02-06 09:34:55 Edward Hope-Morley tags patch sts sts-sru-needed verification-done-cosmic verification-needed verification-needed-bionic verification-rocky-needed patch sts sts-sru-needed verification-done-bionic verification-done-cosmic verification-needed verification-rocky-needed
2019-02-06 15:20:38 Edward Hope-Morley tags patch sts sts-sru-needed verification-done-bionic verification-done-cosmic verification-needed verification-rocky-needed patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-rocky-done
2019-02-11 09:35:40 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2019-02-11 09:45:45 Launchpad Janitor ceilometer (Ubuntu Cosmic): status Fix Committed Fix Released
2019-02-11 16:04:18 Corey Bryant cloud-archive/queens: status Triaged Fix Committed
2019-02-11 16:04:19 Corey Bryant tags patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-rocky-done patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-needed verification-rocky-done
2019-02-15 02:07:14 Nick Tait cve linked 2019-3830
2019-02-18 09:28:41 Launchpad Janitor ceilometer (Ubuntu Bionic): status Fix Committed Fix Released
2019-02-25 14:44:02 Corey Bryant cloud-archive/stein: status Triaged Fix Released
2019-02-25 14:53:01 Corey Bryant cloud-archive/rocky: status Fix Committed Fix Released
2019-02-26 12:39:13 Edward Hope-Morley tags patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-needed verification-rocky-done patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-done verification-rocky-done
2019-02-26 12:46:45 Corey Bryant cloud-archive/queens: status Fix Committed Fix Released
2019-03-04 14:12:03 Edward Hope-Morley tags patch sts sts-sru-needed verification-done verification-done-bionic verification-done-cosmic verification-queens-done verification-rocky-done patch sts sts-sru-done verification-done verification-done-bionic verification-done-cosmic verification-queens-done verification-rocky-done