Nova logs iscsi passwords when attaching volumes

Bug #1348840 reported by Joel Friedly
Affects: OpenStack Compute (nova)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Example:

2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node -T iqn.2010-10.org.openstack:volume-5940c9ef-ebec-448a-a8eb-971f0ef32a69 -p 10.191.1.1:3260 --op update -n node.session.auth.password -v 266nnohUEzTRP5QtPJ47 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:154
2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Result was 0 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:187
2014-07-25 21:50:13.058 4750 DEBUG nova.virt.libvirt.volume [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'266nnohUEzTRP5QtPJ47'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume.py:248

The part after the "-v" is the value to update the open-iscsi record with, and it is the password used to attach the volume. We've found that the following regex can catch these in the logs:

node\.session\.auth\.password.*

It's a debug level log message, so this issue can be avoided by turning off debug logging in production. However, since it's a command that gets executed with sudo, it ends up in /var/log/auth.log by default too. We'd like to fix this problem at the source by not executing a command that contains the password. Is there any other way to update the record?
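The following is an added example and is not code from the bug report or from nova itself. It shows the detection and masking the reporter's regex hints at (and the kind of sanitization the later comment says nova's own regexp now performs), as a standalone Python log filter. The regex, the MASK token, the IscsiPasswordFilter class and the sample log lines are all mine; the sample lines are constructed, modelled on the three lines quoted above, with a made-up password and shortened request ids. Note that, exactly as the report says, this only covers nova's own log stream: the sudo invocation is still recorded by sudo in /var/log/auth.log, which no filter inside nova can reach.

```python
import logging
import re

# Added example (not nova code): mask the open-iscsi password that the report
# shows leaking through nova's DEBUG logging. The pattern covers both shapes
# seen in the report:
#   command line:   ... -n node.session.auth.password -v <secret> execute ...
#   argument tuple: ... 'node.session.auth.password', '-v', u'<secret>') ...
# Group 1 keeps the key, the "-v" separator and any quoting or u-prefix;
# group 2 is the secret itself and is the only thing replaced.
_ISCSI_PASSWORD_RE = re.compile(
    r"(node\.session\.auth\.password['\"]?,?\s*['\"]?-v['\"]?,?\s*u?['\"]?)"
    r"([^\s'\")]+)"
)

MASK = "***"  # replacement token chosen for this example, not a nova convention


def contains_iscsi_password(line: str) -> bool:
    """True if the line carries a node.session.auth.password value."""
    return _ISCSI_PASSWORD_RE.search(line) is not None


def mask_iscsi_password(line: str) -> str:
    """Return the line with the password value replaced by MASK."""
    return _ISCSI_PASSWORD_RE.sub(lambda m: m.group(1) + MASK, line)


class IscsiPasswordFilter(logging.Filter):
    """logging.Filter that rewrites a record before any handler formats it.

    The message is rendered first (getMessage) so the secret is caught
    whether it arrived in the format string or in the %-args.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_iscsi_password(record.getMessage())
        record.args = ()
        return True


def filter_message(fmt: str, *args) -> str:
    """Run one log message through IscsiPasswordFilter and return the result."""
    record = logging.LogRecord("nova.example", logging.DEBUG, __file__, 0,
                               fmt, args, None)
    IscsiPasswordFilter().filter(record)
    return record.getMessage()


# Constructed sample lines (modelled on the report, made-up password).
SECRET = "s3cretPassw0rd"
SAMPLE_CMD = (
    "DEBUG nova.openstack.common.processutils [req-1] Running cmd (subprocess): "
    "sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node "
    "-T iqn.2010-10.org.openstack:volume-1 -p 10.0.0.1:3260 --op update "
    "-n node.session.auth.password -v " + SECRET + " execute processutils.py:154"
)
SAMPLE_TUPLE = (
    "DEBUG nova.virt.libvirt.volume [req-1] iscsiadm ('--op', 'update', '-n', "
    "'node.session.auth.password', '-v', u'" + SECRET + "'): stdout= stderr= "
    "_run_iscsiadm volume.py:248"
)
# Same command shape but updating the username: must pass through untouched.
SAMPLE_USER = (SAMPLE_CMD
               .replace("node.session.auth.password", "node.session.auth.username")
               .replace(SECRET, "volumeuser"))
SAMPLE_RESULT = ("DEBUG nova.openstack.common.processutils [req-1] "
                 "Result was 0 execute processutils.py:187")


def sanitize_lines(lines):
    """Mask every line; returns (sanitized_lines, number_of_lines_changed)."""
    out = [mask_iscsi_password(line) for line in lines]
    changed = sum(1 for before, after in zip(lines, out) if before != after)
    return out, changed


if __name__ == "__main__":
    sanitized, changed = sanitize_lines(
        [SAMPLE_CMD, SAMPLE_RESULT, SAMPLE_TUPLE, SAMPLE_USER])
    for line in sanitized:
        print(line)
    print(f"{changed} line(s) masked")
```

Run it directly to see the two password-carrying lines masked and the username and "Result was 0" lines left alone; to apply it to a running logger, attach `IscsiPasswordFilter()` with `logger.addFilter(...)` on the nova logger or handler. Masking in the filter (before formatting) rather than in a handler is what keeps the secret out of every configured output, including syslog. A regex on the log line is a last line of defence; the fix the reporter asks for, not passing the password on a command line at all, is still the right one, since the command line is also visible to other processes and to sudo's own logging.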

description: updated
Tracy Jones (tjones-i)
Changed in nova:
importance: Undecided → High
Changed in nova:
status: New → Confirmed
Revision history for this message
Christopher Yeoh (cyeoh-0) wrote :

As of 74d06db19fe0037435c12e52c3c88f980e619420 (mid July in master) this appears to be mostly fixed, as the regexp now recognises the password in the log message as something to be sanitized.

The more general problem of sudo logging is probably not fixable though.

Changed in nova:
importance: High → Wishlist
Revision history for this message
Markus Zoeller (markus_z) (mzoeller) wrote :

This wishlist bug has been open a year without any activity. I'm going to move it to "Opinion / Wishlist", which is an easily obtainable queue of older requests that have come in.

In case you want to work on that, consider writing a blueprint [1] and spec [2]. I'd recommend reading [3] if not yet done. The effort to implement the requested feature is then driven only by the blueprint (and spec).

References:
[1] https://blueprints.launchpad.net/nova/
[2] https://github.com/openstack/nova-specs
[3] https://wiki.openstack.org/wiki/Blueprints

Changed in nova:
status: Confirmed → Opinion