Nova logs iscsi passwords when attaching volumes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Opinion | Wishlist | Unassigned |
Bug Description
Example:
2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.
2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.
2014-07-25 21:50:13.058 4750 DEBUG nova.virt.
The part after the "-v" is the value to update the open-iscsi record with, and it is the password used to attach the volume. We've found that the following regex can catch these in the logs:
node\.session\
It's a debug level log message, so this issue can be avoided by turning off debug logging in production. However, since it's a command that gets executed with sudo, it ends up in /var/log/auth.log by default too. We'd like to fix this problem at the source by not executing a command that contains the password. Is there any other way to update the record?
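As an added example (not nova's or oslo's own sanitizer), the following Python masks the CHAP secret that follows `-v` in an `iscsiadm --op update` command, covering both the DEBUG-level "Running cmd" line and the `COMMAND=` form that sudo writes to /var/log/auth.log. The log lines, IQN and portal values are constructed; the record key names `node.session.auth.password` and `node.session.auth.password_in` are open-iscsi's.

```python
import re

# Matches "-n node.session.auth.password -v <secret>" (or the mutual-CHAP
# password_in key, or the long "--value=" spelling) and captures the secret
# separately so only the secret is replaced.  The key names are real
# open-iscsi record keys; everything else on the sample lines is constructed.
_ISCSI_SECRET_RE = re.compile(
    r"(node\.session\.auth\.password(?:_in)?\s+(?:-v|--value)[= ]+)"
    r"(\"[^\"]*\"|'[^']*'|\S+)"
)


def contains_iscsi_password(line: str) -> bool:
    """Detection side: does this log line carry an iscsiadm CHAP secret?"""
    return _ISCSI_SECRET_RE.search(line) is not None


def mask_iscsi_password(line: str, mask: str = "***") -> str:
    """Mitigation side: return the line with any CHAP secret replaced by `mask`."""
    return _ISCSI_SECRET_RE.sub(lambda m: m.group(1) + mask, line)


# Constructed sample log lines (not taken from a real deployment).
SAMPLE_LINES = [
    # DEBUG-level command line as a nova process would log it
    "2014-07-25 21:50:13.057 4750 DEBUG nova.example [-] Running cmd (subprocess): "
    "sudo iscsiadm -m node -T iqn.2010-10.org.openstack:volume-00000001 "
    "-p 10.0.0.5:3260 --op update -n node.session.auth.password -v s3cretCHAP",
    # The same command as recorded by sudo in /var/log/auth.log
    "Jul 25 21:50:13 compute1 sudo:     nova : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/iscsiadm -m node -T iqn.2010-10.org.openstack:volume-00000001 "
    "-p 10.0.0.5:3260 --op update -n node.session.auth.password -v s3cretCHAP",
    # A username update: same command shape, no secret, must not be flagged
    "2014-07-25 21:50:12.987 4750 DEBUG nova.example [-] Running cmd (subprocess): "
    "sudo iscsiadm -m node -T iqn.2010-10.org.openstack:volume-00000001 "
    "-p 10.0.0.5:3260 --op update -n node.session.auth.username -v cinder",
]


def sanitize_lines(lines):
    """Apply the mask to every line; the order of lines is preserved."""
    return [mask_iscsi_password(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LINES, sanitize_lines(SAMPLE_LINES)):
        print("leaks secret:", contains_iscsi_password(original))
        print(cleaned)
```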
description: updated
Changed in nova:
importance: Undecided → High
Changed in nova:
status: New → Confirmed
As of 74d06db19fe0037435c12e52c3c88f980e619420 (mid July in master) this appears to be mostly fixed as the regexp now recognises the password in the log message as something to be sanitized.
The more general problem of sudo logging is probably not fixable though.