OpenStack Compute (nova)

  1. Bug #1348840
  2. Activity log

Activity log for bug #1348840

Date Who What changed Old value New value Message
2014-07-25 23:12:46 Joel Friedly bug added bug
2014-07-25 23:13:49 Joel Friedly description Example: 2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node -T iqn.2010-10.org.openstack:volume-5940c9ef-ebec-448a-a8eb-971f0ef32a69 -p 10.191.1.1:3260 --op update -n node.session.auth.password -v 266nnohUEzTRP5QtPJ47 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:154 2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Result was 0 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:187 2014-07-25 21:50:13.058 4750 DEBUG nova.virt.libvirt.volume [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'266nnohUEzTRP5QtPJ47'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume.py:248 The part after the "-v" the value to update the open-iscsi record with, and it is the password used to attach the volume. We've found that the following regex can catch these in the logs: node\.session\.auth\.password.* It's a debug level log message, so this issue can be avoided by turning off debug logging in production. However, since it's a command that gets executed with sudo, it ends up in /var/log/auth.log by default too. We'd like to fix this problem at the source by not executing a command that contains the password. Is there any other way to update the record? Example: 2014-07-25 21:50:12.987 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf iscsiadm -m node -T iqn.2010-10.org.openstack:volume-5940c9ef-ebec-448a-a8eb-971f0ef32a69 -p 10.191.1.1:3260 --op update -n node.session.auth.password -v 266nnohUEzTRP5QtPJ47 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:154 2014-07-25 21:50:13.057 4750 DEBUG nova.openstack.common.processutils [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] Result was 0 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:187 2014-07-25 21:50:13.058 4750 DEBUG nova.virt.libvirt.volume [req-251c525c-b92e-4638-89a0-c77ee887ff17 119a4280aa594405aabc31b4fc0f640c ae356b4961204701ae7e89b7495c28bb] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'266nnohUEzTRP5QtPJ47'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/dist-packages/nova/virt/libvirt/volume.py:248 The part after the "-v" is the value to update the open-iscsi record with, and it is the password used to attach the volume. We've found that the following regex can catch these in the logs: node\.session\.auth\.password.* It's a debug level log message, so this issue can be avoided by turning off debug logging in production. However, since it's a command that gets executed with sudo, it ends up in /var/log/auth.log by default too. We'd like to fix this problem at the source by not executing a command that contains the password. Is there any other way to update the record?
2014-07-28 20:03:00 Tracy Jones nova: importance Undecided High
2014-07-30 03:52:59 Christopher Yeoh nova: status New Confirmed
2014-07-30 06:13:15 Christopher Yeoh nova: importance High Wishlist
2016-05-17 16:40:21 Markus Zoeller (markus_z) nova: status Confirmed Opinion