Guest admin password and network information is logged at debug if libvirt.inject_partition != -2

Bug #1737207 reported by Matt Riedemann on 2017-12-08
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | | Medium | Matt Riedemann |
Ocata | | Medium | Matt Riedemann |
Pike | | Medium | Matt Riedemann |
Queens | | Medium | Matt Riedemann |

Bug Description

When using the libvirt driver and the inject_partition config option is != -2 (disabled), the driver will log the network information and admin password about the guest during disk injection:

http://logs.openstack.org/50/524750/1/check/legacy-tempest-dsvm-neutron-full-centos-7/a7f051e/logs/screen-n-cpu.txt.gz#_Dec_04_13_42_41_311316

Dec 04 13:42:41.311316 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Checking root disk injection InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3115}}
Dec 04 13:42:41.314687 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Injecting InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3146}}

This was introduced in Ocata (15.0.0): https://review.openstack.org/#/c/337790/
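
The logged text above has the shape of a default namedtuple repr, which prints every field, admin_pass included. Added example (not nova's code and not from the reporter): a masked repr for the same field layout, plus a scanner that lists which instances already have a password in existing logs and scrubs it from those lines. The name MaskedInjectionInfo, the helper names and the sample lines are assumptions constructed for illustration.

```python
import collections
import re

# Field names as they appear in the logged repr in the bug report.
InjectionInfo = collections.namedtuple(
    "InjectionInfo", ["network_info", "files", "admin_pass"])


class MaskedInjectionInfo(InjectionInfo):
    """Hypothetical hardened variant: repr() hides guest secrets."""
    __slots__ = ()

    def __repr__(self):
        return ("InjectionInfo(network_info=<SANITIZED>, files=%r, "
                "admin_pass=<SANITIZED>)" % (self.files,))


def logged_text(info):
    # Same shape as the debug call; (info,) stops % unpacking the tuple.
    return "Injecting %s" % (info,)


# admin_pass is the last field, so the value runs to the ")" that is
# followed by the " {{...}}" suffix seen in the report or by end of line.
_SECRET = re.compile(r"admin_pass=(?!None\)|<)(.+?)\)(?= \{\{|\s*$)")
_INSTANCE = re.compile(r"\[instance: ([0-9a-f-]{36})\]")


def leaked_instances(lines):
    """UUIDs of instances whose admin password is present in the log."""
    hits = set()
    for line in lines:
        if _SECRET.search(line):
            m = _INSTANCE.search(line)
            hits.add(m.group(1) if m else "unknown")
    return sorted(hits)


def redact(line):
    """Scrub the password from an already-written log line."""
    return _SECRET.sub("admin_pass=<SANITIZED>)", line)


# Constructed sample lines (UUIDs and password are made up).
_PREFIX = "DEBUG nova.virt.libvirt.driver [instance: %s] "
_SUFFIX = " {{(pid=1) _inject_data driver.py:0}}"
SAMPLE = [
    _PREFIX % "11111111-2222-3333-4444-555555555555"
    + logged_text(InjectionInfo([], [], "constructed-pw")) + _SUFFIX,
    _PREFIX % "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    + logged_text(InjectionInfo([], [], None)) + _SUFFIX,
]
```

Instances returned by `leaked_instances` are the ones whose admin password should be rotated; `redact` only removes the password, so network details in old lines remain.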

Matt Riedemann (mriedem) on 2017-12-08
Changed in nova:
assignee: nobody → Matt Riedemann (mriedem)

Fix proposed to branch: master
Review: https://review.openstack.org/526772

Changed in nova:
status: Triaged → In Progress
Matt Riedemann (mriedem) on 2017-12-08
no longer affects: nova/newton

Reviewed: https://review.openstack.org/526772
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6839630e86d958dcda8585664586754d419363a7
Submitter: Zuul
Branch: master

commit 6839630e86d958dcda8585664586754d419363a7
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207

Changed in nova:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/548289
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=088bf6df8ee332f1c24493430003a5bf1b77b2ce
Submitter: Zuul
Branch: stable/queens

commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)

Reviewed: https://review.openstack.org/548312
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=13b598d371e7d0a67a953a87666d2e6adbc38372
Submitter: Zuul
Branch: stable/pike

commit 13b598d371e7d0a67a953a87666d2e6adbc38372
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)
    (cherry picked from commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce)

This issue was fixed in the openstack/nova 17.0.2 release.

This issue was fixed in the openstack/nova 16.1.1 release.

Reviewed: https://review.openstack.org/548314
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1291d45418138d28f67873c6e47aa740e48ff80f
Submitter: Zuul
Branch: stable/ocata

commit 1291d45418138d28f67873c6e47aa740e48ff80f
Author: Matt Riedemann <email address hidden>
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password
    for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)
    (cherry picked from commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce)
    (cherry picked from commit 13b598d371e7d0a67a953a87666d2e6adbc38372)

This issue was fixed in the openstack/nova 18.0.0.0b1 development milestone.

This issue was fixed in the openstack/nova 15.1.1 release.
