Credential leaked to puppet log on error when pulling images from registry

Bug #2008726 reported by Manoel Benedito Neto
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Manoel Benedito Neto

Bug Description

Brief Description
-----------------
A failure to pull images with credentials causes puppet to log the credentials.

Severity
--------
Security defect

Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
Unknown; observed due to other defect during upgrade.
Inspection: review the content of stx-puppet/puppet-manifests/src/modules/platform/manifests/kubernetes.pp, especially commands with crictl option "--creds"

Expected Behavior
-----------------
Credentials should not be leaked to logs

Actual Behavior
---------------
Puppet log contains credential for registry.local:9001

Reproducibility
---------------
Unknown; observed due to defect during upgrade

Yes, if the attempt to pull images can be caused to fail; by default puppet logs on failure.

System Configuration
--------------------
Standard, controller storage, 2+1, upgrade 21.12 to 22.12

Observed during upgrade of controller-1, attempting to unlock controller-1

Last Pass
---------
unknown

Timestamp/Logs
--------------
Controller-1 puppet logs

var/log/puppet# find . -type f | xargs grep -l "crictl pull --creds sysinv:"
./2023-02-06-16-38-54_controller/puppet.log
./2023-02-06-18-30-02_controller/puppet.log
./2023-02-06-16-45-30_controller/puppet.log
./2023-02-06-17-44-30_controller/puppet.log
./2023-02-06-17-38-48_controller/puppet.log

Alarms
------
n/a

Test Activity
-------------
feature development

Workaround
----------
n/a

Changed in starlingx:
assignee: nobody → Manoel Benedito Neto (mbenedit)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/873597
Committed: https://opendev.org/starlingx/stx-puppet/commit/be6c690370cd6454f2c01e1b9d9ae7f644b02feb
Submitter: "Zuul (22348)"
Branch: master

commit be6c690370cd6454f2c01e1b9d9ae7f644b02feb
Author: Manoel Benedito Neto <email address hidden>
Date: Mon Feb 13 12:46:15 2023 -0300

    Mask credentials in puppet log files

    This commit masks the credentials used in the crictl pull command, logged
    and executed by puppet to pull images from the registry. Wrapping the data
    type of the local_registry_auth variable as Sensitive protects against
    exposing the registry credentials in log files.

    Test Plan:
    PASS: Deploy a DX system with the wrong credentials addressed to the
          $local_registry_auth and observe in the puppet logs from
          Controller-1, the exec commands are logged with Sensitive
          [redacted] where it would have the credentials to the registry.
    PASS: Deploy a DX system with the correct credentials addressed to the
          $local_registry_auth and observe the system successfully being
          available.

    Closes-Bug: 2008726
    Signed-off-by: Manoel Benedito Neto <email address hidden>
    Change-Id: I831e65ad948e62c346f56f5e9c7587e4dbdcd29f

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.security
Ghada Khalil (gkhalil) wrote :

Re-opening. Code was reverted as it introduced a controller-1 unlock issue: https://review.opendev.org/c/starlingx/stx-puppet/+/877020

Changed in starlingx:
status: Fix Released → Confirmed
Changed in starlingx:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/877473
Committed: https://opendev.org/starlingx/stx-puppet/commit/ab6a08ae31bbbc6a659a96d216896bbbf8630489
Submitter: "Zuul (22348)"
Branch: master

commit ab6a08ae31bbbc6a659a96d216896bbbf8630489
Author: Manoel Benedito Neto <email address hidden>
Date: Wed Mar 15 09:27:30 2023 -0300

    Pull images from registry with credential file

    This commit adds the ability to use the content of a created credential
    file as the value of the --creds parameter for the `crictl pull` command,
    preventing the literal credential values from being logged in puppet log files.

    The registry_credentials file is created from a template file that
    interpolates the scope variable containing the value of the
    credentials. As soon as the file is created and read, the file is
    deleted from the /tmp/puppet directory.

    Test Plan:
    PASS: Deploy a SX system and observe Controller-0 status is available
          enabled active.
    PASS: Deploy a DX system and observe in the puppet logs from
          Controller-1 that the exec commands are logged with the sed command
          where they would have had the credentials to the registry. Observe
          that both controllers are in available enabled active status.
    PASS: Observe exit 0 output in each log file of Controller-1 listed by
          the execution of the command below.
          find /var/log/puppet -type f | xargs grep -l "creds"
    PASS: Upgrade kubernetes version from v1.24.4 to v1.25.3 in AIO-SX and
          AIO-DX systems. Observe the upgrade-complete state after the manual
          kubernetes components upgrade finishes for both types of systems.

    Closes-Bug: 2008726
    Signed-off-by: Manoel Benedito Neto <email address hidden>
    Change-Id: Id2579767f25cb5d0cabe38528e7aa72bb9c7a8b2

Changed in starlingx:
status: In Progress → Fix Released
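The leaky pattern and the two fixes discussed in this bug, side by side in one illustrative manifest (an added example, not the stx-puppet kubernetes.pp code; resource titles, the image name, the /tmp/puppet layout and the credential value are assumed):

```puppet
# Example manifest (added illustration, not the stx-puppet kubernetes.pp code).
# Resource titles, the image name, the paths and the credential are assumed.
$image               = 'registry.local:9001/k8s.gcr.io/pause:3.9'
$local_registry_auth = 'sysinv:constructed-example-password'

# Leaky pattern from the bug: when crictl fails, puppet logs the whole
# command string, so "--creds sysinv:<password>" ends up in puppet.log.
exec { 'pull-image-leaky':
  command => "crictl pull --creds ${local_registry_auth} ${image}",
  path    => ['/usr/bin', '/usr/local/bin'],
}

# First fix on this bug (reverted later in the thread): a Sensitive command
# makes a failure show up in the log as "Sensitive [redacted]" instead.
exec { 'pull-image-sensitive':
  command => Sensitive("crictl pull --creds ${local_registry_auth} ${image}"),
  path    => ['/usr/bin', '/usr/local/bin'],
}

# Final fix pattern: stage the credential in a root-only file, let the command
# read it at run time, and delete the file afterwards. The string puppet logs
# on failure now contains only the sed expression, never the credential.
file { '/tmp/puppet':
  ensure => directory,
  owner  => 'root',
  mode   => '0700',
}
-> file { '/tmp/puppet/registry_credentials':
  ensure    => file,
  owner     => 'root',
  mode      => '0600',
  content   => Sensitive("${local_registry_auth}\n"),
  show_diff => false,
}
-> exec { 'pull-image-credfile':
  command  => "crictl pull --creds \"\$(sed -n 1p /tmp/puppet/registry_credentials)\" ${image}",
  path     => ['/usr/bin', '/usr/local/bin', '/bin'],
  provider => shell,
}
-> exec { 'remove-registry-credentials':
  command => 'rm -f /tmp/puppet/registry_credentials',
  path    => ['/usr/bin', '/bin'],
}
```

The thread records that the Sensitive variant caused a controller-1 unlock issue and was reverted, which is why the credential-file variant is the one that shipped.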