Credential leaked to puppet log on error when pulling images from registry
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Manoel Benedito Neto | 
Bug Description
Brief Description
-----------------
A failed attempt to pull images using registry credentials causes puppet to log those credentials.
Severity
--------
Security defect
Minor: System/Feature is usable with minor issue
Steps to Reproduce
------------------
Unknown; observed due to other defect during upgrade.
Inspection: review the content of stx-puppet/
Expected Behavior
-----------------
Credentials should not be leaked to logs
Actual Behavior
---------------
Puppet log contains credential for registry.local:9001
Reproducibility
---------------
Unknown; observed due to defect during upgrade
Yes: if the attempt to pull images can be made to fail, puppet logs the failing command by default.
System Configuration
--------------------
Standard, controller storage, 2+1, upgrade 21.12 to 22.12
Observed during upgrade of controller-1, attempting to unlock controller-1
Last Pass
---------
unknown
Timestamp/Logs
--------------
Controller-1 puppet logs
var/log/puppet# find . -type f | xargs grep -l "crictl pull --creds sysinv:"
./2023-
./2023-
./2023-
./2023-
./2023-
Alarms
------
n/a
Test Activity
-------------
feature development
Workaround
----------
n/a
Changed in starlingx:
assignee: nobody → Manoel Benedito Neto (mbenedit)
Changed in starlingx:
status: New → In Progress
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.security
Changed in starlingx:
status: Confirmed → In Progress
Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/873597
Committed: https://opendev.org/starlingx/stx-puppet/commit/be6c690370cd6454f2c01e1b9d9ae7f644b02feb
Submitter: "Zuul (22348)"
Branch: master
commit be6c690370cd6454f2c01e1b9d9ae7f644b02feb
Author: Manoel Benedito Neto <email address hidden>
Date: Mon Feb 13 12:46:15 2023 -0300
Mask credentials in puppet log files
This commit masks the credentials used in the crictl pull command, logged
and executed by puppet to pull images from the registry. Wrapping the data
type of the local_registry_auth variable as Sensitive protects against
exposing the registry credentials in log files.
Test Plan:
PASS: Deploy a DX system with the wrong credentials addressed to the
      $local_registry_auth and observe in the puppet logs from
      Controller-1, the exec commands are logged with Sensitive
      [redacted] where it would have the credentials to the registry.
PASS: Deploy a DX system with the correct credentials addressed to the
      $local_registry_auth and observe the system successfully being
      available.
Closes-Bug: 2008726
Signed-off-by: Manoel Benedito Neto <email address hidden>
Change-Id: I831e65ad948e62c346f56f5e9c7587e4dbdcd29f
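The pattern the commit describes, shown as an added Puppet example (this is not stx-puppet's own manifest): an exec that interpolates the registry credential as plain text, which is what leaks on failure, next to one whose command is wrapped in Sensitive so puppet redacts it in its logs. The variable names, the sample password and the image name are constructed for illustration; registry.local:9001 and the `crictl pull --creds` invocation come from the bug report; the example assumes a Puppet version whose exec `command` parameter accepts Sensitive values (Puppet 6 and later).

```puppet
# Added example, not stx-puppet code. Contrasts a credential-leaking exec
# with the Sensitive-wrapped form. Names and values below are constructed;
# only registry.local:9001 and "crictl pull --creds" come from the report.

$registry_user     = 'sysinv'
$registry_password = Sensitive('EXAMPLE_PASSWORD')        # constructed sample value
$image             = 'registry.local:9001/example/app:1.0'  # illustrative image name

# Credential in the user:password form crictl expects, kept as Sensitive so it
# is redacted wherever puppet would print the variable.
$local_registry_auth = Sensitive("${registry_user}:${registry_password.unwrap}")

# Weak form: a plain string command. When crictl exits non-zero, puppet's
# error line quotes the whole command, credential included, e.g.
#   Error: '... --creds sysinv:EXAMPLE_PASSWORD ...' returned 1 instead of one of [0]
exec { 'pull-image-leaky':
  command => "crictl pull --creds ${local_registry_auth.unwrap} ${image}",
  path    => ['/usr/bin', '/usr/local/bin'],
}

# Hardened form: the full command string is wrapped in Sensitive. The agent
# still executes the real command, but any log line that would have quoted
# it prints "Sensitive [value redacted]" instead, on success and on failure.
exec { 'pull-image-redacted':
  command => Sensitive("crictl pull --creds ${local_registry_auth.unwrap} ${image}"),
  path    => ['/usr/bin', '/usr/local/bin'],
}
```

Only the hardened resource belongs in a real manifest; the leaky one is kept here so the two log outputs can be compared with `puppet apply` against an unreachable registry. After the change, the grep from the Timestamp/Logs section above (`grep -l "crictl pull --creds sysinv:"` over /var/log/puppet) is the check that confirms no plain-text credential remains in the logs.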