dejanmm at fastmail
Aug 27, 2010, 7:58 AM
Post #8 of 8
(493 views)
Permalink
|
|
Re: external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
[In reply to]
|
|
Hi,
On Fri, Aug 27, 2010 at 11:17:08AM +0200, Holger Teutsch wrote:
> Dejan,
> no problem.
> The patch now as attachment.
Applied. Many thanks for the contribution.
Cheers,
Dejan
> Thanx
> Holger
> ----Ursprüngliche Nachricht-----
> Von: Dejan Muhamedagic <dejanmm [at] fastmail>
> Gesendet: Aug 26, 2010 6:38:47 PM
> An: High-Availability Linux Development List <linux-ha-dev [at] lists>
> Betreff: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
>
> >Hi Holger,
> >
> >On Thu, Aug 26, 2010 at 05:10:13PM +0200, Holger Teutsch wrote:
> >> Dejan,
> >> I see.
> >> I guess the remaining task is to cleanup all stonith agents to
> >> let them pass password parameters to underlying tools in the
> >> most concealed way. In the case of IPMI the underlying tool is
> >> ipmitool. At least since 1.8.2 released in 2005 passing the
> >> password via an environment variable is a valid option.
> >>
> >> Is it a valid assumption that all ipmitools in the field used
> >> together with cluster-glue are later so passing via env should
> >> be implemented as default ?
> >> Or should there be a param for backwards compatibility (e.g.
> >> passwd_as_param=1) ?
> >
> >I misunderstood your patch in part and owe you an apology. What
> >you implemented has a benefit of its own. lrmd cannot help
> >individual plugins or resource agents to hide passwords. We can
> >also keep the option to pass a password in a file.
> >
> >Can you please send the patch again, this time as an attachment.
> >The copy I have seems to have broken indentation and won't apply.
> >
> >Sorry for the confusion.
> >
> >Cheers,
> >
> >Dejan
> >
> >
> >> Thanx for opinions.
> >> Regards
> >> Holger
> >>
> >> -----Ursprüngliche Nachricht-----
> >> Von: Dejan Muhamedagic <dejanmm [at] fastmail>
> >> Gesendet: Aug 25, 2010 4:14:19 PM
> >> An: High-Availability Linux Development List *
> >> Betreff: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
> >>
> >> >Hi,
> >> >
> >> >On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote:
> >> >> Hi,
> >> >> the very sensitive IPMI password now shows up in crm's config,
> >> >> log files and ps -ef output.
> >> >>
> >> >> This patch provides an optional parameter "passwd_method" that
> >> >> can be used to hide this information on various levels.
> >> >>
> >> >> If not defined the old behavior is retained.
> >> >
> >> >Many thanks for the patch, but we have to go another route for
> >> >this issue. It'd be a big effort to provide the same for all
> >> >stonith plugins. The basic idea is to enhance lrmd to be able to
> >> >read parameters from a file instead of the usual set of nvpairs
> >> >in the CIB. See
> >> >http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415
> >> >for more information.
> >> >
> >> >Thanks,
> >> >
> >> >Dejan
> >> >
> >> >> Regards
> >> >> Holger
> >> >>
> >> >> # HG changeset patch
> >> >> # User Holger Teutsch <holger.teutsch [at] web>
> >> >> # Date 1282209948 -7200
> >> >> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
> >> >> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f
> >> >> external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
> >> >>
> >> >> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
> >> >> --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200
> >> >> +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200
> >> >> @@ -60,9 +60,30 @@
> >> >> interface="lan"
> >> >> fi
> >> >>
> >> >> + case "${passwd_method}" in
> >> >> + param|'')
> >> >> + passwd_method=param
> >> >> + M="-P"
> >> >> + ;;
> >> >> + env)
> >> >> + M="-E"
> >> >> + ;;
> >> >> + file)
> >> >> + M="-f"
> >> >> + ;;
> >> >> + *)
> >> >> + ha_log.sh err "invalid passwd_method: \"${passwd_method}\""
> >> >> + return 1
> >> >> + esac
> >> >> +
> >> >> action="$*"
> >> >>
> >> >> - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" ${action} 2>&1
> >> >> + if [ $passwd_method = env ]
> >> >> + then
> >> >> + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -E ${action} 2>&1
> >> >> + else
> >> >> + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M "${passwd}" ${action} 2>&1
> >> >> + fi
> >> >> }
> >> >>
> >> >> # Yet another convenience wrapper that invokes run_ipmitool, captures
> >> >> @@ -94,7 +115,6 @@
> >> >> esac
> >> >> }
> >> >>
> >> >> -
> >> >> # Rewrite the hostname to accept "," as a delimeter for hostnames too.
> >> >>
> >> >> case ${1} in
> >> >> @@ -195,6 +215,19 @@
> >> >> </longdesc>
> >> >> </parameter>
> >> >>
> >> >> +
> >> >> +<content type="string" default="param"/>
> >> >> +
> >> >> +Method for passing passwd parameter
> >> >> +</shortdesc>
> >> >> +<longdesc lang="en">
> >> >> +Method for passing the passwd parameter to ipmitool
> >> >> + param: pass as parameter (-P)
> >> >> + env: pass via environment (-E)
> >> >> + file: value of "passwd" is actually a file name, pass with (-f)
> >> >> +</longdesc>
> >> >> +</parameter>
> >> >> +
> >> >>
> >> >> <content type="string" default="lan"/>
> >> >>
> >> >> ___________________________________________________________
> >> >> GRATIS für alle WEB.DE Nutzer: Die maxdome Movie-FLAT!
> >> >> Jetzt freischalten unter http://movieflat.web.de
> >> >> _______________________________________________________
> >> >> Linux-HA-Dev: Linux-HA-Dev [at] lists
> >> >> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> >> >> Home Page: http://linux-ha.org/
> >> >_______________________________________________________
> >> >Linux-HA-Dev: Linux-HA-Dev [at] lists
> >> >http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> >> >Home Page: http://linux-ha.org/
> >> ___________________________________________________________
> >> GRATIS für alle WEB.DE Nutzer: Die maxdome Movie-FLAT!
> >> Jetzt freischalten unter http://movieflat.web.de
> >> _______________________________________________________
> >> Linux-HA-Dev: Linux-HA-Dev [at] lists
> >> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> >> Home Page: http://linux-ha.org/
> >_______________________________________________________
> >Linux-HA-Dev: Linux-HA-Dev [at] lists
> >http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> >Home Page: http://linux-ha.org/
> ___________________________________________________________
> GRATIS für alle WEB.DE Nutzer: Die maxdome Movie-FLAT!
> Jetzt freischalten unter http://movieflat.web.de
> # HG changeset patch
> # User Holger Teutsch <holger.teutsch [at] web>
> # Date 1282209948 -7200
> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f
> external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
>
> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
> --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200
> +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200
> @@ -60,9 +60,30 @@
> interface="lan"
> fi
>
> + case "${passwd_method}" in
> + param|'')
> + passwd_method=param
> + M="-P"
> + ;;
> + env)
> + M="-E"
> + ;;
> + file)
> + M="-f"
> + ;;
> + *)
> + ha_log.sh err "invalid passwd_method: \"${passwd_method}\""
> + return 1
> + esac
> +
> action="$*"
>
> - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" ${action} 2>&1
> + if [ $passwd_method = env ]
> + then
> + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -E ${action} 2>&1
> + else
> + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M "${passwd}" ${action} 2>&1
> + fi
> }
>
> # Yet another convenience wrapper that invokes run_ipmitool, captures
> @@ -94,7 +115,6 @@
> esac
> }
>
> -
> # Rewrite the hostname to accept "," as a delimeter for hostnames too.
>
> case ${1} in
> @@ -195,6 +215,19 @@
> </longdesc>
> </parameter>
>
> +<parameter name="passwd_method" unique="1">
> +<content type="string" default="param"/>
> +<shortdesc lang="en">
> +Method for passing passwd parameter
> +</shortdesc>
> +<longdesc lang="en">
> +Method for passing the passwd parameter to ipmitool
> + param: pass as parameter (-P)
> + env: pass via environment (-E)
> + file: value of "passwd" is actually a file name, pass with (-f)
> +</longdesc>
> +</parameter>
> +
> <parameter name="interface" unique="1">
> <content type="string" default="lan"/>
> <shortdesc lang="en">
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
|
signature.asc
