[Openstack-security] [Bug 1737207] Re: Guest admin password and network information is logged at debug if libvirt.inject_partition != -2
OpenStack Infra
1737207 at bugs.launchpad.net
Wed Apr 18 21:53:54 UTC 2018
Reviewed: https://review.openstack.org/548314
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1291d45418138d28f67873c6e47aa740e48ff80f
Submitter: Zuul
Branch: stable/ocata
commit 1291d45418138d28f67873c6e47aa740e48ff80f
Author: Matt Riedemann <mriedem.os at gmail.com>
Date: Fri Dec 8 16:02:44 2017 -0500
libvirt: mask InjectionInfo.admin_pass
Logging network information and the admin password
for guest instances is not ideal, so let's not do it.
Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
Closes-Bug: #1737207
(cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)
(cherry picked from commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce)
(cherry picked from commit 13b598d371e7d0a67a953a87666d2e6adbc38372)
** Changed in: nova/ocata
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1737207
Title:
Guest admin password and network information is logged at debug if
libvirt.inject_partition != -2
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) ocata series:
Fix Committed
Status in OpenStack Compute (nova) pike series:
Fix Committed
Status in OpenStack Compute (nova) queens series:
Fix Committed
Bug description:
When using the libvirt driver and the inject_partition config option
is != -2 (disabled), the driver will log the network information and
admin password about the guest during disk injection:
http://logs.openstack.org/50/524750/1/check/legacy-tempest-dsvm-
neutron-full-
centos-7/a7f051e/logs/screen-n-cpu.txt.gz#_Dec_04_13_42_41_311316
Dec 04 13:42:41.311316 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Checking root disk injection InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3115}}
Dec 04 13:42:41.314687 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Injecting InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3146}}
This was introduced in Ocata (15.0.0):
https://review.openstack.org/#/c/337790/
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1737207/+subscriptions
More information about the Openstack-security
mailing list