diff --git a/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
new file mode 100644
index 0000000..b8101b6
--- /dev/null
+++ b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
@@ -0,0 +1,66 @@
+From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf1..3b1bb29b 100644
+--- a/sos/report/plugins/ovirt.py
++++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
+ r'{key}=********'.format(key=key)
+ )
+
+- # Answer files contain passwords
+- for key in (
+- 'OVESETUP_CONFIG/adminPassword',
+- 'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+- 'OVESETUP_DWH_DB/password',
+- 'OVESETUP_DB/password',
+- 'OVESETUP_REPORTS_CONFIG/adminPassword',
+- 'OVESETUP_REPORTS_DB/password',
++ # Answer files contain passwords.
++ # Replace all keys that have 'password' in them, instead of hard-coding
++ # here the list of keys, which changes between versions.
++ # Sadly, the engine admin password prompt name does not contain
++ # 'password'... so neither does the env key.
++ for item in (
++ 'password',
++ 'OVESETUP_CONFIG_ADMIN_SETUP',
+ ):
+ self.do_path_regex_sub(
+ r'/var/lib/ovirt-engine/setup/answers/.*',
+- r'{key}=(.*)'.format(key=key),
+- r'{key}=********'.format(key=key)
++ re.compile(
++ r'(?P[^=]*{item}[^=]*)=.*'.format(item=item),
++ flags=re.IGNORECASE
++ ),
++ r'\g=********'
+ )
+
+ # aaa profiles contain passwords
+--
+2.27.0
+
diff --git a/SOURCES/sos-bz2098643-crio-output-to-json.patch b/SOURCES/sos-bz2098643-crio-output-to-json.patch
new file mode 100644
index 0000000..2f5dd3b
--- /dev/null
+++ b/SOURCES/sos-bz2098643-crio-output-to-json.patch
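Review bot: The masking in the `for item in (` loop still depends on the key name, so an answer-file key that holds a credential under a name without 'password' is collected in clear text, as the special case for `OVESETUP_CONFIG_ADMIN_SETUP` already shows; the comment should state that limit, and other secret-bearing substrings are worth adding to the tuple once confirmed against the setup plugins. The pattern is also unanchored and `[^=]*` matches newlines, so a value containing 'password' on one line causes the next line's value to be masked. Anchoring it, `r'^(?P<key>[^=\n]*{item}[^=\n]*)=.*'` with `flags=re.IGNORECASE | re.MULTILINE`, keeps each match on a single line. The group name is missing from the pattern and from `\g` as rendered here, so `<key>` is an assumption. The enclosing method starts above the hunk.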
@@ -0,0 +1,73 @@
+From c2e66fa4dae51f03c7310ba5278897ddecac1aad Mon Sep 17 00:00:00 2001
+From: Nadia Pinaeva
+Date: Thu, 2 Jun 2022 15:43:09 +0200
+Subject: [PATCH] crio: switch from parsing output in table format to json
+
+Signed-off-by: Nadia Pinaeva
+---
+ sos/policies/runtimes/crio.py | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/sos/policies/runtimes/crio.py b/sos/policies/runtimes/crio.py
+index 55082d07..4cae1ecc 100644
+--- a/sos/policies/runtimes/crio.py
++++ b/sos/policies/runtimes/crio.py
+@@ -7,6 +7,7 @@
+ # version 2 of the GNU General Public License.
+ #
+ # See the LICENSE file in the source distribution for further information.
++import json
+
+ from sos.policies.runtimes import ContainerRuntime
+ from sos.utilities import sos_get_command_output
+@@ -29,14 +30,15 @@ class CrioContainerRuntime(ContainerRuntime):
+ :type get_all: ``bool``
+ """
+ containers = []
+- _cmd = "%s ps %s" % (self.binary, '-a' if get_all else '')
++ _cmd = "%s ps %s -o json" % (self.binary, '-a' if get_all else '')
+ if self.active:
+ out = sos_get_command_output(_cmd, chroot=self.policy.sysroot)
+- if out['status'] == 0:
+- for ent in out['output'].splitlines()[1:]:
+- ent = ent.split()
++ if out["status"] == 0:
++ out_json = json.loads(out["output"])
++ for container in out_json["containers"]:
+ # takes the form (container_id, container_name)
+- containers.append((ent[0], ent[-3]))
++ containers.append(
++ (container["id"], container["metadata"]["name"]))
+ return containers
+
+ def get_images(self):
+@@ -47,13 +49,21 @@ class CrioContainerRuntime(ContainerRuntime):
+ """
+ images = []
+ if self.active:
+- out = sos_get_command_output("%s images" % self.binary,
++ out = sos_get_command_output("%s images -o json" % self.binary,
+ chroot=self.policy.sysroot)
+ if out['status'] == 0:
+- for ent in out['output'].splitlines():
+- ent = ent.split()
+- # takes the form (image_name, image_id)
+- images.append((ent[0] +
':' + ent[1], ent[2])) ++ out_json = json.loads(out["output"]) ++ for image in out_json["images"]: ++ # takes the form (repository:tag, image_id) ++ if len(image["repoTags"]) > 0: ++ for repo_tag in image["repoTags"]: ++ images.append((repo_tag, image["id"])) ++ else: ++ if len(image["repoDigests"]) == 0: ++ image_name = "" ++ else: ++ image_name = image["repoDigests"][0].split("@")[0] ++ images.append((image_name + ":", image["id"])) + return images + + def fmt_container_cmd(self, container, cmd, quotecmd): +-- +2.27.0 + diff --git a/SPECS/sos.spec b/SPECS/sos.spec index 6e036b6..2e9e389 100644 --- a/SPECS/sos.spec +++ b/SPECS/sos.spec @@ -5,7 +5,7 @@ Summary: A set of tools to gather troubleshooting information from a system Name: sos Version: 4.2 -Release: 19%{?dist}.alma +Release: 20%{?dist}.alma Group: Applications/System Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz Source1: sos-audit-%{auditversion}.tgz @@ -45,6 +45,8 @@ Patch21: sos-bz2042966-ovn-proper-package-enablement.patch Patch22: sos-bz2054882-plugopt-logging-effective-opts.patch Patch23: sos-bz2055547-honour-plugins-timeout-hardcoded.patch Patch24: sos-bz2071825-merged-8.6.z.patch +Patch25: sos-bz2098639-ovirt-obfuscation_answer_file.patch +Patch26: sos-bz2098643-crio-output-to-json.patch # almalinux Patch1000: sos-almalinux-branding.patch @@ -82,6 +84,8 @@ support technicians and developers. %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 +%patch26 -p1 # almalinux %patch1000 -p1 
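Review bot: `json.loads(out["output"])` is called unguarded both in the method that returns `containers` and in `get_images`, so empty or non-JSON output returned with a zero exit status raises out of the method instead of producing an empty list. Catching it, `try: out_json = json.loads(out["output"])` followed by `except ValueError: return containers` (or `return images`), keeps the report running. The direct lookups `out_json["containers"]`, `image["repoTags"]` and `image["repoDigests"]` fail the same way when a key is absent or null; `out_json.get("containers") or []` and `image.get("repoTags") or []` would tolerate that. Both method bodies start outside the hunks shown.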
@@ -151,9 +155,14 @@ of the system. Currently storage and filesystem commands are audited. %ghost /etc/audit/rules.d/40-sos-storage.rules %changelog -* Wed May 25 2022 Andrew Lukoshko - 4.2-19.alma +* Wed Aug 03 2022 Andrew Lukoshko - 4.2-20.alma - Debrand for AlmaLinux +* Fri Jul 24 2022 Jan Jansky = 4.2-20 +- [ovirt] obfuscate answer file + Resolves: bz2098639 +- [crio] from output to json + Resolves: bz2098643 * Mon May 09 2022 Jan Jansky = 4.2-19 - OCP backport Resolves: bz2071824