diff --git a/.gitignore b/.gitignore index bf012f1..0ab7433 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/sos-4.9.2.tar.gz +SOURCES/sos-4.10.0.tar.gz SOURCES/sos-audit-0.3-1.tgz diff --git a/.sos.metadata b/.sos.metadata index e84d0ba..f5396df 100644 --- a/.sos.metadata +++ b/.sos.metadata @@ -1,2 +1,2 @@ -928a58267511054d8173802fca3ee8ca087e1eac SOURCES/sos-4.9.2.tar.gz +6042daa19f01ecf2f1e331ae70482653fd500d1f SOURCES/sos-4.10.0.tar.gz 00752b68ec5e1141192a9dab7d44377b8d637bf7 SOURCES/sos-audit-0.3-1.tgz diff --git a/SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch b/SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch new file mode 100644 index 0000000..e45e19e --- /dev/null +++ b/SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch @@ -0,0 +1,101 @@ +From 3efc8888852225396ebb4f0f9ae95edf4e5badfa Mon Sep 17 00:00:00 2001 +From: Pavel Moravec +Date: Wed, 20 Aug 2025 20:07:05 +0200 +Subject: [PATCH] [cleaner] Make cleaner's obfuscate_file properly working + +The fix is three-fold: +- obfuscate_file must clean file content and not filename +- cleaner's main_archive must be populated by parsers first +- obfuscate_file dont need short_name as it is always called with + implicit value of short_name that cleaner will strip itself + +Closes: #4109 +Closes: #4110 + +Signed-off-by: Pavel Moravec +--- + sos/cleaner/__init__.py | 7 ++++--- + sos/collector/__init__.py | 9 +++------ + sos/report/__init__.py | 9 +++------ + 3 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/sos/cleaner/__init__.py b/sos/cleaner/__init__.py +index 4a1470b5..dcd60c66 100644 +--- a/sos/cleaner/__init__.py ++++ b/sos/cleaner/__init__.py +@@ -537,7 +537,7 @@ third party. + logfile.write(line) + + if archive: +- self.obfuscate_file(log_name, short_name="sos_logs/cleaner.log") ++ self.obfuscate_file(log_name) + self.archive.add_file(log_name, dest="sos_logs/cleaner.log") + + def get_new_checksum(self, archive_path): +@@ -678,6 +678,7 @@ third party. + for prepper in self.get_preppers(): + for archive in self.report_paths: + self._prepare_archive_with_prepper(archive, prepper) ++ self.main_archive.set_parsers(self.parsers) + + def obfuscate_report(self, archive): # pylint: disable=too-many-branches + """Individually handle each archive or directory we've discovered by +@@ -784,8 +785,8 @@ third party. + self.ui_log.info("Exception while processing " + f"{archive.archive_name}: {err}") + +- def obfuscate_file(self, filename, short_name): +- self.main_archive.obfuscate_filename(filename, short_name) ++ def obfuscate_file(self, filename): ++ self.main_archive.obfuscate_arc_files([filename]) + + def obfuscate_symlinks(self, archive): + """Iterate over symlinks in the archive and obfuscate their names. +diff --git a/sos/collector/__init__.py b/sos/collector/__init__.py +index 7a414501..e6b55f20 100644 +--- a/sos/collector/__init__.py ++++ b/sos/collector/__init__.py +@@ -1405,16 +1405,13 @@ this utility or remote systems that it connects to. + if do_clean: + _dir = os.path.join(self.tmpdir, self.archive._name) + cleaner.obfuscate_file( +- os.path.join(_dir, 'sos_logs', 'sos.log'), +- short_name='sos.log' ++ os.path.join(_dir, 'sos_logs', 'sos.log') + ) + cleaner.obfuscate_file( +- os.path.join(_dir, 'sos_logs', 'ui.log'), +- short_name='ui.log' ++ os.path.join(_dir, 'sos_logs', 'ui.log') + ) + cleaner.obfuscate_file( +- os.path.join(_dir, 'sos_reports', 'manifest.json'), +- short_name='manifest.json' ++ os.path.join(_dir, 'sos_reports', 'manifest.json') + ) + + arc_name = self.archive.finalize(method=None) +diff --git a/sos/report/__init__.py b/sos/report/__init__.py +index 074afcff..9fb94d6a 100644 +--- a/sos/report/__init__.py ++++ b/sos/report/__init__.py +@@ -1571,13 +1571,10 @@ class SoSReport(SoSComponent): + # Now, separately clean the log files that cleaner also wrote to + if do_clean: + _dir = os.path.join(self.tmpdir, self.archive._name) +- cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'sos.log'), +- short_name='sos.log') +- cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'ui.log'), +- short_name='ui.log') ++ cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'sos.log')) ++ cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'ui.log')) + cleaner.obfuscate_file( +- os.path.join(_dir, 'sos_reports', 'manifest.json'), +- short_name='manifest.json' ++ os.path.join(_dir, 'sos_reports', 'manifest.json') + ) + + # Now, just (optionally) pack the report and print work outcome; let +-- +2.49.0 + diff --git a/SOURCES/0002-openstack_nova-Improve-scrubbing.patch b/SOURCES/0002-openstack_nova-Improve-scrubbing.patch new file mode 100644 index 0000000..91b376c --- /dev/null +++ b/SOURCES/0002-openstack_nova-Improve-scrubbing.patch @@ -0,0 +1,72 @@ +From 6378a4ee9fa3eeaf384bd87fc87e24a0c5608658 Mon Sep 17 00:00:00 2001 +From: Pavel Moravec +Date: Tue, 19 Aug 2025 09:08:15 +0200 +Subject: [PATCH] [openstack_nova] Improve scrubbing + +Improve postproc obfuscation in two ways: +- apply postproc also to /var/lib/openstack/config/nova on RedHatNova +- obfuscate just password from transport_url, not the whole URL + +Closes: #4108 + +Signed-off-by: Pavel Moravec +--- + sos/report/plugins/openstack_nova.py | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/sos/report/plugins/openstack_nova.py b/sos/report/plugins/openstack_nova.py +index 728aed1e..2635866e 100644 +--- a/sos/report/plugins/openstack_nova.py ++++ b/sos/report/plugins/openstack_nova.py +@@ -29,6 +29,7 @@ class OpenStackNova(Plugin): + var_puppet_gen = "/var/lib/config-data/puppet-generated/nova" + service_name = "openstack-nova-api.service" + apachepkg = None ++ postproc_dirs = ["/etc/nova/",] + + def setup(self): + +@@ -141,12 +142,13 @@ class OpenStackNova(Plugin): + self.add_copy_spec(specs) + + def apply_regex_sub(self, regexp, subst): +- """ Apply regex substitution """ +- self.do_path_regex_sub("/etc/nova/*", regexp, subst) +- for npath in ['', '_libvirt', '_metadata', '_placement']: +- self.do_path_regex_sub( +- f"{self.var_puppet_gen}{npath}/etc/nova/*", +- regexp, subst) ++ """ Apply regex substitution to all sensitive dirs """ ++ for _dir in self.postproc_dirs: ++ self.do_path_regex_sub(f"{_dir}/*", regexp, subst) ++ for npath in ['', '_libvirt', '_metadata', '_placement']: ++ self.do_path_regex_sub( ++ f"{self.var_puppet_gen}{npath}{_dir}/*", ++ regexp, subst) + + def postproc(self): + protect_keys = [ +@@ -155,10 +157,9 @@ class OpenStackNova(Plugin): + "xenapi_connection_password", "password", "host_password", + "vnc_password", "admin_password", "connection_password", + "memcache_secret_key", "s3_secret_key", +- "metadata_proxy_shared_secret", "fixed_key", "transport_url", +- "rbd_secret_uuid" ++ "metadata_proxy_shared_secret", "fixed_key", "rbd_secret_uuid" + ] +- connection_keys = ["connection", "sql_connection"] ++ connection_keys = ["connection", "sql_connection", "transport_url"] + + join_con_keys = "|".join(connection_keys) + +@@ -214,6 +215,7 @@ class RedHatNova(OpenStackNova, RedHatPlugin): + apachepkg = "httpd" + nova = False + packages = ('openstack-selinux',) ++ postproc_dirs = ["/etc/nova/", "/var/lib/openstack/config/nova"] + + def setup(self): + super().setup() +-- +2.49.0 + diff --git a/SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch b/SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch new file mode 100644 index 0000000..cfdd658 --- /dev/null +++ b/SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch @@ -0,0 +1,36 @@ +From c0e514894b2c35c2b36f247f8b84dd4311034fb6 Mon Sep 17 00:00:00 2001 +From: Pavel Moravec +Date: Fri, 12 Sep 2025 11:36:02 +0200 +Subject: [PATCH] [component] Fix regression 57bbc89 in toolbox containers + +57bbc89 commit set tmpdir to source the dir from Policy. Which means +HOST sysroot directory is newly applied already in +LinuxPolicy._container_init method. + +Removed lines mimic the same in a worse way, so let drop them here. + +Resolves: #4116 +Closes: #4118 + +Signed-off-by: Pavel Moravec +--- + sos/component.py | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/sos/component.py b/sos/component.py +index a110c270..3e53fe3d 100644 +--- a/sos/component.py ++++ b/sos/component.py +@@ -170,9 +170,6 @@ class SoSComponent(): + else: + tmpdir = os.getenv('TMPDIR', None) or self.policy.get_tmp_dir(None) + +- if os.getenv('HOST', None) and os.getenv('container', None): +- tmpdir = os.path.join(os.getenv('HOST'), tmpdir.lstrip('/')) +- + # no standard library method exists for this, so call out to stat to + # avoid bringing in a dependency on psutil + self.tmpfstype = shell_out( +-- +2.49.0 + diff --git a/SOURCES/0004-revert-PR4092.patch b/SOURCES/0004-revert-PR4092.patch new file mode 100644 index 0000000..04539d0 --- /dev/null +++ b/SOURCES/0004-revert-PR4092.patch @@ -0,0 +1,49 @@ +--- a/sos/upload/targets/__init__.py 2025-09-16 19:57:27.294642506 +0200 ++++ b/sos/upload/targets/__init__.py 2025-09-16 19:59:44.498573843 +0200 +@@ -465,7 +465,7 @@ + self.upload_password or + self._upload_password) + +- def upload_sftp(self, user=None, password=None, user_dir=None): ++ def upload_sftp(self, user=None, password=None): + """Attempts to upload the archive to an SFTP location. + + Due to the lack of well maintained, secure, and generally widespread +@@ -540,13 +540,10 @@ + raise Exception("Unable to connect via SFTP to " + f"{self.get_upload_url_string()}") + +- # certain implementations require file to be put in the user dir +- put_cmd = ( +- f"put {self.upload_archive_name} " +- f"{f'{user_dir}/' if user_dir else ''}" +- f"{self._get_sftp_upload_name()}" +- ) ++ put_cmd = (f'put {self.upload_archive_name} ' ++ f'{self._get_sftp_upload_name()}') + ret.sendline(put_cmd) ++ + put_expects = [ + '100%', + pexpect.TIMEOUT, +--- a/sos/upload/targets/redhat.py 2025-09-16 19:57:36.804628207 +0200 ++++ b/sos/upload/targets/redhat.py 2025-09-16 20:00:52.578728154 +0200 +@@ -145,7 +145,7 @@ + return fname + + # pylint: disable=too-many-branches +- def upload_sftp(self, user=None, password=None, user_dir=None): ++ def upload_sftp(self, user=None, password=None): + """Override the base upload_sftp to allow for setting an on-demand + generated anonymous login for the RH SFTP server if a username and + password are not given +@@ -217,8 +217,7 @@ + f"{anon.status_code}): {anon.json()}" + ) + if _user and _token: +- return super().upload_sftp(user=_user, password=_token, +- user_dir=_user) ++ return super().upload_sftp(user=_user, password=_token) + raise Exception("Could not retrieve valid or anonymous credentials") + + def check_file_too_big(self, archive): diff --git a/SOURCES/0005-cleaner-rhel8.patch b/SOURCES/0005-cleaner-rhel8.patch new file mode 100644 index 0000000..36dd990 --- /dev/null +++ b/SOURCES/0005-cleaner-rhel8.patch @@ -0,0 +1,36 @@ +--- a/sos/cleaner/archives/__init__.py 2025-09-22 19:44:51.272619200 +0200 ++++ b/sos/cleaner/archives/__init__.py 2025-09-22 23:28:15.116001268 +0200 +@@ -118,6 +118,8 @@ class SoSObfuscationArchive(): + self.parsers = parsers # TODO: include this in __init__? + + def load_parser_entries(self): ++ self.soslog = logging.getLogger('sos') ++ self.ui_log = logging.getLogger('sos_ui') + for parser in self.parsers: + parser.load_map_entries() + +@@ -150,6 +152,7 @@ class SoSObfuscationArchive(): + return line, count + + def obfuscate_arc_files(self, flist): ++ self.load_parser_entries() + for filename in flist: + self.log_debug(f" pid={os.getpid()}: obfuscating {filename}") + try: +--- a/sos/cleaner/__init__.py 2025-09-22 19:44:51.272619200 +0200 ++++ b/sos/cleaner/__init__.py 2025-09-22 23:32:17.606745778 +0200 +@@ -720,10 +720,11 @@ third party. + # based on files' sizes. + + files_obfuscated_count = total_sub_count = removed_file_count = 0 ++ # two nullification required before processes cloning ++ archive.soslog = None ++ archive.ui_log = None + archive_list = [archive for i in range(self.opts.jobs)] +- with ProcessPoolExecutor( +- max_workers=self.opts.jobs, +- initializer=archive.load_parser_entries) as executor: ++ with ProcessPoolExecutor(max_workers=self.opts.jobs) as executor: + futures = executor.map(obfuscate_arc_files, archive_list, + [file_list[i::self.opts.jobs] for i in + range(self.opts.jobs)]) diff --git a/SOURCES/sos-python36-walrus-operator.patch b/SOURCES/sos-python36-walrus-operator.patch index ad84519..5f47fa4 100644 --- a/SOURCES/sos-python36-walrus-operator.patch +++ b/SOURCES/sos-python36-walrus-operator.patch @@ -39,3 +39,16 @@ self.db_folder = "/var/snap/juju-db/current/db" super().setup() +--- a/sos/report/plugins/__init__.py 2025-08-21 12:41:10.418390705 +0200 ++++ b/sos/report/plugins/__init__.py 2025-08-21 12:55:39.546634618 +0200 +@@ -2965,8 +2965,9 @@ + :rtype: ``str`` + """ + if self.container_exists(container, runtime) or \ +- ((_runtime := self._get_container_runtime(runtime)) and ++ ((self._get_container_runtime(runtime)) and + runas is not None): ++ _runtime = self._get_container_runtime(runtime) + return _runtime.fmt_container_cmd(container, cmd, quotecmd) + return '' + diff --git a/SOURCES/sosreport-binary.patch b/SOURCES/sosreport-binary.patch index fd950e2..9cddc9d 100644 --- a/SOURCES/sosreport-binary.patch +++ b/SOURCES/sosreport-binary.patch @@ -1,18 +1,20 @@ --- /dev/null 2025-04-03 01:35:45.132999852 +0200 -+++ sos-4.9.2/bin/sosreport 2025-04-15 13:54:04.924751581 +0200 -@@ -0,0 +1,5 @@ ++++ sos-4.10.0/bin/sosreport 2025-04-15 13:54:04.924751581 +0200 +@@ -0,0 +1,6 @@ +#!/usr/bin/python3 +msg = ("sosreport binary is deprecated, use 'sos report' instead") +print(msg) ++exit(1) + +# vim:ts=4 et sw=4 --- /dev/null 2025-04-03 01:35:45.132999852 +0200 -+++ sos-4.9.2/bin/sos-collector 2025-04-15 15:10:17.780281627 +0200 -@@ -0,0 +1,5 @@ ++++ sos-4.10.0/bin/sos-collector 2025-04-15 15:10:17.780281627 +0200 +@@ -0,0 +1,6 @@ +#!/usr/bin/python3 +msg = ("sos-collector binary is deprecated, use 'sos collector' instead") +print(msg) ++exit(1) + +# vim:ts=4 et sw=4 diff --git a/SPECS/sos.spec b/SPECS/sos.spec index 2f39edd..e2cd6d4 100644 --- a/SPECS/sos.spec +++ b/SPECS/sos.spec @@ -4,8 +4,8 @@ Summary: A set of tools to gather troubleshooting information from a system Name: sos -Version: 4.9.2 -Release: 1%{?dist} +Version: 4.10.0 +Release: 4%{?dist} Group: Applications/System Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz Source1: sos-audit-%{auditversion}.tgz @@ -24,6 +24,11 @@ Conflicts: vdsm < 4.40 Obsoletes: sos-collector Patch1: sos-python36-walrus-operator.patch Patch2: sosreport-binary.patch +Patch3: 0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch +Patch4: 0002-openstack_nova-Improve-scrubbing.patch +Patch5: 0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch +Patch6: 0004-revert-PR4092.patch +Patch7: 0005-cleaner-rhel8.patch %description Sos is a set of tools that gathers information about system @@ -36,6 +41,11 @@ support technicians and developers. %setup -T -D -a1 -q %patch -P 1 -p1 %patch -P 2 -p1 +%patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 +%patch -P 6 -p1 +%patch -P 7 -p1 %build %py3_build @@ -108,6 +118,18 @@ of the system. Currently storage and filesystem commands are audited. %license LICENSE %changelog +* Tue Sep 23 2025 Jan Jansky = 4.10.0-4 +- Update to 4.10.0-4 + Resolves: RHEL-112413 + +* Wed Sep 17 2025 Jan Jansky = 4.10.0-2 +- Update to 4.10.0-2 + Resolves: RHEL-112413 + +* Thu Aug 21 2025 Jan Jansky = 4.10.0-1 +- Update to 4.10.0 + Resolves: RHEL-110499 + * Fri Jul 04 2025 Jan Jansky = 4.9.2-1 - Update to 4.9.2 in RHEL 8 Resolves: RHEL-101716