rpms/sos
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import CS sos-4.10.2-2.el9

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-03-30 10:04:12 -04:00
parent 2f2c261970
commit 9f7bfc1fb8
11 changed files with 306 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/sos-4.10.0.tar.gz
SOURCES/sos-4.10.2.tar.gz
SOURCES/sos-audit-0.3-1.tgz

2
.sos.metadata
View File

@ -1,2 +1,2 @@
6042daa19f01ecf2f1e331ae70482653fd500d1f SOURCES/sos-4.10.0.tar.gz
b9350b4145cbd8936efe88920a70fcca46824145 SOURCES/sos-4.10.2.tar.gz
00752b68ec5e1141192a9dab7d44377b8d637bf7 SOURCES/sos-audit-0.3-1.tgz

101
SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch
View File

@ -1,101 +0,0 @@
From 3efc8888852225396ebb4f0f9ae95edf4e5badfa Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Wed, 20 Aug 2025 20:07:05 +0200
Subject: [PATCH] [cleaner] Make cleaner's obfuscate_file properly working
The fix is three-fold:
- obfuscate_file must clean file content and not filename
- cleaner's main_archive must be populated by parsers first
- obfuscate_file dont need short_name as it is always called with
implicit value of short_name that cleaner will strip itself
Closes: #4109
Closes: #4110
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/cleaner/__init__.py | 7 ++++---
sos/collector/__init__.py | 9 +++------
sos/report/__init__.py | 9 +++------
3 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/sos/cleaner/__init__.py b/sos/cleaner/__init__.py
index 4a1470b5..dcd60c66 100644
--- a/sos/cleaner/__init__.py
+++ b/sos/cleaner/__init__.py
@@ -537,7 +537,7 @@ third party.
logfile.write(line)
if archive:
- self.obfuscate_file(log_name, short_name="sos_logs/cleaner.log")
+ self.obfuscate_file(log_name)
self.archive.add_file(log_name, dest="sos_logs/cleaner.log")
def get_new_checksum(self, archive_path):
@@ -678,6 +678,7 @@ third party.
for prepper in self.get_preppers():
for archive in self.report_paths:
self._prepare_archive_with_prepper(archive, prepper)
+ self.main_archive.set_parsers(self.parsers)
def obfuscate_report(self, archive): # pylint: disable=too-many-branches
"""Individually handle each archive or directory we've discovered by
@@ -784,8 +785,8 @@ third party.
self.ui_log.info("Exception while processing "
f"{archive.archive_name}: {err}")
- def obfuscate_file(self, filename, short_name):
- self.main_archive.obfuscate_filename(filename, short_name)
+ def obfuscate_file(self, filename):
+ self.main_archive.obfuscate_arc_files([filename])
def obfuscate_symlinks(self, archive):
"""Iterate over symlinks in the archive and obfuscate their names.
diff --git a/sos/collector/__init__.py b/sos/collector/__init__.py
index 7a414501..e6b55f20 100644
--- a/sos/collector/__init__.py
+++ b/sos/collector/__init__.py
@@ -1405,16 +1405,13 @@ this utility or remote systems that it connects to.
if do_clean:
_dir = os.path.join(self.tmpdir, self.archive._name)
cleaner.obfuscate_file(
- os.path.join(_dir, 'sos_logs', 'sos.log'),
- short_name='sos.log'
+ os.path.join(_dir, 'sos_logs', 'sos.log')
)
cleaner.obfuscate_file(
- os.path.join(_dir, 'sos_logs', 'ui.log'),
- short_name='ui.log'
+ os.path.join(_dir, 'sos_logs', 'ui.log')
)
cleaner.obfuscate_file(
- os.path.join(_dir, 'sos_reports', 'manifest.json'),
- short_name='manifest.json'
+ os.path.join(_dir, 'sos_reports', 'manifest.json')
)
arc_name = self.archive.finalize(method=None)
diff --git a/sos/report/__init__.py b/sos/report/__init__.py
index 074afcff..9fb94d6a 100644
--- a/sos/report/__init__.py
+++ b/sos/report/__init__.py
@@ -1571,13 +1571,10 @@ class SoSReport(SoSComponent):
# Now, separately clean the log files that cleaner also wrote to
if do_clean:
_dir = os.path.join(self.tmpdir, self.archive._name)
- cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'sos.log'),
- short_name='sos.log')
- cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'ui.log'),
- short_name='ui.log')
+ cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'sos.log'))
+ cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'ui.log'))
cleaner.obfuscate_file(
- os.path.join(_dir, 'sos_reports', 'manifest.json'),
- short_name='manifest.json'
+ os.path.join(_dir, 'sos_reports', 'manifest.json')
)
# Now, just (optionally) pack the report and print work outcome; let
--
2.49.0

0
SOURCES/sosreport-binary.patch → SOURCES/0001-sosreport-binary.patch
View File

36
SOURCES/0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch Normal file
View File

@ -0,0 +1,36 @@
From 178d7fb1296dbcb744867d1b8a29678d1a3b0820 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Mon, 26 Jan 2026 12:14:19 +0100
Subject: [PATCH] [gcp] Catch exceptions when PRODUCT_PATH doesnt exist
Catch exceptions when /sys/devices/virtual/dmi/id/product_name does not
exist on a (rare) system, while user manually enabled gcp plugin.
Closes: #4215
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/report/plugins/gcp.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sos/report/plugins/gcp.py b/sos/report/plugins/gcp.py
index 24b50323..43ceec00 100644
--- a/sos/report/plugins/gcp.py
+++ b/sos/report/plugins/gcp.py
@@ -38,8 +38,11 @@ class GCP(Plugin, IndependentPlugin):
Checks if this plugin should be executed based on the presence of
GCE entry in sysfs.
"""
- with open(self.PRODUCT_PATH, encoding='utf-8') as sys_file:
- return "Google Compute Engine" in sys_file.read()
+ try:
+ with open(self.PRODUCT_PATH, encoding='utf-8') as sys_file:
+ return "Google Compute Engine" in sys_file.read()
+ except OSError:
+ return False
def setup(self):
"""
--
2.52.0

72
SOURCES/0002-openstack_nova-Improve-scrubbing.patch
View File

@ -1,72 +0,0 @@
From 6378a4ee9fa3eeaf384bd87fc87e24a0c5608658 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Tue, 19 Aug 2025 09:08:15 +0200
Subject: [PATCH] [openstack_nova] Improve scrubbing
Improve postproc obfuscation in two ways:
- apply postproc also to /var/lib/openstack/config/nova on RedHatNova
- obfuscate just password from transport_url, not the whole URL
Closes: #4108
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/report/plugins/openstack_nova.py | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/sos/report/plugins/openstack_nova.py b/sos/report/plugins/openstack_nova.py
index 728aed1e..2635866e 100644
--- a/sos/report/plugins/openstack_nova.py
+++ b/sos/report/plugins/openstack_nova.py
@@ -29,6 +29,7 @@ class OpenStackNova(Plugin):
var_puppet_gen = "/var/lib/config-data/puppet-generated/nova"
service_name = "openstack-nova-api.service"
apachepkg = None
+ postproc_dirs = ["/etc/nova/",]
def setup(self):
@@ -141,12 +142,13 @@ class OpenStackNova(Plugin):
self.add_copy_spec(specs)
def apply_regex_sub(self, regexp, subst):
- """ Apply regex substitution """
- self.do_path_regex_sub("/etc/nova/*", regexp, subst)
- for npath in ['', '_libvirt', '_metadata', '_placement']:
- self.do_path_regex_sub(
- f"{self.var_puppet_gen}{npath}/etc/nova/*",
- regexp, subst)
+ """ Apply regex substitution to all sensitive dirs """
+ for _dir in self.postproc_dirs:
+ self.do_path_regex_sub(f"{_dir}/*", regexp, subst)
+ for npath in ['', '_libvirt', '_metadata', '_placement']:
+ self.do_path_regex_sub(
+ f"{self.var_puppet_gen}{npath}{_dir}/*",
+ regexp, subst)
def postproc(self):
protect_keys = [
@@ -155,10 +157,9 @@ class OpenStackNova(Plugin):
"xenapi_connection_password", "password", "host_password",
"vnc_password", "admin_password", "connection_password",
"memcache_secret_key", "s3_secret_key",
- "metadata_proxy_shared_secret", "fixed_key", "transport_url",
- "rbd_secret_uuid"
+ "metadata_proxy_shared_secret", "fixed_key", "rbd_secret_uuid"
]
- connection_keys = ["connection", "sql_connection"]
+ connection_keys = ["connection", "sql_connection", "transport_url"]
join_con_keys = "|".join(connection_keys)
@@ -214,6 +215,7 @@ class RedHatNova(OpenStackNova, RedHatPlugin):
apachepkg = "httpd"
nova = False
packages = ('openstack-selinux',)
+ postproc_dirs = ["/etc/nova/", "/var/lib/openstack/config/nova"]
def setup(self):
super().setup()
--
2.49.0

124
SOURCES/0003-aap_containerized-Carry-forward-postproc-from-other.patch Normal file
View File

@ -0,0 +1,124 @@
From 0c237bcaf476c9b5a28165b9124e08163af707ab Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Fri, 30 Jan 2026 21:50:52 +0100
Subject: [PATCH] [aap_containerized] Carry forward postproc from other AAP
plugins
Secrets obfuscations from 2a46e99 commit must be reflected in
containerized plugin.
Further, fix a typo in a regexp, to properly obfuscate:
EMAIL_HOST_PASSWORD = 'FAKESECRET!!!'
in (both) controller's settings.
Closes: #4213
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/report/plugins/aap_containerized.py | 37 +++++++++++++++++++------
sos/report/plugins/aap_controller.py | 4 +--
2 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/sos/report/plugins/aap_containerized.py b/sos/report/plugins/aap_containerized.py
index 7baa5fb3..0c85d4b2 100644
--- a/sos/report/plugins/aap_containerized.py
+++ b/sos/report/plugins/aap_containerized.py
@@ -41,6 +41,7 @@ class AAPContainerized(Plugin, RedHatPlugin):
def setup(self):
# Check if username is passed as argument
username = self.get_option("username")
+ self.aap_directory_name = self.get_option("directory")
if not username:
self._log_warn("AAP username is missing, use '-k "
"aap_containerized.username=<user>' to set it")
@@ -61,16 +62,15 @@ class AAPContainerized(Plugin, RedHatPlugin):
return
# Grab aap installation directory under user's home
- if not self.get_option("directory"):
+ if not self.aap_directory_name:
user_home_directory = os.path.expanduser(f"~{username}")
- aap_directory_name = self.path_join(user_home_directory, "aap")
- else:
- aap_directory_name = self.get_option("directory")
+ self.aap_directory_name = self.path_join(user_home_directory,
+ "aap")
# Don't collect cert and key files from the installation directory
- if self.path_exists(aap_directory_name):
+ if self.path_exists(self.aap_directory_name):
forbidden_paths = [
- self.path_join(aap_directory_name, path)
+ self.path_join(self.aap_directory_name, path)
for path in [
"containers",
"tls",
@@ -93,10 +93,10 @@ class AAPContainerized(Plugin, RedHatPlugin):
]
]
self.add_forbidden_path(forbidden_paths)
- self.add_copy_spec(aap_directory_name)
+ self.add_copy_spec(self.aap_directory_name)
else:
- self._log_error(f"Directory {aap_directory_name} does not exist "
- "or invalid absolute path provided")
+ self._log_error(f"Directory {self.aap_directory_name} does not "
+ "exist or invalid absolute path provided.")
# Gather output of following podman commands as user
podman_commands = [
@@ -200,6 +200,24 @@ class AAPContainerized(Plugin, RedHatPlugin):
return False
def postproc(self):
+ # remove controller email password
+ file_path = f"{self.aap_directory_name}/controller/etc/settings.py"
+ jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
+ repl = r"\1********"
+ self.do_path_regex_sub(file_path, jreg, repl)
+
+ # remove gateway database password
+ file_path = f"{self.aap_directory_name}/gateway/etc/settings.py"
+ jreg = r"(\s*'PASSWORD'\s*:\s*)('.*')"
+ repl = r"\1********"
+ self.do_path_regex_sub(file_path, jreg, repl)
+
+ # Mask EDA optional secrets
+ file_path = f"{self.aap_directory_name}/eda/etc/settings.yaml"
+ regex = r"(\s*)(PASSWORD|MQ_USER_PASSWORD|SECRET_KEY)(:\s*)(.*$)"
+ replacement = r'\1\2\3********'
+ self.do_path_regex_sub(file_path, regex, replacement)
+
# Mask PASSWORD from print_settings command
jreg = r'((["\']?PASSWORD["\']?\s*[:=]\s*)[rb]?["\'])(.*?)(["\'])'
self.do_cmd_output_sub(
@@ -214,4 +232,5 @@ class AAPContainerized(Plugin, RedHatPlugin):
jreg,
r'\1**********\5')
+
# vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/aap_controller.py b/sos/report/plugins/aap_controller.py
index afb2508c..e2b5e39e 100644
--- a/sos/report/plugins/aap_controller.py
+++ b/sos/report/plugins/aap_controller.py
@@ -83,12 +83,12 @@ class AAPControllerPlugin(Plugin, RedHatPlugin):
self.do_path_regex_sub("/etc/tower/conf.d/postgres.py", jreg, repl)
# remove email password
- jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
+ jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
repl = r"\1********"
self.do_path_regex_sub("/etc/tower/settings.py", jreg, repl)
# remove email password (if customized)
- jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
+ jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
repl = r"\1********"
self.do_path_regex_sub("/etc/tower/conf.d/custom.py", jreg, repl)
--
2.52.0

36
SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch
View File

@ -1,36 +0,0 @@
From c0e514894b2c35c2b36f247f8b84dd4311034fb6 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Fri, 12 Sep 2025 11:36:02 +0200
Subject: [PATCH] [component] Fix regression 57bbc89 in toolbox containers
57bbc89 commit set tmpdir to source the dir from Policy. Which means
HOST sysroot directory is newly applied already in
LinuxPolicy._container_init method.
Removed lines mimic the same in a worse way, so let drop them here.
Resolves: #4116
Closes: #4118
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/component.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/sos/component.py b/sos/component.py
index a110c270..3e53fe3d 100644
--- a/sos/component.py
+++ b/sos/component.py
@@ -170,9 +170,6 @@ class SoSComponent():
else:
tmpdir = os.getenv('TMPDIR', None) or self.policy.get_tmp_dir(None)
- if os.getenv('HOST', None) and os.getenv('container', None):
- tmpdir = os.path.join(os.getenv('HOST'), tmpdir.lstrip('/'))
-
# no standard library method exists for this, so call out to stat to
# avoid bringing in a dependency on psutil
self.tmpfstype = shell_out(
--
2.49.0

121
SOURCES/0004-cleaner-Update-filename-after-converting-pem-to-text.patch Normal file
View File

@ -0,0 +1,121 @@
From 0c7626683ae2dcbc5f7b0f00e0980895e0e1ce0d Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Mon, 2 Feb 2026 14:03:26 +0100
Subject: [PATCH] [cleaner] Update filename after converting pem to text
When converting PEM certificate to text, we need to update filename and
short_name to the newly created file, to ensure cleaner handles the
right file.
Also, rename misleading short_name to rel_name as it keeps the rel.path
to the filename.
Closes: #4219
Relevant: RHEL-145301
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/cleaner/archives/__init__.py | 34 +++++++++++++++++++-------------
1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/sos/cleaner/archives/__init__.py b/sos/cleaner/archives/__init__.py
index e918e2e3..af6ed222 100644
--- a/sos/cleaner/archives/__init__.py
+++ b/sos/cleaner/archives/__init__.py
@@ -156,18 +156,18 @@ class SoSObfuscationArchive():
for filename in flist:
self.log_debug(f" pid={os.getpid()}: obfuscating {filename}")
try:
- short_name = filename.split(self.archive_name + '/')[1]
- if self.should_skip_file(short_name):
+ rel_name = os.path.relpath(filename, start=self.extracted_path)
+ if self.should_skip_file(rel_name):
continue
if (not self.keep_binary_files and
- self.should_remove_file(short_name)):
+ self.should_remove_file(rel_name)):
# We reach this case if the option --keep-binary-files
# was not used, and the file is in a list to be removed
- self.remove_file(short_name)
+ self.remove_file(rel_name)
continue
if (self.keep_binary_files and
(file_is_binary(filename) or
- self.should_remove_file(short_name))):
+ self.should_remove_file(rel_name))):
# We reach this case if the option --keep-binary-files
# is used. In this case we want to make sure
# the cleaner doesn't try to clean a binary file
@@ -180,28 +180,32 @@ class SoSObfuscationArchive():
if is_certificate:
if is_certificate == "certificatekey":
# Always remove certificate Key files
- self.remove_file(short_name)
+ self.remove_file(rel_name)
continue
if self.treat_certificates == "keep":
continue
if self.treat_certificates == "remove":
- self.remove_file(short_name)
+ self.remove_file(rel_name)
continue
if self.treat_certificates == "obfuscate":
- self.certificate_to_text(filename)
+ # since the original filename is deleted, we must
+ # update both "filename" and "rel_name"
+ filename = self.certificate_to_text(filename)
+ rel_name = os.path.relpath(filename,
+ start=self.extracted_path)
_parsers = [
_p for _p in self.parsers if not
any(
- _skip.match(short_name) for _skip in _p.skip_patterns
+ _skip.match(rel_name) for _skip in _p.skip_patterns
)
]
if not _parsers:
self.log_debug(
- f"Skipping obfuscation of {short_name or filename} "
+ f"Skipping obfuscation of {rel_name or filename} "
f"due to matching file skip pattern"
)
continue
- self.log_debug(f"Obfuscating {short_name or filename}")
+ self.log_debug(f"Obfuscating {rel_name or filename}")
subs = 0
with tempfile.NamedTemporaryFile(mode='w', dir=self.tmpdir) \
as tfile:
@@ -214,13 +218,13 @@ class SoSObfuscationArchive():
tfile.write(line)
except Exception as err:
self.log_debug(f"Unable to obfuscate "
- f"{short_name}: {err}")
+ f"{rel_name}: {err}")
tfile.seek(0)
if subs:
shutil.copyfile(tfile.name, filename)
self.update_sub_count(subs)
- self.obfuscate_filename(short_name, filename)
+ self.obfuscate_filename(rel_name, filename)
except Exception as err:
self.log_debug(f" pid={os.getpid()}: caught exception on "
@@ -309,11 +313,13 @@ class SoSObfuscationArchive():
"""Convert a certificate to text. This is used when cleaner encounters
a certificate file and the option 'treat_certificates' is 'obfuscate'.
"""
+ out_fn = f"{fname}.text"
self.log_info(f"Converting certificate file '{fname}' to text")
sos_get_command_output(
f"openssl storeutl -noout -text -certs {str(fname)}",
- to_file=f"{fname}.text")
+ to_file=out_fn)
os.remove(fname)
+ return out_fn
def remove_file(self, fname):
"""Remove a file from the archive. This is used when cleaner encounters
--
2.52.0

0
SOURCES/0004-revert-PR4092.patch → SOURCES/0005-revert-PR4092.patch
View File

30
SPECS/sos.spec
View File

@ -4,8 +4,8 @@
Summary: A set of tools to gather troubleshooting information from a system
Name: sos
Version: 4.10.0
Release: 4%{?dist}
Version: 4.10.2
Release: 2%{?dist}
Group: Applications/System
Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
Source1: sos-audit-%{auditversion}.tgz
@ -22,11 +22,11 @@ Recommends: python3-pexpect
Recommends: python3-pyyaml
Conflicts: vdsm < 4.40
Obsoletes: sos-collector <= 1.9
Patch1: sosreport-binary.patch
Patch2: 0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch
Patch3: 0002-openstack_nova-Improve-scrubbing.patch
Patch4: 0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch
Patch5: 0004-revert-PR4092.patch
Patch1: 0001-sosreport-binary.patch
Patch2: 0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch
Patch3: 0003-aap_containerized-Carry-forward-postproc-from-other.patch
Patch4: 0004-cleaner-Update-filename-after-converting-pem-to-text.patch
Patch5: 0005-revert-PR4092.patch
%description
Sos is a set of tools that gathers information about system
@ -114,6 +114,22 @@ of the system. Currently storage and filesystem commands are audited.
%license LICENSE
%changelog
* Thu Feb 26 2026 Jan Jansky <jjansky@redhat.com> = 4.10.2-2
- Update to 4.10.2-2
Resolves: RHEL-152471
* Thu Jan 22 2026 Jan Jansky <jjansky@redhat.com> = 4.10.2-1
- Update to 4.10.2-1
Resolves: RHEL-142635
* Fri Dec 05 2025 Jan Jansky <jjansky@redhat.com> = 4.10.1-2
- Update to 4.10.1-2
Resolves: RHEL-121474
* Tue Nov 25 2025 Jan Jansky <jjansky@redhat.com> = 4.10.1-1
- Update to 4.10.1-1
Resolves: RHEL-121474
* Tue Sep 23 2025 Jan Jansky <jjansky@redhat.com> = 4.10.0-4
- Update to 4.10.0-4
Resolves: RHEL-113795