import sos-4.2-20.el8_6

2022-08-03 04:24:22 -04:00 · 2022-08-03 04:24:22 -04:00 · ab21b6ae02
commit ab21b6ae02
parent fb57ab1960
3 changed files with 150 additions and 1 deletions
--- a/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
+++ b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
@ -0,0 +1,66 @@
 From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
 From: Yedidyah Bar David <didi@redhat.com>
 Date: Thu, 26 May 2022 16:43:21 +0300
 Subject: [PATCH] [ovirt] answer files: Filter out all password keys
 Instead of hard-coding specific keys and having to maintain them over
 time, replace the values of all keys that have 'password' in their name.
 I think this covers all our current and hopefully future keys. It might
 add "false positives" - keys that are not passwords but have 'password'
 in their name - and I think that's a risk worth taking.
 Sadly, the engine admin password prompt's name is
 'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
 to be listed specifically.
 A partial list of keys added since the replaced code was written:
 - grafana-related stuff
 - keycloak-related stuff
 - otopi-style answer files
 Signed-off-by: Yedidyah Bar David <didi@redhat.com>
 Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
 ---
 sos/report/plugins/ovirt.py | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
 diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
 index 09647bf1..3b1bb29b 100644
 --- a/sos/report/plugins/ovirt.py
 +++ b/sos/report/plugins/ovirt.py
@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
                 r'{key}=********'.format(key=key)
             )
 -        # Answer files contain passwords
 -        for key in (
 -            'OVESETUP_CONFIG/adminPassword',
 -            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
 -            'OVESETUP_DWH_DB/password',
 -            'OVESETUP_DB/password',
 -            'OVESETUP_REPORTS_CONFIG/adminPassword',
 -            'OVESETUP_REPORTS_DB/password',
 +        # Answer files contain passwords.
 +        # Replace all keys that have 'password' in them, instead of hard-coding
 +        # here the list of keys, which changes between versions.
 +        # Sadly, the engine admin password prompt name does not contain
 +        # 'password'... so neither does the env key.
 +        for item in (
 +            'password',
 +            'OVESETUP_CONFIG_ADMIN_SETUP',
         ):
             self.do_path_regex_sub(
                 r'/var/lib/ovirt-engine/setup/answers/.*',
 -                r'{key}=(.*)'.format(key=key),
 -                r'{key}=********'.format(key=key)
 +                re.compile(
 +                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
 +                    flags=re.IGNORECASE
 +                ),
 +                r'\g<key>=********'
             )
         # aaa profiles contain passwords
 -- 
 2.27.0
--- a/SOURCES/sos-bz2098643-crio-output-to-json.patch
+++ b/SOURCES/sos-bz2098643-crio-output-to-json.patch
@ -0,0 +1,73 @@
 From c2e66fa4dae51f03c7310ba5278897ddecac1aad Mon Sep 17 00:00:00 2001
 From: Nadia Pinaeva <npinaeva@redhat.com>
 Date: Thu, 2 Jun 2022 15:43:09 +0200
 Subject: [PATCH] crio: switch from parsing output in table format to json
 Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
 ---
 sos/policies/runtimes/crio.py | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
 diff --git a/sos/policies/runtimes/crio.py b/sos/policies/runtimes/crio.py
 index 55082d07..4cae1ecc 100644
 --- a/sos/policies/runtimes/crio.py
 +++ b/sos/policies/runtimes/crio.py
@@ -7,6 +7,7 @@
 # version 2 of the GNU General Public License.
 #
 # See the LICENSE file in the source distribution for further information.
 +import json
 from sos.policies.runtimes import ContainerRuntime
 from sos.utilities import sos_get_command_output
@@ -29,14 +30,15 @@ class CrioContainerRuntime(ContainerRuntime):
         :type get_all: ``bool``
         """
         containers = []
 -        _cmd = "%s ps %s" % (self.binary, '-a' if get_all else '')
 +        _cmd = "%s ps %s -o json" % (self.binary, '-a' if get_all else '')
         if self.active:
             out = sos_get_command_output(_cmd, chroot=self.policy.sysroot)
 -            if out['status'] == 0:
 -                for ent in out['output'].splitlines()[1:]:
 -                    ent = ent.split()
 +            if out["status"] == 0:
 +                out_json = json.loads(out["output"])
 +                for container in out_json["containers"]:
                     # takes the form (container_id, container_name)
 -                    containers.append((ent[0], ent[-3]))
 +                    containers.append(
 +                        (container["id"], container["metadata"]["name"]))
         return containers
     def get_images(self):
@@ -47,13 +49,21 @@ class CrioContainerRuntime(ContainerRuntime):
         """
         images = []
         if self.active:
 -            out = sos_get_command_output("%s images" % self.binary,
 +            out = sos_get_command_output("%s images -o json" % self.binary,
                                          chroot=self.policy.sysroot)
             if out['status'] == 0:
 -                for ent in out['output'].splitlines():
 -                    ent = ent.split()
 -                    # takes the form (image_name, image_id)
 -                    images.append((ent[0] + ':' + ent[1], ent[2]))
 +                out_json = json.loads(out["output"])
 +                for image in out_json["images"]:
 +                    # takes the form (repository:tag, image_id)
 +                    if len(image["repoTags"]) > 0:
 +                        for repo_tag in image["repoTags"]:
 +                            images.append((repo_tag, image["id"]))
 +                    else:
 +                        if len(image["repoDigests"]) == 0:
 +                            image_name = "<none>"
 +                        else:
 +                            image_name = image["repoDigests"][0].split("@")[0]
 +                        images.append((image_name + ":<none>", image["id"]))
         return images
     def fmt_container_cmd(self, container, cmd, quotecmd):
 -- 
 2.27.0
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@ -5,7 +5,7 @@
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 4.2
-Release: 19%{?dist}
+Release: 20%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@ -45,6 +45,8 @@ Patch21: sos-bz2042966-ovn-proper-package-enablement.patch
 Patch22: sos-bz2054882-plugopt-logging-effective-opts.patch
 Patch23: sos-bz2055547-honour-plugins-timeout-hardcoded.patch
 Patch24: sos-bz2071825-merged-8.6.z.patch
 Patch25: sos-bz2098639-ovirt-obfuscation_answer_file.patch
 Patch26: sos-bz2098643-crio-output-to-json.patch
 %description
 Sos is a set of tools that gathers information about system
@ -79,6 +81,8 @@ support technicians and developers.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
 %build
 %py3_build
@ -145,6 +149,12 @@ of the system. Currently storage and filesystem commands are audited.
 %ghost /etc/audit/rules.d/40-sos-storage.rules
 %changelog
 * Fri Jul 24 2022 Jan Jansky <jjansky@redhat.com> = 4.2-20
 - [ovirt] obfuscate answer file
  Resolves: bz2098639
 - [crio] from output to json
  Resolves: bz2098643
 * Mon May 09 2022 Jan Jansky <jjansky@redhat.com> = 4.2-19
 - OCP backport
  Resolves: bz2071824