import sos-4.2-20.el8_6

2022-08-03 04:24:22 -04:00 · 2022-08-03 04:24:22 -04:00 · ab21b6ae02
commit ab21b6ae02
parent fb57ab1960
3 changed files with 150 additions and 1 deletions
--- a/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
+++ b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
@ -0,0 +1,66 @@
+From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David <didi@redhat.com>
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David <didi@redhat.com>
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf1..3b1bb29b 100644
+--- a/sos/report/plugins/ovirt.py
+++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
+                 r'{key}=********'.format(key=key)
+             )
+ 
+-        # Answer files contain passwords
+-        for key in (
+-            'OVESETUP_CONFIG/adminPassword',
+-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+-            'OVESETUP_DWH_DB/password',
+-            'OVESETUP_DB/password',
+-            'OVESETUP_REPORTS_CONFIG/adminPassword',
+-            'OVESETUP_REPORTS_DB/password',
+        # Answer files contain passwords.
+        # Replace all keys that have 'password' in them, instead of hard-coding
+        # here the list of keys, which changes between versions.
+        # Sadly, the engine admin password prompt name does not contain
+        # 'password'... so neither does the env key.
+        for item in (
+            'password',
+            'OVESETUP_CONFIG_ADMIN_SETUP',
+         ):
+             self.do_path_regex_sub(
+                 r'/var/lib/ovirt-engine/setup/answers/.*',
+-                r'{key}=(.*)'.format(key=key),
+-                r'{key}=********'.format(key=key)
+                re.compile(
+                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
+                    flags=re.IGNORECASE
+                ),
+                r'\g<key>=********'
+             )
+ 
+         # aaa profiles contain passwords
+-- 
+2.27.0
+
--- a/SOURCES/sos-bz2098643-crio-output-to-json.patch
+++ b/SOURCES/sos-bz2098643-crio-output-to-json.patch
@ -0,0 +1,73 @@
+From c2e66fa4dae51f03c7310ba5278897ddecac1aad Mon Sep 17 00:00:00 2001
+From: Nadia Pinaeva <npinaeva@redhat.com>
+Date: Thu, 2 Jun 2022 15:43:09 +0200
+Subject: [PATCH] crio: switch from parsing output in table format to json
+
+Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
+---
+ sos/policies/runtimes/crio.py | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/sos/policies/runtimes/crio.py b/sos/policies/runtimes/crio.py
+index 55082d07..4cae1ecc 100644
+--- a/sos/policies/runtimes/crio.py
+++ b/sos/policies/runtimes/crio.py
+@@ -7,6 +7,7 @@
+ # version 2 of the GNU General Public License.
+ #
+ # See the LICENSE file in the source distribution for further information.
+import json
+ 
+ from sos.policies.runtimes import ContainerRuntime
+ from sos.utilities import sos_get_command_output
+@@ -29,14 +30,15 @@ class CrioContainerRuntime(ContainerRuntime):
+         :type get_all: ``bool``
+         """
+         containers = []
+-        _cmd = "%s ps %s" % (self.binary, '-a' if get_all else '')
+        _cmd = "%s ps %s -o json" % (self.binary, '-a' if get_all else '')
+         if self.active:
+             out = sos_get_command_output(_cmd, chroot=self.policy.sysroot)
+-            if out['status'] == 0:
+-                for ent in out['output'].splitlines()[1:]:
+-                    ent = ent.split()
+            if out["status"] == 0:
+                out_json = json.loads(out["output"])
+                for container in out_json["containers"]:
+                     # takes the form (container_id, container_name)
+-                    containers.append((ent[0], ent[-3]))
+                    containers.append(
+                        (container["id"], container["metadata"]["name"]))
+         return containers
+ 
+     def get_images(self):
+@@ -47,13 +49,21 @@ class CrioContainerRuntime(ContainerRuntime):
+         """
+         images = []
+         if self.active:
+-            out = sos_get_command_output("%s images" % self.binary,
+            out = sos_get_command_output("%s images -o json" % self.binary,
+                                          chroot=self.policy.sysroot)
+             if out['status'] == 0:
+-                for ent in out['output'].splitlines():
+-                    ent = ent.split()
+-                    # takes the form (image_name, image_id)
+-                    images.append((ent[0] + ':' + ent[1], ent[2]))
+                out_json = json.loads(out["output"])
+                for image in out_json["images"]:
+                    # takes the form (repository:tag, image_id)
+                    if len(image["repoTags"]) > 0:
+                        for repo_tag in image["repoTags"]:
+                            images.append((repo_tag, image["id"]))
+                    else:
+                        if len(image["repoDigests"]) == 0:
+                            image_name = "<none>"
+                        else:
+                            image_name = image["repoDigests"][0].split("@")[0]
+                        images.append((image_name + ":<none>", image["id"]))
+         return images
+ 
+     def fmt_container_cmd(self, container, cmd, quotecmd):
+-- 
+2.27.0
+
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@ -5,7 +5,7 @@
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 4.2
-Release: 19%{?dist}
+Release: 20%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@ -45,6 +45,8 @@ Patch21: sos-bz2042966-ovn-proper-package-enablement.patch
 Patch22: sos-bz2054882-plugopt-logging-effective-opts.patch
 Patch23: sos-bz2055547-honour-plugins-timeout-hardcoded.patch
 Patch24: sos-bz2071825-merged-8.6.z.patch
+Patch25: sos-bz2098639-ovirt-obfuscation_answer_file.patch
+Patch26: sos-bz2098643-crio-output-to-json.patch

 %description
 Sos is a set of tools that gathers information about system
@ -79,6 +81,8 @@ support technicians and developers.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
+%patch26 -p1

 %build
 %py3_build
@ -145,6 +149,12 @@ of the system. Currently storage and filesystem commands are audited.
 %ghost /etc/audit/rules.d/40-sos-storage.rules

 %changelog
+* Fri Jul 24 2022 Jan Jansky <jjansky@redhat.com> = 4.2-20
+- [ovirt] obfuscate answer file
+  Resolves: bz2098639
+- [crio] from output to json
+  Resolves: bz2098643
+
 * Mon May 09 2022 Jan Jansky <jjansky@redhat.com> = 4.2-19
 - OCP backport
  Resolves: bz2071824