CASMMON-564 passwords leaked to container logs in csm cray-sysmgmt-health- canu-test#4432
Open
rambabubolla wants to merge 1 commit into release/1.7 from
Summary and Scope
This fix is targeted for CSM 1.7.2, if we end up making that patch version.
CASMMON-564 passwords leaked to container logs in csm cray-sysmgmt-health- canu-test
Is this change backwards incompatible, backwards compatible, or a backwards compatible bugfix?
Issues and Related PRs
https://jira-pro.it.hpe.com:8443/browse/CASMMON-564
Cray-HPE/container-images#728
Cray-HPE/cray-sysmgmt-health#219
Found the !nitial0 password in the container logs for deployment.apps/cray-sysmgmt-health-canu-tes
This is installed as part of the helm chart cray-sysmgmt-health
The helm chart is found in csm-1.6.2.tar.gz -> cray-sysmgmt-health-1.1.7.tgz
The content of cray-sysmgmt-health-1.1.7.tgz shows that the passwords are read as env vars, rather than simply read from the file, and exposed in the container logs when passed as arguments.
Tested on: starlord2
Test description:
kubectl get pods -n sysmgmt-health -o wide|grep canu
cray-sysmgmt-health-canu-test-5d98d649cb-6fqts 2/2 Running 0 101s 10.48.10.239 ncn-w005
ssh ncn-w005
kubectl describe pod -n sysmgmt-health cray-sysmgmt-health-canu-test-5d98d649cb-6fqts
Container ID: containerd://4b018db92b305b1b957c3ac8dabc5229d3f47ac16676a89753235111eafe94a4
Image: artifactory.algol60.net/csm-docker/unstable/cray-canu/canu-test:2.0.2
ncn-w005:~ # crictl inspect 4b018db92b305b1b957c3ac8dabc5229d3f47ac16676a89753235111eafe94a4 |grep pid
"pid": 1
"pid": 702095,
"type": "pid"
sudo cat /proc/702095/environ | tr '\0' '\n' | grep -iE "password|secret|token|auth"
USERNAME_FILE=/etc/canu-secret/USERNAME
PASSWORD_FILE=/etc/canu-secret/PASSWORD
Without the fix, we are seeing the passwords:
ncn-w001:~ # sudo cat /proc/497150/environ |grep password
ncn-w001:~ # sudo cat /proc/497150/environ | tr '\0' '\n' | grep -iE "password"
PASSWORD=!nitial0
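The two states shown in the test notes above (a PASSWORD variable inlined in the process environment before the fix, only USERNAME_FILE/PASSWORD_FILE paths after it) can be replayed offline. The script below is an added example and is not code from the cray-sysmgmt-health chart or the canu-test image: it writes constructed NUL-separated blobs in the shape of /proc/<pid>/environ, runs the same grep-style check against them, and resolves a credential through the *_FILE indirection so the value lives only in a mounted file and never in the environment or argv. The temp-file paths, the "constructed-secret" value, and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the cray-sysmgmt-health chart or the canu-test image.
# Replays the /proc/<pid>/environ check from the PR test notes against constructed
# environ blobs and shows the *_FILE indirection that keeps the secret out of env/argv.

# Write a constructed NUL-separated environ blob (same layout as /proc/<pid>/environ) to $1.
# $2 = "leaky" inlines the credential; anything else writes only *_FILE paths ($3, $4).
write_environ() {
  if [ "$2" = leaky ]; then
    # Pre-fix shape: the secret itself is an environment variable (constructed value).
    printf 'PATH=/usr/bin\0USERNAME=admin\0PASSWORD=constructed-secret\0' > "$1"
  else
    # Post-fix shape: the environment carries only paths to mounted secret files.
    printf 'PATH=/usr/bin\0USERNAME_FILE=%s\0PASSWORD_FILE=%s\0' "$3" "$4" > "$1"
  fi
}

# Count variables whose name looks credential-bearing (same keyword list as the grep in
# the test notes), ignoring *_FILE variables, which hold a path rather than the secret.
# Prints 0 when nothing is inlined.
count_inline_secrets() {
  tr '\0' '\n' < "$1" \
    | grep -iE '^[^=]*(password|secret|token|auth)[^=]*=' \
    | grep -viE '^[^=]*_FILE=' \
    | wc -l | tr -d ' '
}

# Resolve credential $2 (e.g. PASSWORD) from environ blob $1 via the $2_FILE variable:
# read the file it points at instead of expecting the value in the environment.
read_secret_via_file() {
  path=$(tr '\0' '\n' < "$1" | sed -n "s/^$2_FILE=//p")
  [ -n "$path" ] || { echo "no $2_FILE in environ" >&2; return 1; }
  cat "$path"
}

# Stand-alone walkthrough: build both shapes under a temp dir and compare them.
demo() {
  dir=$(mktemp -d)
  printf 'admin' > "$dir/USERNAME"                 # constructed mounted secret files
  printf 'constructed-secret' > "$dir/PASSWORD"
  write_environ "$dir/leaky.environ" leaky
  write_environ "$dir/fixed.environ" fixed "$dir/USERNAME" "$dir/PASSWORD"
  echo "inline secrets before fix: $(count_inline_secrets "$dir/leaky.environ")"
  echo "inline secrets after fix:  $(count_inline_secrets "$dir/fixed.environ")"
  echo "password resolved via PASSWORD_FILE: $(read_secret_via_file "$dir/fixed.environ" PASSWORD)"
  rm -rf "$dir"
}

demo
```

Against a live node the same check is the one in the test notes: `crictl inspect <container-id>` for the host pid, then `tr '\0' '\n' < /proc/<pid>/environ` piped through the keyword grep; a clean result shows only the `*_FILE` paths, and the credential should likewise be absent from `/proc/<pid>/cmdline` and from `kubectl logs`, since the leak in CASMMON-564 came from passing it as an argument.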