Hi,

On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote:
> Hi,
> the very sensitive IPMI password now shows up in crm's config,
> log files and ps -ef output.
>
> This patch provides an optional parameter "passwd_method" that
> can be used to hide this information on various levels.
>
> If not defined the old behavior is retained.

Many thanks for the patch, but we have to go another route for this issue. It'd be a big effort to provide the same for all stonith plugins.

The basic idea is to enhance lrmd to be able to read parameters from a file instead of the usual set of nvpairs in the CIB. See http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415 for more information.

Thanks,

Dejan

> Regards
> Holger
>
> # HG changeset patch
> # User Holger Teutsch <holger.teut...@web.de>
> # Date 1282209948 -7200
> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f
> external/ipmi: Provide opt param "passwd_method" to hide the ipmi password
> from config and logs
>
> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi > --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200 > +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200 > @@ -60,9 +60,30 @@ > interface="lan" > fi > > + case "${passwd_method}" in > + param|'') > + passwd_method=param > + M="-P" > + ;; > + env) > + M="-E" > + ;; > + file) > + M="-f" > + ;; > + *) > + ha_log.sh err "invalid passwd_method: \"${passwd_method}\"" > + return 1 > + esac > + > action="$*" > > - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" > ${action} 2>&1 > + if [ $passwd_method = env ] > + then > + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H > ${ipaddr} -U "${userid}" -E ${action} 2>&1 > + else > + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M > "${passwd}" ${action} 2>&1 > + fi > } > > # Yet another convenience wrapper that invokes run_ipmitool, captures > @@ -94,7 +115,6 @@ > esac > } > > - > # Rewrite the hostname to accept "," as a delimeter for hostnames too. > > case ${1} in 
> @@ -195,6 +215,19 @@ > </longdesc> > </parameter> > > +<parameter name="passwd_method" unique="1"> > +<content type="string" default="param"/> > +<shortdesc lang="en"> > +Method for passing passwd parameter > +</shortdesc> > +<longdesc lang="en"> > +Method for passing the passwd parameter to ipmitool > + param: pass as parameter (-P) > + env: pass via environment (-E) > + file: value of "passwd" is actually a file name, pass with (-f) > +</longdesc> > +</parameter> > + > <parameter name="interface" unique="1"> > <content type="string" default="lan"/> > <shortdesc lang="en">
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/
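
Review bot: In the first hunk (@@ -60,9 +60,30 @@, run_ipmitool), the "file" branch hands "${passwd}" to ipmitool -f without checking that it names a readable file, so a mistyped path only surfaces when a fencing action fails. Suggest testing [ -r "${passwd}" ] in that branch and reporting through ha_log.sh err, the way the invalid-method branch already does. Two limits of the approach are also worth stating in the commit message: the default stays "param", so the password remains on the ipmitool command line (-P) unless the admin opts in, and with "env" the secret still has to be stored in the passwd parameter, so only "file" keeps it out of the configuration. Minor style points: quote the variable in the test "if [ $passwd_method = env ]", and give the "*)" branch a closing ";;" like the other three.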
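
Review bot: In the metadata hunk (@@ -195,6 +215,19 @@), the longdesc for passwd_method lists the three values but does not say what each one protects, which is the whole reason for the parameter. Suggest documenting that "param" leaves the password on the command line, that "env" keeps it off the command line but still requires the password itself in the passwd parameter, and that only "file" removes it from the configuration, together with a sentence on the permissions the password file should have. The shortdesc could also name ipmitool so it is clear which program receives the value.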