Dejan,
no problem.
The patch now as attachment.
Thanx
Holger
-----Original Message-----
From: Dejan Muhamedagic <deja...@fastmail.fm>
Sent: Aug 26, 2010 6:38:47 PM
To: High-Availability Linux Development List <linux-ha-dev@lists.linux-ha.org>
Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs

>Hi Holger,
>
>On Thu, Aug 26, 2010 at 05:10:13PM +0200, Holger Teutsch wrote:
>> Dejan,
>> I see.
>> I guess the remaining task is to cleanup all stonith agents to
>> let them pass password parameters to underlying tools in the
>> most concealed way. In the case of IPMI the underlying tool is
>> ipmitool. At least since 1.8.2 released in 2005 passing the
>> password via an environment variable is a valid option.
>> 
>> Is it a valid assumption that all ipmitools in the field used
>> together with cluster-glue are later so passing via env should
>> be implemented as default ?
>> Or should there be a param for backwards compatibility (e.g.
>> passwd_as_param=1) ?
>
>I misunderstood your patch in part and owe you an apology. What
>you implemented has a benefit of its own. lrmd cannot help
>individual plugins or resource agents to hide passwords. We can
>also keep the option to pass a password in a file.
>
>Can you please send the patch again, this time as an attachment.
>The copy I have seems to have broken indentation and won't apply.
>
>Sorry for the confusion.
>
>Cheers,
>
>Dejan
>
>
>> Thanx for opinions.
>> Regards
>> Holger
>> 
>> -----Original Message-----
>> From: Dejan Muhamedagic <deja...@fastmail.fm>
>> Sent: Aug 25, 2010 4:14:19 PM
>> To: High-Availability Linux Development List * 
>> Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
>> 
>> >Hi,
>> >
>> >On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote:
>> >> Hi,
>> >> the very sensitive IPMI password now shows up in crm's config,
>> >> log files and ps -ef output.
>> >> 
>> >> This patch provides an optional parameter "passwd_method" that
>> >> can be used to hide this information on various levels.
>> >> 
>> >> If not defined the old behavior is retained.
>> >
>> >Many thanks for the patch, but we have to go another route for
>> >this issue. It'd be a big effort to provide the same for all
>> >stonith plugins. The basic idea is to enhance lrmd to be able to
>> >read parameters from a file instead of the usual set of nvpairs
>> >in the CIB. See
>> >http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415
>> >for more information.
>> >
>> >Thanks,
>> >
>> >Dejan
>> >
>> >> Regards
>> >> Holger
>> >> 
>> >> # HG changeset patch
>> >> # User Holger Teutsch <holger.teut...@web.de>
>> >> # Date 1282209948 -7200
>> >> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
>> >> # Parent  ba146a145a3ede967af48e8936ac414984aa1e5f
>> >> external/ipmi: Provide opt param "passwd_method" to hide the ipmi 
>> >> password from config and logs
>> >> 
>> >> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
>> >> --- a/lib/plugins/stonith/external/ipmi    Thu Aug 12 16:46:02 2010 +0200
>> >> +++ b/lib/plugins/stonith/external/ipmi    Thu Aug 19 11:25:48 2010 +0200
>> >> @@ -60,9 +60,30 @@
>> >>  interface="lan"
>> >>  fi
>> >>  
>> >> +        case "${passwd_method}" in
>> >> +            param|'')
>> >> +                passwd_method=param
>> >> +                M="-P"
>> >> +                ;;
>> >> +            env)
>> >> +                M="-E"
>> >> +                ;;
>> >> +            file)
>> >> +                M="-f"
>> >> +                ;;
>> >> +            *)
>> >> +        ha_log.sh err "invalid passwd_method: \"${passwd_method}\""
>> >> +        return 1
>> >> +        esac
>> >> +
>> >>  action="$*"
>> >>  
>> >> -    ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P 
>> >> "${passwd}" ${action} 2>&1
>> >> +        if [ $passwd_method = env ]
>> >> +        then
>> >> +            IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H 
>> >> ${ipaddr} -U "${userid}" -E ${action} 2>&1
>> >> +        else
>> >> +            ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M 
>> >> "${passwd}" ${action} 2>&1
>> >> +        fi
>> >>  }
>> >>  
>> >>  # Yet another convenience wrapper that invokes run_ipmitool, captures
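Review bot: this inline copy of the hunk has been re-wrapped by the mailer and will not apply: the removed `-P "${passwd}"` invocation and both new ipmitool invocations are each split over two lines, with the second half carrying only the quote prefix and no diff marker. The attached copy of the same patch further down carries these lines intact, so review against that one.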
>> >> @@ -94,7 +115,6 @@
>> >>  esac
>> >>  }
>> >>  
>> >> -
>> >>  # Rewrite the hostname to accept "," as a delimeter for hostnames too.
>> >>  
>> >>  case ${1} in
>> >> @@ -195,6 +215,19 @@
>> >>  </longdesc>
>> >>  </parameter>
>> >>  
>> >> +
>> >> +<content type="string" default="param"/>
>> >> +
>> >> +Method for passing passwd parameter
>> >> +</shortdesc>
>> >> +<longdesc lang="en">
>> >> +Method for passing the passwd parameter to ipmitool
>> >> +  param: pass as parameter (-P)
>> >> +  env:   pass via environment (-E)
>> >> +  file:  value of "passwd" is actually a file name, pass with (-f)
>> >> +</longdesc>
>> >> +</parameter>
>> >> +
>> >>  
>> >>  <content type="string" default="lan"/>
>> >>  
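Review bot: besides the wrapping, this copy of the metadata hunk is missing the `<parameter name="passwd_method" unique="1">` and `<shortdesc lang="en">` opening tags of the new parameter and the `<parameter name="interface" unique="1">` context line, leaving bare `+` and blank context lines where they stood; the attached version below has all three.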
>> >> _______________________________________________________
>> >> Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
>> >> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
>> >> Home Page: http://linux-ha.org/
# HG changeset patch
# User Holger Teutsch <holger.teut...@web.de>
# Date 1282209948 -7200
# Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
# Parent  ba146a145a3ede967af48e8936ac414984aa1e5f
external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs

diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
--- a/lib/plugins/stonith/external/ipmi	Thu Aug 12 16:46:02 2010 +0200
+++ b/lib/plugins/stonith/external/ipmi	Thu Aug 19 11:25:48 2010 +0200
@@ -60,9 +60,30 @@
 		interface="lan"
 	fi
 
+        case "${passwd_method}" in
+            param|'')
+                passwd_method=param
+                M="-P"
+                ;;
+            env)
+                M="-E"
+                ;;
+            file)
+                M="-f"
+                ;;
+            *)
+		ha_log.sh err "invalid passwd_method: \"${passwd_method}\""
+		return 1
+        esac
+
 	action="$*"
 
-	${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" ${action} 2>&1
+        if [ $passwd_method = env ]
+        then
+            IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -E ${action} 2>&1
+        else
+            ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M "${passwd}" ${action} 2>&1
+        fi
 }
 
 # Yet another convenience wrapper that invokes run_ipmitool, captures
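Review bot: in the `env)` arm `M="-E"` is dead, because the `if [ $passwd_method = env ]` branch hardcodes `-E` and never reads `$M`; either drop that assignment or add a comment saying the env method is dispatched separately, so the next reader does not expect a single `$M` invocation. Style-wise the `*)` arm is the only one without a terminating `;;`, and the added lines are indented with eight spaces while the surrounding file and the `ha_log.sh err` / `return 1` lines use tabs. A comment should also say that only `env` and `file` take the secret off the command line: with `param` (the default) it is still visible to every local user in `ps -ef`, and in all three modes `passwd` remains in the CIB and can still reach the logs, which this patch does not try to address.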
@@ -94,7 +115,6 @@
 	esac
 }
 
-
 # Rewrite the hostname to accept "," as a delimeter for hostnames too.
 
 case ${1} in
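Review bot: this hunk only drops a blank line and has nothing to do with `passwd_method`; whitespace-only changes are better kept out of a feature patch, or, if the spot is being touched anyway, fix the `delimeter` typo in the comment to `delimiter` so the hunk carries a real change.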
@@ -195,6 +215,19 @@
 </longdesc>
 </parameter>
 
+<parameter name="passwd_method" unique="1">
+<content type="string" default="param"/>
+<shortdesc lang="en">
+Method for passing passwd parameter
+</shortdesc>
+<longdesc lang="en">
+Method for passing the passwd parameter to ipmitool
+  param: pass as parameter (-P)
+  env:   pass via environment (-E)
+  file:  value of "passwd" is actually a file name, pass with (-f)
+</longdesc>
+</parameter>
+
 <parameter name="interface" unique="1">
 <content type="string" default="lan"/>
 <shortdesc lang="en">
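Review bot: the `longdesc` should state the operational caveats of each method so an admin can choose safely: `env` requires an ipmitool that understands `-E` and `IPMI_PASSWORD` (the thread puts that at 1.8.2 and later), `file` means the file named in `passwd` must exist on every node that can run this plugin and should be readable only by the user the plugin runs as, and `param`, the default, still exposes the password in `ps` output, which is the very problem the parameter is meant to solve. It is also worth saying that the CIB entry and the logs are unaffected by any of the three settings.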
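The exposure this thread is about, as an added shell example that is not part of the patch or of cluster-glue: a child shell stands in for ipmitool and inspects its own process, so the `param` (`-P` on argv) and `env` (`-E` with `IPMI_PASSWORD`) methods can be compared without touching any BMC. It assumes a Linux `/proc`; the function names and the placeholder secret are constructed for this example, and the `file` method is not simulated.

```shell
#!/bin/sh
# Added example (not part of the patch or of cluster-glue): compare where a
# secret ends up when passed the "param" way (ipmitool -P "<passwd>") versus
# the "env" way (ipmitool -E reading IPMI_PASSWORD). A child shell stands in
# for ipmitool and inspects its own process. Assumes a Linux /proc.
SECRET="s3cr3t-placeholder"   # constructed value, not a real password

# "param" method: the secret is an argv element of the child. Returns 0 if the
# child's /proc/PID/cmdline, which is world-readable and is what "ps -ef"
# prints for every local user, contains it.
param_method_exposes_secret() {
    sh -c 'tr "\0" " " < /proc/$$/cmdline | grep -qF -e "$2"' ipmitool-sim -P "$SECRET"
}

# "env" method: the secret is only in the child's environment. Returns 0 if it
# still shows up in /proc/PID/cmdline (it should not, so expect 1).
env_method_exposes_secret() {
    IPMI_PASSWORD="$SECRET" sh -c 'tr "\0" " " < /proc/$$/cmdline | grep -qF -e "$IPMI_PASSWORD"' ipmitool-sim -E
}

# With the env method the secret still exists in /proc/PID/environ, which only
# the process owner and root can read: it is concealed from other users, not gone.
env_method_secret_in_environ() {
    IPMI_PASSWORD="$SECRET" sh -c 'tr "\0" "\n" < /proc/$$/environ | grep -qF -e "IPMI_PASSWORD=$IPMI_PASSWORD"' ipmitool-sim -E
}

# Show the permission difference between the two files (r--r--r-- vs r--------).
proc_modes() {
    ls -l /proc/self/cmdline /proc/self/environ
}

if param_method_exposes_secret; then echo "param: secret visible in cmdline (ps -ef)"; fi
if ! env_method_exposes_secret; then echo "env: secret absent from cmdline"; fi
if env_method_secret_in_environ; then echo "env: secret present in environ (owner/root only)"; fi
proc_modes
```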