Dejan, no problem. The patch now as attachment.
Thanx
Holger

-----Original message-----
From: Dejan Muhamedagic <deja...@fastmail.fm>
Sent: Aug 26, 2010 6:38:47 PM
To: High-Availability Linux Development List <linux-ha-dev@lists.linux-ha.org>
Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs
>Hi Holger,
>
>On Thu, Aug 26, 2010 at 05:10:13PM +0200, Holger Teutsch wrote:
>> Dejan,
>> I see.
>> I guess the remaining task is to cleanup all stonith agents to
>> let them pass password parameters to underlying tools in the
>> most concealed way. In the case of IPMI the underlying tool is
>> ipmitool. At least since 1.8.2 released in 2005 passing the
>> password via an environment variable is a valid option.
>>
>> Is it a valid assumption that all ipmitools in the field used
>> together with cluster-glue are later so passing via env should
>> be implemented as default ?
>> Or should there be a param for backwards compatibility (e.g.
>> passwd_as_param=1) ?
>
>I misunderstood your patch in part and owe you an apology. What
>you implemented has a benefit of its own. lrmd cannot help
>individual plugins or resource agents to hide passwords. We can
>also keep the option to pass a password in a file.
>
>Can you please send the patch again, this time as an attachment.
>The copy I have seems to have broken indentation and won't apply.
>
>Sorry for the confusion.
>
>Cheers,
>
>Dejan
>
>
>> Thanx for opinions.
>> Regards
>> Holger
>>
>> -----Original message-----
>> From: Dejan Muhamedagic <deja...@fastmail.fm>
>> Sent: Aug 25, 2010 4:14:19 PM
>> To: High-Availability Linux Development List *
>> Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method"
>> to hide the ipmi password from config and logs
>>
>> >Hi,
>> >
>> >On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote:
>> >> Hi,
>> >> the very sensitive IPMI password now shows up in crm's config,
>> >> log files and ps -ef output.
>> >>
>> >> This patch provides an optional parameter "passwd_method" that
>> >> can be used to hide this information on various levels.
>> >>
>> >> If not defined the old behavior is retained.
>> >
>> >Many thanks for the patch, but we have to go another route for
>> >this issue. It'd be a big effort to provide the same for all
>> >stonith plugins.
>> >The basic idea is to enhance lrmd to be able to
>> >read parameters from a file instead of the usual set of nvpairs
>> >in the CIB. See
>> >http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415
>> >for more information.
>> >
>> >Thanks,
>> >
>> >Dejan
>> >
>> >> Regards
>> >> Holger
>> >>
>> >> # HG changeset patch
>> >> # User Holger Teutsch <holger.teut...@web.de>
>> >> # Date 1282209948 -7200
>> >> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
>> >> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f
>> >> external/ipmi: Provide opt param "passwd_method" to hide the ipmi
>> >> password from config and logs
>> >>
>> >> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
>> >> --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200
>> >> +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200
>> >> @@ -60,9 +60,30 @@
>> >> interface="lan"
>> >> fi
>> >>
>> >> + case "${passwd_method}" in
>> >> + param|'')
>> >> + passwd_method=param
>> >> + M="-P"
>> >> + ;;
>> >> + env)
>> >> + M="-E"
>> >> + ;;
>> >> + file)
>> >> + M="-f"
>> >> + ;;
>> >> + *)
>> >> + ha_log.sh err "invalid passwd_method: \"${passwd_method}\""
>> >> + return 1
>> >> + esac
>> >> +
>> >> action="$*"
>> >>
>> >> - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P
>> >> "${passwd}" ${action} 2>&1
>> >> + if [ $passwd_method = env ]
>> >> + then
>> >> + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H
>> >> ${ipaddr} -U "${userid}" -E ${action} 2>&1
>> >> + else
>> >> + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M
>> >> "${passwd}" ${action} 2>&1
>> >> + fi
>> >> }
>> >>
>> >> # Yet another convenience wrapper that invokes run_ipmitool, captures
>> >> @@ -94,7 +115,6 @@
>> >> esac
>> >> }
>> >>
>> >> -
>> >> # Rewrite the hostname to accept "," as a delimeter for hostnames too.
>> >>
>> >> case ${1} in
>> >> @@ -195,6 +215,19 @@
>> >> </longdesc>
>> >> </parameter>
>> >>
>> >> +
>> >> +<content type="string" default="param"/>
>> >> +
>> >> +Method for passing passwd parameter
>> >> +</shortdesc>
>> >> +<longdesc lang="en">
>> >> +Method for passing the passwd parameter to ipmitool
>> >> + param: pass as parameter (-P)
>> >> + env: pass via environment (-E)
>> >> + file: value of "passwd" is actually a file name, pass with (-f)
>> >> +</longdesc>
>> >> +</parameter>
>> >> +
>> >>
>> >> <content type="string" default="lan"/>
>> >>

# HG changeset patch
# User Holger Teutsch <holger.teut...@web.de>
# Date 1282209948 -7200
# Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
# Parent ba146a145a3ede967af48e8936ac414984aa1e5f
external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs

diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
--- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200
+++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200
@@ -60,9 +60,30 @@
interface="lan"
fi

+ case "${passwd_method}" in
+ param|'')
+ passwd_method=param
+ M="-P"
+ ;;
+ env)
+ M="-E"
+ ;;
+ file)
+ M="-f"
+ ;;
+ *)
+ ha_log.sh err "invalid passwd_method: \"${passwd_method}\""
+ return 1
+ esac
+
action="$*"

- ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" ${action} 2>&1
+ if [ $passwd_method = env ]
+ then
+ IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -E ${action} 2>&1
+ else
+ ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M "${passwd}" ${action} 2>&1
+ fi
}

# Yet another convenience wrapper that invokes run_ipmitool, captures
@@ -94,7 +115,6 @@
esac
}

-
# Rewrite the hostname to accept "," as a delimeter for hostnames too.

case ${1} in
@@ -195,6 +215,19 @@
</longdesc>
</parameter>

+<parameter name="passwd_method" unique="1">
+<content type="string" default="param"/>
+<shortdesc lang="en">
+Method for passing passwd parameter
+</shortdesc>
+<longdesc lang="en">
+Method for passing the passwd parameter to ipmitool
+ param: pass as parameter (-P)
+ env: pass via environment (-E)
+ file: value of "passwd" is actually a file name, pass with (-f)
+</longdesc>
+</parameter>
+
<parameter name="interface" unique="1">
<content type="string" default="lan"/>
<shortdesc lang="en">
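Review bot: in the first hunk the `M="-E"` assignment in the `env)` arm is dead code, because the `if [ $passwd_method = env ]` branch hard-codes `-E` and only the `else` branch uses `$M`; either drop `M` from that arm or build both branches from `$M` so a later method cannot silently diverge from the case table. Quoting the test as `[ "$passwd_method" = env ]` is also safer, even though the `param|'')` arm guarantees a non-empty value today. The env branch does what the description promises: the password reaches ipmitool only through `IPMI_PASSWORD` in that one child process and never appears in its argument list, while `param` keeps the old `-P "${passwd}"` behaviour and `file` passes only a path as the argument.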
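Review bot: the second hunk only deletes a blank line before the `# Rewrite the hostname` comment and is unrelated to the feature; dropping it keeps the patch minimal and reduces the chance of it failing to apply against a slightly different tree.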
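Review bot: the third hunk's `<longdesc>` lists the three ipmitool flags but not what each method actually hides, which is the point of the parameter; spell it out, for example that `param` keeps the old behaviour and leaves the password visible in the ipmitool command line, `env` keeps it out of the command line but the value is still the `passwd` parameter held in the CIB, and `file` keeps it out of the CIB altogether but requires the file to exist on every node that may fence, readable only by the user the plugin runs as. Also `unique="1"` mirrors the neighbouring `interface` parameter, but the OCF `unique` attribute marks values that must differ between resource instances, and a method selector will normally be the same for every instance, so `unique="0"` fits better.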
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/