[openstack-dev] [cinder] CHAP secret is visible in cinder volume log
Hi,

I am wondering why screen-c-vol.log is displaying the CHAP secret.

Logs:

2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - -] CMD sudo cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m node -T iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p 192.10.44.48:3260 --op update -n* node.session.auth.password -v *** returned:* 0 in 0.088s execute /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225

Above log hides the secret.

2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout= stderr= _run_iscsiadm /opt/stack/cinder/cinder/brick/initiator/connector.py:455

However, this one does not hide the secret.

In addition, I find that the CHAP credentials are stored as plain string in the database table (volumes). I guess these are security risks in the current implementation.

Any comments?

Regards,
Yogesh
*CloudByte Inc.* http://www.cloudbyte.com/

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder] CHAP secret is visible in cinder volume log
Hi All,

Thanks for your comments, due to time zone difference I was not able to interact.

Regards,
Yogesh
*CloudByte Inc.* http://www.cloudbyte.com/

On Thu, Apr 16, 2015 at 11:19 PM, Mike Perez thin...@gmail.com wrote:
> On 09:41 Apr 16, Mike Perez wrote:
>> On 18:24 Apr 16, Yogesh Prasad wrote:
>>> Hi,
>>>
>>> I am wondering why screen-c-vol.log is displaying the CHAP secret.
>>>
>>> Logs:
>>>
>>> 2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - -] CMD sudo cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m node -T iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p 192.10.44.48:3260 --op update -n* node.session.auth.password -v *** returned:* 0 in 0.088s execute /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
>>>
>>> Above log hides the secret.
>>>
>>> 2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout= stderr= _run_iscsiadm /opt/stack/cinder/cinder/brick/initiator/connector.py:455
>>>
>>> However, this one does not hide the secret.
>>
>> This is specifically happening in oslo_concurrency lib. We could add 'v' to the sanitize_keys in oslo_utils.strutils, but that seems a bit weird. I'm waiting for someone to get back to me #openstack-oslo on how to best deal with this.
>
> Duh thanks Walt.
>
> https://review.openstack.org/174484
> https://review.openstack.org/174485
>
> --
> Mike Perez
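An added example, not code from Cinder, oslo or the linked reviews: in the second log line of this thread the secret is only the value that follows -v, so masking has to key off the setting named by -n. The sketch below masks an iscsiadm argument tuple before it is logged and scrubs lines already written in that format; mask_iscsiadm_args, scrub_log_line and the setting names other than node.session.auth.password are assumptions for illustration.

```python
import re

# iscsiadm settings whose -v value is a credential. The first is the one in
# the log above; the other three are assumed additions for illustration.
SENSITIVE_SETTINGS = frozenset({
    "node.session.auth.password",
    "node.session.auth.password_in",
    "discovery.sendtargets.auth.password",
    "discovery.sendtargets.auth.password_in",
})
MASK = "***"


def mask_iscsiadm_args(args):
    """Return a copy of an iscsiadm argument tuple that is safe to log.

    The secret has no key of its own: it is the value given with -v/--value
    when -n/--name names a credential setting, in either order.
    """
    args = [str(a) for a in args]
    pairs = list(zip([None] + args, args))  # (previous arg, current arg)
    names = {cur for prev, cur in pairs if prev in ("-n", "--name")}
    names |= {a.split("=", 1)[1] for a in args if a.startswith("--name=")}
    if not names & SENSITIVE_SETTINGS:
        return tuple(args)
    masked = []
    for prev, cur in pairs:
        if prev in ("-v", "--value"):
            cur = MASK
        elif cur.startswith("--value="):
            cur = "--value=" + MASK
        masked.append(cur)
    return tuple(masked)


# repr() form used by the second log line above: ..., '-v', u'<secret>')
_LOGGED = re.compile(
    r"('(?:%s)',\s*'-v',\s*)u?'(?:[^'\\]|\\.)*'"
    % "|".join(re.escape(s) for s in sorted(SENSITIVE_SETTINGS)))


def scrub_log_line(line):
    """Mask a credential in a line that was already written to a log."""
    return _LOGGED.sub(lambda m: m.group(1) + "'" + MASK + "'", line)


if __name__ == "__main__":
    # Argument tuple as it appears in the log line quoted on this page.
    logged = ("--op", "update", "-n", "node.session.auth.password",
              "-v", u"fakeauthgroupchapsecret")
    print(mask_iscsiadm_args(logged))
```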
[openstack-dev] [devstack] [IceHouse] Install prettytable=0.7 to satisfy pip 6/PEP 440
Hi Stackers,

I observe that this commit is present in master branch.

commit 6ec66bb3d1354062ec70be972dba990e886084d5
Install prettytable=0.7 to satisfy pip 6/PEP 440
...

However, I am facing the issues due to PEP 440 in devstack's stable/icehouse branch. Is devstack icehouse still maintained? In other words will these fixes get into icehouse branch?

Regards,
Yogesh
*CloudByte Inc.* http://www.cloudbyte.com/

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [cinder] volume creation failed.
Hi All,

I have a devstack setup, and I am trying to create a volume but it is creating with error status. Can anyone tell me what is the problem?

Screen logs --

.py:297
2014-06-26 17:37:04.370 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-keystoneclient', 'address': '20.10.22.245'}, 'id': 'openstack:d58d5688-f604-4362-9069-8cb217c029c8', 'name': u'6fcd84d16da646dc825411da06bf26b2'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:85ef43dd-b0ab-4726-898e-36107b06a231'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:120866e8-51b9-4338-b41b-2dbea3aa4f17'}, 'eventType': 'activity', 'eventTime': '2014-06-26T12:07:04.368547+', 'action': 'authenticate', 'outcome': 'success', 'id': 'openstack:dda01da7-1274-4b4f-8ff5-1dcdb6d80ff4'} from (pid=7033) _send_audit_notification /opt/stack/keystone/keystone/notifications.py:297
2014-06-26 17:37:04.902 INFO eventlet.wsgi.server [-] 20.10.22.245 - - [26/Jun/2014 17:37:04] POST /v2.0//tokens HTTP/1.1 200 6913 0.771471
2014-06-26 17:37:04.992 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'user_id': u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'], 'trustee_id': None, 'trustor_id': None, 'project_id': u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033) process_request /opt/stack/keystone/keystone/middleware/core.py:286
2014-06-26 17:37:05.009 DEBUG keystone.common.wsgi [-] arg_dict: {} from (pid=7033) __call__ /opt/stack/keystone/keystone/common/wsgi.py:181
2014-06-26 17:37:05.023 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:revocation_list() from (pid=7033) _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:54
2014-06-26 17:37:05.027 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment from (pid=7033) _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:59
2014-06-26 17:37:05.033 DEBUG keystone.policy.backends.rules [-] enforce identity:revocation_list: {'is_delegated_auth': False, 'user_id': u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'], 'trustee_id': None, 'trustor_id': None, 'project_id': u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033) enforce /opt/stack/keystone/keystone/policy/backends/rules.py:101
2014-06-26 17:37:05.040 DEBUG keystone.openstack.common.policy [-] Rule identity:revocation_list will be now enforced from (pid=7033) enforce /opt/stack/keystone/keystone/openstack/common/policy.py:288
2014-06-26 17:37:05.043 DEBUG keystone.common.controller [-] RBAC: Authorization granted from (pid=7033) inner /opt/stack/keystone/keystone/common/controller.py:151
2014-06-26 17:37:05.228 INFO eventlet.wsgi.server [-] 20.10.22.245 - - [26/Jun/2014 17:37:05] GET /v2.0/tokens/revoked HTTP/1.1 200 815 0.277525

--
*Thanks Regards*,
Yogesh Prasad.
Re: [openstack-dev] [cinder] volume creation failed.
Hi,

I have a devstack setup. Please tell me how I can create a separate log file for each type of log, like cinder-api, cinder-scheduler and cinder-volume logs.

On Thu, Jun 26, 2014 at 5:49 PM, Duncan Thomas duncan.tho...@gmail.com wrote:
> I'm afraid that isn't the log we need to diagnose your problem. Can you put cinder-api, cinder-scheduler and cinder-volume logs up please?
>
> On 26 June 2014 13:12, Yogesh Prasad yogesh.pra...@cloudbyte.com wrote:
>> Hi All,
>>
>> I have a devstack setup, and I am trying to create a volume but it is creating with error status. Can anyone tell me what is the problem?
>>
>> Screen logs --
>>
>> .py:297
>> 2014-06-26 17:37:04.370 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-keystoneclient', 'address': '20.10.22.245'}, 'id': 'openstack:d58d5688-f604-4362-9069-8cb217c029c8', 'name': u'6fcd84d16da646dc825411da06bf26b2'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:85ef43dd-b0ab-4726-898e-36107b06a231'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:120866e8-51b9-4338-b41b-2dbea3aa4f17'}, 'eventType': 'activity', 'eventTime': '2014-06-26T12:07:04.368547+', 'action': 'authenticate', 'outcome': 'success', 'id': 'openstack:dda01da7-1274-4b4f-8ff5-1dcdb6d80ff4'} from (pid=7033) _send_audit_notification /opt/stack/keystone/keystone/notifications.py:297
>> 2014-06-26 17:37:04.902 INFO eventlet.wsgi.server [-] 20.10.22.245 - - [26/Jun/2014 17:37:04] POST /v2.0//tokens HTTP/1.1 200 6913 0.771471
>> 2014-06-26 17:37:04.992 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'user_id': u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'], 'trustee_id': None, 'trustor_id': None, 'project_id': u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033) process_request /opt/stack/keystone/keystone/middleware/core.py:286
>> 2014-06-26 17:37:05.009 DEBUG keystone.common.wsgi [-] arg_dict: {} from (pid=7033) __call__ /opt/stack/keystone/keystone/common/wsgi.py:181
>> 2014-06-26 17:37:05.023 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:revocation_list() from (pid=7033) _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:54
>> 2014-06-26 17:37:05.027 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment from (pid=7033) _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:59
>> 2014-06-26 17:37:05.033 DEBUG keystone.policy.backends.rules [-] enforce identity:revocation_list: {'is_delegated_auth': False, 'user_id': u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'], 'trustee_id': None, 'trustor_id': None, 'project_id': u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033) enforce /opt/stack/keystone/keystone/policy/backends/rules.py:101
>> 2014-06-26 17:37:05.040 DEBUG keystone.openstack.common.policy [-] Rule identity:revocation_list will be now enforced from (pid=7033) enforce /opt/stack/keystone/keystone/openstack/common/policy.py:288
>> 2014-06-26 17:37:05.043 DEBUG keystone.common.controller [-] RBAC: Authorization granted from (pid=7033) inner /opt/stack/keystone/keystone/common/controller.py:151
>> 2014-06-26 17:37:05.228 INFO eventlet.wsgi.server [-] 20.10.22.245 - - [26/Jun/2014 17:37:05] GET /v2.0/tokens/revoked HTTP/1.1 200 815 0.277525
>>
>> --
>> Thanks Regards,
>> Yogesh Prasad.
>
> --
> Duncan Thomas

--
*Thanks Regards*,
Yogesh Prasad.
[openstack-dev] [cinder][volume/manager.py] volume driver mapping
Hi All,

I am observing a bit of difference in the manager.py file between these branches: stable/icehouse and master. In stable/icehouse various drivers are mapped in manager.py but they are not in master. Please guide me on where I have to map my driver.

*Thanks Regards*,
Yogesh Prasad.
[openstack-dev] [cinder] set default cinder driver
Hi All,

I have devstack setup and I want to put my cinder driver as a default driver. How can I do this? Please guide.

--
*Thanks Regards*,
Yogesh Prasad.
Re: [openstack-dev] [cinder] set default cinder driver
Hi Ivan,

Thanks for reply, but I am still facing same problem. I have tried all of these -

1) Inside /etc/cinder/cinder.conf

[DEFAULT]
volume_driver=cinder.volume.drivers.cloudbyte.ElasticenterISCSIDriver

and ran below script
./rejoin-stack.sh

2) Inside /devstack/local.conf

[[post-config|$CINDER_CONF]]
volume_driver = cinder.volume.cloudbyte.ElasticenterISCSIDriver

and ran below script
./rejoin-stack.sh

3) Inside /devstack/local.conf

[[local|localrc]]
CINDER_DRIVER=cinder.volume.drivers.cloudbyte.ElasticenterISCSIDriver

and ran below script
./rejoin-stack.sh

4) Inside /devstack/local.conf

volume_driver = cinder.volume.drivers.cloudbyte.ElasticenterISCSIDriver

and ran below script
./rejoin-stack.sh

But it is not working. In addition, what is the py file that reads localrc?

On Mon, Jun 23, 2014 at 2:14 PM, Ivan Kolodyazhny e...@e0ne.info wrote:
> Hi Yogesh,
>
> You need to set CINDER_DRIVER variable in your localrc file
>
> Regards,
> Ivan Kolodyazhny,
> Software Engineer, Mirantis, Inc.
>
> On Mon, Jun 23, 2014 at 10:38 AM, Yogesh Prasad yogesh.pra...@cloudbyte.com wrote:
>> Hi All,
>>
>> I have devstack setup and I want to put my cinder driver as a default driver. How can I do this? Please guide.
>>
>> --
>> *Thanks Regards*,
>> Yogesh Prasad.

--
*Thanks Regards*,
Yogesh Prasad.
[openstack-dev] [all] Juno setup
Hi All,

I want to create a juno setup. Please guide me through any links or processes that need to be followed to have this setup.

*Thanks Regards*,
Yogesh Prasad.
[openstack-dev] [cinder] Minimum Driver Features for juno
Hi All,

Please tell me what are the minimum Driver Features for juno release.

--
*Thanks Regards*,
Yogesh Prasad.
[openstack-dev] [Unit-test] Cinder Driver
Hi All,

I have developed a cinder driver. Can you please share the steps to create a unit test environment and how to run unit tests?

*Thanks Regards*,
Yogesh Prasad.