Oracular Verification ===================== I've verified this by deploying OpenStack Dalmation on Oracular via juju and running sos report on the various machines
## Check ceph obfuscation ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh ceph- rgw/0 # Before enabling proposed ubuntu@juju-f7b966-verif-testing-4:~$ sudo sos report ubuntu@juju-f7b966-verif-testing-4:~$ tar -xf /tmp/sosreport-juju-f7b966-verif-testing-4-2025-06-08-nmayyeg.tar.xz ubuntu@juju-f7b966-verif-testing-4:~$ cat sosreport-juju-f7b966-verif-testing-4-2025-06-08-nmayyeg/etc/ceph/ceph.conf Observed that password (rgw keystone admin password) is present in plaintext # After enabling proposed # modified /etc/apt/sources.list.d/ubuntu.sources to contain: Types: deb URIs: http://availability-zone-2.clouds.archive.ubuntu.com/ubuntu/ Suites: oracular-proposed Components: main universe restricted multiverse Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg ubuntu@juju-f7b966-verif-testing-4:~$ sudo apt update && sudo apt upgrade -y ubuntu@juju-f7b966-verif-testing-4:~$ sudo sos report ubuntu@juju-f7b966-verif-testing-4:~$ tar -xf /tmp/sosreport-juju-f7b966-verif-testing-4-2025-06-08-bospzvs.tar.xz ubuntu@juju-f7b966-verif-testing-4:~$ cat sosreport-juju-f7b966-verif-testing-4-2025-06-08-bospzvs/etc/ceph/ceph.conf [global] ... File contents ... rgw keystone admin user = s3_swift rgw keystone admin password = ********* rgw keystone api version = 3 rgw keystone admin domain = service_domain ... Continued file contents Note that rgw keystone admin password is successfully obfuscated # Check for existence of auth.log, syslog, kern.log, and ubuntu- advantage.log ubuntu@juju-f7b966-verif-testing-4:~$ ls -alh sosreport-juju-f7b966-verif-testing-4-2025-06-08-bospzvs/var/log/ # Note that I truncated the listing to just those of concern for brevity total 1.9M -rw-r----- 1 syslog adm 49K Jun 8 19:57 auth.log -rw-r----- 1 syslog adm 70K Jun 8 00:25 auth.log.1 -rw-r----- 1 root adm 50K Jun 8 19:51 dmesg -rw-r----- 1 syslog adm 75K Jun 8 19:58 kern.log -rw-r----- 1 syslog adm 78K Jun 7 21:27 kern.log.1 -rw-r----- 1 syslog adm 305K Jun 8 19:58 syslog -rw-r----- 1 syslog adm 476K Jun 8 00:29 syslog.1 -rw-r----- 1 root root 4.0K Jun 8 19:58 ubuntu-advantage.log ## Check Horizon obfuscation ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh openstack-dashboard/0 # Before enabling proposed ubuntu@juju-f7b966-verif-testing-14:~$ sudo sos report ubuntu@juju-f7b966-verif-testing-14:~$ tar -xf /tmp/sosreport-juju-f7b966-verif-testing-14-2025-06-08-thmzzfa.tar.xz ubuntu@juju-f7b966-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" sosreport-juju-f7b966-verif-testing-14-2025-06-08-thmzzfa/etc/openstack-dashboard/local_settings.py Observed that SECRET_KEY, PASSWORD, and EMAIL_HOST_PASSWORD are not obfuscated # After enabling proposed # modified /etc/apt/sources.list.d/ubuntu.sources to contain: Types: deb URIs: http://availability-zone-1.clouds.archive.ubuntu.com/ubuntu/ Suites: oracular-proposed Components: main universe restricted multiverse Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg ubuntu@juju-f7b966-verif-testing-14:~$ sudo apt update && sudo apt upgrade -y ubuntu@juju-f7b966-verif-testing-14:~$ sudo sos report ubuntu@juju-f7b966-verif-testing-14:~$ tar -xf /tmp/sosreport-juju-f7b966-verif-testing-14-2025-06-08-anfuvdh.tar.xz ubuntu@juju-f7b966-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" sosreport-juju-f7b966-verif-testing-14-2025-06-08-anfuvdh/etc/openstack-dashboard/local_settings.py SECRET_KEY = ********* 'PASSWORD': ********* EMAIL_HOST_PASSWORD = ********* Note that all are now successfully obfuscated # Check for auth.log, syslog, kern.log, and ubuntu-advantage.log ubuntu@juju-f7b966-verif-testing-14:~$ ls -alh sosreport-juju-f7b966-verif-testing-14-2025-06-08-anfuvdh/var/log/ # Note that I truncated the listing to just those of concern for brevity total 2.1M -rw-r----- 1 syslog adm 53K Jun 8 20:05 auth.log -rw-r----- 1 syslog adm 70K Jun 8 00:05 auth.log.1 -rw-r----- 1 root adm 50K Jun 8 19:51 dmesg -rw-r----- 1 syslog adm 75K Jun 8 20:05 kern.log -rw-r----- 1 syslog adm 79K Jun 7 21:32 kern.log.1 -rw-r----- 1 syslog adm 323K Jun 8 20:05 syslog -rw-r----- 1 syslog adm 512K Jun 8 00:05 syslog.1 -rw-r----- 1 root root 4.0K Jun 8 20:05 ubuntu-advantage.log ** Tags removed: verification-needed verification-needed-oracular ** Tags added: verification-done verification-done-oracular -- You received this bug notification because you are a member of Debcrafters packages, which is subscribed to sos in Ubuntu. https://bugs.launchpad.net/bugs/2101134 Title: [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2 Status in Ubuntu Pro: New Status in Ubuntu Pro 20.04 series: New Status in sos package in Ubuntu: Fix Released Status in sosreport source package in Focal: Won't Fix Status in sosreport source package in Jammy: Fix Committed Status in sosreport source package in Noble: Fix Committed Status in sosreport source package in Oracular: Fix Committed Status in sos source package in Plucky: Fix Released Bug description: [ Impact ] When doing SRU for sos 4.8.2 we encountered obfuscation issues, although not a regression at the time, it was still an issue that had been present for a while 1. So, these passwords would be fully visible to the end support personnel and therefore leaked passwords. 2. Some logs had not longer being collected which are essential for debugging, such as auth.log, syslog and kern.log in /var/log 3. The ubuntu plugin was no longer collecting Ubuntu Pro details due to the package name for ubuntu-pro, and hence essential for supportability for customers that have Ubuntu Pro 4. autopkgtest for focal rendered a new issue, was not necessarily an issue, but the script was catching it [ Test Plan ] Test 1. Deploy a openstack simple cloud, and run the sos report, check to see if passwords are obfuscated in configuration file for radosgw and horizon config in particular /etc/ceph/ceph.conf and /etc/horizon/local_settings.py Test 2. Deploy all series, and ensure the the auth.log, syslog and kerne.log are collected from /var/log. Test 3. On the same hosts as Test 2, ensure that /var/log/ubuntu-advantage logs are collected Test 4. Ensure to do autopkgtest via PPA for arm64 before going for SRU, and ensure all is good before submitting The majority of the testing will follow ythe process detailed in the following URL: https://wiki.ubuntu.com/SosreportUpdates [ Where problems could occur ] 1. The corresponding files are not obfuscated, and we need to update the patches. 2. The files that have been specified are not being collected. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-pro/+bug/2101134/+subscriptions -- Mailing list: https://launchpad.net/~debcrafters-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~debcrafters-packages More help : https://help.launchpad.net/ListHelp
