Dejan, I see. I guess the remaining task is to clean up all stonith agents to let them pass password parameters to underlying tools in the most concealed way. In the case of IPMI the underlying tool is ipmitool. At least since 1.8.2, released in 2005, passing the password via an environment variable is a valid option.

Is it a valid assumption that all ipmitools in the field used together with cluster-glue are later, so passing via env should be implemented as default? Or should there be a param for backwards compatibility (e.g. passwd_as_param=1)? Thanks for opinions.

Regards
Holger

-----Original Message-----
From: Dejan Muhamedagic <[email protected]>
Sent: Aug 25, 2010 4:14:19 PM
To: High-Availability Linux Development List <[email protected]>
Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" to hide the ipmi password from config and logs

>Hi,
>
>On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote:
>> Hi,
>> the very sensitive IPMI password now shows up in crm's config,
>> log files and ps -ef output.
>>
>> This patch provides an optional parameter "passwd_method" that
>> can be used to hide this information on various levels.
>>
>> If not defined the old behavior is retained.
>
>Many thanks for the patch, but we have to go another route for
>this issue. It'd be a big effort to provide the same for all
>stonith plugins. The basic idea is to enhance lrmd to be able to
>read parameters from a file instead of the usual set of nvpairs
>in the CIB. See
>http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415
>for more information.
>
>Thanks,
>
>Dejan
>
>> Regards
>> Holger
>>
>> # HG changeset patch
>> # User Holger Teutsch <[email protected]>
>> # Date 1282209948 -7200
>> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
>> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f
>> external/ipmi: Provide opt param "passwd_method" to hide the ipmi password
>> from config and logs
>>
>> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
>> --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200
>> +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200
>> @@ -60,9 +60,30 @@ >> interface="lan" >> fi >> >> + case "${passwd_method}" in >> + param|'') >> + passwd_method=param >> + M="-P" >> + ;; >> + env) >> + M="-E" >> + ;; >> + file) >> + M="-f" >> + ;; >> + *) >> + ha_log.sh err "invalid passwd_method: \"${passwd_method}\"" >> + return 1 >> + esac >> + >> action="$*" >> >> - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" >> ${action} 2>&1 >> + if [ $passwd_method = env ] >> + then >> + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H >> ${ipaddr} -U "${userid}" -E ${action} 2>&1 >> + else >> + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M >> "${passwd}" ${action} 2>&1 >> + fi >> } >> >> # Yet another convenience wrapper that invokes run_ipmitool, captures >> @@ -94,7 +115,6 @@ >> esac >> } >> >> - >> # Rewrite the hostname to accept "," as a delimeter for hostnames too. >> >> case ${1} in 
>> @@ -195,6 +215,19 @@ >> </longdesc> >> </parameter> >> >> + >> +<content type="string" default="param"/> >> + >> +Method for passing passwd parameter >> +</shortdesc> >> +<longdesc lang="en"> >> +Method for passing the passwd parameter to ipmitool >> + param: pass as parameter (-P) >> + env: pass via environment (-E) >> + file: value of "passwd" is actually a file name, pass with (-f) >> +</longdesc> >> +</parameter> >> + >> >> <content type="string" default="lan"/> >>
>> _______________________________________________________
>> Linux-HA-Dev: [email protected]
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
>> Home Page: http://linux-ha.org/
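Review bot: In the first hunk (@@ -60,9 +60,30 @@), the `env` branch assigns `M="-E"` but that value is never used, since the `if [ $passwd_method = env ]` path passes `-E` literally and only the `else` path expands `$M`; either drop the assignment or collapse both calls into one ipmitool invocation that prefixes `IPMI_PASSWORD="${passwd}"` only in the env case. The `file` branch also hands `"${passwd}"` to `-f` as a path without checking it first, so a missing or unreadable file surfaces as an ipmitool error rather than a clear plugin message; a guard such as `[ -r "${passwd}" ] || { ha_log.sh err "passwd file not readable: \"${passwd}\""; return 1; }` before the call would match the style of the `*)` branch. Note that `-E` keeps the password out of `ps -ef` but the value still arrives in the `${passwd}` parameter, i.e. it remains in the CIB and in logs, so the description should not suggest the env method hides it from those.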
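Review bot: The second hunk (@@ -94,7 +115,6 @@) only removes a blank line above the `# Rewrite the hostname ...` comment and is unrelated to the passwd_method feature; either leave it out or mention the whitespace cleanup in the changeset description so the diff stays reviewable as one change. If the cleanup is kept, the context line's "delimeter" could be corrected to "delimiter" in the same pass.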
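Review bot: In the third hunk (@@ -195,6 +215,19 @@), the added block closes `</shortdesc>` and `</parameter>` but the `+` lines where the matching `<parameter name=...>` and `<shortdesc lang="en">` openings would sit are empty as quoted here, so the metadata as it reached the list cannot be checked for well-formedness; please verify the lines survived transit (or resend as an attachment), and confirm `<content>` sits in the same position as in the existing `interface` parameter. The longdesc should also state what each method actually conceals: `param` leaves the password in config, logs and `ps -ef`; `env` keeps it out of `ps -ef` only; `file` keeps the secret out of all three but makes `passwd` a path, which should be readable only by the user the plugin runs as.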
