Hi Holger,

On Thu, Aug 26, 2010 at 05:10:13PM +0200, Holger Teutsch wrote:
> Dejan,
> I see.
> I guess the remaining task is to clean up all stonith agents to
> let them pass password parameters to underlying tools in the
> most concealed way. In the case of IPMI the underlying tool is
> ipmitool. At least since 1.8.2, released in 2005, passing the
> password via an environment variable is a valid option.
>
> Is it a valid assumption that all ipmitools in the field used
> together with cluster-glue are later, so passing via env should
> be implemented as default?
> Or should there be a param for backwards compatibility (e.g.
> passwd_as_param=1)?
I misunderstood your patch in part and owe you an apology. What you
implemented has a benefit of its own. lrmd cannot help individual
plugins or resource agents to hide passwords. We can also keep the
option to pass a password in a file.

Can you please send the patch again, this time as an attachment? The
copy I have seems to have broken indentation and won't apply.

Sorry for the confusion.

Cheers,

Dejan

> Thanks for the opinions.
> Regards
> Holger
>
> -----Original Message-----
> From: Dejan Muhamedagic <[email protected]>
> Sent: Aug 25, 2010 4:14:19 PM
> To: High-Availability Linux Development List <[email protected]>
> Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method"
> to hide the ipmi password from config and logs
>
> >Hi,
> >
> >On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote:
> >> Hi,
> >> the very sensitive IPMI password now shows up in crm's config,
> >> log files and ps -ef output.
> >>
> >> This patch provides an optional parameter "passwd_method" that
> >> can be used to hide this information on various levels.
> >>
> >> If not defined, the old behavior is retained.
> >
> >Many thanks for the patch, but we have to go another route for
> >this issue. It'd be a big effort to provide the same for all
> >stonith plugins. The basic idea is to enhance lrmd to be able to
> >read parameters from a file instead of the usual set of nvpairs
> >in the CIB. See
> >http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415
> >for more information.
> >
> >Thanks,
> >
> >Dejan
> >
> >> Regards
> >> Holger
> >>
> >> # HG changeset patch
> >> # User Holger Teutsch <[email protected]>
> >> # Date 1282209948 -7200
> >> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc
> >> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f
> >> external/ipmi: Provide opt param "passwd_method" to hide the ipmi password
> >> from config and logs
> >>
> >> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi
> >> --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200 > >> +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200 > >> @@ -60,9 +60,30 @@ > >> interface="lan" > >> fi > >> > >> + case "${passwd_method}" in > >> + param|'') > >> + passwd_method=param > >> + M="-P" > >> + ;; > >> + env) > >> + M="-E" > >> + ;; > >> + file) > >> + M="-f" > >> + ;; > >> + *) > >> + ha_log.sh err "invalid passwd_method: \"${passwd_method}\"" > >> + return 1 > >> + esac > >> + > >> action="$*" > >> > >> - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P > >> "${passwd}" ${action} 2>&1 > >> + if [ $passwd_method = env ] > >> + then > >> + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H > >> ${ipaddr} -U "${userid}" -E ${action} 2>&1 > >> + else > >> + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M > >> "${passwd}" ${action} 2>&1 > >> + fi > >> } > >> > >> # Yet another convenience wrapper that invokes run_ipmitool, captures > >> @@ -94,7 +115,6 @@ > >> esac > >> } > >> > >> - > >> # Rewrite the hostname to accept "," as a delimeter for hostnames too. > >> > >> case ${1} in 
> >> @@ -195,6 +215,19 @@ > >> </longdesc> > >> </parameter> > >> > >> + > >> +<content type="string" default="param"/> > >> + > >> +Method for passing passwd parameter > >> +</shortdesc> > >> +<longdesc lang="en"> > >> +Method for passing the passwd parameter to ipmitool > >> + param: pass as parameter (-P) > >> + env: pass via environment (-E) > >> + file: value of "passwd" is actually a file name, pass with (-f) > >> +</longdesc> > >> +</parameter> > >> + > >> > >> <content type="string" default="lan"/> > >>
_______________________________________________________
Linux-HA-Dev: [email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
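Review bot: in the `@@ -60,9 +60,30 @@` hunk the `env` branch of the `if` hard-codes `-E` and never uses the `M="-E"` set for it in the `case`, so `M` is dead on that path; either drop the `env) M="-E"` arm or use `$M` in both invocations. The `file` branch passes `"${passwd}"` straight to `-f` without checking that it names a readable file, so a typo in the path only surfaces as ipmitool's own error; a `[ -r "${passwd}" ] || { ha_log.sh err "passwd file not readable"; return 1; }` before the call would give the operator a clear message. `[ $passwd_method = env ]` should quote the variable like the rest of the function does. Note also that `-E` only keeps the password out of the argument vector (the `ps -ef` exposure from the original report); with `env` the secret still arrives through the `passwd` parameter and so still appears in the CIB and in anything that logs parameters, which is what the `file` method and the lrmd file-based parameters discussed above address.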
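Review bot: the `@@ -94,7 +115,6 @@` hunk is a whitespace-only change (it removes a blank line before the hostname-rewrite comment) unrelated to `passwd_method`; drop it so the patch stays limited to the feature it describes.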
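Review bot: the metadata added in the `@@ -195,6 +215,19 @@` hunk is not well-formed as quoted: `+<content type="string" default="param"/>` appears before `+Method for passing passwd parameter` and `+</shortdesc>`, and no opening `<parameter>` or `<shortdesc lang="en">` line for the new passwd_method parameter is visible, so the `+</shortdesc>` and `+</parameter>` closers have no matching opens in the hunk. This matches the broken copy mentioned in the reply, so the block should be checked against the surrounding `<parameter>` entries once the patch is resent as an attachment. The longdesc for `file` should also state that the agent needs read access to the file and that the file must not be readable by other users, since that is the property the option exists to provide.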
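The env-versus-argument point raised in the thread, and the param/env/file dispatch in the patch, as an added example that is not part of the thread or of the cluster-glue code: a POSIX sh dispatcher with a constructed stand-in for ipmitool (`fake_ipmitool`, which only echoes its argument vector and whether IPMI_PASSWORD reached its environment), so it runs offline and shows which method leaves the secret where `ps -ef` would display it. The ipmitool options `-P`, `-E` and `-f` are the ones the patch uses; `run_with_password`, `argv_exposure`, the sample password and the IP address are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the cluster-glue patch or the thread above.
# It mirrors the three passwd_method variants (param / env / file) with a
# constructed stand-in for ipmitool, so it runs offline, and shows which of
# them leaves the secret in the argument vector that `ps -ef` exposes.
# Real ipmitool accepts -P <password>, -E (read IPMI_PASSWORD from the
# environment) and -f <file>; the helper names here are constructed.

# Constructed stand-in for ipmitool: echo the argument vector (what ps
# would show for the process) and whether IPMI_PASSWORD was inherited.
fake_ipmitool() {
    printf 'argv:%s\n' "$*"
    if [ -n "${IPMI_PASSWORD+set}" ]; then
        printf 'env:IPMI_PASSWORD=set\n'
    else
        printf 'env:IPMI_PASSWORD=unset\n'
    fi
}

# run_with_password METHOD SECRET [ipmitool args...]
#   METHOD  param|env|file (empty means param, as in the patch)
#   SECRET  the password (param, env) or the path of a password file (file)
# Returns 1 for an unknown method or an unreadable password file.
run_with_password() {
    method=$1
    secret=$2
    shift 2
    case "$method" in
        param|'')
            # The secret becomes part of argv: readable by every local user
            # through ps while the tool runs. Kept only for compatibility.
            fake_ipmitool "$@" -P "$secret"
            ;;
        env)
            # A prefix assignment scopes the variable to the child process and
            # keeps it out of argv. The subshell is only needed because the
            # stand-in is a shell function; with the real external binary the
            # prefix assignment alone does this.
            ( IPMI_PASSWORD="$secret" fake_ipmitool "$@" -E )
            ;;
        file)
            # Fail early with a clear message instead of leaving it to the
            # tool; the file itself should be readable by the agent only.
            if [ ! -r "$secret" ]; then
                echo "password file not readable: $secret" >&2
                return 1
            fi
            fake_ipmitool "$@" -f "$secret"
            ;;
        *)
            echo "invalid passwd_method: \"$method\"" >&2
            return 1
            ;;
    esac
}

# Does METHOD leak the constructed secret into argv? Prints leak or hidden.
argv_exposure() {
    out=$(run_with_password "$1" 'S3cretPw' -I lan -H 192.0.2.10 -U admin chassis power status) || return 1
    case "$out" in
        *S3cretPw*) echo leak ;;
        *)          echo hidden ;;
    esac
}

# Stand-alone run: compare the two methods side by side.
echo "param: $(argv_exposure param)"   # leak
echo "env:   $(argv_exposure env)"     # hidden
```

Running it prints `leak` for `param` and `hidden` for `env`: the prefix assignment never enters the argument vector, which is all that `ps` displays. Two caveats matter when weighing the options in this thread: a process's environment is still readable by root and by the same uid through `/proc/PID/environ`, so `env` narrows the exposure rather than removing it, and with `env` the value still arrives in the `passwd` parameter and so remains in the CIB and in any logged parameter set; the `file` method, and the lrmd file-based parameters referenced above, are what take the secret out of the configuration itself.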
