Hi, On Fri, Aug 27, 2010 at 11:17:08AM +0200, Holger Teutsch wrote: > Dejan, > no problem. > The patch now as attachment.
Applied. Many thanks for the contribution. Cheers, Dejan > Thanx > Holger > ----Original Message----- > From: Dejan Muhamedagic <[email protected]> > Sent: Aug 26, 2010 6:38:47 PM > To: High-Availability Linux Development List <[email protected]> > Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param "passwd_method" > to hide the ipmi password from config and logs > > >Hi Holger, > > > >On Thu, Aug 26, 2010 at 05:10:13PM +0200, Holger Teutsch wrote: > >> Dejan, > >> I see. > >> I guess the remaining task is to clean up all stonith agents to > >> let them pass password parameters to underlying tools in the > >> most concealed way. In the case of IPMI the underlying tool is > >> ipmitool. At least since 1.8.2, released in 2005, passing the > >> password via an environment variable is a valid option. > >> > >> Is it a valid assumption that all ipmitools in the field used > >> together with cluster-glue are later, so passing via env should > >> be implemented as default? > >> Or should there be a param for backwards compatibility (e.g. > >> passwd_as_param=1)? > > > >I misunderstood your patch in part and owe you an apology. What > >you implemented has a benefit of its own. lrmd cannot help > >individual plugins or resource agents to hide passwords. We can > >also keep the option to pass a password in a file. > > > >Can you please send the patch again, this time as an attachment. > >The copy I have seems to have broken indentation and won't apply. > > > >Sorry for the confusion. > > > >Cheers, > > > >Dejan > > > > > >> Thanx for opinions. 
> >> Regards > >> Holger > >> > >> -----Original Message----- > >> From: Dejan Muhamedagic <[email protected]> > >> Sent: Aug 25, 2010 4:14:19 PM > >> To: High-Availability Linux Development List * > >> Subject: Re: [Linux-ha-dev] external/ipmi: Provide opt param > >> "passwd_method" to hide the ipmi password from config and logs > >> > >> >Hi, > >> > > >> >On Thu, Aug 19, 2010 at 11:35:41AM +0200, Holger Teutsch wrote: > >> >> Hi, > >> >> the very sensitive IPMI password now shows up in crm's config, > >> >> log files and ps -ef output. > >> >> > >> >> This patch provides an optional parameter "passwd_method" that > >> >> can be used to hide this information on various levels. > >> >> > >> >> If not defined, the old behavior is retained. > >> > > >> >Many thanks for the patch, but we have to go another route for > >> >this issue. It'd be a big effort to provide the same for all > >> >stonith plugins. The basic idea is to enhance lrmd to be able to > >> >read parameters from a file instead of the usual set of nvpairs > >> >in the CIB. See > >> >http://developerbugs.linux-foundation.org/show_bug.cgi?id=2415 > >> >for more information. > >> > > >> >Thanks, > >> > > >> >Dejan > >> > > >> >> Regards > >> >> Holger > >> >> > >> >> # HG changeset patch > >> >> # User Holger Teutsch <[email protected]> > >> >> # Date 1282209948 -7200 > >> >> # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc > >> >> # Parent ba146a145a3ede967af48e8936ac414984aa1e5f > >> >> external/ipmi: Provide opt param "passwd_method" to hide the ipmi > >> >> password from config and logs > >> >> > >> >> diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi > >> >> --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 > >> >> +0200 > >> >> +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 > >> >> +0200 
> >> >> @@ -60,9 +60,30 @@ > >> >> interface="lan" > >> >> fi > >> >> > >> >> + case "${passwd_method}" in > >> >> + param|'') > >> >> + passwd_method=param > >> >> + M="-P" > >> >> + ;; > >> >> + env) > >> >> + M="-E" > >> >> + ;; > >> >> + file) > >> >> + M="-f" > >> >> + ;; > >> >> + *) > >> >> + ha_log.sh err "invalid passwd_method: \"${passwd_method}\"" > >> >> + return 1 > >> >> + esac > >> >> + > >> >> action="$*" > >> >> > >> >> - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P > >> >> "${passwd}" ${action} 2>&1 > >> >> + if [ $passwd_method = env ] > >> >> + then > >> >> + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H > >> >> ${ipaddr} -U "${userid}" -E ${action} 2>&1 > >> >> + else > >> >> + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M > >> >> "${passwd}" ${action} 2>&1 > >> >> + fi > >> >> } > >> >> > >> >> # Yet another convenience wrapper that invokes run_ipmitool, captures > >> >> @@ -94,7 +115,6 @@ > >> >> esac > >> >> } > >> >> > >> >> - > >> >> # Rewrite the hostname to accept "," as a delimeter for hostnames too. > >> >> > >> >> case ${1} in 
> >> >> @@ -195,6 +215,19 @@ > >> >> </longdesc> > >> >> </parameter> > >> >> > >> >> + > >> >> +<content type="string" default="param"/> > >> >> + > >> >> +Method for passing passwd parameter > >> >> +</shortdesc> > >> >> +<longdesc lang="en"> > >> >> +Method for passing the passwd parameter to ipmitool > >> >> + param: pass as parameter (-P) > >> >> + env: pass via environment (-E) > >> >> + file: value of "passwd" is actually a file name, pass with (-f) > >> >> +</longdesc> > >> >> +</parameter> > >> >> + > >> >> > >> >> <content type="string" default="lan"/> > >> >> > >> >> _______________________________________________________ > >> >> Linux-HA-Dev: [email protected] > >> >> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev > >> >> Home Page: http://linux-ha.org/ 
> # HG changeset patch > # User Holger Teutsch <[email protected]> > # Date 1282209948 -7200 > # Node ID 7d22ef3abd9ceb0379351cee409679b9587eb7fc > # Parent ba146a145a3ede967af48e8936ac414984aa1e5f > external/ipmi: Provide opt param "passwd_method" to hide the ipmi password > from config and logs > > diff -r ba146a145a3e -r 7d22ef3abd9c lib/plugins/stonith/external/ipmi > --- a/lib/plugins/stonith/external/ipmi Thu Aug 12 16:46:02 2010 +0200 > +++ b/lib/plugins/stonith/external/ipmi Thu Aug 19 11:25:48 2010 +0200 > @@ -60,9 +60,30 @@ > interface="lan" > fi > > + case "${passwd_method}" in > + param|'') > + passwd_method=param > + M="-P" > + ;; > + env) > + M="-E" > + ;; > + file) > + M="-f" > + ;; > + *) > + ha_log.sh err "invalid passwd_method: \"${passwd_method}\"" > + return 1 > + esac > + > action="$*" > > - ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" -P "${passwd}" > ${action} 2>&1 > + if [ $passwd_method = env ] > + then > + IPMI_PASSWORD="${passwd}" ${IPMITOOL} -I ${interface} -H > ${ipaddr} -U "${userid}" -E ${action} 2>&1 > + else > + ${IPMITOOL} -I ${interface} -H ${ipaddr} -U "${userid}" $M > "${passwd}" ${action} 2>&1 > + fi > } > > # Yet another convenience wrapper that invokes run_ipmitool, captures > @@ -94,7 +115,6 @@ > esac > } > > - > # Rewrite the hostname to accept "," as a delimeter for hostnames too. > > case ${1} in 
> @@ -195,6 +215,19 @@ > </longdesc> > </parameter> > > +<parameter name="passwd_method" unique="1"> > +<content type="string" default="param"/> > +<shortdesc lang="en"> > +Method for passing passwd parameter > +</shortdesc> > +<longdesc lang="en"> > +Method for passing the passwd parameter to ipmitool > + param: pass as parameter (-P) > + env: pass via environment (-E) > + file: value of "passwd" is actually a file name, pass with (-f) > +</longdesc> > +</parameter> > + > <parameter name="interface" unique="1"> > <content type="string" default="lan"/> > <shortdesc lang="en"> 
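Review bot: in the first hunk (@@ -60,9 +60,30 @@) the `M="-E"` assignment in the `env)` branch is dead code, because the `if [ $passwd_method = env ]` path hard-codes `-E` and never expands `$M`; either drop that assignment or use `$M` in both ipmitool invocations so the case statement stays the single place that maps a method to an option. Two smaller points in the same hunk: the `*)` branch lacks the terminating `;;` the other branches have, and the test should quote the variable as `[ "$passwd_method" = env ]`. Also worth stating in the commit message what the change does and does not hide: `env` and `file` keep the password out of the ipmitool argument list (the `ps -ef` exposure from the original report), but `passwd` still arrives through the CIB and lrmd, so it remains visible in the cluster configuration and in any parameter logging; the lrmd-side work referenced in the thread (bug 2415) is still needed for that.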
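Review bot: the second hunk (@@ -94,7 +115,6 @@) only deletes a blank line in an unrelated part of the file; whitespace churn outside the feature makes the patch harder to review and to backport, so it should be dropped from this change (the `delimeter` typo in the context line is likewise unrelated and belongs in its own cleanup).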
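Review bot: the third hunk (@@ -195,6 +215,19 @@) adds the `passwd_method` metadata, but the longdesc should spell out what each method protects, since they differ: `param` (the default) leaves the password in the process argument list, so the text should recommend `env` wherever ipmitool supports `-E` (per the thread, 1.8.2 and later); `file` should state that the named file must be readable by the user the plugin runs as and by nobody else, because the file now holds the credential. One sentence noting that the `passwd` value is still stored in the CIB under every method would save users from assuming `env` hides it from the configuration as well.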
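The exposure Holger reports (the password visible in `ps -ef` output) and the reason the `env` method avoids it, as an added shell demonstration that is not part of the patch or of cluster-glue: a `sh -c` stand-in for ipmitool prints its own argument vector the way a process listing sees it, once with the secret passed as an argument like the default `param` method and once through the `IPMI_PASSWORD` variable that `ipmitool -E` reads. The secret, the `fake-ipmitool` name and the `-U admin power status` arguments are constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not cluster-glue code): what a local process listing
# sees when a secret travels as an argument versus in the environment.
SECRET="constructed-demo-password"   # constructed value, not a real credential

# Stand-in for ipmitool: a shell snippet that prints its own argument vector.
# Inside "sh -c", $$ is the pid of that sh, so it reads its own cmdline.
# /proc/<pid>/cmdline is world-readable; the fallback uses ps where /proc is absent.
FAKE_IPMITOOL='if [ -r /proc/$$/cmdline ]; then tr "\0" " " </proc/$$/cmdline; else ps -o args= -p $$; fi'

# Default "param" method: the secret is an argument and lands in the listing.
run_as_param() {
    sh -c "$FAKE_IPMITOOL" fake-ipmitool -U admin -P "$SECRET" power status
}

# "env" method: the secret is only in the child's environment
# (/proc/<pid>/environ, which unlike cmdline is readable only by the same uid or root).
run_via_env() {
    IPMI_PASSWORD="$SECRET" sh -c "$FAKE_IPMITOOL" fake-ipmitool -U admin -E power status
}

# Returns 0 (true) if the secret appears in the listing produced by the given method.
secret_visible() {
    "$1" | grep -q -- "$SECRET"
}

# Show both listings side by side when run directly.
for method in run_as_param run_via_env; do
    printf '%s: ' "$method"
    "$method"
    echo
done
```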
