On the other hand, it would mean that you've got to have this key installed on each of your API clients (even on the web client), as without this key the frontend app couldn't decrypt the password that is being sent when a client deploys a new VM or changes the VM's password. :-)
On Tue, Nov 28, 2017 at 02:18:03PM +0200, Vladimir Melnik wrote:
> Aye, should be cool to have them encrypted by some RSA-key that would be
> installed to the VM's template.
>
> Though at this moment one should keep an eye on the systems where these logs
> are stored.
>
> On Tue, Nov 28, 2017 at 03:39:55PM +0530, Makrand wrote:
> > Assuming all the passwords appearing in logs must be masked (kind of
> > encrypted) How does one decrypt those password from logs?
> >
> > BTW, if passwords are just logged as plain text (even for temp amount of
> > time), or stored as plain text over VR, then that's not a very secure
> > thing, is it??
> >
> > --
> > Makrand
> >
> > On Tue, Nov 28, 2017 at 2:58 PM, Vladimir Melnik <v.mel...@uplink.ua> wrote:
> > > Hello,
> > >
> > > Would you mind if I share a sample line from the log-file containing a
> > > password assigned (you can find similar ones in your log-files as well)?
> > >
> > > 2017-11-28 10:19:27,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-14:ctx-6858662d job-1158151 ctx-1967e9d7) (logid:eed0e79e) Complete async job-1158151, jobStatus: SUCCEEDED, resultCode: 0, result: org.apache.cloudstack.api.response.UserVmResponse/virtualmachine/{"id":"57ec4f9a-9f65-46c5-926d-a475bbe5c1d5","name":"VM-57ec4f9a-9f65-46c5-926d-a475bbe5c1d5","displayname":"VM-57ec4f9a-9f65-46c5-926d-a475bbe5c1d5","account":"admin","userid":"b11c5858-5357-497d-93e7-f68db82535e7","username":"admin","domainid":"4d767ff4-8216-4718-8f04-4626eeb5180f","domain":"2017102413000103","created":"2017-10-27T10:57:11+0300","state":"Stopped","haenable":false,"zoneid":"c8d773fa-76ca-4637-8ecf-88656444fc86","zonename":"z2.tucha13.net","templateid":"3b4b2504-9718-407e-8cf2-cdd286a90e52","templatename":"linux-ubuntu-desktop-16.04-x64-20170819","templatedisplaytext":"Linux Ubuntu 16.04 x64 Desktop version (rev.20170819)","passwordenabled":true,"serviceofferingid":"5248afa9-f896-4608-bf3b-316262c21b9d","serviceofferingname":"custom-ssd-a1","cpunumber":1,"cpuspeed":2399,"memory":1024,"cpuused":"0.07%","networkkbsread":417369,"networkkbswrite":58495,"diskkbsread":360776,"diskkbswrite":1978872,"memorykbs":1048576,"memoryintfreekbs":1112364,"memorytargetkbs":1048576,"diskioread":11950,"diskiowrite":149126,"guestosid":"ca0edf48-bd31-11e6-b74f-06973a00088a","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[],"password":"*************","nic":[{"id":"677447a3-de67-4477-b3fc-213ab12bf0d6","networkid":"1093f687-0581-4c63-9077-1471a8bfe7fd","networkname":"NET-PUB-193.151.666.666-24","netmask":"255.255.255.0","gateway":"193.151.666.666","ipaddress":"193.151.666.666","isolationuri":"vlan://100","broadcasturi":"vlan://100","traffictype":"Guest","type":"Shared","isdefault":true,"macaddress":"66:66:66:66:66:66","secondaryip":[]},{"id":"3f71910e-cfe5-4d61-b725-e78e1d434cd8","networkid":"3422bda5-f206-4418-8a8a-30372a4f1e4a","networkname":"NET-2017102413000103","netmask":"255.255.255.0","gateway":"192.168.131.254","ipaddress":"192.168.131.154","traffictype":"Guest","type":"Isolated","isdefault":false,"macaddress":"66:66:66:66:66:66","secondaryip":[]}],"hypervisor":"KVM","instancename":"i-6666-6666-VM","affinitygroup":[],"displayvm":true,"isdynamicallyscalable":false,"ostypeid":254,"tags":[]}
> > >
> > > ^^^ That doesn't seem to be cloudmonkey who adds that to the management
> > > log-file, as we don't use it at all.
> > >
> > > But there's a dilemma that needs to be solved, as "fixing" that would mean
> > > that a content-neutral logging module should understand which information
> > > is confidential and shouldn't been logged, not such an easy task to be
> > > solved properly.
> > >
> > > With best,
> > > Vlad
> > >
> > > On Mon, Nov 27, 2017 at 05:02:00PM -0200, Rafael Weingärtner wrote:
> > > > Ah, thanks Daan ;)
> > > >
> > > > On Mon, Nov 27, 2017 at 4:27 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> > > > > it isn't logged, Rafael, not by cloudstack. It is cloudmonkey that logs the
> > > > > API response object. It is the same response the UI uses to display it to
> > > > > the user.
> > > > >
> > > > > On Mon, Nov 27, 2017 at 3:45 PM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> > > > > > Interesting! I did not know that the password was logged. I thought it was
> > > > > > a one time thing to show the password in the UI.
> > > > > >
> > > > > > On Mon, Nov 27, 2017 at 1:43 PM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > Ok, so found out some more stuff.
> > > > > > >
> > > > > > > First of all, the password appears in management-server.log and
> > > > > > > apilog.log, so that's one place to grep into.
> > > > > > >
> > > > > > > Second, I could query the jobid and get the password from there. E.g. from
> > > > > > > cloudmonkey
> > > > > > > query asyncjobresult jobid=caac0e1f-0aff-4065-8189-1d32d480e73f | grep password\ =
> > > > > > >
> > > > > > > More info here
> > > > > > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+cloudmonkey+CLI#CloudStackcloudmonkeyCLI-AsyncJobexecution
> > > > > > >
> > > > > > > --
> > > > > > > Sent from the Delta quadrant using Borg technology!
> > > > > > >
> > > > > > > Nux!
> > > > > > > www.nux.ro
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > > > > > > To: "users" <users@cloudstack.apache.org>
> > > > > > > > Sent: Monday, 27 November, 2017 15:21:30
> > > > > > > > Subject: Re: Where is the vm root password published?
> > > > > > > >
> > > > > > > > Ah, if that is the case, I know it is stored in the VR of the network
> > > > > > > > where the VM is connected to.
> > > > > > > >
> > > > > > > > I forgot now the file, but it is something like “/var/usr?/cloud/cache” or
> > > > > > > > something that ends in “/cache/cloud”.
> > > > > > > >
> > > > > > > > Do we store these password in ACS database as well?
> > > > > > > >
> > > > > > > > On Mon, Nov 27, 2017 at 1:18 PM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > >> Rafael,
> > > > > > > >>
> > > > > > > >> Yes indeed, sorry if I wasn't clear.
> > > > > > > >>
> > > > > > > >> --
> > > > > > > >> Sent from the Delta quadrant using Borg technology!
> > > > > > > >>
> > > > > > > >> Nux!
> > > > > > > >> www.nux.ro
> > > > > > > >>
> > > > > > > >> ----- Original Message -----
> > > > > > > >> > From: "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > > > > > >> > To: "users" <users@cloudstack.apache.org>
> > > > > > > >> > Sent: Monday, 27 November, 2017 14:58:20
> > > > > > > >> > Subject: Re: Where is the vm root password published?
> > > > > > > >> >
> > > > > > > >> > Are you talking about the generated passwords to be injected in user vms?
> > > > > > > >> > Besides that, we do not have any other password. At least that I know.
> > > > > > > >> >
> > > > > > > >> > On Mon, Nov 27, 2017 at 12:56 PM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > >> >
> > > > > > > >> >> No, I mean the regular user VM instances.
> > > > > > > >> >> I know they are held somewhere temporarily, just don't know where. :)
> > > > > > > >> >>
> > > > > > > >> >> --
> > > > > > > >> >> Sent from the Delta quadrant using Borg technology!
> > > > > > > >> >>
> > > > > > > >> >> Nux!
> > > > > > > >> >> www.nux.ro
> > > > > > > >> >>
> > > > > > > >> >> ----- Original Message -----
> > > > > > > >> >> > From: "Rafael Weingärtner" <rafaelweingart...@gmail.com>
> > > > > > > >> >> > To: "users" <users@cloudstack.apache.org>
> > > > > > > >> >> > Sent: Monday, 27 November, 2017 12:26:59
> > > > > > > >> >> > Subject: Re: Where is the vm root password published?
> > > > > > > >> >> >
> > > > > > > >> >> > If you are talking about the system VMs password.
> > > > > > > >> >> > If you set the parameter "system.vm.random.password" to "true", then you
> > > > > > > >> >> > can see the password at "system.vm.password"
> > > > > > > >> >> >
> > > > > > > >> >> > On Mon, Nov 27, 2017 at 10:24 AM, Nux! <n...@li.nux.ro> wrote:
> > > > > > > >> >> >
> > > > > > > >> >> >> Hello,
> > > > > > > >> >> >>
> > > > > > > >> >> >> I know that the vm root password is temporarily stored somewhere in the
> > > > > > > >> >> >> system. I need to find it out for accessing the console of some instances
> > > > > > > >> >> >> created programmatically.
> > > > > > > >> >> >> Where do I look?
> > > > > > > >> >> >>
> > > > > > > >> >> >> Cheers,
> > > > > > > >> >> >> Lucian
> > > > > > > >> >> >>
> > > > > > > >> >> >> --
> > > > > > > >> >> >> Sent from the Delta quadrant using Borg technology!
> > > > > > > >> >> >>
> > > > > > > >> >> >> Nux!
> > > > > > > >> >> >> www.nux.ro
> > > > > > > >> >> >
> > > > > > > >> >> > --
> > > > > > > >> >> > Rafael Weingärtner
> > > > > > > >> >
> > > > > > > >> > --
> > > > > > > >> > Rafael Weingärtner
> > > > > > > >
> > > > > > > > --
> > > > > > > > Rafael Weingärtner
> > > > > >
> > > > > > --
> > > > > > Rafael Weingärtner
> > > > >
> > > > > --
> > > > > Daan
> > > >
> > > > --
> > > > Rafael Weingärtner
> > >
> > > --
> > > V.Melnik
>
> --
> V.Melnik

--
V.Melnik
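As an added example (not code from CloudStack, cloudmonkey or anyone in this thread), here is a small Python filter in the spirit of Vlad's "dilemma": it masks the password field of a logged UserVmResponse and of cloudmonkey-style "password = ..." output, and flags lines where a sensitive value is still in the clear. The key set, the truncated-JSON fallback and the sample lines are constructed assumptions.

```python
import json
import re

# Added example, not CloudStack code: keys whose values must never reach
# management-server.log or apilog.log (an assumed starting set).
SENSITIVE_KEYS = {"password", "secretkey", "apikey"}
MASK = "*************"
# AsyncJobManagerImpl logs the result as <class>/virtualmachine/{json}; take the rest of the line
JSON_PAYLOAD = re.compile(r"UserVmResponse/virtualmachine/(\{.*)")
# cloudmonkey prints response fields as "password = value"
KV_FIELD = re.compile(r"^(\s*(?:%s)\s*=\s*)(\S+)" % "|".join(SENSITIVE_KEYS), re.I)
# Fallback for a payload that no longer parses as JSON (line cut off mid-object)
RAW_PASSWORD = re.compile(r'("password"\s*:\s*")([^"]*)(")')

def _mask(obj):
    # Recursively replace the value of every sensitive key with MASK
    if isinstance(obj, dict):
        return {k: MASK if k.lower() in SENSITIVE_KEYS else _mask(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_mask(v) for v in obj]
    return obj

def leaks_secret(line):
    """True if a sensitive field is present in the clear (not already masked)."""
    m = JSON_PAYLOAD.search(line)
    if m:
        try:
            obj = json.loads(m.group(1))
            return _mask(obj) != obj
        except ValueError:
            return any(v != MASK for _, v, _ in RAW_PASSWORD.findall(line))
    kv = KV_FIELD.match(line)
    return bool(kv) and kv.group(2) != MASK

def redact_line(line):
    """Return the line with every sensitive value replaced by MASK."""
    m = JSON_PAYLOAD.search(line)
    if m:
        try:
            masked = json.dumps(_mask(json.loads(m.group(1))), separators=(",", ":"))
            return line[:m.start(1)] + masked + line[m.end(1):]
        except ValueError:
            return RAW_PASSWORD.sub(r"\g<1>%s\g<3>" % MASK, line)
    return KV_FIELD.sub(lambda k: k.group(1) + MASK, line)

# Constructed sample lines in the shape shown in the thread (not real log data).
SAMPLE_LOG = [
    "2017-11-28 10:19:27,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] Complete async job-1158151, "
    "result: org.apache.cloudstack.api.response.UserVmResponse/virtualmachine/"
    '{"id":"57ec4f9a","passwordenabled":true,"password":"hunter2-EXAMPLE","nic":[{"id":"677447a3"}]}',
    "password = hunter2-EXAMPLE",
]
```

Run `redact_line` in front of whatever writes the job result, and `leaks_secret` over existing log files to find lines that still need cleaning.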