
Don't log OS_PASSWORD in auth.log

By default, all sudo commands are logged to auth.log with their
full command line. Previously, Shipyard scripts called 'sudo docker'
with -e OS_PASSWORD=foo, resulting in the password value appearing
in auth.log in plaintext. This change adds -E to the sudo command
to pass the user's environment through, and removes the value from
-e OS_PASSWORD which tells Docker to use the environment value
directly. This prevents the password value from being logged.

Change-Id: Ifcf7f6525876144a609ff42be42da57a3f7f6f60
changes/48/655248/4
Crank, Daniel (dc6350) 2 years ago
parent
commit
0ab1bf552d
  1. 5
      tools/run_shipyard.sh
  2. 8
      tools/shipyard.sh
  3. 4
      tools/shipyard_docker_base_command.sh

5
tools/run_shipyard.sh

@ -34,6 +34,11 @@ set -e
DIR="$(realpath $(dirname "${BASH_SOURCE}"))"
source "${DIR}/shipyard_docker_base_command.sh"
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/home/shipyard/host"}
# set default value for OS_PASSWORD if it's not set
# this doesn't actually get exported to environment
# unless the script is sourced
export OS_PASSWORD=${OS_PASSWORD:-password}
# Execute Shipyard CLI
#
# NOTE: We will mount the current directory so that any directories
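Review bot: The added `export OS_PASSWORD=${OS_PASSWORD:-password}` silently falls back to the literal `password` when the caller has not supplied a credential, so a misconfigured run authenticates with a guessable default instead of failing. The old inline default behaved the same way, but this is a good place to fail fast with `: "${OS_PASSWORD:?OS_PASSWORD must be set}"` followed by `export OS_PASSWORD`, or at least to print a warning on stderr if the default has to stay for development setups. The comment above the export is also misleading: the variable does reach this script's child processes, which is what `sudo -E` and `-e OS_PASSWORD` depend on, and only the calling shell is unaffected unless the script is sourced. I would reword it to `# default OS_PASSWORD for child processes (sudo/docker); the caller's shell is unchanged unless this script is sourced`. The same four lines are added in tools/shipyard.sh.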

8
tools/shipyard.sh

@ -39,17 +39,21 @@ set -e
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/target"}
NAMESPACE="${NAMESPACE:-ucp}"
SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
# set default value for OS_PASSWORD if it's not set
# this doesn't actually get exported to environment
# unless the script is sourced
export OS_PASSWORD=${OS_PASSWORD:-password}
# Define Base Docker Command
base_docker_command=$(cat << EndOfCommand
sudo docker run -t --rm --net=host
sudo -E docker run -t --rm --net=host
-e http_proxy=${HTTP_PROXY}
-e https_proxy=${HTTPS_PROXY}
-e no_proxy=${NO_PROXY:-127.0.0.1,localhost,.svc.cluster.local}
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
-e OS_USERNAME=${OS_USERNAME:-shipyard}
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
-e OS_PASSWORD=${OS_PASSWORD:-password}
-e OS_PASSWORD
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
EndOfCommand
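Review bot: `sudo -E` on the `docker run` line passes the caller's whole environment to the root-run Docker client, which is much more than the one variable this change needs. Preserving only that variable is narrower and still keeps the value out of the logged command line: `sudo --preserve-env=OS_PASSWORD docker run -t --rm --net=host` (the list form needs sudo 1.8.21 or later). Either form depends on the sudoers policy allowing environment preservation; where it does not, sudo may refuse the command or drop the variable, and `-e OS_PASSWORD` would then pass nothing into the container, so a short comment stating that requirement would help operators. The same line is changed in tools/shipyard_docker_base_command.sh, and the command substitution that holds this heredoc closes outside the hunk.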

4
tools/shipyard_docker_base_command.sh

@ -23,14 +23,14 @@ SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
# Define Base Docker Command
base_docker_command=$(cat << EndOfCommand
sudo docker run -t --rm --net=host
sudo -E docker run -t --rm --net=host
-e http_proxy=${HTTP_PROXY}
-e https_proxy=${HTTPS_PROXY}
-e no_proxy=${NO_PROXY}
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
-e OS_USERNAME=${OS_USERNAME:-shipyard}
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
-e OS_PASSWORD=${OS_PASSWORD:-password}
-e OS_PASSWORD
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
EndOfCommand
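Review bot: The `-e http_proxy=${HTTP_PROXY}` and `-e https_proxy=${HTTPS_PROXY}` lines are still expanded into the sudo command line, so a proxy URL that embeds credentials (`http://user:pass@host`) would be written to auth.log just as OS_PASSWORD was before this change. If proxies with credentials are possible in these deployments, the same name-only pattern applies: `export http_proxy="${HTTP_PROXY}"` before the heredoc and a bare `-e http_proxy` inside it, likewise for https_proxy; tools/shipyard.sh has the same two lines. Separately, this file now passes `-e OS_PASSWORD` without setting a default, and the visible hunk shows no export, so any script that sources it apparently has to export the variable itself. A comment such as `# OS_PASSWORD must be exported by the caller; it is passed by name so the value never appears in the sudo log` would make that contract explicit.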
