openstack/puppet-nova
Code Issues Proposed changes

Dont log output when setting virsh secret

Browse Source 
If the command failes we will leak the secret
into log files and output.

Change-Id: I91271f3cb8de7a9b5c20fdb7b249931d88c5c1b1
This commit is contained in:
Tobias Urdin
2023-06-05 09:42:00 +02:00
parent 0e6e17b171
commit 1a3eebcf12
2 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
manifests/compute/rbd.pp
View File

@@ -154,9 +154,10 @@ class nova::compute::rbd (
$libvirt_key = "$(ceph auth get-key ${rbd_keyring})" $libvirt_key = "$(ceph auth get-key ${rbd_keyring})"
} }
exec { 'set-secret-value virsh': exec { 'set-secret-value virsh':
command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}", command => "/usr/bin/virsh secret-set-value --secret ${libvirt_rbd_secret_uuid} --base64 ${libvirt_key}",
unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}", unless => "/usr/bin/virsh secret-get-value ${libvirt_rbd_secret_uuid} | grep ${libvirt_key}",
require => Exec['get-or-set virsh secret'], logoutput => false,
require => Exec['get-or-set virsh secret'],
} }
} else { } else {
nova_config { nova_config {

9
spec/classes/nova_compute_rbd_spec.rb
View File

@@ -98,7 +98,8 @@ describe 'nova::compute::rbd' do
:require => 'File[/etc/nova/secret.xml]', :require => 'File[/etc/nova/secret.xml]',
) )
is_expected.to contain_exec('set-secret-value virsh').with( is_expected.to contain_exec('set-secret-value virsh').with(
:command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)" :command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
:logoutput => false,
) )
end end
end end
@@ -113,7 +114,8 @@ describe 'nova::compute::rbd' do
it 'set libvirt secret key from passed key' do it 'set libvirt secret key from passed key' do
is_expected.to contain_exec('set-secret-value virsh').with( is_expected.to contain_exec('set-secret-value virsh').with(
:command => "/usr/bin/virsh secret-set-value --secret #{params[:libvirt_rbd_secret_uuid]} --base64 #{params[:libvirt_rbd_secret_key]}" :command => "/usr/bin/virsh secret-set-value --secret #{params[:libvirt_rbd_secret_uuid]} --base64 #{params[:libvirt_rbd_secret_key]}",
:logoutput => false,
) )
end end
end end
@@ -152,7 +154,8 @@ describe 'nova::compute::rbd' do
:require => 'File[/etc/nova/secret.xml]', :require => 'File[/etc/nova/secret.xml]',
) )
is_expected.to contain_exec('set-secret-value virsh').with( is_expected.to contain_exec('set-secret-value virsh').with(
:command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)" :command => "/usr/bin/virsh secret-set-value --secret UUID --base64 $(ceph auth get-key client.rbd_test)",
:logoutput => false,
) )
end end
end end