diff --git a/SOURCES/sos-bz1785813-foreman-proxy_password_scrub.patch b/SOURCES/sos-bz1785813-foreman-proxy_password_scrub.patch
new file mode 100644
index 0000000..7efac20
--- /dev/null
+++ b/SOURCES/sos-bz1785813-foreman-proxy_password_scrub.patch
@@ -0,0 +1,33 @@
+From fb201fb80f27bdcc69d532ebcc3ff2ae2356edc7 Mon Sep 17 00:00:00 2001
+From: Jan Jansky
+Date: Mon, 4 Jan 2021 10:53:14 +0100
+Subject: [PATCH] [foreman] scrub rhsm proxy_password in installer logs
+
+Scrub potential RHSM proxy_password = in installer logs.
+
+Related: #2144
+Resolves: #2354
+
+Signed-off-by: Jan Jansky
+Signed-off-by: Jake Hunsaker
+---
+ sos/plugins/foreman.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sos/plugins/foreman.py b/sos/plugins/foreman.py
+index 16d8c7f..ff79b81 100644
+--- a/sos/plugins/foreman.py
++++ b/sos/plugins/foreman.py
+@@ -266,7 +266,8 @@ class Foreman(Plugin):
+
+ def postproc(self):
+ satreg = r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?((::(.*)::.*" \
+- r"(passw|cred|token|secret|key).*(\")?:)|(storepass )))(.*)"
++ r"(passw|cred|token|secret|key).*(\")?:)|(storepass )" \
++ r"|(password =)))(.*)"
+ self.do_path_regex_sub(
+ "/var/log/foreman-installer/sat*",
+ satreg,
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1886784-filesys_never_collect_panfs.patch b/SOURCES/sos-bz1886784-filesys_never_collect_panfs.patch
new file mode 100644
index 0000000..ae14785
--- /dev/null
+++ b/SOURCES/sos-bz1886784-filesys_never_collect_panfs.patch
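Review bot: In the sos/plugins/foreman.py hunk carried by the first patch, the added alternative `(password =)` is a literal, so it matches only when exactly one space separates the key from the equals sign; an installer log line written as `proxy_password=` or with other spacing would be left unscrubbed. Allowing optional whitespace closes that gap: `r"|(password\s*=)))(.*)"`. The new group also sits in front of the trailing `(.*)` and shifts that group's number; the replacement argument is outside the hunk, so it is worth confirming that it refers only to the prefix group. postproc's body continues past the end of the hunk.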
@@ -0,0 +1,32 @@
+From c7ddd5debec6a4cc2d215cfd8bb0786769ae6712 Mon Sep 17 00:00:00 2001
+From: Jan Jansky
+Date: Fri, 12 Mar 2021 16:42:13 +0100
+Subject: [PATCH] [filesys] never collect content of /proc/fs/panfs
+
+Backport #2262 to legacy-3.9.
+
+Related: #2262
+Resolves: #2447
+
+Signed-off-by: Jan Jansky
+Signed-off-by: Jake Hunsaker
+---
+ sos/plugins/filesys.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sos/plugins/filesys.py b/sos/plugins/filesys.py
+index cba662a..138ba15 100644
+--- a/sos/plugins/filesys.py
++++ b/sos/plugins/filesys.py
+@@ -42,6 +42,8 @@ class Filesys(Plugin, DebianPlugin, UbuntuPlugin):
+ "lslocks"
+ ])
+
++ self.add_forbidden_path('/proc/fs/panfs')
++
+ if self.get_option('lsof'):
+ self.add_cmd_output("lsof -b +M -n -l -P", root_symlink="lsof")
+
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1892692-openstack_ceilometer_backend_url.patch b/SOURCES/sos-bz1892692-openstack_ceilometer_backend_url.patch
new file mode 100644
index 0000000..8826130
--- /dev/null
+++ b/SOURCES/sos-bz1892692-openstack_ceilometer_backend_url.patch
@@ -0,0 +1,36 @@
+From 73524dc167179039e89a5af65f0c10c2b4fa4192 Mon Sep 17 00:00:00 2001
+From: Jan Jansky
+Date: Fri, 12 Mar 2021 17:40:03 +0100
+Subject: [PATCH] [openstack_ceilometer] Add backend_url to protected keys
+
+Backport #2298 to legacy-3.9.
+
+Related: #2298
+Resolves: #2448
+
+Signed-off-by: Jan Jansky
+Signed-off-by: Jake Hunsaker
+---
+ sos/plugins/openstack_ceilometer.py | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sos/plugins/openstack_ceilometer.py b/sos/plugins/openstack_ceilometer.py
+index c2f1450..a808778 100644
+--- a/sos/plugins/openstack_ceilometer.py
++++ b/sos/plugins/openstack_ceilometer.py
+@@ -50,10 +50,9 @@ class OpenStackCeilometer(Plugin):
+ "admin_password", "connection_password", "host_password",
+ "memcache_secret_key", "os_password", "password", "qpid_password",
+ "rabbit_password", "readonly_user_password", "secret_key",
+- "ssl_key_password", "telemetry_secret", "metering_secret",
+- "transport_url"
++ "ssl_key_password", "telemetry_secret", "metering_secret"
+ ]
+- connection_keys = ["connection"]
++ connection_keys = ["connection", "backend_url", "transport_url"]
+
+ self.apply_regex_sub(
+ r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys),
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1903144-pacemaker_fix_scrubbing_password.patch b/SOURCES/sos-bz1903144-pacemaker_fix_scrubbing_password.patch
new file mode 100644
index 0000000..ef56863
--- /dev/null
+++ b/SOURCES/sos-bz1903144-pacemaker_fix_scrubbing_password.patch
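Review bot: Moving `transport_url` from `protect_keys` to `connection_keys` changes which substitution masks it, and the substitution that consumes `connection_keys` lies outside the hunk, so the patch alone does not show how much of the value is still hidden. The `protect_keys` pattern visible here captures everything after the `=`; if the connection pattern only recognises a single `scheme://user:password@host` shape, a `transport_url` or `backend_url` that lists several endpoints with their own credentials may keep some of them in the report. Confirm against that pattern, and consider a comment above the list such as `# URL-valued keys: only the password component is masked, see the connection_keys substitution below`. The enclosing method starts and ends outside the hunk.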
@@ -0,0 +1,41 @@
+From ad79fd5d28feaf05adddb746ef892a32a56ccfa9 Mon Sep 17 00:00:00 2001
+From: Jan Jansky
+Date: Fri, 12 Mar 2021 16:23:51 +0100
+Subject: [PATCH] [pacemaker] Fix scrubbing when password contains an equal
+ sign
+
+Backport #2109 to legacy-3.9.
+
+Related: #2109
+Resolves: #2446
+
+Signed-off-by: Jan Jansky
+Signed-off-by: Jake Hunsaker
+---
+ sos/plugins/pacemaker.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sos/plugins/pacemaker.py b/sos/plugins/pacemaker.py
+index 940389e..f47c66a 100644
+--- a/sos/plugins/pacemaker.py
++++ b/sos/plugins/pacemaker.py
+@@ -55,14 +55,14 @@ class Pacemaker(Plugin):
+ def postproc_crm_shell(self):
+ self.do_cmd_output_sub(
+ "crm configure show",
+- r"passw(\S*)=\S+",
++ r"passw([^\s=]*)=\S+",
+ r"passw\1=********"
+ )
+
+ def postproc_pcs(self):
+ self.do_cmd_output_sub(
+ "pcs config",
+- r"passw(\S*)=\S+",
++ r"passw([^\s=]*)=\S+",
+ r"passw\1=********"
+ )
+
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch
new file mode 100644
index 0000000..78e9564
--- /dev/null
+++ b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch
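Review bot: The value side of the new pattern is still `\S+` in both `postproc_crm_shell` and `postproc_pcs`, so masking stops at the first whitespace character; if either command prints a quoted password that contains a space, the text after that space would stay in the collected output. Whether `crm configure show` or `pcs config` emit such values is not visible here, so this is something to check rather than a confirmed leak. If they do, matching a quoted value before falling back to `\S+` covers it, for example `r"passw([^\s=]*)=(\"[^\"]*\"|\S+)"`, with the replacement left unchanged. A one-line comment above each pattern noting that the key part excludes `=` so that the first equals sign is taken as the separator would also help the next reader.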
@@ -0,0 +1,34 @@
+From ea9be29ef1635e317477c4bce3187671f414f76e Mon Sep 17 00:00:00 2001
+From: Jan Jansky
+Date: Mon, 1 Mar 2021 13:24:44 +0100
+Subject: [PATCH] [foreman] call psql with --no-password to avoid waiting on
+ input
+
+Backport #2422 to legacy-3.9.
+
+Resolves: #2429
+Closes: #2421
+
+Signed-off-by: Jan Jansky
+Signed-off-by: Jake Hunsaker
+---
+ sos/plugins/foreman.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sos/plugins/foreman.py b/sos/plugins/foreman.py
+index ff79b81..84fb4b0 100644
+--- a/sos/plugins/foreman.py
++++ b/sos/plugins/foreman.py
+@@ -261,7 +261,8 @@ class Foreman(Plugin):
+ a large amount of quoting in sos logs referencing the command being run
+ """
+ csvformat = "-A -F , -X" if csv else ""
+- _dbcmd = "psql -h %s -p 5432 -U foreman -d foreman %s -c %s"
++ _dbcmd = "psql --no-password -h %s -p 5432 -U foreman -d foreman %s \
++ -c %s"
+ return _dbcmd % (self.dbhost, csvformat, quote(query))
+
+ def postproc(self):
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch
new file mode 100644
index 0000000..6b2190d
--- /dev/null
+++ b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch
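Review bot: The added `_dbcmd` literal is continued with a backslash inside the string itself, so whatever indentation the second line carries becomes part of the command string that is later formatted and run. The following patch adds the same construct to sos/plugins/candlepin.py. Adjacent string literals inside parentheses avoid the stray whitespace: `_dbcmd = ("psql --no-password -h %s -p 5432 -U foreman -d foreman %s "` followed by `"-c %s")`. The method that builds this command begins above the hunk, so only its tail is visible here.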
@@ -0,0 +1,31 @@
+From f04fc149a051e7519b9fe375f47e4d4bae79833c Mon Sep 17 00:00:00 2001
+From: Jan Jansky
+Date: Mon, 1 Mar 2021 13:22:16 +0100
+Subject: [PATCH] [candlepin] call psql with --no-password to avoid waiting on
+ input
+
+Backport #2422 to legacy-3.9.
+
+Signed-off-by: Jan Jansky
+Signed-off-by: Jake Hunsaker
+---
+ sos/plugins/candlepin.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sos/plugins/candlepin.py b/sos/plugins/candlepin.py
+index 243b5f5..e51c646 100644
+--- a/sos/plugins/candlepin.py
++++ b/sos/plugins/candlepin.py
+@@ -92,7 +92,8 @@ class Candlepin(Plugin, RedHatPlugin):
+ a large amount of quoting in sos logs referencing the command being run
+ """
+ csvformat = "-A -F , -X" if csv else ""
+- _dbcmd = "psql -h %s -p 5432 -U candlepin -d candlepin %s -c %s"
++ _dbcmd = "psql --no-password -h %s -p 5432 -U candlepin \
++ -d candlepin %s -c %s"
+ return _dbcmd % (self.dbhost, csvformat, quote(query))
+
+ def postproc(self):
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-centos-branding.patch b/SOURCES/sos-centos-branding.patch
deleted file mode 100644
index 52b7c6d..0000000
--- a/SOURCES/sos-centos-branding.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-diff -uNrp sos-3.9.orig/sos/policies/redhat.py sos-3.9/sos/policies/redhat.py
---- sos-3.9.orig/sos/policies/redhat.py 2020-03-24 15:33:13.000000000 +0000
-+++ sos-3.9/sos/policies/redhat.py 2020-10-03 12:48:32.088747085 +0000
-@@ -89,7 +89,7 @@ class RedHatPolicy(LinuxPolicy):
- def check(cls):
- """This method checks to see if we are running on Red Hat. It must be
- overriden by concrete subclasses to return True when running on a
-- Fedora, RHEL or other Red Hat distribution or False otherwise."""
-+ Fedora, CentOS, RHEL or other Red Hat distribution or False otherwise."""
- return False
-
- def check_usrmove(self, pkgs):
-@@ -187,29 +187,29 @@ _opts_all_logs_verify = SoSOptions(all_l
- _cb_profiles = ['boot', 'storage', 'system']
- _cb_plugopts = ['boot.all-images=on', 'rpm.rpmva=on', 'rpm.rpmdb=on']
-
--RHEL_RELEASE_STR = "Red Hat Enterprise Linux"
-+RHEL_RELEASE_STR = "CentOS Linux"
-
- RHV = "rhv"
--RHV_DESC = "Red Hat Virtualization"
-+RHV_DESC = "Virtualization"
-
- RHEL = "rhel"
- RHEL_DESC = RHEL_RELEASE_STR
-
- RHOSP = "rhosp"
--RHOSP_DESC = "Red Hat OpenStack Platform"
-+RHOSP_DESC = "OpenStack Platform"
-
- RHOCP = "ocp"
--RHOCP_DESC = "OpenShift Container Platform by Red Hat"
-+RHOCP_DESC = "OpenShift Container Platform"
- RHOSP_OPTS = SoSOptions(plugopts=[
- 'process.lsof=off',
- 'networking.ethtool_namespaces=False',
- 'networking.namespaces=200'])
-
- RH_CFME = "cfme"
--RH_CFME_DESC = "Red Hat CloudForms"
-+RH_CFME_DESC = "CloudForms"
-
- RH_SATELLITE = "satellite"
--RH_SATELLITE_DESC = "Red Hat Satellite"
-+RH_SATELLITE_DESC = "Satellite"
- SAT_OPTS = SoSOptions(verify=True, plugopts=['apache.log=on'])
-
- CB = "cantboot"
-@@ -257,8 +257,8 @@ RH_FTP_HOST = "ftp://dropbox.redhat.com"
-
- class RHELPolicy(RedHatPolicy):
- distro = RHEL_RELEASE_STR
-- vendor = "Red Hat"
-- vendor_url = "https://access.redhat.com/support/"
-+ vendor = "CentOS"
-+ vendor_url = "https://wiki.centos.org/support"
- msg = _("""\
- This command will collect diagnostic and configuration \
- information from this %(distro)s system and installed \
-@@ -280,7 +280,7 @@ support representative.
- def check(cls):
- """Test to see if the running host is a RHEL installation.
-
-- Checks for the presence of the "Red Hat Enterprise Linux"
-+ Checks for the presence of the "CentOS Linux"
- release string at the beginning of the NAME field in the
- `/etc/os-release` file and returns ``True`` if it is
- found, and ``False`` otherwise.
-@@ -334,7 +334,7 @@ support representative.
-
- def get_upload_url_string(self):
- if self.get_upload_url().startswith(RH_API_HOST):
-- return "Red Hat Customer Portal"
-+ return "Customer Portal"
- return self.upload_url or RH_FTP_HOST
-
- def get_upload_user(self):
-@@ -389,7 +389,7 @@ class CentOsPolicy(RHELPolicy):
-
- ATOMIC = "atomic"
- ATOMIC_RELEASE_STR = "Atomic"
--ATOMIC_DESC = "Red Hat Enterprise Linux Atomic Host"
-+ATOMIC_DESC = "Atomic Host"
-
- atomic_presets = {
- ATOMIC: PresetDefaults(name=ATOMIC, desc=ATOMIC_DESC, note=NOTE_TIME,
-@@ -398,7 +398,7 @@ atomic_presets = {
-
-
- class RedHatAtomicPolicy(RHELPolicy):
-- distro = "Red Hat Atomic Host"
-+ distro = "Atomic Host"
- msg = _("""\
- This command will collect diagnostic and configuration \
- information from this %(distro)s system.
-@@ -435,7 +435,7 @@ support representative.
-
-
- class RedHatCoreOSPolicy(RHELPolicy):
-- distro = "Red Hat CoreOS"
-+ distro = "CoreOS"
- msg = _("""\
- This command will collect diagnostic and configuration \
- information from this %(distro)s system.
-@@ -456,7 +456,7 @@ support representative.
- host_release = os.environ[ENV_HOST_SYSROOT] + cls._redhat_release
- try:
- for line in open(host_release, 'r').read().splitlines():
-- coreos |= 'Red Hat CoreOS' in line
-+ coreos |= 'CoreOS' in line
- except IOError:
- pass
- return coreos
-diff -uNrp sos-3.9.orig/sos/policies/redhat.py sos-3.9/sos/policies/redhat.py
---- sos-3.9.orig/sos/policies/redhat.py 2021-02-02 15:39:49.180326048 +0000
-+++ sos-3.9/sos/policies/redhat.py 2021-02-02 15:44:02.907874181 +0000
-@@ -31,9 +31,9 @@ except NameError:
-
-
- class RedHatPolicy(LinuxPolicy):
-- distro = "Red Hat"
-- vendor = "Red Hat"
-- vendor_url = "https://www.redhat.com/"
-+ distro = "CentOS"
-+ vendor = "CentOS"
-+ vendor_url = "https://www.centos.org/"
- _redhat_release = '/etc/redhat-release'
- _tmp_dir = "/var/tmp"
- _rpmq_cmd = 'rpm -qa --queryformat "%{NAME}|%{VERSION}|%{RELEASE}\\n"'
-@@ -87,9 +87,9 @@ class RedHatPolicy(LinuxPolicy):
-
- @classmethod
- def check(cls):
-- """This method checks to see if we are running on Red Hat. It must be
-+ """This method checks to see if we are running on CentOS Linux. It must be
- overriden by concrete subclasses to return True when running on a
-- Fedora, CentOS, RHEL or other Red Hat distribution or False otherwise."""
-+ Fedora, CentOS, RHEL or other CentOS distribution or False otherwise."""
- return False
-
- def check_usrmove(self, pkgs):
-@@ -309,7 +309,7 @@ support representative.
- return
- if self.case_id:
- self.upload_user = input(_(
-- "Enter your Red Hat Customer Portal username (empty to use "
-+ "Enter your Customer Portal username (empty to use "
- "public dropbox): ")
- )
- if not self.upload_user:
diff --git a/SPECS/sos.spec b/SPECS/sos.spec
index 91a1b9f..ddd3f79 100644
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@@ -2,7 +2,7 @@
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 3.9
-Release: 5%{?dist}.2
+Release: 5%{?dist}.4
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}.tar.gz
 License: GPLv2+
@@ -38,7 +38,12 @@ Patch15: sos-bz1871207-audit_collect_etc_audisp.patch
 Patch16: sos-bz1886432-policy_fix_failure_conditions_with_upload.patch
 Patch17: sos-bz1897903-postgresql_collect_rh-postgresql12.patch
 Patch18: sos-bz1917074-networking_ethtool-e_conditionally_only.patch
-Patch19: sos-centos-branding.patch
+Patch19: sos-bz1785813-foreman-proxy_password_scrub.patch
+Patch20: sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch
+Patch21: sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch
+Patch22: sos-bz1903144-pacemaker_fix_scrubbing_password.patch
+Patch23: sos-bz1886784-filesys_never_collect_panfs.patch
+Patch24: sos-bz1892692-openstack_ceilometer_backend_url.patch
 
 %description
 Sos is a set of tools that gathers information about system
@@ -68,6 +73,11 @@ support technicians and developers.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
 
 %build
 make
@@ -91,8 +101,21 @@ rm -rf ${RPM_BUILD_ROOT}
 %config(noreplace) %{_sysconfdir}/sos.conf
 
 %changelog
-* Tue Feb 02 2021 CentOS Sources - 3.9-5.el7.centos.2
-- Roll in CentOS Branding
+* Thu Mar 18 2021 Jan Jansky = 3.9-5.4
+- [candlepin/foreman] psql with --no-password
+ Resolves: bz1932772
+- [pacemaker] password scrub fix
+ Resolves: bz1903144
+- [filesys] never collect panfs
+ Resolves: bz1886784
+- [openstack_ceilometer] backend_url protected
+ Resolves: bz1892692
+
+* Tue Mar 09 2021 Jan Jansky = 3.9-5.3
+- [candlepin/foreman] psql with --no-password
+ Resolves: bz1932772
+- [foreman] proxy_password scrub in installer logs
+ Resolves: bz1785813
 
 * Thu Jan 21 2021 Jan Jansky = 3.9-5.2
 - [networking] 'ethtool -e ' conditionally only