diff --git a/SOURCES/sos-bz1785813-foreman-proxy_password_scrub.patch b/SOURCES/sos-bz1785813-foreman-proxy_password_scrub.patch
new file mode 100644
index 0000000..7efac20
--- /dev/null
+++ b/SOURCES/sos-bz1785813-foreman-proxy_password_scrub.patch
@@ -0,0 +1,33 @@
+From fb201fb80f27bdcc69d532ebcc3ff2ae2356edc7 Mon Sep 17 00:00:00 2001
+From: Jan Jansky <jjansky@redhat.com>
+Date: Mon, 4 Jan 2021 10:53:14 +0100
+Subject: [PATCH] [foreman] scrub rhsm proxy_password in installer logs
+
+Scrub potential RHSM proxy_password = <secret> in installer logs.
+
+Related: #2144
+Resolves: #2354
+
+Signed-off-by: Jan Jansky <jjansky@redhat.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/plugins/foreman.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sos/plugins/foreman.py b/sos/plugins/foreman.py
+index 16d8c7f..ff79b81 100644
+--- a/sos/plugins/foreman.py
++++ b/sos/plugins/foreman.py
+@@ -266,7 +266,8 @@ class Foreman(Plugin):
+
+ def postproc(self):
+ satreg = r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?((::(.*)::.*" \
+- r"(passw|cred|token|secret|key).*(\")?:)|(storepass )))(.*)"
++ r"(passw|cred|token|secret|key).*(\")?:)|(storepass )" \
++ r"|(password =)))(.*)"
+ self.do_path_regex_sub(
+ "/var/log/foreman-installer/sat*",
+ satreg,
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1886784-filesys_never_collect_panfs.patch b/SOURCES/sos-bz1886784-filesys_never_collect_panfs.patch
new file mode 100644
index 0000000..ae14785
--- /dev/null
+++ b/SOURCES/sos-bz1886784-filesys_never_collect_panfs.patch
@@ -0,0 +1,32 @@
+From c7ddd5debec6a4cc2d215cfd8bb0786769ae6712 Mon Sep 17 00:00:00 2001
+From: Jan Jansky <jjansky@redhat.com>
+Date: Fri, 12 Mar 2021 16:42:13 +0100
+Subject: [PATCH] [filesys] never collect content of /proc/fs/panfs
+
+Backport #2262 to legacy-3.9.
+
+Related: #2262
+Resolves: #2447
+
+Signed-off-by: Jan Jansky <jjansky@redhat.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/plugins/filesys.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sos/plugins/filesys.py b/sos/plugins/filesys.py
+index cba662a..138ba15 100644
+--- a/sos/plugins/filesys.py
++++ b/sos/plugins/filesys.py
+@@ -42,6 +42,8 @@ class Filesys(Plugin, DebianPlugin, UbuntuPlugin):
+ "lslocks"
+ ])
+
++ self.add_forbidden_path('/proc/fs/panfs')
++
+ if self.get_option('lsof'):
+ self.add_cmd_output("lsof -b +M -n -l -P", root_symlink="lsof")
+
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1892692-openstack_ceilometer_backend_url.patch b/SOURCES/sos-bz1892692-openstack_ceilometer_backend_url.patch
new file mode 100644
index 0000000..8826130
--- /dev/null
+++ b/SOURCES/sos-bz1892692-openstack_ceilometer_backend_url.patch
@@ -0,0 +1,36 @@
+From 73524dc167179039e89a5af65f0c10c2b4fa4192 Mon Sep 17 00:00:00 2001
+From: Jan Jansky <jjansky@redhat.com>
+Date: Fri, 12 Mar 2021 17:40:03 +0100
+Subject: [PATCH] [openstack_ceilometer] Add backend_url to protected keys
+
+Backport #2298 to legacy-3.9.
+
+Related: #2298
+Resolves: #2448
+
+Signed-off-by: Jan Jansky <jjansky@redhat.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/plugins/openstack_ceilometer.py | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sos/plugins/openstack_ceilometer.py b/sos/plugins/openstack_ceilometer.py
+index c2f1450..a808778 100644
+--- a/sos/plugins/openstack_ceilometer.py
++++ b/sos/plugins/openstack_ceilometer.py
+@@ -50,10 +50,9 @@ class OpenStackCeilometer(Plugin):
+ "admin_password", "connection_password", "host_password",
+ "memcache_secret_key", "os_password", "password", "qpid_password",
+ "rabbit_password", "readonly_user_password", "secret_key",
+- "ssl_key_password", "telemetry_secret", "metering_secret",
+- "transport_url"
++ "ssl_key_password", "telemetry_secret", "metering_secret"
+ ]
+- connection_keys = ["connection"]
++ connection_keys = ["connection", "backend_url", "transport_url"]
+
+ self.apply_regex_sub(
+ r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys),
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1903144-pacemaker_fix_scrubbing_password.patch b/SOURCES/sos-bz1903144-pacemaker_fix_scrubbing_password.patch
new file mode 100644
index 0000000..ef56863
--- /dev/null
+++ b/SOURCES/sos-bz1903144-pacemaker_fix_scrubbing_password.patch
@@ -0,0 +1,41 @@
+From ad79fd5d28feaf05adddb746ef892a32a56ccfa9 Mon Sep 17 00:00:00 2001
+From: Jan Jansky <jjansky@redhat.com>
+Date: Fri, 12 Mar 2021 16:23:51 +0100
+Subject: [PATCH] [pacemaker] Fix scrubbing when password contains an equal
+ sign
+
+Backport #2109 to legacy-3.9.
+
+Related: #2109
+Resolves: #2446
+
+Signed-off-by: Jan Jansky <jjansky@redhat.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/plugins/pacemaker.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sos/plugins/pacemaker.py b/sos/plugins/pacemaker.py
+index 940389e..f47c66a 100644
+--- a/sos/plugins/pacemaker.py
++++ b/sos/plugins/pacemaker.py
+@@ -55,14 +55,14 @@ class Pacemaker(Plugin):
+ def postproc_crm_shell(self):
+ self.do_cmd_output_sub(
+ "crm configure show",
+- r"passw(\S*)=\S+",
++ r"passw([^\s=]*)=\S+",
+ r"passw\1=********"
+ )
+
+ def postproc_pcs(self):
+ self.do_cmd_output_sub(
+ "pcs config",
+- r"passw(\S*)=\S+",
++ r"passw([^\s=]*)=\S+",
+ r"passw\1=********"
+ )
+
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch
new file mode 100644
index 0000000..78e9564
--- /dev/null
+++ b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch
@@ -0,0 +1,34 @@
+From ea9be29ef1635e317477c4bce3187671f414f76e Mon Sep 17 00:00:00 2001
+From: Jan Jansky <jjansky@redhat.com>
+Date: Mon, 1 Mar 2021 13:24:44 +0100
+Subject: [PATCH] [foreman] call psql with --no-password to avoid waiting on
+ input
+
+Backport #2422 to legacy-3.9.
+
+Resolves: #2429
+Closes: #2421
+
+Signed-off-by: Jan Jansky <jjansky@redhat.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/plugins/foreman.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sos/plugins/foreman.py b/sos/plugins/foreman.py
+index ff79b81..84fb4b0 100644
+--- a/sos/plugins/foreman.py
++++ b/sos/plugins/foreman.py
+@@ -261,7 +261,8 @@ class Foreman(Plugin):
+ a large amount of quoting in sos logs referencing the command being run
+ """
+ csvformat = "-A -F , -X" if csv else ""
+- _dbcmd = "psql -h %s -p 5432 -U foreman -d foreman %s -c %s"
++ _dbcmd = "psql --no-password -h %s -p 5432 -U foreman -d foreman %s \
++ -c %s"
+ return _dbcmd % (self.dbhost, csvformat, quote(query))
+
+ def postproc(self):
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch
new file mode 100644
index 0000000..6b2190d
--- /dev/null
+++ b/SOURCES/sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch
@@ -0,0 +1,31 @@
+From f04fc149a051e7519b9fe375f47e4d4bae79833c Mon Sep 17 00:00:00 2001
+From: Jan Jansky <jjansky@redhat.com>
+Date: Mon, 1 Mar 2021 13:22:16 +0100
+Subject: [PATCH] [candlepin] call psql with --no-password to avoid waiting on
+ input
+
+Backport #2422 to legacy-3.9.
+
+Signed-off-by: Jan Jansky <jjansky@redhat.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/plugins/candlepin.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sos/plugins/candlepin.py b/sos/plugins/candlepin.py
+index 243b5f5..e51c646 100644
+--- a/sos/plugins/candlepin.py
++++ b/sos/plugins/candlepin.py
+@@ -92,7 +92,8 @@ class Candlepin(Plugin, RedHatPlugin):
+ a large amount of quoting in sos logs referencing the command being run
+ """
+ csvformat = "-A -F , -X" if csv else ""
+- _dbcmd = "psql -h %s -p 5432 -U candlepin -d candlepin %s -c %s"
++ _dbcmd = "psql --no-password -h %s -p 5432 -U candlepin \
++ -d candlepin %s -c %s"
+ return _dbcmd % (self.dbhost, csvformat, quote(query))
+
+ def postproc(self):
+--
+1.8.3.1
+
diff --git a/SOURCES/sos-centos-branding.patch b/SOURCES/sos-centos-branding.patch
deleted file mode 100644
index 52b7c6d..0000000
--- a/SOURCES/sos-centos-branding.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-diff -uNrp sos-3.9.orig/sos/policies/redhat.py sos-3.9/sos/policies/redhat.py
---- sos-3.9.orig/sos/policies/redhat.py 2020-03-24 15:33:13.000000000 +0000
-+++ sos-3.9/sos/policies/redhat.py 2020-10-03 12:48:32.088747085 +0000
-@@ -89,7 +89,7 @@ class RedHatPolicy(LinuxPolicy):
- def check(cls):
- """This method checks to see if we are running on Red Hat. It must be
- overriden by concrete subclasses to return True when running on a
-- Fedora, RHEL or other Red Hat distribution or False otherwise."""
-+ Fedora, CentOS, RHEL or other Red Hat distribution or False otherwise."""
- return False
-
- def check_usrmove(self, pkgs):
-@@ -187,29 +187,29 @@ _opts_all_logs_verify = SoSOptions(all_l
- _cb_profiles = ['boot', 'storage', 'system']
- _cb_plugopts = ['boot.all-images=on', 'rpm.rpmva=on', 'rpm.rpmdb=on']
-
--RHEL_RELEASE_STR = "Red Hat Enterprise Linux"
-+RHEL_RELEASE_STR = "CentOS Linux"
-
- RHV = "rhv"
--RHV_DESC = "Red Hat Virtualization"
-+RHV_DESC = "Virtualization"
-
- RHEL = "rhel"
- RHEL_DESC = RHEL_RELEASE_STR
-
- RHOSP = "rhosp"
--RHOSP_DESC = "Red Hat OpenStack Platform"
-+RHOSP_DESC = "OpenStack Platform"
-
- RHOCP = "ocp"
--RHOCP_DESC = "OpenShift Container Platform by Red Hat"
-+RHOCP_DESC = "OpenShift Container Platform"
- RHOSP_OPTS = SoSOptions(plugopts=[
- 'process.lsof=off',
- 'networking.ethtool_namespaces=False',
- 'networking.namespaces=200'])
-
- RH_CFME = "cfme"
--RH_CFME_DESC = "Red Hat CloudForms"
-+RH_CFME_DESC = "CloudForms"
-
- RH_SATELLITE = "satellite"
--RH_SATELLITE_DESC = "Red Hat Satellite"
-+RH_SATELLITE_DESC = "Satellite"
- SAT_OPTS = SoSOptions(verify=True, plugopts=['apache.log=on'])
-
- CB = "cantboot"
-@@ -257,8 +257,8 @@ RH_FTP_HOST = "ftp://dropbox.redhat.com"
-
- class RHELPolicy(RedHatPolicy):
- distro = RHEL_RELEASE_STR
-- vendor = "Red Hat"
-- vendor_url = "https://access.redhat.com/support/"
-+ vendor = "CentOS"
-+ vendor_url = "https://wiki.centos.org/support"
- msg = _("""\
- This command will collect diagnostic and configuration \
- information from this %(distro)s system and installed \
-@@ -280,7 +280,7 @@ support representative.
- def check(cls):
- """Test to see if the running host is a RHEL installation.
-
-- Checks for the presence of the "Red Hat Enterprise Linux"
-+ Checks for the presence of the "CentOS Linux"
- release string at the beginning of the NAME field in the
- `/etc/os-release` file and returns ``True`` if it is
- found, and ``False`` otherwise.
-@@ -334,7 +334,7 @@ support representative.
-
- def get_upload_url_string(self):
- if self.get_upload_url().startswith(RH_API_HOST):
-- return "Red Hat Customer Portal"
-+ return "Customer Portal"
- return self.upload_url or RH_FTP_HOST
-
- def get_upload_user(self):
-@@ -389,7 +389,7 @@ class CentOsPolicy(RHELPolicy):
-
- ATOMIC = "atomic"
- ATOMIC_RELEASE_STR = "Atomic"
--ATOMIC_DESC = "Red Hat Enterprise Linux Atomic Host"
-+ATOMIC_DESC = "Atomic Host"
-
- atomic_presets = {
- ATOMIC: PresetDefaults(name=ATOMIC, desc=ATOMIC_DESC, note=NOTE_TIME,
-@@ -398,7 +398,7 @@ atomic_presets = {
-
-
- class RedHatAtomicPolicy(RHELPolicy):
-- distro = "Red Hat Atomic Host"
-+ distro = "Atomic Host"
- msg = _("""\
- This command will collect diagnostic and configuration \
- information from this %(distro)s system.
-@@ -435,7 +435,7 @@ support representative.
-
-
- class RedHatCoreOSPolicy(RHELPolicy):
-- distro = "Red Hat CoreOS"
-+ distro = "CoreOS"
- msg = _("""\
- This command will collect diagnostic and configuration \
- information from this %(distro)s system.
-@@ -456,7 +456,7 @@ support representative.
- host_release = os.environ[ENV_HOST_SYSROOT] + cls._redhat_release
- try:
- for line in open(host_release, 'r').read().splitlines():
-- coreos |= 'Red Hat CoreOS' in line
-+ coreos |= 'CoreOS' in line
- except IOError:
- pass
- return coreos
-diff -uNrp sos-3.9.orig/sos/policies/redhat.py sos-3.9/sos/policies/redhat.py
---- sos-3.9.orig/sos/policies/redhat.py 2021-02-02 15:39:49.180326048 +0000
-+++ sos-3.9/sos/policies/redhat.py 2021-02-02 15:44:02.907874181 +0000
-@@ -31,9 +31,9 @@ except NameError:
-
-
- class RedHatPolicy(LinuxPolicy):
-- distro = "Red Hat"
-- vendor = "Red Hat"
-- vendor_url = "https://www.redhat.com/"
-+ distro = "CentOS"
-+ vendor = "CentOS"
-+ vendor_url = "https://www.centos.org/"
- _redhat_release = '/etc/redhat-release'
- _tmp_dir = "/var/tmp"
- _rpmq_cmd = 'rpm -qa --queryformat "%{NAME}|%{VERSION}|%{RELEASE}\\n"'
-@@ -87,9 +87,9 @@ class RedHatPolicy(LinuxPolicy):
-
- @classmethod
- def check(cls):
-- """This method checks to see if we are running on Red Hat. It must be
-+ """This method checks to see if we are running on CentOS Linux. It must be
- overriden by concrete subclasses to return True when running on a
-- Fedora, CentOS, RHEL or other Red Hat distribution or False otherwise."""
-+ Fedora, CentOS, RHEL or other CentOS distribution or False otherwise."""
- return False
-
- def check_usrmove(self, pkgs):
-@@ -309,7 +309,7 @@ support representative.
- return
- if self.case_id:
- self.upload_user = input(_(
-- "Enter your Red Hat Customer Portal username (empty to use "
-+ "Enter your Customer Portal username (empty to use "
- "public dropbox): ")
- )
- if not self.upload_user:
diff --git a/SPECS/sos.spec b/SPECS/sos.spec
index 91a1b9f..ddd3f79 100644
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@@ -2,7 +2,7 @@
Summary: A set of tools to gather troubleshooting information from a system
Name: sos
Version: 3.9
-Release: 5%{?dist}.2
+Release: 5%{?dist}.4
Group: Applications/System
Source0: https://github.com/sosreport/sos/archive/%{version}.tar.gz
License: GPLv2+
@@ -38,7 +38,12 @@ Patch15: sos-bz1871207-audit_collect_etc_audisp.patch
Patch16: sos-bz1886432-policy_fix_failure_conditions_with_upload.patch
Patch17: sos-bz1897903-postgresql_collect_rh-postgresql12.patch
Patch18: sos-bz1917074-networking_ethtool-e_conditionally_only.patch
-Patch19: sos-centos-branding.patch
+Patch19: sos-bz1785813-foreman-proxy_password_scrub.patch
+Patch20: sos-bz1932772-candlepin-foreman_psql_with_--no-password_1.patch
+Patch21: sos-bz1932772-candlepin-foreman_psql_with_--no-password_2.patch
+Patch22: sos-bz1903144-pacemaker_fix_scrubbing_password.patch
+Patch23: sos-bz1886784-filesys_never_collect_panfs.patch
+Patch24: sos-bz1892692-openstack_ceilometer_backend_url.patch
%description
Sos is a set of tools that gathers information about system
@@ -68,6 +73,11 @@ support technicians and developers.
%patch17 -p1
%patch18 -p1
%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
%build
make
@@ -91,8 +101,21 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sos.conf
%changelog
-* Tue Feb 02 2021 CentOS Sources <bugs@centos.org> - 3.9-5.el7.centos.2
-- Roll in CentOS Branding
+* Thu Mar 18 2021 Jan Jansky <jjansky@redhat.com> = 3.9-5.4
+- [candlepin/foreman] psql with --no-password
+ Resolves: bz1932772
+- [pacemaker] password scrub fix
+ Resolves: bz1903144
+- [filesys] never collect panfs
+ Resolves: bz1886784
+- [openstack_ceilometer] backend_url protected
+ Resolves: bz1892692
+
+* Tue Mar 09 2021 Jan Jansky <jjansky@redhat.com> = 3.9-5.3
+- [candlepin/foreman] psql with --no-password
+ Resolves: bz1932772
+- [foreman] proxy_password scrub in installer logs
+ Resolves: bz1785813
* Thu Jan 21 2021 Jan Jansky <jjansky@redhat.com> = 3.9-5.2
- [networking] 'ethtool -e <device>' conditionally only