Not logging jenv data
Ian Booth
ian.booth at canonical.com
Thu May 29 01:23:14 UTC 2014
+1 on not killing the jenv logging - we just need to sanitise out the secrets.
On 29/05/14 11:18, Andrew Wilkins wrote:
> On Thu, May 29, 2014 at 4:25 AM, Nate Finch <nate.finch at canonical.com> wrote:
>
>> Today I learned CI isn't running with --debug because they don't want to
>> expose sensitive data in their jenv... which gets logged when you run with
>> --debug. However, it also means that we don't get all our really useful
>> debug log messages when something breaks in CI.
>>
>> I made a fix for this (deleting the line that logs the jenv). Please let
>> me know if there's any reason we shouldn't do this. Logging people's
>> passwords/secrets is generally a big security no-no anyway, so I hope it
>> won't be controversial.
>>
>
> I'm +1 on not logging secrets, but I think not logging the .jenv at all
> will come back to bite us when we're debugging. It'd be better just to
> sanitise the output by using the EnvironProvider.SecretAttrs method.
>
> Also, we log the bootstrap script, and that contains the full bootstrap
> config. That needs to be sanitised (or suppressed) as well.
>
>
>> https://codereview.appspot.com/98580048
>>
>> -Nate
>>
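The sanitise-then-log approach proposed in this thread, as an added example that is not Juju's code and not part of the original message: it logs a redacted deep copy of a config map and leaves the real config untouched. The function names, sample attributes and the hard-coded secret key set are assumptions; the thread suggests taking the secret attributes from `EnvironProvider.SecretAttrs` instead.

```go
package main

import "fmt"

const redacted = "<redacted>"

// sanitise returns a deep copy of attrs with the value of every key named in
// secretKeys replaced by a placeholder. The input map is never modified.
func sanitise(attrs map[string]interface{}, secretKeys map[string]bool) map[string]interface{} {
	out := make(map[string]interface{}, len(attrs))
	for k, v := range attrs {
		if secretKeys[k] {
			out[k] = redacted // whole value goes, even if it is a map or list
			continue
		}
		out[k] = sanitiseValue(v, secretKeys)
	}
	return out
}

// sanitiseValue walks nested maps and lists, e.g. a bootstrap config
// embedded inside a larger document.
func sanitiseValue(v interface{}, secretKeys map[string]bool) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		return sanitise(t, secretKeys)
	case []interface{}:
		cp := make([]interface{}, len(t))
		for i, e := range t {
			cp[i] = sanitiseValue(e, secretKeys)
		}
		return cp
	}
	return v
}

// Constructed sample data; key names and values are assumptions.
var sampleSecretKeys = map[string]bool{"password": true, "secret-key": true}
func sampleJenv() map[string]interface{} {
	return map[string]interface{}{
		"user":             "admin",
		"password":         "constructed-password",
		"bootstrap-config": map[string]interface{}{"name": "ci-env", "secret-key": "constructed-secret"},
	}
}

func main() {
	fmt.Printf("jenv: %v\n", sanitise(sampleJenv(), sampleSecretKeys))
}
```

Redacting by key name at every nesting level covers the bootstrap config embedded in a larger document, which is the second leak the thread points out.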