[Bug 1811098] Please test proposed package
Corey Bryant
corey.bryant at canonical.com
Mon Feb 11 16:04:15 UTC 2019
Hello Edward, or anyone else affected,
Accepted ceilometer into queens-proposed. The package will build now and
be available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.
Please help us by testing this new package. To enable the -proposed
repository:
    sudo add-apt-repository cloud-archive:queens-proposed
    sudo apt-get update
Your feedback will aid us in getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-queens-needed to verification-queens-done. If it does
not fix the bug for you, please add a comment stating that, and change
the tag to verification-queens-failed. In either case, details of your
testing will help us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: cloud-archive/queens
Status: Triaged => Fix Committed
** Tags added: verification-queens-needed
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1811098
Title:
[SRU] ceilometer writing snmp credentials to log file
Status in Ceilometer:
In Progress
Status in Ubuntu Cloud Archive:
Triaged
Status in Ubuntu Cloud Archive ocata series:
Triaged
Status in Ubuntu Cloud Archive pike series:
Triaged
Status in Ubuntu Cloud Archive queens series:
Fix Committed
Status in Ubuntu Cloud Archive rocky series:
Fix Committed
Status in Ubuntu Cloud Archive stein series:
Triaged
Status in ceilometer package in Ubuntu:
Fix Released
Status in ceilometer source package in Bionic:
Fix Committed
Status in ceilometer source package in Cosmic:
Fix Released
Status in ceilometer source package in Disco:
Fix Released
Bug description:
[Impact]
This SRU proposal is to patch the Ubuntu ceilometer package so that the ceilometer-agent switches printing the contents of polling.yaml from INFO to DEBUG. This is mostly an interim fix to make it easy to stop the presence of sensitive data in the ceilometer logfiles when DEBUG logging is not activated. Another bug will be raised to propose sanitising the data printed.
[Test Case]
* deploy OpenStack Q/R/S with ceilometer
* enable debug logging
* check that /var/log/ceilometer/ceilometer-agent-central.log contains a line similar to:
    2019-01-09 11:40:50.641 25495 DEBUG ceilometer.agent [-] Config file:
    {'sources': [{'interval': 300, 'meters'...
i.e. ensure that the log is printed using DEBUG (not INFO)
[Regression Potential]
Users with debug mode disabled will no longer see this line.
----
The ceilometer-agent-central is always writing the contents of
polling.yaml to its log file (and as INFO) [1]
This presents a security risk if e.g. resources contain sensitive
information like when specifying snmp targets with the url containing
the username, password etc.
There are a couple of ways we could solve this, namely: (1) don't log
this info at all, (2) sanitise the contents prior to logging as DEBUG,
(3) switch to using config for the snmp credentials in a similar way
to how the Triple0Discoverer does it [2] - this would only support
having the same creds everywhere though, which may not be desirable.
[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24
To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1811098/+subscriptions
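Option (2) from the bug description, sanitising the parsed polling.yaml before it is logged, sketched as an added example. This is not ceilometer's code and not the SRU patch, which only moves the line from INFO to DEBUG. The function names, the logger name, the sample resources and the list of sensitive query-parameter words are all assumptions made for illustration.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOG = logging.getLogger("polling_redaction_example")  # hypothetical name
MASK = "***"
# Assumption: query parameters whose names contain these words hold secrets.
SENSITIVE_WORDS = ("password", "secret", "token")


def redact_url(value):
    """Mask userinfo and secret-looking query values in one config value."""
    if not isinstance(value, str) or "://" not in value:
        return value  # meter names, intervals, etc. pass through unchanged
    try:
        parts = urlsplit(value)
    except ValueError:
        return MASK  # fail closed: never log a URL that cannot be parsed
    netloc = parts.netloc
    if "@" in netloc:
        # Everything before the last '@' is userinfo (user[:password]).
        netloc = MASK + "@" + netloc.rsplit("@", 1)[1]
    query = [(k, MASK if any(w in k.lower() for w in SENSITIVE_WORDS) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query, safe="*"), parts.fragment))


def sanitise(cfg):
    """Return a redacted copy of a parsed polling.yaml structure."""
    if isinstance(cfg, dict):
        return {k: sanitise(v) for k, v in cfg.items()}
    if isinstance(cfg, list):
        return [sanitise(v) for v in cfg]
    return redact_url(cfg)


# Constructed sample, shaped like the "Config file:" line quoted in the bug.
SAMPLE = {"sources": [{"name": "hw", "interval": 300,
                       "meters": ["hardware.cpu.*"],
                       "resources": [
                           "snmp://admin:s3cr3t@10.0.0.5:161",
                           "snmp://ro:pw@10.0.0.6/?priv_proto=aes&priv_password=k3y"]}]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    LOG.debug("Config file: %s", sanitise(SAMPLE))
```

The copy is redacted rather than the live config, so the pollers still receive the real credentials while the log line carries only the masked form.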