From 952915f25e640a94181978dd37187304fc6fee29 Mon Sep 17 00:00:00 2001 From: Ben Nemec Date: Tue, 31 Mar 2015 11:17:00 -0500 Subject: [PATCH] Don't trace RHEL Registration scripts We don't want to trace the RHEL registration scripts because that is likely to log things like passwords and activation keys. To still allow for debugging failed runs, add sanitized logging of the arguments passed to the registration commands, since that is the part of the process where problems are most likely to manifest. Change-Id: I0f661e9c152f43b814fda61211bd56ba93e3b9dc --- .../pre-configure.d/06-rhel-registration | 15 ++++++++++++++- .../pre-install.d/00-rhel-registration | 19 ++++++++++++++++--- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration index 2211a28cd..79144eef6 100755 --- a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration +++ b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration @@ -1,6 +1,6 @@ #!/bin/bash -# dib-lint: disable=setu sete setpipefail dibdebugtrace +# dib-lint: disable=dibdebugtrace set -eu set -o pipefail 
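Review bot: The `# dib-lint: disable=dibdebugtrace` line at the top of 06-rhel-registration carries no explanation, while the same pragma in pre-install.d/00-rhel-registration gets a comment in this commit. Without it, a later lint cleanup could re-enable tracing here without realising the script handles credentials. Add the rationale above the pragma, for example `# This script handles passwords and activation keys, which must never appear in trace output`.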
@@ -109,21 +109,34 @@ if [ -n "${REG_TYPE:-}" ]; then opts="$opts --type=$REG_TYPE" fi +sanitized_opts=$(echo "$opts" | sed 's/--password \([^ ]*\)/--password ***/g') +sanitized_opts=$(echo "$sanitized_opts" | sed 's/--activationkey=\([^ ]*\)/--activationkey=***/g') + case "${REG_METHOD:-}" in portal) + echo "Registering with options: $sanitized_opts" subscription-manager register $opts if [ -z "${REG_AUTO_ATTACH:-}" ]; then + echo "Attaching with options: $attach_opts" subscription-manager attach $attach_opts fi + echo "Enabling repos: $repos" subscription-manager $repos ;; satellite) + # Save an unmodified copy of the repo list for logging + user_repos=$repos repos="$repos --enable ${satellite_repo}" + echo "Installing satellite dependencies" rpm -Uvh "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm" || true + echo "Registering with options: $sanitized_opts" subscription-manager register $opts + echo "Enabling repos: $user_repos" subscription-manager $repos + echo "Installing katello-agent" yum install -y katello-agent || true # needed for errata reporting to satellite6 katello-package-upload + echo "Disabling satellite repo because it is no longer needed" subscription-manager repos --disable ${satellite_repo} ;; disable) diff --git a/elements/rhel-common/pre-install.d/00-rhel-registration b/elements/rhel-common/pre-install.d/00-rhel-registration index a5ed2d513..305c3edf0 100755 --- a/elements/rhel-common/pre-install.d/00-rhel-registration +++ b/elements/rhel-common/pre-install.d/00-rhel-registration @@ -1,8 +1,9 @@ #!/bin/bash -if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then - set -x -fi +# This script deals quite a bit with passwords, which we don't ever want +# included in trace output +# dib-lint: disable=dibdebugtrace + set -eu set -o pipefail 
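Review bot: The masking in the two added `sanitized_opts=` lines is a deny-list that covers only `--password <value>` and `--activationkey=<value>`, so any other secret-bearing text in `$opts` is echoed verbatim. `opts` is built outside this hunk, so this needs checking against that code: a value passed as `--password=<value>`, a password containing a space (everything after the first space survives `[^ ]*`), or another credential option such as `--proxypassword` would reach the log. Matching on the option name with either separator narrows the gap, e.g. `sed -e 's/\(--[a-z]*password\)[= ][^ ]*/\1 ***/g' -e 's/\(--activationkey\)[= ][^ ]*/\1=***/g'`; echoing only an allow-list of known non-secret options would be stronger still. The same two lines are added to pre-install.d/00-rhel-registration and need the same change. The credentials also stay on the `subscription-manager register $opts` command line, which this commit does not change.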
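Review bot: Nothing in the new header of 00-rhel-registration turns tracing off if it is enabled from outside the script, for example when it is run as `bash -x` or xtrace is inherited through an exported `SHELLOPTS`; the hunk only removes the script's own `set -x`. Since the stated goal is that passwords never reach trace output, add an explicit `set +x` directly before `set -eu`. 06-rhel-registration has the same gap at its top. Whether any caller enables tracing that way is not visible in this diff.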
@@ -85,19 +86,31 @@ if [ -n "${REG_TYPE:-}" ]; then opts="$opts --type=$REG_TYPE" fi +sanitized_opts=$(echo "$opts" | sed 's/--password \([^ ]*\)/--password ***/g') +sanitized_opts=$(echo "$sanitized_opts" | sed 's/--activationkey=\([^ ]*\)/--activationkey=***/g') + case "${REG_METHOD:-}" in portal) + echo "Registering with options: $sanitized_opts" subscription-manager register $opts if [ -z "${REG_AUTO_ATTACH:-}" ]; then + echo "Attaching with options: $attach_opts" subscription-manager attach $attach_opts fi + echo "Enabling repos: $repos" subscription-manager $repos ;; satellite) + # Save an unmodified copy of the repo list for logging + user_repos=$repos repos="$repos --enable ${satellite_repo}" + echo "Installing satellite dependencies" rpm -Uvh "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm" || true + echo "Registering with options: $sanitized_opts" subscription-manager register $opts + echo "Enabling repos: $user_repos" subscription-manager $repos + echo "Disabling satellite repo because it is no longer needed" subscription-manager repos --disable ${satellite_repo} ;; disable)
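Review bot: The two `sanitized_opts=` lines at the top of this hunk are a copy of the ones added to pre-configure.d/06-rhel-registration, so the list of masked options now lives in two places and can drift when a credential option is added to one script only. A single call says the same thing and is easier to keep in step: `sanitized_opts=$(printf '%s\n' "$opts" | sed -e 's/--password \([^ ]*\)/--password ***/g' -e 's/--activationkey=\([^ ]*\)/--activationkey=***/g')`. If the element has a place for shared shell helpers, moving the masking there would remove the copy entirely; that is not visible from this diff.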