cdc60aac81
- add barbican logs in syslog - support no reboot patching for barbican processes - get information about barbican in collect script Change-Id: I75557a2d35d3861c2dee3d0a5a0960bebc6d0e48 Story: 2003108 Task: 27700 Depends-On: I6b0b0c90456627bebde2b834b339bc968100b6f9 Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
#! /bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
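# Arguments (presumably supplied by the collect tooling that runs this script):
#   $1 - root of the staged copy of the collected files that is to be sanitized
#   $2 - extra directory; not referenced in the visible part of this script
COLLECT_NAME_DIR=$1
EXTRA_DIR=$2

# Every path below is built as ${COLLECT_NAME_DIR}/etc/... or
# ${COLLECT_NAME_DIR}/var/... . With an empty first argument those paths would
# resolve to the live /etc and /var of the host, and the in-place edits and
# deletions would hit the running system instead of the staged copy.
# Stop before anything is touched.
if [ -z "${COLLECT_NAME_DIR}" ]; then
    echo "usage: $0 <collect-name-dir> [extra-dir]" >&2
    exit 1
fi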
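# Strip the passwords from assorted config files.
#
# mask_conf_secrets FILE...
#   Rewrites each FILE in place and replaces the value of the listed
#   secret-bearing settings with "xxxxxx".
#   - "key = value" settings are matched only at the start of a line (only
#     "credentials" tolerates leading blanks), so an indented setting, or a
#     secret stored under a key that is not listed here, is left untouched.
#   - bindpw / rootpw are matched in their "key value" form.
#   - the last expression masks a {default_pass, <<"...">>} term anywhere on
#     a line.
mask_conf_secrets() {
    sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
        s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
        s/^(bindpw) .*/\1 xxxxxx/;
        s/^(rootpw) .*/\1 xxxxxx/;
        s/^(connection) *=.*/\1 = xxxxxx/;
        s/^( *credentials) *=.*/\1 = xxxxxx/;
        s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
        s/^(password) *=.*/\1 = xxxxxx/;
        s/^(rabbit_password) *=.*/\1 = xxxxxx/;
        s/^(sql_connection) *=.*/\1 = xxxxxx/;
        s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
        s/^(transport_url) *=.*/\1 = xxxxxx/;
        s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
        s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
        s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' -- "$@"
}

# The staging root is quoted so that a path containing blanks is not split
# into several words; only the "*" path component is left open to globbing.
for conffile in \
    "${COLLECT_NAME_DIR}/etc/aodh/aodh.conf" \
    "${COLLECT_NAME_DIR}/etc/barbican/barbican.conf" \
    "${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf" \
    "${COLLECT_NAME_DIR}/etc/cinder/cinder.conf" \
    "${COLLECT_NAME_DIR}/etc/fm/fm.conf" \
    "${COLLECT_NAME_DIR}/etc/glance/glance-api.conf" \
    "${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf" \
    "${COLLECT_NAME_DIR}/etc/heat/heat.conf" \
    "${COLLECT_NAME_DIR}/etc/ironic/ironic.conf" \
    "${COLLECT_NAME_DIR}/etc/keystone/keystone.conf" \
    "${COLLECT_NAME_DIR}/etc/magnum/magnum.conf" \
    "${COLLECT_NAME_DIR}/etc/murano/murano.conf" \
    "${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini" \
    "${COLLECT_NAME_DIR}/etc/neutron/neutron.conf" \
    "${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini" \
    "${COLLECT_NAME_DIR}/etc/nova/nova.conf" \
    "${COLLECT_NAME_DIR}/etc/nslcd.conf" \
    "${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup" \
    "${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings" \
    "${COLLECT_NAME_DIR}/etc/panko/panko.conf" \
    "${COLLECT_NAME_DIR}/etc/patching/patching.conf" \
    "${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf" \
    "${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config" \
    "${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config" \
    "${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini" \
    "${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf" \
    "${COLLECT_NAME_DIR}"/var/extra/platform/sysinv/*/sysinv.conf.default \
    "${COLLECT_NAME_DIR}/etc/mtc.ini"
do
    # Files that were not collected, and the literal pattern left behind by a
    # glob that matched nothing, are skipped.
    [ -f "${conffile}" ] || continue

    mask_conf_secrets "${conffile}"
done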
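# Delete files that hold key material or credentials and are removed outright
# rather than masked: every server-cert.pem in the tree, the ssh_config entries
# under platform/config/*/, the keyring crypted_pass.cfg files and the puppet
# secure*.yaml hieradata.
#
# ${COLLECT_NAME_DIR:?} aborts the script when the variable is empty or unset,
# so these deletions can never be aimed at the live /var of the host (an
# unquoted empty value would also make find walk the current directory).
# find -exec and "--" keep file names with blanks or a leading "-" intact.
find "${COLLECT_NAME_DIR:?}" -name server-cert.pem -exec rm -f -- {} +
rm -rf -- "${COLLECT_NAME_DIR:?}"/var/extra/platform/config/*/ssh_config
rm -f -- "${COLLECT_NAME_DIR:?}"/var/extra/platform/.keyring/*/python_keyring/crypted_pass.cfg
rm -f -- "${COLLECT_NAME_DIR:?}"/var/extra/platform/puppet/*/hieradata/secure*.yaml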
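# Mask user passwords in sysinv db dump.
#
# Each of the first three expressions is limited to the lines from a
# "COPY <table>" line up to the next line that starts with "--". Within that
# range the rows are treated as tab-separated: a fixed number of leading
# columns is kept and the following column is overwritten with "xxxxxx":
#   i_user              - column 11
#   i_community         - column 6
#   i_trap_destination  - column 7
# A row is only rewritten when at least one more column follows the masked one.
# The last expression applies to every line of the dump and masks the field
# that follows "identity<TAB><any field><TAB>password<TAB>".
sysinv_db_dump="${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt"

if [ -f "${sysinv_db_dump}" ]; then
    sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
        /COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
        /COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
        s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
        -- "${sysinv_db_dump}"
fi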
# Mask passwords in host profiles
|
|
grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \
|
|
| xargs --no-run-if-empty perl -i -e '
|
|
$prev="";
|
|
while (<>)
|
|
{
|
|
if (/\"name\": \"password\"/)
|
|
{
|
|
$prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
|
|
}
|
|
print $prev;
|
|
$prev=$_;
|
|
}
|
|
print $prev;'
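# Cleanup snmp.
# On a line holding a "rocommunity..." directive everything after the directive
# word is replaced with "xxxxxx"; on a "trap2sink" line the first argument is
# kept and everything after it is replaced. Both expressions run per line in
# one pass, which gives the same result as two separate passes.
for snmp_file in "${COLLECT_NAME_DIR}"/var/extra/platform/config/*/snmp/*
do
    # Skips directories and the literal pattern left behind when the glob
    # matches nothing, so sed is only handed regular files.
    [ -f "${snmp_file}" ] || continue

    sed -i -r \
        -e 's/(rocommunity[^ ]*).*/\1 xxxxxx/' \
        -e 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' \
        -- "${snmp_file}"
done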
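# Mask passwords in bash.log and history logs.
#
# mask_cli_secrets FILE...
#   Rewrites each FILE in place and replaces secrets typed on a command line
#   with "xxxxxx". A secret may be double-quoted, single-quoted or a bare word.
#   Covered forms:
#     - the arguments of snmp-comm-delete / snmp-comm-show
#     - the value after --community or -c on a line containing "snmp"
#     - the value of password=...
#     - the value after --password on a line containing "openstack"
#     - the value after userPassword on a line containing "ldapmodifyuser"
#   Anything typed in another form is not recognised and stays in the log.
mask_cli_secrets() {
    sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
        s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
        s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
        s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
        s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' -- "$@"
}

# mask_gzipped_log FILE.gz
#   Applies mask_cli_secrets to a rotated, gzip-compressed log: the file is
#   unpacked, masked and compressed again. Logs without a candidate line are
#   left as they are.
mask_gzipped_log() {
    local gz_file=$1
    local unzipped=${gz_file%.gz}

    # -E is required here. In the default basic syntax of grep "|" is an
    # ordinary character, so without it the pattern only matches the literal
    # text "snmp|password" and rotated logs that hold secrets are skipped
    # without being masked.
    zgrep -q -E 'snmp|password' "${gz_file}" || return 0

    # Do not run sed/gzip on a file that could not be unpacked.
    gunzip -- "${gz_file}" || return

    mask_cli_secrets "${unzipped}"
    gzip -- "${unzipped}"
}

# .bash_history files anywhere in the staged tree, read NUL-separated so that
# paths containing blanks are kept whole.
USER_HISTORY_FILES=()
while IFS= read -r -d '' history_file; do
    USER_HISTORY_FILES+=("${history_file}")
done < <(find "${COLLECT_NAME_DIR}" -type f -name .bash_history -print0 2>/dev/null)

for history_log in \
    "${USER_HISTORY_FILES[@]}" \
    "${COLLECT_NAME_DIR}/var/extra/history.info" \
    "${COLLECT_NAME_DIR}/var/log/bash.log" \
    "${COLLECT_NAME_DIR}/var/log/auth.log" \
    "${COLLECT_NAME_DIR}/var/log/ldapscripts.log"
do
    # Logs that were not collected are skipped.
    [ -f "${history_log}" ] || continue

    mask_cli_secrets "${history_log}"
done

for f in \
    "${COLLECT_NAME_DIR}"/var/log/bash.log.*.gz \
    "${COLLECT_NAME_DIR}"/var/log/auth.log.*.gz \
    "${COLLECT_NAME_DIR}"/var/log/ldapscripts.log.*.gz
do
    # Skips the literal pattern left behind by a glob that matched nothing.
    [ -f "$f" ] || continue

    mask_gzipped_log "$f"
done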