Don't log OS_PASSWORD in auth.log
By default, all sudo commands are logged to auth.log with their full command line. Previously, Shipyard scripts called 'sudo docker' with -e OS_PASSWORD=foo, resulting in the password value appearing in auth.log in plaintext. This change adds -E to the sudo command to pass the user's environment through, and removes the value from -e OS_PASSWORD, which tells Docker to take the value directly from the environment. This prevents the password value from being logged.
Change-Id: Ifcf7f6525876144a609ff42be42da57a3f7f6f60
parent
8d0b3f671f
commit
0ab1bf552d
|
@ -34,6 +34,11 @@ set -e
|
||||||
DIR="$(realpath $(dirname "${BASH_SOURCE}"))"
|
DIR="$(realpath $(dirname "${BASH_SOURCE}"))"
|
||||||
source "${DIR}/shipyard_docker_base_command.sh"
|
source "${DIR}/shipyard_docker_base_command.sh"
|
||||||
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/home/shipyard/host"}
|
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/home/shipyard/host"}
|
||||||
|
# set default value for OS_PASSWORD if it's not set
|
||||||
|
# this doesn't actually get exported to environment
|
||||||
|
# unless the script is sourced
|
||||||
|
export OS_PASSWORD=${OS_PASSWORD:-password}
|
||||||
|
|
||||||
# Execute Shipyard CLI
|
# Execute Shipyard CLI
|
||||||
#
|
#
|
||||||
# NOTE: We will mount the current directory so that any directories
|
# NOTE: We will mount the current directory so that any directories
|
||||||
|
|
|
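Review bot: The added `export OS_PASSWORD=${OS_PASSWORD:-password}` keeps a well-known fallback credential, so a run where the caller forgot to set OS_PASSWORD proceeds with `password` instead of stopping; the second hunk adds the same line. If the default exists only for development setups, say so in the comment, otherwise fail fast with `: "${OS_PASSWORD:?OS_PASSWORD must be set}"`. The comment above the export is also easy to misread: the variable is exported to this script's child processes, which is what `sudo -E docker ... -e OS_PASSWORD` relies on, and only the calling shell stays untouched unless the script is sourced. Suggested wording: `# exported for child processes (sudo -E docker); the calling shell is unaffected unless this script is sourced`. The script continues outside the hunk.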
@ -39,17 +39,21 @@ set -e
|
||||||
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/target"}
|
SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/target"}
|
||||||
NAMESPACE="${NAMESPACE:-ucp}"
|
NAMESPACE="${NAMESPACE:-ucp}"
|
||||||
SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
|
SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
|
||||||
|
# set default value for OS_PASSWORD if it's not set
|
||||||
|
# this doesn't actually get exported to environment
|
||||||
|
# unless the script is sourced
|
||||||
|
export OS_PASSWORD=${OS_PASSWORD:-password}
|
||||||
|
|
||||||
# Define Base Docker Command
|
# Define Base Docker Command
|
||||||
base_docker_command=$(cat << EndOfCommand
|
base_docker_command=$(cat << EndOfCommand
|
||||||
sudo docker run -t --rm --net=host
|
sudo -E docker run -t --rm --net=host
|
||||||
-e http_proxy=${HTTP_PROXY}
|
-e http_proxy=${HTTP_PROXY}
|
||||||
-e https_proxy=${HTTPS_PROXY}
|
-e https_proxy=${HTTPS_PROXY}
|
||||||
-e no_proxy=${NO_PROXY:-127.0.0.1,localhost,.svc.cluster.local}
|
-e no_proxy=${NO_PROXY:-127.0.0.1,localhost,.svc.cluster.local}
|
||||||
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
|
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
|
||||||
-e OS_USERNAME=${OS_USERNAME:-shipyard}
|
-e OS_USERNAME=${OS_USERNAME:-shipyard}
|
||||||
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
|
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
|
||||||
-e OS_PASSWORD=${OS_PASSWORD:-password}
|
-e OS_PASSWORD
|
||||||
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
|
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
|
||||||
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
|
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
|
||||||
EndOfCommand
|
EndOfCommand
|
||||||
|
|
|
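Review bot: `sudo -E` on the `docker run` line passes the caller's whole environment to the root-run docker client, which is wider than the single variable this fix needs; the third hunk makes the same change. It also depends on the sudoers policy allowing the environment to be preserved (SETENV or a matching env_keep entry), and that requirement is not documented anywhere in the hunk. If OS_PASSWORD does not reach the docker client, `-e OS_PASSWORD` sets nothing in the container, so the problem would surface later as an authentication failure. Consider narrowing it to `sudo --preserve-env=OS_PASSWORD docker run -t --rm --net=host` (sudo 1.8.21 or later) and adding a comment such as `# requires sudoers to permit preserving OS_PASSWORD`.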
@ -23,14 +23,14 @@ SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
|
||||||
|
|
||||||
# Define Base Docker Command
|
# Define Base Docker Command
|
||||||
base_docker_command=$(cat << EndOfCommand
|
base_docker_command=$(cat << EndOfCommand
|
||||||
sudo docker run -t --rm --net=host
|
sudo -E docker run -t --rm --net=host
|
||||||
-e http_proxy=${HTTP_PROXY}
|
-e http_proxy=${HTTP_PROXY}
|
||||||
-e https_proxy=${HTTPS_PROXY}
|
-e https_proxy=${HTTPS_PROXY}
|
||||||
-e no_proxy=${NO_PROXY}
|
-e no_proxy=${NO_PROXY}
|
||||||
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
|
-e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
|
||||||
-e OS_USERNAME=${OS_USERNAME:-shipyard}
|
-e OS_USERNAME=${OS_USERNAME:-shipyard}
|
||||||
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
|
-e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
|
||||||
-e OS_PASSWORD=${OS_PASSWORD:-password}
|
-e OS_PASSWORD
|
||||||
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
|
-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
|
||||||
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
|
-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
|
||||||
EndOfCommand
|
EndOfCommand
|
||||||
|
|
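Review bot: After this change the `-e OS_PASSWORD` line carries no default and nothing in this hunk exports the variable, so the command depends on every script that uses it exporting OS_PASSWORD first. The first hunk's script does that after sourcing `shipyard_docker_base_command.sh`, which this hunk appears to be; any other consumer not shown on this page would start the container with OS_PASSWORD unset. A comment next to the line would record the contract, for example `# passed by name only: callers must export OS_PASSWORD before running this command`. What follows `EndOfCommand` is outside the hunk.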