From 73c77dfe41622d21b45032c705d713a2af7aaa54 Mon Sep 17 00:00:00 2001 From: Ben Nemec Date: Tue, 31 Mar 2015 11:17:00 -0500 Subject: [PATCH] Don't trace RHEL Registration scripts We don't want to trace the RHEL registration scripts because that is likely to log things like passwords and activation keys. To still allow for debugging failed runs, add sanitized logging of the arguments passed to the registration commands, since that is the part of the process where problems are most likely to manifest. Change-Id: I0f661e9c152f43b814fda61211bd56ba93e3b9dc --- .../pre-configure.d/06-rhel-registration | 15 ++++++++++++++- .../rhel-common/pre-install.d/00-rhel-registration | 19 ++++++++++++++++--- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration index 2211a28..79144ee 100755 --- a/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration +++ b/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration @@ -1,6 +1,6 @@ #!/bin/bash -# dib-lint: disable=setu sete setpipefail dibdebugtrace +# dib-lint: disable=dibdebugtrace set -eu set -o pipefail 
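Review bot: The directive in `06-rhel-registration` now reads `# dib-lint: disable=dibdebugtrace` with no reason given, while the `pre-install.d/00-rhel-registration` hunk of this same patch explains why tracing is off. A comment above the directive, such as `# Handles passwords and activation keys; never enable tracing here`, would keep a later lint cleanup from re-adding `set -x` to this script.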
@@ -109,21 +109,34 @@ if [ -n "${REG_TYPE:-}" ]; then opts="$opts --type=$REG_TYPE" fi +sanitized_opts=$(echo "$opts" | sed 's/--password \([^ ]*\)/--password ***/g') +sanitized_opts=$(echo "$sanitized_opts" | sed 's/--activationkey=\([^ ]*\)/--activationkey=***/g') + case "${REG_METHOD:-}" in portal) + echo "Registering with options: $sanitized_opts" subscription-manager register $opts if [ -z "${REG_AUTO_ATTACH:-}" ]; then + echo "Attaching with options: $attach_opts" subscription-manager attach $attach_opts fi + echo "Enabling repos: $repos" subscription-manager $repos ;; satellite) + # Save an unmodified copy of the repo list for logging + user_repos=$repos repos="$repos --enable ${satellite_repo}" + echo "Installing satellite dependencies" rpm -Uvh "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm" || true + echo "Registering with options: $sanitized_opts" subscription-manager register $opts + echo "Enabling repos: $user_repos" subscription-manager $repos + echo "Installing katello-agent" yum install -y katello-agent || true # needed for errata reporting to satellite6 katello-package-upload + echo "Disabling satellite repo because it is no longer needed" subscription-manager repos --disable ${satellite_repo} ;; disable) diff --git a/elements/rhel-common/pre-install.d/00-rhel-registration b/elements/rhel-common/pre-install.d/00-rhel-registration index a5ed2d5..305c3ed 100755 --- a/elements/rhel-common/pre-install.d/00-rhel-registration +++ b/elements/rhel-common/pre-install.d/00-rhel-registration @@ -1,8 +1,9 @@ #!/bin/bash -if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then - set -x -fi +# This script deals quite a bit with passwords, which we don't ever want +# included in trace output +# dib-lint: disable=dibdebugtrace + set -eu set -o pipefail 
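Review bot: The two `sed` masks added above the `case` stop at the first space (`[^ ]*`) and only know two option spellings, so a password or activation key containing a space leaves its tail in the `Registering with options:` line, and any other secret-bearing option appended to `opts` is logged in clear. Since `opts` is assembled outside this hunk, a fail-closed alternative is to build the loggable string there in parallel, appending a literal `--password ***` rather than scrubbing the real value afterwards. If the scrub stays, it can be one call without the unused capture groups: `sanitized_opts=$(printf '%s\n' "$opts" | sed -e 's/--password [^ ]*/--password ***/g' -e 's/--activationkey=[^ ]*/--activationkey=***/g')`. The identical lines in the `pre-install.d/00-rhel-registration` hunk have the same limitation.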
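Review bot: Dropping the `DIB_DEBUG_TRACE` block stops this script from turning tracing on, but nothing turns it off if xtrace is inherited, for example when the script is run as `bash -x` or, presumably, with `SHELLOPTS` exported by a caller. Adding `set +x` directly under the new comment would make the "don't ever want included in trace output" statement hold however the script is invoked. The comment could also mention activation keys, which the commit message names alongside passwords.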
@@ -85,19 +86,31 @@ if [ -n "${REG_TYPE:-}" ]; then opts="$opts --type=$REG_TYPE" fi +sanitized_opts=$(echo "$opts" | sed 's/--password \([^ ]*\)/--password ***/g') +sanitized_opts=$(echo "$sanitized_opts" | sed 's/--activationkey=\([^ ]*\)/--activationkey=***/g') + case "${REG_METHOD:-}" in portal) + echo "Registering with options: $sanitized_opts" subscription-manager register $opts if [ -z "${REG_AUTO_ATTACH:-}" ]; then + echo "Attaching with options: $attach_opts" subscription-manager attach $attach_opts fi + echo "Enabling repos: $repos" subscription-manager $repos ;; satellite) + # Save an unmodified copy of the repo list for logging + user_repos=$repos repos="$repos --enable ${satellite_repo}" + echo "Installing satellite dependencies" rpm -Uvh "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm" || true + echo "Registering with options: $sanitized_opts" subscription-manager register $opts + echo "Enabling repos: $user_repos" subscription-manager $repos + echo "Disabling satellite repo because it is no longer needed" subscription-manager repos --disable ${satellite_repo} ;; disable)