[generate_dump] remove secrets from dump files #1886
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
azp /run |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
need to back port this to 202012, 202006, 201911 |
qiluo-msft
reviewed
Oct 22, 2021
scripts/generate_dump
Outdated
| @@ -180,6 +181,13 @@ save_cmd() { | |||
| redirect_eval="" | |||
| fi | |||
|
|
|||
| # Cleanup metthod need do post procress on dump file. | |||
qiluo-msft
reviewed
Oct 22, 2021
scripts/generate_dump
Outdated
| echo "Remove secret from '$filepath' files." | ||
|
|
||
| # Remove tacacs & radius passkey from config DB | ||
| sed -i -E 's/\"passkey\"\s*:\s*\"([^\"]*)\"/\"passkey\":\"\"/g' $filepath |
qiluo-msft
reviewed
Oct 22, 2021
scripts/generate_dump
Outdated
| echo "Remove secret from etc files." | ||
| # Remove tacacs passkey from tacplus_nss.conf | ||
| local secret_regex='s/(secret=)([^,|\S]*)(.*)/\1***\3/g' | ||
| sed -i -E $secret_regex $TARDIR/etc/tacplus_nss.conf |
qiluo-msft
reviewed
Oct 22, 2021
| @@ -155,6 +154,7 @@ save_bcmcmd_all_ns() { | |||
| # cmd: The command to run. Make sure that arguments with spaces have quotes | |||
| # filename: the filename to save the output as in $BASE/dump | |||
| # do_gzip: (OPTIONAL) true or false. Should the output be gzipped | |||
| # cleanup_method: (OPTIONAL) the cleanup method to procress dump file after it generated. | |||
There was a problem hiding this comment.
Currently when do_gzip=true, dump output been redirect to gzip command with pipeline.
However, sed can work with pipeline, so I will investigate if we can invoke cleanup method in pipeline.
There was a problem hiding this comment.
Fixed, UT failed because azure pipeline issue.
|
There is no 202006 branch. Is it a typo or do you really want creating that branch and backport? In reply to: 949225407 |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
qiluo-msft
approved these changes
Oct 27, 2021
|
Could you add some test cases in sonic-mgmt? I see some files in tests/show_techsupport/ |
|
This commit could not be cleanly cherry-picked to 202012. Please submit another PR. |
liuh-80
added a commit
to liuh-80/sonic-utilities
that referenced
this pull request
Nov 22, 2021
…to 202012
#### What I did
Add bash functions to remove secrets from dump files.
#### How I did it
For tacacs key, radius key, snmp community srring, use sed command with regex to remove user secrets from dump files.
For certs, update tar command exclude list to remove those certs from dump file.
#### How to verify it
Run 'show techsupport' command and check secrets removed from dump files.
#### Previous command output (if the output of a command-line utility has changed)
#### New command output (if the output of a command-line utility has changed)
liuh-80
added a commit
that referenced
this pull request
Nov 22, 2021
…12 (#1938) #### What I did Add bash functions to remove secrets from dump files. #### How I did it For tacacs key, radius key, snmp community srring, use sed command with regex to remove user secrets from dump files. For certs, update tar command exclude list to remove those certs from dump file. #### How to verify it Run 'show techsupport' command and check secrets removed from dump files. #### Previous command output (if the output of a command-line utility has changed) #### New command output (if the output of a command-line utility has changed)
3 tasks
liuh-80
added a commit
to liuh-80/sonic-utilities
that referenced
this pull request
Dec 6, 2021
Remove secrets from dump files.
What I did
Add bash functions to remove secrets from dump files.
How I did it
For tacacs key, radius key, snmp community srring, use sed command with regex to remove user secrets from dump files.
For certs, update tar command exclude list to remove those certs from dump file.
How to verify it
Run 'show techsupport' command and check secrets removed from dump files.
Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)
# Conflicts:
# scripts/generate_dump
This was referenced Dec 6, 2021
abdosi
pushed a commit
that referenced
this pull request
Dec 9, 2021
Backport [generate_dump] remove secrets from dump files #1886 to 201911 What I did Add bash functions to remove secrets from dump files. How I did it For tacacs key, radius key, snmp community srring, use sed command with regex to remove user secrets from dump files. For certs, update tar command exclude list to remove those certs from dump file. How to verify it Run 'show techsupport' command and check secrets removed from dump files.
stepanblyschak
pushed a commit
to stepanblyschak/sonic-utilities
that referenced
this pull request
Apr 18, 2022
* c3691d3 [202012][pfcwd] Convert polling interval from ms to us in LUA scripts (sonic-net#1909) * 549c804 Mux state order change (sonic-net#1902) * 6b0b2c4 Update acl type check logic (sonic-net#1886) Signed-off-by: Volodymyr Samotiy <volodymyrs@nvidia.com>
stepanblyschak
pushed a commit
to stepanblyschak/sonic-utilities
that referenced
this pull request
Apr 18, 2022
Submodule update for sonic-utilities with following change: ec9e5ee Backport [generate_dump] remove secrets from dump files sonic-net#1886 to 202012 (sonic-net#1938) ce3b856 [fdbshow]: Handle FDB cleanup gracefully. (sonic-net#1926) 1437bf2 [202012] Add DHCPv6 Relay counter and ipv6 helper CLI (sonic-net#1917)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Remove secrets from dump files.
What I did
How I did it
How to verify it
Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)