New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ignition Logs Configuration to journalctl #725
Comments
Thanks for the report! There's a couple of ways to handle this:
I'm leaning towards #1 to keep things simple. Regardless of whether we choose 1 or 2, we should still log the full, unedited config in the case of failure. In those cases the OS will never reach the real root and thus will not be able to flush the runtime journal cache to disk. There's still the possibility of leaking secrets from the console, but on most clouds if you have access to the console you have access to the userdata and other sensitive bits anyway. Finally if we wanted to add the ability to log the full console for debugging we could add a field to the Thoughts on 1 vs 2 and logging in case of failure only? |
We'd discussed this in Quentin-M/etcd-cloud-operator#31. The reason for the PR was that We have scenarios where people have userdata and not S3 access. Logging on failure sounds good to me. I like (1) as an approach since it is easier to implement as well. Aside: It would also be nice to log the fetched configuration URL (as long as it is not data-uri), since we are losing the easiest way to debug issues with ignition now. |
Hmm. Thinking about this more we may need to sanitize Ignition's warning/info/deprecation messages as well. but that's significantly trickier. When Ignition encounters an error it logs the line and column as well as the offending config snippet (with some context). This snippet is from the raw config data, from before unmarshalling. If there is a non-fatal error at or around a secret then Ignition will log the snippet to the journal possibly containing the secret. This is much trickier to fix since we still want that logic to print the literal string that was typed for tools like Edit: now addressed in the linked PR. I'm just clearing them before logging |
Apologies for the late comment. I think I'd prefer option 2; hashes of configs aren't great UX, and may not be super-helpful if the config is dynamically generated. It also avoids the logging distinction between success and failure. (I suppose we could do both, for cases where the user wants to verify that the correct file contents are being written.) |
I don't see a big problem with the logging distinction between success/failure. It's pretty common to have problems dump extra info when they fail. I agree it's not ideal with automatically generated configs, but with the url being logged as well I think that's mostly mitigated. Doing both is probably be the right path, but I'm not sure if logging the structure is worth it right now. |
One random idea I had is the idea of a |
That would double the size of the config if you wanted to log the config, yes? It'd also only be useful for spec |
Bug
Ignition logs all parsed and fetched configuration to journalctl. This is a security risk for organizations which send all journalctl output to a central log storage. At the very least, using ignition_file for secure configurations (keys/secrets) must be warned against in the documentation.
Operating System Version
CoreOS-stable-1967.5.0-hvm
Ignition Version
0.28.0
Environment
AWS/ap-south-1/c5.large ec2 instance
Expected Behavior
Ignition should not log complete configuration to journalctl.
Actual Behavior
Ignition logs complete configuration to journalctl.
The simple
journalctl --identifier=ignition --all
command mentioned in the documentation gives the following 2 traces:ignition/internal/providers/util/config.go
Line 25 in 3c7dbd3
ignition/internal/exec/engine.go
Line 264 in aad24ad
They show up as the following:
While both are marked as Debug, the default configuration on latest CoreOS (CoreOS-stable-1967.5.0-hvm (ami-09642e32f99945765)) seems to be logging this.
The text was updated successfully, but these errors were encountered: