Skip to content

Commit 9f123c0

Browse files
liuh-80liuh-80
authored
[generate_dump] remove secrets from dump files (#1886)
Remove secrets from dump files. What I did Add bash functions to remove secrets from dump files. How I did it For tacacs key, radius key, snmp community srring, use sed command with regex to remove user secrets from dump files. For certs, update tar command exclude list to remove those certs from dump file. How to verify it Run 'show techsupport' command and check secrets removed from dump files. Previous command output (if the output of a command-line utility has changed) New command output (if the output of a command-line utility has changed)
1 parent 3a8ab73 commit 9f123c0

File tree

1 file changed

+91
-8
lines changed

1 file changed

+91
-8
lines changed

scripts/generate_dump

Lines changed: 91 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,6 @@ SAVE_STDERR=true
4242
RETURN_CODE=0
4343
DEBUG_DUMP=false
4444

45-
4645
handle_signal()
4746
{
4847
echo "Generate Dump received interrupt" >&2
@@ -155,6 +154,7 @@ save_bcmcmd_all_ns() {
155154
# cmd: The command to run. Make sure that arguments with spaces have quotes
156155
# filename: the filename to save the output as in $BASE/dump
157156
# do_gzip: (OPTIONAL) true or false. Should the output be gzipped
157+
# cleanup_method: (OPTIONAL) the cleanup method to procress dump file after it generated.
158158
# Returns:
159159
# None
160160
###############################################################################
@@ -168,6 +168,7 @@ save_cmd() {
168168
local do_gzip=${3:-false}
169169
local tarpath="${BASE}/dump/$filename"
170170
local timeout_cmd="timeout --foreground ${TIMEOUT_MIN}m"
171+
local cleanup_method=${4:-dummy_cleanup_method}
171172
local redirect='&>'
172173
local redirect_eval='2>&1'
173174
if [ ! -d $LOGDIR ]; then
@@ -187,7 +188,9 @@ save_cmd() {
187188
if $do_gzip; then
188189
tarpath="${tarpath}.gz"
189190
filepath="${filepath}.gz"
190-
local cmds="$cmd $redirect_eval | gzip -c > '${filepath}'"
191+
# cleanup_method will run in a sub-shell, need declare it first
192+
local cleanup_method_declration=$(declare -f $cleanup_method)
193+
local cmds="$cleanup_method_declration; $cmd $redirect_eval | $cleanup_method | gzip -c > '${filepath}'"
191194
if $NOOP; then
192195
echo "${timeout_cmd} bash -c \"${cmds}\""
193196
else
@@ -199,22 +202,36 @@ save_cmd() {
199202
fi
200203
else
201204
if $NOOP; then
202-
echo "${timeout_cmd} $cmd $redirect '$filepath'"
205+
echo "${timeout_cmd} $cmd | $cleanup_method $redirect '$filepath'"
203206
else
204207
RC=0
205-
eval "${timeout_cmd} $cmd" "$redirect" "$filepath" || RC=$?
208+
eval "${timeout_cmd} $cmd | $cleanup_method" "$redirect" "$filepath" || RC=$?
206209
if [ $RC -ne 0 ]; then
207210
echo "Command: $cmd timedout after ${TIMEOUT_MIN} minutes."
208211
fi
209212
fi
210213
fi
214+
211215
($TAR $V -rhf $TARFILE -C $DUMPDIR "$tarpath" \
212216
|| abort "${ERROR_TAR_FAILED}" "tar append operation failed. Aborting to prevent data loss.") \
213217
&& $RM $V -rf "$filepath"
214218
end_t=$(date +%s%3N)
215219
echo "[ save_cmd:$cmd ] : $(($end_t-$start_t)) msec" >> $TECHSUPPORT_TIME_INFO
216220
}
217221

222+
###############################################################################
223+
# Dummy cleanup method.
224+
# Globals:
225+
# None
226+
# Arguments:
227+
# None
228+
# Returns:
229+
# None
230+
###############################################################################
231+
dummy_cleanup_method() {
232+
cat
233+
}
234+
218235
###############################################################################
219236
# Runs a given command in all namesapces in case of multi ASIC platform, in
220237
# default (host) namespace in single ASIC platform
@@ -224,22 +241,24 @@ save_cmd() {
224241
# cmd: The command to run. Make sure that arguments with spaces have quotes
225242
# filename: the filename to save the output as in $BASE/dump
226243
# do_gzip: (OPTIONAL) true or false. Should the output be gzipped
244+
# cleanup_method: (OPTIONAL) the cleanup method to procress dump file after it generated.
227245
# Returns:
228246
# None
229247
###############################################################################
230248
save_cmd_all_ns() {
231249
trap 'handle_error $? $LINENO' ERR
232250
local do_zip=${3:-false}
251+
local cleanup_method=${4:-dummy_cleanup_method}
233252

234253
# host or default namespace
235-
save_cmd "$1" "$2" "$do_zip"
254+
save_cmd "$1" "$2" "$do_zip" $cleanup_method
236255

237256
if [[ ( "$NUM_ASICS" > 1 ) ]] ; then
238257
for (( i=0; i<$NUM_ASICS; i++ ))
239258
do
240259
local cmd="sonic-netns-exec asic$i $1"
241260
local file="$2.$i"
242-
save_cmd "$cmd" "$file" "$do_zip"
261+
save_cmd "$cmd" "$file" "$do_zip" $cleanup_method
243262
done
244263
fi
245264
}
@@ -591,7 +610,8 @@ save_redis_info() {
591610
save_redis "APPL_DB"
592611
save_redis "ASIC_DB"
593612
save_redis "COUNTERS_DB"
594-
save_redis "CONFIG_DB"
613+
# There are secrets in CONFIG_DB need to be cleanup.
614+
save_redis "CONFIG_DB" "CONFIG_DB" remove_secret_from_config_db_dump
595615
save_redis "FLEX_COUNTER_DB"
596616
save_redis "STATE_DB"
597617
}
@@ -637,18 +657,20 @@ save_proc() {
637657
# Arguments:
638658
# DB name: DB name
639659
# Filename: Destination filename, if not given then filename would be DB name
660+
# cleanup_method: (OPTIONAL) the cleanup method to procress dump file after it generated.
640661
# Returns:
641662
# None
642663
###############################################################################
643664
save_redis() {
665+
local cleanup_method=${3:-dummy_cleanup_method}
644666
trap 'handle_error $? $LINENO' ERR
645667
local db_name=$1
646668
if [ $# -ge 2 ] && [ -n "$2" ]; then
647669
local dest_file_name=$2
648670
else
649671
local dest_file_name="$db_name"
650672
fi
651-
save_cmd_all_ns "sonic-db-dump -n '$db_name' -y" "$dest_file_name.json"
673+
save_cmd_all_ns "sonic-db-dump -n '$db_name' -y" "$dest_file_name.json" false $cleanup_method
652674
}
653675

654676
###############################################################################
@@ -1259,6 +1281,9 @@ main() {
12591281
rm $rm_list
12601282
fi
12611283

1284+
# Remove secret from /etc files before tar
1285+
remove_secret_from_etc_files $TARDIR
1286+
12621287
start_t=$(date +%s%3N)
12631288
($TAR $V --warning=no-file-removed -rhf $TARFILE -C $DUMPDIR --mode=+rw \
12641289
--exclude="etc/alternatives" \
@@ -1271,6 +1296,13 @@ main() {
12711296
--exclude="*snmpd.conf*" \
12721297
--exclude="/etc/mlnx" \
12731298
--exclude="/etc/mft" \
1299+
--exclude="*/etc/sonic/*.cer" \
1300+
--exclude="*/etc/sonic/*.crt" \
1301+
--exclude="*/etc/sonic/*.pem" \
1302+
--exclude="*/etc/sonic/*.key" \
1303+
--exclude="*/etc/ssl/*.pem" \
1304+
--exclude="*/etc/ssl/certs/*" \
1305+
--exclude="*/etc/ssl/private/*" \
12741306
$BASE/etc \
12751307
|| abort "${ERROR_TAR_FAILED}" "Tar append operation failed. Aborting for safety.") \
12761308
&& $RM $V -rf $TARDIR
@@ -1310,6 +1342,57 @@ main() {
13101342
exit $RETURN_CODE
13111343
}
13121344

1345+
###############################################################################
1346+
# Remove secret from pipeline inout and output result to pipeline.
1347+
# Globals:
1348+
# None
1349+
# Arguments:
1350+
# None
1351+
# Returns:
1352+
# None
1353+
###############################################################################
1354+
remove_secret_from_config_db_dump() {
1355+
# Remove tacacs & radius passkey and snmp community from config DB
1356+
sed -E 's/\"passkey\"\s*:\s*\"([^\"]*)\"/\"passkey\":\"****\"/g; /SNMP_COMMUNITY/,/\s{2,4}\},/d'
1357+
}
1358+
1359+
###############################################################################
1360+
# Remove secret from dump files.
1361+
# Globals:
1362+
# Arguments:
1363+
# dumppath: the dump file path.
1364+
# Returns:
1365+
# None
1366+
###############################################################################
1367+
remove_secret_from_etc_files() {
1368+
local dumppath=$1
1369+
echo "Remove secret from etc files."
1370+
# Remove tacacs passkey from tacplus_nss.conf
1371+
local secret_regex='s/(secret=)([^,|\S]*)(.*)/\1****\3/g'
1372+
sed -i -E $secret_regex $dumppath/etc/tacplus_nss.conf
1373+
1374+
# Remove radius passkey from radius_nss.conf
1375+
sed -i -E $secret_regex $dumppath/etc/radius_nss.conf
1376+
1377+
# Remove tacacs passkey from common-auth-sonic
1378+
sed -i -E 's/(secret=)(\S*)/\1****/g' $dumppath/etc/pam.d/common-auth-sonic
1379+
1380+
# Remove tacacs passkey from pam_radius_auth.conf
1381+
sed -i -E 's/^([^#]\S*\s*)(\S*)/\1****/g' $dumppath/etc/pam_radius_auth.conf
1382+
1383+
# Remove radius passkey from per-server conf file /etc/pam_radius_auth.d/{ip}_{port}.conf
1384+
for filename in $dumppath/etc/pam_radius_auth.d/*.conf; do
1385+
sed -i -E 's/^([^#]\S*\s*)(\S*)/\1****/g' $filename
1386+
done
1387+
1388+
# Remove snmp community string from snmp.yml
1389+
sed -i -E 's/(\s*snmp_\S*community\s*:\s*)(\S*)/\1****/g' $dumppath/etc/sonic/snmp.yml
1390+
1391+
# Remove secret from /etc/sonic/config_db.json
1392+
cat $dumppath/etc/sonic/config_db.json | remove_secret_from_config_db_dump > $dumppath/etc/sonic/config_db.json.temp
1393+
mv $dumppath/etc/sonic/config_db.json.temp $dumppath/etc/sonic/config_db.json
1394+
}
1395+
13131396
###############################################################################
13141397
# Terminates generate_dump early just in case we have issues.
13151398
# Globals:

0 commit comments

Comments
 (0)