-rw-r--r-- | sos/plugins/docker.py | 17 | ||||
-rw-r--r-- | sos/plugins/podman.py | 16 |
2 files changed, 33 insertions, 0 deletions
diff --git a/sos/plugins/docker.py b/sos/plugins/docker.py
index 69ac997e..3cce15ed 100644
--- a/sos/plugins/docker.py
+++ b/sos/plugins/docker.py
@@ -88,6 +88,23 @@ class Docker(Plugin):
 if self.get_option('logs'):
 self.add_cmd_output("docker logs -t %s" % container)
+ def postproc(self):
+ # Attempts to match key=value pairs inside container inspect output
+ # for potentially sensitive items like env vars that contain passwords.
+ # Typically, these will be seen in env elements or similar, and look
+ # like this:
+ # "Env": [
+ # "mypassword=supersecret",
+ # "container=oci"
+ # ],
+ # This will mask values when the variable name looks like it may be
+ # something worth obfuscating.
+
+ env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \
+ '(?P<value>.*?)"'
+ self.do_cmd_output_sub('*inspect*', env_regexp,
+ r'\g<var>=********"')
+
 class RedHatDocker(Docker, RedHatPlugin):
diff --git a/sos/plugins/podman.py b/sos/plugins/podman.py
index 72e22558..cdf60043 100644
--- a/sos/plugins/podman.py
+++ b/sos/plugins/podman.py
@@ -74,5 +74,21 @@ class Podman(Plugin, RedHatPlugin, UbuntuPlugin):
 if self.get_option('logs'):
 self.add_cmd_output("podman logs -t %s" % container)
+ def postproc(self):
+ # Attempts to match key=value pairs inside container inspect output
+ # for potentially sensitive items like env vars that contain passwords.
+ # Typically, these will be seen in env elements or similar, and look
+ # like this:
+ # "Env": [
+ # "mypassword=supersecret",
+ # "container=oci"
+ # ],
+ # This will mask values when the variable name looks like it may be
+ # something worth obfuscating.
+
+ env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \
+ '(?P<value>.*?)"'
+ self.do_cmd_output_sub('*inspect*', env_regexp,
+ r'\g<var>=********"')
 # vim: set et ts=4 sw=4 : |
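Review bot: The `(?P<value>.*?)"` group in `env_regexp` stops at the first double quote, so when the inspect JSON holds a value containing an escaped quote (`\"`) only the part before it is masked and the rest of the secret stays in the collected report. Matching up to the first unescaped quote closes that gap: `r'(?P<value>(?:[^"\\]|\\.)*)"'`. The name alternation also covers only all-lower or all-upper `pass|key|secret`, so a variable such as `Password=` or `API_TOKEN=` passes through unmasked unless `do_cmd_output_sub`, which is defined outside this diff, already compiles the pattern case-insensitively; consider a leading `(?i)` and adding `token` to the list. The identical pattern in the podman.py hunk needs the same change.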
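Review bot: The `postproc` added to podman.py is a line-for-line copy of the one added to docker.py in the same commit, so every later correction to the scrubbing pattern has to be made in two places and the two can drift apart. Defining `env_regexp` once, for example as a shared module-level constant that both plugins import, would keep the masking rules for the two runtimes in step.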