| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
Allows test cases to set their own timeout for sos command executions,
rather than applying a 300 second timeout to all test cases. 300 seconds
remains the default, however.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
| |
Also catch exceptions for malformed map files when trying to load them
into the parsers.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Just making the code more robustness, it could be dangerous to
set pred = None and then potentially call log_skipped_cmd that
expects "pred" of SoSPredicate type.
Currently such a call flow can not happen, but it is worth to
make the code more robust for potential future changes.
Resolves: #2601
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
| |
Like we did in #969 for `dnf`, fix a potential issue where we would
generate a traceback in the plugin when `yum history` is empty.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
| |
Updates the image used for CentOS Stream 8 testing to the latest release
for that distro.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Changes which collection the `date` root symlink points to. It will now
reference the `timedatectl` command run via the `systemd` plugin, as it
provides more complete and accurate information.
Closes: #2559
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
| |
Use designate-manage to grab the current pools from designate, in
case they differ from the pools stored in /etc
Signed-off-by: Michael Chapman <woppin@gmail.com>
|
| |
|
|
| |
Signed-off-by: Osher De Paz <osherdepaz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
- /etc/ansible/facts.d/rhui_*.fact must be collected by
rhui plugin to let some file to be obfuscated there
- obfuscate also cookies values that can grant login access
Resolves: #2593
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rhui-manager commands timeout when not being logged in, which
should be reacted by adding proper cmd timeout.
Adding the env.variable ensures potentially unaswered "RHUI Username:"
is also printed/colected.
Further, prevent collecting any *.key file from the whole /etc/pki/rhui
dir.
Related: #2593
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
- deal with /etc/pulp/settings.py as a one-line string
- parse dbname from it as well
- dont collect any *.key file from whole /etc/pki/pulp dir
Related: #2593
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
| |
Add option to apply glob.glob to forbidden path recursively.
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
| |
Collect "pip list installed" for all versions of pip.
Resolves: #2592
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the addition of the `cleaner_tests/` and `collect_tests/` subdirs,
update the CirrusCI config to include these directories, while still
avoiding the `product_tests/` directory for the "base" stageone and
stagetwo tasks.
Additionally, install python3-pexpect for the stagetwo tests. Currently,
this is only utilized to test the use of the placeholder component for
`collect`. However, in the future we'll be doing actual `collect` tests
which would require this to be installed anyways.
Resolves: #2573
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
| |
Moves the report_with_mask tests to be under the cleaner_tests/
directory. No changes are actually being made to the tests, this is an
organization change.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In the past, there have been otherwise trivial typos and the like that
have caused `--help` output to be unreliable. In the case of "help
options" such as `--list-plugins` this also includes potentially
unavailable detailed information about whatever is being listed.
These tests are sanity checks to ensure that changes aren't regressing
this behavior and that the informational output options, and `--help`
directly, continue to provide the right output.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Moves several aspects of test setup and design from `BaseSoSReportTest`
into the lower-level `BaseSoSTest`, so that adding new test classes that
are not report-centric will be easier going forward. Where needed,
overrides in `BaseSoSReportTest` have been added.
In general, this means that sos command construction, execution, tmpdir
management, and the methods for mocking and other pre-execution tasks
are now in `BaseSoSTest` and the additions in `BaseSoSReportTest` are
now centered around handling a generated archive.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
| |
Updates the README to include information on the Matrix and IRC rooms
used by SoS.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add a new/revoked plugin for RHUI (newly based on python3 and pulp-3).
Edditionally, collect /etc/pki/pulp certificates except for RSA keys.
Resolves: #2590
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since --build does not produce a tarball, we cannot encrypt any
collections. However, the encryption options are set in the global
option group so we cannot add a report-only option to that mutex group.
Instead, print a warning informing the user of this limitation.
Closes: #2568
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
| |
Fixes an issue where checksums may have gotten into the list of archives
to be cleaned, which would cause further issues later. Additionally,
prevents nested sosreports from top-level archives (such as from
`collect`) from being removed for being a binary file when that
top-level archive gets obfuscated.
|
| |
|
|
|
|
|
|
| |
The 'core' user is a common default user on containerized hosts, and
obfuscation of it is not advantageous, much like the default 'ubuntu'
user for that distribution.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
| |
Adds explicit setting of primary/node sos options for the `openshift`
plugin within the cluster, rather than relying on default configurations
and best practices to avoid duplicate collections.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit updates the hostname parser and associated map to be able to
better detect and obfuscate FQDN substrings within file content and file
names, particularly when the regex patterns failed to match a hostname
that is formatted with '_' characters rather than '.' characters.
The `get()` method has been updated to alow preserve characters and
certain extensions that are not part of the FQDN, but are brought in by
the regex pattern due to the fact that we need to use word boundary
indicators within the pattern.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commits adds a step to `obfuscate_report()` that explicitly walks
through all directories in the archive, and obfuscates the directory
names if necessary.
Since this uses `obfuscate_string()` for the directory names, a
`skip_keys` list has been added to maps to allow parsers/maps to
specify matched keys (such as short names for the hostname parser) that
should not be considered when obfuscating directory names (e.g. 'www').
Closes: #2465
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
When matching strings in parsers to do obfuscation, we should be using
the most precise matches found first, rather than matching in the order
a match is hit. This ensures that we correctly obfuscate an entire
string, rather than potentially only partial substring(s) that exist
within the entire match.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Improves handling of symlink obfuscation by only performing the
obfuscaiton on the ultimate target of any symlinks encountered. Now,
when a symlink is encountered, clean will obfuscate the link name and
re-write it in the archive, pointing to the (potentially obfuscated)
target name.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit overhauls the function of `finalize_sos_cmd()` in several
ways.
First, assign the sos report plugin related options directly to private
copies of those values for each node, so that the shared cluster profile
does not clober options between nodes.
Second, provide a default Lock mechanism for clusters that need to
perform some node-comparison logic when assigning options based on node
role.
Finally, finalize the sos command for each node _prior_ to the call to
`SoSNode.sosreport()` so that we can be sure that clusters are able to
appropriately compare and assign sos options across nodes before some
nodes have already started and/or finished their own sos report
collections.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updates `run_command()` to support passing new environment variables to
the command being run, for that command alone. This parameter takes a
dict, and if set we will first copy the existing set of env vars on the
node and then update that set of variables using the passed dict.
Additionally, `execute_sos_command()` will now try to pass a new
`sos_env_vars` dict (default empty) so that clusters may set environment
variables specifically for the sos command being run, without having to
modify the actual sos command being executed.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Like we now do for primary nodes, add the ability to individually set
node options via a new `set_node_options()` method for when blanket
setting options across all nodes via the options class attrs is not
sufficient.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
| |
While using Github merging we don't need to track Resolves to
close PRs anymore. If existing (and not the PR currently on)
it still makes sense to use Resolves though.
Signed-off-by: Bryan Quigley <code@bryanquigley.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a `containers` enablement trigger for plugins that currently check
for specifically named containers as part of their `setup()`
collections.
This is primarily the openstack plugins checking for their respective
component api's to be running in a container. In these cases the name
pattern used in the `container_exists()` checks are used for the
enablement trigger as well.
Resolves: #2561
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds an enablement trigger tuple, `containers`, that allows for enabling
a plugin based on the presence of a _running_ container matching a given
name or regex. Note that this is only functional for the default runtime
discovered by a policy during initialization.
Resolves: #2561
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the "top-level" `ThreadPoolExecutor` used for threading plugin
execution, increase readability and reliability by wrapping it in a
`with` context manager, so that the pool's cleanup is run in all
situations explicitly.
This is a continuation of #2294, bringing it up to date with the current
state of the project and iterating over the plugin list as a discreet
unit rather than individual plugins.
Closes: #2294
Resolves: #2578
Co-authored-by: Erik Bernoth <ebernoth@redhat.com>
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updates the `vmware` plugin for more current collections based on the
use of the `open-vm-tools` package which is the current recommendation
from VMware to use instead of the legacy VMWare-Tools package.
Command collections are expanded and updated to use
`vmware-toolbox-cmd`.
Closes: #2580
Resolves: #2582
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
As we did with `report` in #2523, update `clean` to use the built-in
compression capability of TarFile to re-compress unpacked archives.
Resolves: #2576
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The command also prints content of /etc/pulp/settings.py
where we need to also obfuscate the SECRET_KEY and PASSWORD values.
Resolves: #2583
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Binary files generally speaking cannot be obfuscated, and as such we
should remove them from archives being obfuscated by default so that
sensitive data is not mistakenly included in an obfuscated archive.
This commits adds a new `--keep-binary-files` option that if used will
keep any encountered binary files in the final archive. The default
option of `false` will ensure that encountered binary files are removed.
The number of removed binary files per archive is reported when
obfuscation is completed for that archive.
Closes: #2478
Resolves: #2524
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Unify capitalisation of name and synopsis.
Add references to sos.conf to SEE ALSO of all binaries.
Resolves: #2581
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds automatic collection of journals for any service defined in a
plugin's `services` tuple, if that service exists on the system.
Updates several plugins to define a `services` tuple in place of
manually calling `add_journal()` (and as a bonus, removing redundant
`add_service_status()` calls that are already performed based on the
tuple).
Additionally, add an appropriate tag to each `add_journal` call for
easier collection lookup in the manifest.
Resolves: #2579
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
| |
This captures the persistent and runtime configuration of usbguard.
Resolves: #2577
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes an issue where empty lines would be stripped from files that have
other obfuscations in them. Those empty lines may be important for file
structure and/or readability, so we should instead simply not pass empty
lines to the parsers rather than skipping them wholesale in the flow of
writing obfuscations to a temp file before replacing the source file
with a potentially changed temp file.
Resolves: #2562
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit begins the deprecation of the use of `master` in favor of
`primary`. For this initial step, `sos collect` will deprecate the
`--master` option and print a notice whenever it is used. This option is
being replaced by `--primary` with aliases `--manager` and
`--controller`.
This deprecation will last through 4.2, with `--master` being removed in
4.3.
Additionally, the `exec_master_cmd()` method for cluster profiles has
been similarly deprecated in favor of `exec_primary_cmd()`, with a
deprecation note logged whenever a cluster profile uses the former
method.
The internal assignment of the `SoSNode` object as `master` remains
for now, as this initial step is to deprecate the user-visible bits. By
full removal of `--master` in 4.3, these internal assignments should all
be changed to `primary` as well.
Related: #2329
Resolves: #2555
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
| |
Updates the testing matrix for F34, dropping F32.
Resolves: #2574
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have reports that sssd logs are not
collected, when we investigated
we found associate wants to collect
sssd related logs also when only
sssd-common package is installed.
We got this confirmed by sbr-idm.
Resolves: #2571
Signed-off-by: Jan Jansky <jjansky@redhat.com>
|
| |
|
|
|
|
|
|
| |
This patch captures information from loop devices
via 'losetup -a' and the content of
/sys/block/loopN/loop/ directory.
Signed-off-by: Jose Castillo <jcastillo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adds two test cases for using `--encrypt-pass`; one with just the bare
option and another in conjunction with `--clean` to ensure both can be
used in the same execution.
Resolves: #2566
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Removes the previous OCP cluster profile and replaces it with an updated
one for OCP4 which is entirely separated from the kubernetes profile.
Resolves: #2544
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes an issue where the sos inspection commands were not properly
marked as needing to be run as root (either directly or via sudo) for
containerized hosts, which would lead to incorrect sos command
formatting.
Mark those commands, and the final container removal command, as
explicitly needing root permissions.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If the master node is determined to not have sos installed, that is not
necessarily a fatal error for scenarios where the 'master' node is only
being used to enumerate node lists and is not actually part of the
cluster. This can happen when a user is using a bastion node to
enumerate and connect to the cluster environment, or if the local host
is being used to enumerate nodes via cluster client tooling.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
|
