start: Use RunPrivate for checking pull secret for microshift #3858

Merged
merged 1 commit into from
Oct 5, 2023


praveenkumar
Member

As part of 211e9dd, I used RunPrivileged, which ended up exposing the pull secret to debug logs. With this PR we are going to use RunPrivate to make sure we hide the pull secret info.

Fixes: Issue #3857
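
The leak described in this PR, as an added Go example (not code from crc or from this PR): a hypothetical `runner` whose logged variant writes command output to the debug log and whose private variant records only the message and the status. The type, its `run` method, the stubbed transport and the sample secret are constructed for illustration and do not reflect how `crcssh.Runner` is implemented.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"strings"
)

// Constructed sample secret; not a real credential.
const constructedSecret = `{"auths":{"registry.example.test":{"auth":"Y29uc3RydWN0ZWQ="}}}`

// runner is a hypothetical stand-in for an SSH command runner (not crcssh.Runner).
type runner struct {
	debug *log.Logger                      // debug log sink
	exec  func(cmd string) (string, error) // transport, stubbed below
}

// run executes the command; private controls what reaches the debug log.
func (r *runner) run(private bool, msg string, args ...string) (string, error) {
	cmd := strings.Join(args, " ")
	out, err := r.exec(cmd)
	if private {
		r.debug.Printf("%s: private command, failed=%t", msg, err != nil)
	} else {
		// Logging the output verbatim is what leaks a secret read with cat.
		r.debug.Printf("%s: %s: stdout=%q err=%v", msg, cmd, out, err)
	}
	return out, err
}

// DebugLogFor runs the pull-secret check and returns the resulting debug log text.
func DebugLogFor(private bool) string {
	var buf bytes.Buffer
	r := &runner{
		debug: log.New(&buf, "DEBU ", 0),
		exec:  func(string) (string, error) { return constructedSecret, nil },
	}
	if _, err := r.run(private, "Checking if pull secret already present in the VM",
		"sudo", "cat", "/etc/crio/openshift-pull-secret"); err != nil {
		return "error: " + err.Error()
	}
	return buf.String()
}

func main() {
	fmt.Print("logged:  ", DebugLogFor(false))
	fmt.Print("private: ", DebugLogFor(true))
}
```

The caller still receives the file contents in both cases; only what is written to the debug log differs.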

@openshift-ci openshift-ci bot requested review from evidolob and gbraad October 4, 2023 06:35
Contributor

@cfergeau cfergeau left a comment

Looks good to me if the file is user-readable (do we want that?)

@@ -1068,7 +1068,7 @@ func startMicroshift(ctx context.Context, sshRunner *crcssh.Runner, ocConfig oc.
}

func ensurePullSecretPresentInVM(sshRunner *crcssh.Runner, pullSec cluster.PullSecretLoader) error {
if pullSecret, _, err := sshRunner.RunPrivileged("Checking if pull secret already present in the VM", "cat", "/etc/crio/openshift-pull-secret"); err == nil {
if pullSecret, _, err := sshRunner.RunPrivate("Checking if pull secret already present in the VM", "cat", "/etc/crio/openshift-pull-secret"); err == nil {
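
Review bot: On the added `RunPrivate` line, `cat` is passed without `sudo`, while the call it replaces was `RunPrivileged`; because the condition only checks `err == nil` and the second return value is discarded, a permission-denied read would be indistinguishable from the file not being present. Pass `"sudo", "cat", "/etc/crio/openshift-pull-secret"` if the file is not user-readable, and consider a short code comment stating that `RunPrivate` is used here to keep the pull secret out of the debug logs so the call is not switched back later.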
Contributor

This file can be read by a regular user, no need for sudo?

Member Author

Ah it does need sudo, updated.

Contributor

@cfergeau cfergeau left a comment

The commit log could explain why we need sudo, especially after the 1st iteration and the review comments.
openshift-pull-secret is created with `return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0600)`

As part of 211e9dd, I used `RunPrivileged`, which ended up exposing the pull
secret to debug logs. With this PR we are going to use `RunPrivate` to
make sure we hide the pull secret info. `RunPrivate` is used with the `sudo`
command because a normal user doesn't have read permission to the
`/etc/crio/openshift-pull-secret` file.
@praveenkumar
Member Author

> The commit log could explain why we need sudo, especially after the 1st iteration and the review comments. openshift-pull-secret is created with `return sshRunner.CopyDataPrivileged([]byte(content), "/etc/crio/openshift-pull-secret", 0600)`

@cfergeau Done

@openshift-ci

openshift-ci bot commented Oct 4, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cfergeau

@openshift-ci openshift-ci bot added the approved label Oct 4, 2023
@openshift-ci

openshift-ci bot commented Oct 4, 2023

@praveenkumar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/integration-crc | 742f276 | link | true | `/test integration-crc` |
| ci/prow/e2e-crc | 742f276 | link | true | `/test e2e-crc` |
