
cloudstack-usage logs private keys #10646


Closed
jgotteswinter opened this issue Apr 1, 2025 · 7 comments · Fixed by #10649

Comments

@jgotteswinter

jgotteswinter commented Apr 1, 2025

problem

We just finished upgrading 4.19.1.3 to 4.19.2.0. While checking the logs after the upgrade, we saw that the usage server logs contain several private keys which seem to be generated on startup.

versions

4.19.2.0, KVM, Ubuntu 24.04


boring-cyborg bot commented Apr 1, 2025

Thanks for opening your first issue here! Be sure to follow the issue template!

@weizhouapache
Member

@jgotteswinter
Can you give an example ?

@jgotteswinter
Author

jgotteswinter commented Apr 1, 2025

Sure, I can find the same on an older installation which is still on 4.19.1.3

2025-04-01 07:30:17,946 INFO  [cloud.utils.LogUtils] (main:null) (logid:) log4j configuration found at /etc/cloudstack/usage/log4j-cloud.xml
2025-04-01 07:30:18,907 DEBUG [utils.crypt.EncryptionSecretKeyChecker] (main:null) (logid:) Encryption Type: file
2025-04-01 07:30:18,921 DEBUG [utils.crypt.CloudStackEncryptor] (main:null) (logid:) Calling to initialize for class com.cloud.utils.crypt.EncryptionSecretKeyChecker
2025-04-01 07:30:19,044 DEBUG [utils.crypt.CloudStackEncryptor] (main:null) (logid:) Initialized with all possible encryptors
2025-04-01 07:30:19,056 DEBUG [utils.crypt.CloudStackEncryptor] (main:null) (logid:) CloudStack will encrypt and decrypt values using encryptor : AeadBase64Encryptor for class EncryptionSecretKeyChecker
...
...
025-04-01 07:30:25,020 DEBUG [utils.db.DbProperties] (main:null) (logid:) DB properties were already loaded
2025-04-01 07:30:25,020 DEBUG [utils.crypt.CloudStackEncryptor] (main:null) (logid:) Calling to initialize for class com.cloud.utils.crypt.DBEncryptionUtil
2025-04-01 07:30:25,021 DEBUG [utils.crypt.CloudStackEncryptor] (main:null) (logid:) Initialized with encryptor : AeadBase64Encryptor
2025-04-01 07:30:25,021 DEBUG [utils.crypt.DBEncryptionUtil] (main:null) (logid:) initialized
2025-04-01 07:30:25,029 INFO  [cloud.usage.UsageManagerImpl] (main:null) (logid:) configs = {ca.framework.cert.signature.algorithm=SHA256withRSA, ca.framework.background.task.delay=3600, restart.retry.interval=600, allow.additional.vm.configuration.list.xenserver=, mandate.user.2fa=false, outofbandmanagement.ipmitool.retries=1, user.password.encoders.exclude=MD5,LDAP,PLAINTEXT, tungsten.plugin.enable=false,....
...
...
router.stats.interval=300, ca.plugin.root.ca.certificate=-----BEGIN CERTIFICATE-----
MIIFDTCCAvWgAwIBAgIJAN6cWV1i16CgMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
...
...
...
-----END CERTIFICATE-----
storpool.volumes.stats.interval=3600, backup.plugin.networker.url=https://localhost:9090/nwrestapi/v3, outofbandmanagement.action.timeout=60, consoleproxy.session.max=50, expunge.workers=1, secstorage.ssl.cert.domain=, kvm.ssh.to.agent=true,
...
...
... saml2.redirect.url=xxxx-xxx.net/client, ssh.privatekey=-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----

@weizhouapache
Member

Thanks @jgotteswinter

Apparently we do not need to log it

logger.info("configs = " + configs);

cc @DaanHoogland

@DaanHoogland
Contributor

@weizhouapache are you suggesting

  1. not logging at all or
  2. lower the log level (to trace for instance) or
  3. filtering the config to not include the privacy sensitive fields?

@weizhouapache
Member

@weizhouapache are you suggesting

  1. not logging at all or
  2. lower the log level (to trace for instance) or
  3. filtering the config to not include the privacy sensitive fields?

@DaanHoogland
1/2 are fine with me

@weizhouapache
Member

fixed by #10649
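Option 3 from the list above (filter the config map before logging it), together with a scan for keys that already reached an existing log, as an added example; this is not CloudStack's code and not the fix in #10649. Only the key name `ssh.privatekey` comes from the issue's log excerpt; the other deny-list patterns and the sample log are assumptions.

```python
import re

# Config keys whose values must never be logged. "ssh.privatekey" is the key
# seen in the issue's log excerpt; the other patterns are assumptions for a
# realistic deny-list and should be tuned to the deployment.
SENSITIVE_KEY = re.compile(r"(privatekey|private\.key|secret|token|\.(password|passwd|key)$)",
                           re.IGNORECASE)
# Any PEM private-key block (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def redact_configs(configs: dict) -> dict:
    """Return a copy of the config map that is safe to log: values under
    sensitive keys, and any value that is itself a PEM private key, become a
    marker. Public material such as the root CA certificate is kept."""
    safe = {}
    for key, value in configs.items():
        if SENSITIVE_KEY.search(key) or PEM_PRIVATE_KEY.search(str(value)):
            safe[key] = "<redacted>"
        else:
            safe[key] = value
    return safe

def find_leaked_private_keys(log_text: str) -> list:
    """Scan existing log text (e.g. usage.log) and return (line number,
    config key) for each 'key=-----BEGIN ... PRIVATE KEY-----' occurrence,
    so an operator can see what was exposed and needs rotating."""
    leak = re.compile(r"([\w.]+)=-----BEGIN [A-Z ]*PRIVATE KEY-----")
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for m in leak.finditer(line):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample mirroring the issue's excerpt (PEM bodies are placeholders).
SAMPLE_LOG = """\
2025-04-01 07:30:25,021 DEBUG [utils.crypt.DBEncryptionUtil] (main:null) (logid:) initialized
2025-04-01 07:30:25,029 INFO  [cloud.usage.UsageManagerImpl] (main:null) (logid:) configs = {router.stats.interval=300, ca.plugin.root.ca.certificate=-----BEGIN CERTIFICATE-----
...placeholder...
-----END CERTIFICATE-----
kvm.ssh.to.agent=true, ssh.privatekey=-----BEGIN EC PRIVATE KEY-----
...placeholder...
-----END EC PRIVATE KEY-----
}
"""
```

`find_leaked_private_keys(SAMPLE_LOG)` returns `[(5, "ssh.privatekey")]`, and `redact_configs` is what a `logger.info("configs = " + ...)` call would be given instead of the raw map.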

@github-project-automation github-project-automation bot moved this from ready for Testing to Done in Apache CloudStack BugFest - Issues Apr 14, 2025