CP-44440: Collect config and logs in bugreport

.github/workflows/alpine-python2.yml

@@ -45,3 +45,5 @@ jobs:
         run: bash -x tests/integration/sar-file-collection.test.sh
       - name: Test creating a tarball for /etc/systemd
         run: bash -x tests/integration/xenserver-config-systemd.sh
+      - name: Test collecting SNMP files and hiding sensitive strings
+        run: bash -x tests/integration/snmp-hide-password-test.sh

tests/integration/dom0-template/etc/snmp/snmp.xs.conf

@@ -0,0 +1,27 @@
+[common]
+enabled=yes
+debug_log=yes
+
+[snmpd]
+v2c=yes
+v3=yes
+
+[snmpd_v2c]
+community=snmpv2cpublic
+
+[snmpd_v3]
+security_name=test123
+authentication_passphrase=********
+authentication_protocol=SHA
+privacy_passphrase=********
+privacy_protocol=AES
+
+engine_id=0x80001f88800fceda7f01824c6500000000
+
+[snmpd_v3_internal]
+name_key="test123"
+security_name_key="test123"
+authentication_key=0xsnmpv3authenticationkey
+authentication_protocol_oid=.1.3.6.1.6.3.10.1.1.3
+privacy_key=0xsnmpv3privacykey
+privacy_protocol_oid=.1.3.6.1.6.3.10.1.2.4

tests/integration/dom0-template/etc/snmp/snmpd.xs.conf

@@ -0,0 +1,68 @@
+###############################################################################
+# Access Control
+###############################################################################
+
+# As shipped, the snmpd demon will only respond to queries on the
+# system mib group until this file is replaced or modified for
+# security purposes.
+
+####
+# First, map the community name "public" into a "security name"
+
+#<user> sec.name       source        community
+rouser test123 authPriv
+com2sec notConfigUser default snmpv2community
+
+####
+# Second, map the security name into a group name:
+
+#<group> groupName     securityModel securityName
+group group2 usm test123
+group group1 v2c notConfigUser
+
+####
+# Third, create a view for us to let the group have rights to:
+
+#	name          incl/excl  subtree         mask(optional)
+view	systemview    included   .1
+view	systemview    included   system
+view	systemview    included   interfaces
+view	systemview    included   at
+view	systemview    included   ip
+view	systemview    included   icmp
+view	systemview    included   tcp
+view	systemview    included   udp
+view    systemview    included   snmp
+view    systemview    included   xenserver
+
+####
+# XenServer control domain does not support IPv6.
+#
+view	systemview    excluded   ipv6InterfaceTableLastChange
+view	systemview    excluded   icmpStatsInErrors.ipv6
+view	systemview    excluded   icmpStatsInMsgs.ipv6
+view	systemview    excluded   icmpStatsOutErrors.ipv6
+view	systemview    excluded   icmpStatsOutMsgs.ipv6
+view	systemview    excluded   icmpMsgStatsInPkts.ipv6
+view	systemview    excluded   icmpMsgStatsOutPkts.ipv6
+
+####
+# Finally, grant the group read-only access to the systemview view.
+
+#<access> group          context sec.model sec.level prefix read       write  notif
+access group2 "" any priv exact systemview none none
+access group1 "" any noauth exact systemview none none
+
+###############################################################################
+# Extension of dynamically loadable object
+
+#<module> moduleName  soPath
+dlmod     xenserver   /usr/lib64/xs_snmp_agent.so
+
+###############################################################################
+# System contact information
+#
+
+syslocation Unknown
+syscontact Root <root@localhost>
+

tests/integration/dom0-template/etc/sysconfig/snmpd

@@ -0,0 +1,4 @@
+# snmpd command line options
+# '-f' is implicitly added by snmpd systemd unit file
+# OPTIONS="-LS0-6d"
+OPTIONS="-c /etc/snmp/snmpd.xs.conf -m +XENSERVER-MIB -Dxenserver -LS0-7d"

tests/integration/dom0-template/var/lib/net-snmp/snmpd.conf

@@ -0,0 +1,55 @@
+#
+# net-snmp (or ucd-snmp) persistent data file.
+#
+############################################################################
+# STOP STOP STOP STOP STOP STOP STOP STOP STOP 
+#
+#          **** DO NOT EDIT THIS FILE ****
+#
+# STOP STOP STOP STOP STOP STOP STOP STOP STOP 
+############################################################################
+#
+# DO NOT STORE CONFIGURATION ENTRIES HERE.
+# Please save normal configuration tokens for snmpd in /etc/snmp/snmpd.conf.
+# Only "createUser" tokens should be placed here by snmpd administrators.
+# (Did I mention: do not edit this file?)
+#
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+usmUser 1 3 0x80001f88800fceda7f01824c6500000000 "test123" "test123" NULL .1.3.6.1.6.3.10.1.1.3 0xsnmpv3authenticationkey .1.3.6.1.6.3.10.1.2.4 0xsnmpv3privacykey ""
+##############################################################
+#
+# ifXTable persistent data
+#
+ifXTable .1 14:0 18:0x $
+ifXTable .2 14:0 18:0x $
+ifXTable .3 14:0 18:0x $
+ifXTable .4 14:0 18:0x $
+ifXTable .5 14:0 18:0x $
+ifXTable .6 14:0 18:0x $
+##############################################################
+
+
+setserialno 1853241089
+##############################################################
+#
+# snmpNotifyFilterTable persistent data
+#
+##############################################################
+
+
+engineBoots 3
+oldEngineID 0x80001f88800fceda7f01824c6500000000

tests/integration/snmp-hide-password-test.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# This test is expected to be run as root in a container(docker, podman, toolbox, apptainer, (s)chroot):
+# It is currently started from .github/workflows/alpine-python2.yml
+# Precondition: python with all dependencies from requirements.txt is installed
+# WARNING: This is running as user root in the container it runs in!
+#
+# A quick way to run it is:
+# act -W .github/workflows/alpine-python2.yml
+#
+# exit on any error
+set -o errexit
+set -o pipefail
+if [[ -n "$TRACE" ]]; then set -o xtrace; fi
+set -o nounset
+: ${PYTHON:=python2}
+
+# Prepare test container: Mock the files used by this test
+cp -a tests/integration/dom0-template/* /
+
+# Enter a clean test environment
+SRCDIR=$PWD
+rm -rf   .tmp/tests/snmp
+mkdir -p .tmp/tests/snmp
+cd       .tmp/tests/snmp
+export PYTHONPATH=~-/tests/mocks
+
+# Check that mocking xen.lowlevel.xc works for this test
+$PYTHON -c "from xen.lowlevel.xc import Error, xc;xc().domain_getinfo()"
+
+# Run xen-bugtool --entries=xenserver-config to capture the SNMP files
+export XENRT_BUGTOOL_BASENAME=zip
+$PYTHON ~-/xen-bugtool -y --entries=xenserver-config --output=zip
+unzip -o -d. /var/opt/xen/bug-report/zip.zip
+
+cd $XENRT_BUGTOOL_BASENAME
+
+# Check filename entries in inventory.xml (in case a tool expects them):
+grep -q \
+    -e "filename=\"$XENRT_BUGTOOL_BASENAME/snmp_xs_conf.out\"" \
+    -e "filename=\"$XENRT_BUGTOOL_BASENAME/snmpd_xs_conf.out\"" \
+    -e "filename=\"$XENRT_BUGTOOL_BASENAME/snmpd_conf.out\"" \
+    -e "filename=\"$XENRT_BUGTOOL_BASENAME/etc/sysconfig/snmpd\"" \
+    inventory.xml
+
+# Check that snmp_xs_conf.out should not contain community or keys
+snmp_xs_conf_filter_str=$(grep 'snmpv2cpublic\|0xsnmpv3authenticationkey\|0xsnmpv3privacykey' /code/status-report/.tmp/tests/snmp/tar/snmp_xs_conf.out || true)
+if [ "$snmp_xs_conf_filter_str" != "" ]; then
+  exit 5
+fi
+
+# Check that snmpd_xs_conf.out should not contain community
+snmpd_xs_conf_filter_str=$(grep snmpv2cpublic /code/status-report/.tmp/tests/snmp/tar/snmpd_xs_conf.out || true)
+if [ "$snmpd_xs_conf_filter_str" != "" ]; then
+  exit 5
+fi
+
+# Check that snmpd.conf.out should not contain keys
+snmpd_conf_filter_str=$(grep '0xsnmpv3authenticationkey\|0xsnmpv3privacykey' /code/status-report/.tmp/tests/snmp/tar/snmpd_conf.out || true)
+if [ "$snmpd_conf_filter_str" != "" ]; then
+  exit 5
+fi

tests/integration/xenserver-config-systemd.sh

@@ -27,7 +27,7 @@ export PYTHONPATH=~-/tests/mocks
 # Check that mocking xen.lowlevel.xc works for this test
 $PYTHON -c "from xen.lowlevel.xc import Error, xc;xc().domain_getinfo()"
 
-# Run xen-bugtool --entries=xenserver-logs to capture the dummy SAR files
+# Run xen-bugtool --entries=xenserver-config to capture the dummy SAR files
 # and run the mocked sar command:
 tar_basename=tar
 export XENRT_BUGTOOL_BASENAME=$tar_basename

xen-bugtool

@@ -220,6 +220,7 @@ NRPE_DIR = '/etc/nrpe.d'
 XEN_BUGTOOL_LOG = 'xen-bugtool.log'
 CRON_DIRS = '/etc/cron*'
 CRON_SPOOL = '/var/spool/cron'
+SYSCONFIG_SNMPD = '/etc/sysconfig/snmpd'
 
 #
 # External programs
@@ -1067,6 +1068,10 @@ exclude those logs from the archive.
                     'vgscan-log']])
     tree_output(CAP_XENSERVER_INSTALL, INSTALLED_REPOS_DIR)
     tree_output(CAP_XENSERVER_INSTALL, UPDATE_APPLIED_DIR)
+    func_output(CAP_XENSERVER_CONFIG, 'snmp_xs_conf', filter_snmp_xs_conf)
+    func_output(CAP_XENSERVER_CONFIG, 'snmpd_xs_conf', filter_snmpd_xs_conf)
+    func_output(CAP_XENSERVER_CONFIG, 'snmpd_conf', filter_snmpd_conf)
+    file_output(CAP_XENSERVER_CONFIG, [SYSCONFIG_SNMPD])
 
     try:
         load_plugins()
@@ -1516,6 +1521,31 @@ def multipathd_topology(cap):
 
     return stdout
 
+def filter_snmp_xs_conf(_):
+    """Filter /etc/snmp/snmp.xs.conf with keys and community removed"""
+    try:
+        with open("/etc/snmp/snmp.xs.conf", "r") as file:
+            return re.sub(r"((community|\w_key)\s*=\s*)\S+", r"\1REMOVED", file.read())
+    except Exception as e:
+        return "Failed to filter /etc/snmp/snmp.xs.conf %s" % str(e)
+
+def filter_snmpd_xs_conf(_):
+    """Filter /etc/snmp/snmpd.xs.conf with the com2sec community removed"""
+    try:
+        with open("/etc/snmp/snmpd.xs.conf", "r") as file:
+            return re.sub(r"(com2sec(\s+\S+){2}\s+)\S+", r"\1REMOVED", file.read())
+    except Exception as e:
+        return "Failed to filter /etc/snmp/snmpd.xs.conf %s" % str(e)
+
+def filter_snmpd_conf(_):
+    """Filter /var/lib/net-snmp/snmpd.conf with the usmUser fields authKey and privKey removed"""
+    try:
+        with open("/var/lib/net-snmp/snmpd.conf", "r") as file:
+            pattern = r"(usmUser(\s+\S+){7}\s+)\S+(\s+\S+\s+)\S+(\s+\S+)"
+            return re.sub(pattern, r"\1REMOVED\3REMOVED\4", file.read())
+    except Exception as e:
+        return "Failed to filter /var/lib/net-snmp/snmpd.conf %s" % str(e)
+
 def dp_list():
     output = StringIO.StringIO()
     procs = [ProcOutput([OVS_DPCTL, 'dump-dps'], caps[CAP_NETWORK_STATUS][MAX_TIME], output)]