[libvirt] [jenkins-ci PATCH] lcitool: Don't encrypt password manually

Martin Kletzander mkletzan at redhat.com
Wed Sep 5 09:39:59 UTC 2018


On Tue, Sep 04, 2018 at 01:53:45PM +0200, Andrea Bolognani wrote:
>On Tue, 2018-09-04 at 10:49 +0200, Martin Kletzander wrote:
>
>s/manually/ourselves/ in the subject.
>
>[...]
>>      def get_root_password_file(self):
>> -        root_pass_file = self._get_config_file("root-password")
>> -        root_hash_file = self._get_config_file(".root-password.hash")
>> -
>> -        try:
>> -            with open(root_pass_file, "r") as infile:
>> -                root_pass = infile.readline().strip()
>> -        except Exception:
>> -            raise Error(
>> -                "Missing or invalid root password file ({})".format(
>> -                    root_pass_file,
>> -                )
>> -            )
>> -
>> -        # The hash will be different every time we run, but that doesn't
>> -        # matter - it will still validate the correct root password
>> -        root_hash = crypt.crypt(root_pass, Util.mksalt())
>> -
>> -        try:
>> -            with open(root_hash_file, "w") as infile:
>> -                infile.write("{}\n".format(root_hash))
>> -        except Exception:
>> -            raise Error(
>> -                "Can't write hashed root password file ({})".format(
>> -                    root_hash_file,
>> -                )
>> -            )
>> -
>> -        return root_hash_file
>> +        return self._get_config_file("root-password")
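Review bot: with the crypt.crypt(root_pass, Util.mksalt()) call removed from get_root_password_file(), nothing writes .root-password.hash any more, but a copy written by an earlier run stays on disk. Consider deleting the stale file or noting it in the commit message. Also check whether the crypt import and Util.mksalt() still have other users, and drop them in this patch if they do not.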
>
>This is a really nice improvement overall, but we can't quite get
>rid of the entire function: we still need to try and open the file,
>or at least stat() it, like we do in get_vault_password_file(), so
>that we can error out early instead of having Ansible bail out on
>us really late in the game.
>

So what you had in mind is something like the following squashed in?

diff --git i/guests/lcitool w/guests/lcitool
index 609c73c43dbc..2ac98ea69030 100755
--- i/guests/lcitool
+++ w/guests/lcitool
@@ -151,7 +151,22 @@ class Config:
         return vault_pass_file

     def get_root_password_file(self):
-        return self._get_config_file("root-password")
+        root_pass_file = None
+
+        root_pass_file = self._get_config_file("root-password")
+
+        try:
+            with open(root_pass_file, "r") as infile:
+                if not infile.readline().strip():
+                    raise ValueError
+        except Exception:
+            raise Error(
+                "Missing or invalid root password file ({})".format(
+                    root_pass_file,
+                )
+            )
+
+        return root_pass_file


 class Inventory:
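Review bot: the `except Exception` in get_root_password_file() also catches the ValueError raised just above it, so a missing file, a permission error and an empty first line all end in the same "Missing or invalid root password file" message. Catching OSError and ValueError explicitly, and including the original exception text in the Error, would tell the user which case they hit. The `root_pass_file = None` assignment at the top is overwritten by the next statement and can be dropped.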
--

Or we could have the check in ansible itself, but that would be a bigger change
and the codebase is not prepared for that.

TLTTIRN,
Martin