From cbuissar at redhat.com Thu May 3 15:32:45 2012
From: cbuissar at redhat.com (Cedric Buissart)
Date: Thu, 03 May 2012 11:32:45 -0400 (EDT)
Subject: [sos-devel] [PATCH] New plugin : RHSM
In-Reply-To:
Message-ID:

Hi,

RHSM, the certificate based entitlement used in recent RHEL (default registration method in 6.2 and 5.8 afaik) should have its plugin.

Below is a quick small patch that retrieves some basic info :
* configuration (the proxy password is ***'ed)
* log
* additional info about the machine's ID and addon subscriptions.
* plugin is currently enabled by default. Let me know if we should override `checkenabled`

Cheers,
Cedric

-----------------------
diff --git a/sos/plugins/rhsm.py b/sos/plugins/rhsm.py new file mode 100755 index 0000000..1896fb5 --- /dev/null +++ b/sos/plugins/rhsm.py 
@@ -0,0 +1,34 @@ +### This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +from sos.plugins import Plugin, RedHatPlugin + +class rhsm(Plugin, RedHatPlugin): + '''RHSM is the new certificate based Red Hat subscription management''' + + def setup(self): + # Copy the RHSM configuration file + # XXX : let's not get the PEM files + self.addCopySpec("/etc/rhsm/rhsm.conf") + + # Copy the RHSM Logs + self.addCopySpec("/var/log/rhsm/") + + # Gathering generic data about identity and add-on consumption + self.collectExtOutput("/usr/sbin/subscription-manager identity") + self.collectExtOutput("/usr/sbin/subscription-manager list --installed --consumed") + + def postproc(self): + self.doRegexSub("/etc/rhsm/rhsm.conf", r"(\s*proxy_password\s*=\s*)\S+", r"\1%s" %('***')) + From bmr at redhat.com Thu May 3 15:48:06 2012 
From: bmr at redhat.com (Bryn M. Reeves)
Date: Thu, 03 May 2012 16:48:06 +0100
Subject: [sos-devel] [PATCH] New plugin : RHSM
In-Reply-To:
References:
Message-ID: <4FA2A8B6.6020904@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2012 04:32 PM, Cedric Buissart wrote:
> RHSM, the certificate based entitlement used in recent RHEL
> (default registration method in 6.2 and 5.8 afaik) should have its
> plugin.
>
> Below is a quick small patch that retrieves some basic info : *
> configuration (the proxy password is ***'ed) * log * additional
> info about the machine's ID and addon subscriptions. * plugin is
> currently enabled by default. Let me know if we should override
> `checkenabled`

Hi Cedric,

We have some changes in sos-2.2 for RHSM - check out the patches and changelog entries for bugs bz678665, bz714293, and bz750607.

These changes are not all forward ported to master at the moment (partly because we put some of this into the general plugin and we wanted to include it in the general plugin reorganisation we've been discussing).

There's a few comments on missing pieces in-line but I think this would make a good basis for the upstream version of this module, thanks!

> +class rhsm(Plugin, RedHatPlugin): + '''RHSM is the new > certificate based Red Hat subscription management'''

Probably want a checkenabled here if this is going into a new module (triggered by a package name match or file check).

> + def setup(self): + # Copy the RHSM configuration file + > # XXX : let's not get the PEM files + > self.addCopySpec("/etc/rhsm/rhsm.conf")

Why not scoop up the whole of /etc/rhsm? I'm not sure what other files may exist there today but this was what the folks from RHSM I talked to wanted.

We also need to collect the entitlement certificates from /etc/pki but we must *not* collect the private keys. Something like:

+ self.addCopySpec("/etc/pki/product/*.pem") + self.addCopySpec("/etc/pki/consumer/cert.pem") + self.addCopySpec("/etc/pki/entitlement/*.pem") + self.addForbiddenPath("/etc/pki/entitlement/key.pem") + self.addForbiddenPath("/etc/pki/entitlement/*-key.pem")

> + # Gathering generic data about identity and add-on > consumption + > self.collectExtOutput("/usr/sbin/subscription-manager identity") + > self.collectExtOutput("/usr/sbin/subscription-manager list > --installed --consumed")

I think this is strictly speaking redundant if we collect the certs however if it's cheap, easy and reliable I can see it being a "nice to have" for human viewers.

> + def postproc(self): + > self.doRegexSub("/etc/rhsm/rhsm.conf", > r"(\s*proxy_password\s*=\s*)\S+", r"\1%s" %('***'))

Good catch. We weren't told about any passwords to filter from these paths. I think we should ask for a signoff that this is all that's required here.

Regards,
Bryn.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+iqLYACgkQ6YSQoMYUY97KgwCgg5QOJB33ZxNccYcXtlJrpn34
tW0AoI8ghm7QkWd/Wb2m3QUowCHh2sJd
=BKDA
-----END PGP SIGNATURE-----
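
Review bot: in postproc() of the sos/plugins/rhsm.py hunk, the pattern `(\s*proxy_password\s*=\s*)\S+` is not tied to a single line, and `\s` also matches newlines. If the substitution is applied to the whole file text and `proxy_password =` has no value, the `\s*` after `=` runs across the line break and `\S+` replaces the first token of the next non-empty line (for example a following section header) with `***`. A value that contains whitespace is also masked only up to its first space, leaving the remainder in the report. Suggest matching horizontal whitespace only and masking to end of line, for example `r"(proxy_password[ \t]*=[ \t]*).+"` with the plain replacement `r"\1***"` in place of `r"\1%s" %('***')`. Separately, the diff header creates the module with `new file mode 100755`; an imported plugin file does not need the executable bit.

Review bot: in the copy specs suggested in the reply, `/etc/pki/entitlement/*.pem` also matches `key.pem` and every `*-key.pem` in that directory, so keeping private keys out of the report rests entirely on the two addForbiddenPath lines. Please confirm that addForbiddenPath expands the `*-key.pem` glob and that a forbidden path always overrides a matching copy spec, and add a check that fails if any key file under /etc/pki ends up in the collected tree. The same question applies if /etc/rhsm is collected as a whole directory instead of the single `rhsm.conf` in the original hunk: the postproc() scrub names only `/etc/rhsm/rhsm.conf`, so any other file picked up from that directory is copied unfiltered.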