[sos-devel] [PATCH] New plugin : RHSM

Bryn M. Reeves bmr at redhat.com
Thu May 3 15:48:06 UTC 2012


On 05/03/2012 04:32 PM, Cedric Buissart wrote:
> RHSM, the certificate based entitlement used in recent RHEL
> (default registration method in 6.2 and 5.8 afaik) should have its
> plugin.
> 
> Below is a quick small patch that retrieves some basic info:
> * configuration (the proxy password is ***'ed)
> * log
> * additional info about the machine's ID and addon subscriptions.
> * plugin is currently enabled by default. Let me know if we should
>   override `checkenabled`

Hi Cedric,

We have some changes in sos-2.2 for RHSM - check out the patches and
changelog entries for bugs bz678665, bz714293, and bz750607.

These changes are not all forward ported to master at the moment
(partly because we put some of this into the general plugin and we
wanted to include it in the general plugin reorganisation we've been
discussing).

There are a few comments on missing pieces in-line, but I think this
would make a good basis for the upstream version of this module, thanks!

> +class rhsm(Plugin, RedHatPlugin): +    '''RHSM is the new
> certificate based Red Hat subscription management'''

Probably want a checkenabled here if this is going into a new module
(triggered by a package name match or file check).

> +    def setup(self): +       # Copy the RHSM configuration file +
> # XXX : let's not get the PEM files +
> self.addCopySpec("/etc/rhsm/rhsm.conf")
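
Review bot: The `# XXX : let's not get the PEM files` comment in setup() records an exclusion without giving the reason or the paths it covers, and nothing in the hunk enforces it. Keys stay out only because the single copy spec is `/etc/rhsm/rhsm.conf`; if that spec is widened later, say in the comment which PEM files are private keys and exclude them explicitly rather than relying on the narrow path.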

Why not scoop up the whole of /etc/rhsm? I'm not sure what other files
may exist there today but this was what the folks from RHSM I talked
to wanted.

We also need to collect the entitlement certificates from /etc/pki but
we must *not* collect the private keys. Something like:

+               self.addCopySpec("/etc/pki/product/*.pem")
+               self.addCopySpec("/etc/pki/consumer/cert.pem")
+               self.addCopySpec("/etc/pki/entitlement/*.pem")
+               self.addForbiddenPath("/etc/pki/entitlement/key.pem")
+               self.addForbiddenPath("/etc/pki/entitlement/*-key.pem")
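
Review bot: The `/etc/pki/entitlement/*.pem` glob on the third added line also matches `key.pem` and `*-key.pem`, so the two `addForbiddenPath` lines are the only thing keeping private keys out of the report. Consider placing the forbidden paths before the copy specs with a comment saying why they are there, so a reader does not have to work out whether call order matters and a later cleanup does not drop them.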

> +       # Gathering generic data about identity and add-on
> consumption +
> self.collectExtOutput("/usr/sbin/subscription-manager identity") +
> self.collectExtOutput("/usr/sbin/subscription-manager list
> --installed --consumed")
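
Review bot: Output of both `subscription-manager` calls in setup() is collected verbatim, while the only scrubbing in the patch is the `proxy_password` substitution that postproc() applies to `rhsm.conf`. Before merging, confirm that neither `identity` nor `list --installed --consumed` prints anything that needs masking, and note the result in the comment above these calls.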

I think this is, strictly speaking, redundant if we collect the certs;
however, if it's cheap, easy and reliable I can see it being a "nice to
have" for human viewers.

> +    def postproc(self): +
> self.doRegexSub("/etc/rhsm/rhsm.conf",
> r"(\s*proxy_password\s*=\s*)\S+", r"\1%s" %('***'))
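
Review bot: In postproc(), `\S+` stops at the first whitespace, so a `proxy_password` value containing a space is only partly masked; and if the substitution runs over the whole file, the `\s*` after `=` can cross a newline, so an empty value masks the first token of the next line instead. Match horizontal whitespace only and consume to end of line, and replace `r"\1%s" %('***')` with the literal `r"\1***"`.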

Good catch. We weren't told about any passwords to filter from these
paths. I think we should ask for a signoff that this is all that's
required here.

Regards,
Bryn.
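
As an added illustration (not code from the patch or from sos), the following models the two safeguards discussed in this message: the `/etc/pki` copy specs with their forbidden paths, and the `proxy_password` substitution. `select_files`, `mask` and `LINE_RE` are hypothetical names, the file list and config fragments are constructed, and the regex is assumed to run over the whole file content.

```python
import fnmatch
import re

# Constructed sample paths for illustration; not taken from a real host.
SAMPLE_FILES = [
    "/etc/pki/product/69.pem",
    "/etc/pki/consumer/cert.pem",
    "/etc/pki/consumer/key.pem",
    "/etc/pki/entitlement/1234567890.pem",
    "/etc/pki/entitlement/1234567890-key.pem",
    "/etc/pki/entitlement/key.pem",
]
# Patterns copied from the reply above.
COPY_SPECS = [
    "/etc/pki/product/*.pem",
    "/etc/pki/consumer/cert.pem",
    "/etc/pki/entitlement/*.pem",
]
FORBIDDEN = [
    "/etc/pki/entitlement/key.pem",
    "/etc/pki/entitlement/*-key.pem",
]

def select_files(files, copy_specs, forbidden):
    """Hypothetical model: collect a file if a copy spec matches and no forbidden pattern does."""
    def hit(path, patterns):
        return any(fnmatch.fnmatchcase(path, p) for p in patterns)
    return [f for f in files if hit(f, copy_specs) and not hit(f, forbidden)]

# Pattern from the patch, and a stricter line-anchored variant (an assumption of this example).
PATCH_RE = re.compile(r"(\s*proxy_password\s*=\s*)\S+")
LINE_RE = re.compile(r"^([ \t]*proxy_password[ \t]*=[ \t]*)\S.*$", re.MULTILINE)

def mask(text, pattern=PATCH_RE):
    """Replace the matched password with '***', keeping the 'proxy_password =' prefix."""
    return pattern.sub(r"\1***", text)

# Constructed rhsm.conf fragments: a value containing a space, and an empty value.
CONF_SPACE = "proxy_user = sos\nproxy_password = two words\n"
CONF_EMPTY = "proxy_password =\nproxy_port = 3128\n"

if __name__ == "__main__":
    print(select_files(SAMPLE_FILES, COPY_SPECS, FORBIDDEN))
    print(select_files(SAMPLE_FILES, COPY_SPECS, []))   # keys are collected without FORBIDDEN
    for conf in (CONF_SPACE, CONF_EMPTY):
        print(repr(mask(conf)), repr(mask(conf, LINE_RE)))
```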
