  1. Jenkins
  2. JENKINS-26620

SWARM - swarm client should read password from file

      Description

      The swarm client currently supports a -password command line arg, which works great, except that when you use it, the password is leaked in the process table (i.e. when any user on the Linux machine runs "ps -AF").

      Instead, the swarm client should support a -pwfile argument where the password is read from the user-supplied filename (which can be secured via the filesystem).

          Activity

          mindjiver Peter Jönsson added a comment -

          It's possible to inject the password through an environment variable. Then you could place the password in a file sourced before starting the swarm process.

          maxfields2000 Maxfield Stewart added a comment -

          The environment variable is useful, but then the password is leaked in Jenkins when someone views the System Information for a node and can see it in plain text on the Environment Variables list.

          Loading from a creds file would prevent this.

          mindjiver Peter Jönsson added a comment -

          True, will look into this.

          brandonheller Brandon Heller added a comment -

          Also came across this issue, where we saw the password printed in the env var printout for each job. I had changed from the -password option to -passwordEnvVariable because when upgrading from v1.16 to v2.0, the -password option interprets a leading '@' in the password as a file reference.

          So the bad news is that with v2.0, you can't directly pass in some passwords, but if the -password value starts with @, it's treated as a file. I couldn't find any documentation on this, but perhaps I missed it.

          This issue should be resolved as Fixed.

          kalyankix Kalyan Koduru added a comment -

          This issue is not yet resolved. I updated to swarm plugin 2.1 and could still see that password is leaked into "ps" command.

          mindjiver Peter Jönsson added a comment -

          Kalyan Koduru, not even with the "@"-trick mentioned above?

          kalyankix Kalyan Koduru added a comment -

          My bad. I think it's working after switching to passwordEnvVariable.
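
An audit sketch for the two exposure paths discussed in this thread (a literal `-password` value in the process table, and a password file that is not locked down), added here as an example; it is not code from the Swarm client or from any commenter. It assumes Linux `/proc`, and the function names `check_cmdline`, `pwfile_is_private` and `audit_proc` are hypothetical:

```shell
#!/bin/sh
# Added example, not Swarm project code. Assumes Linux /proc and the option
# names from this thread (-password, leading '@' meaning "read from file").

# check_cmdline FILE: FILE holds a NUL-separated argv (/proc/<pid>/cmdline
# format). Prints LEAK, "FILE <path>" or NONE; never echoes the secret itself.
check_cmdline() {
    tr '\000' '\n' < "$1" | awk '
        prev == "-password" {
            if (substr($0, 1, 1) == "@") { print "FILE " substr($0, 2) }
            else { print "LEAK" }
            found = 1; exit
        }
        { prev = $0 }
        END { if (!found) print "NONE" }'
}

# pwfile_is_private PATH: succeeds only for a regular file with no group or
# other permission bits (e.g. mode 0600 or 0400). Symlinks are rejected.
pwfile_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_proc: scan every readable process. Relative password-file paths are
# resolved against the auditor's working directory, so prefer absolute paths.
audit_proc() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        pid=${f#/proc/}; pid=${pid%/cmdline}
        result=$(check_cmdline "$f" 2>/dev/null)
        case "$result" in
            LEAK) echo "pid $pid: password literal visible in process table" ;;
            "FILE "*) pwfile_is_private "${result#FILE }" ||
                echo "pid $pid: password file is group/world accessible" ;;
        esac
    done
}

if [ "${1:-}" = "--scan" ]; then
    audit_proc
else
    # Constructed sample argv, not a real process.
    sample=$(mktemp)
    printf 'java\000-jar\000swarm-client.jar\000-password\000example\000' > "$sample"
    echo "constructed sample: $(check_cmdline "$sample")"
    rm -f "$sample"
fi
```

Run with `--scan` to check live processes. The environment-variable path is not covered, since that exposure happens inside Jenkins' System Information view and not in the process table.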


            People

            • Assignee: mindjiver Peter Jönsson
            • Reporter: jnewblanc Jason Newblanc
            • Votes: 4
            • Watchers: 7
