SWARM - swarm client should read password from file

      The swarm client currently supports a -password command line arg, which works great, except that when you use it, the password is leaked in the process table (i.e. when any user on the Linux machine runs "ps -AF").

      Instead, the swarm client should support a -pwfile argument where the password is read from the user-supplied filename (which can be secured via the filesystem).

          [JENKINS-26620] SWARM - swarm client should read password from file

          Peter Jönsson added a comment - It's possible to inject the password through an environment variable. Then you could place the password in a file sourced before starting the swarm process.

          Maxfield Stewart added a comment - The environment variable is useful, but then the password is leaked in Jenkins when someone views the System Information for a node and can see it in plain text on the Environment Variables list. Loading from a creds file would prevent this.

          Peter Jönsson added a comment - True, will look into this.

          Brandon Heller added a comment - Also came across this issue, where we saw the password printed in the env var printout for each job. I had changed from the -password option to -passwordEnvVariable because when upgrading from v1.16 to v2.0, the -password option interprets a leading '@' in the password as a file reference.

          So the bad news is that with v2.0, you can't directly pass in some passwords, but if the -password value starts with @, it's treated as a file. I couldn't find any documentation on this, but perhaps I missed it.

          This issue should be resolved as Fixed.

          Kalyan Koduru added a comment - This issue is not yet resolved. I updated to swarm plugin 2.1 and could still see that the password is leaked in the "ps" command.

          Peter Jönsson added a comment - kalyankix, not even with the "@"-trick mentioned above?

          Kalyan Koduru added a comment - My bad. I think it's working after switching to passwordEnvVariable.
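
The process-table leak discussed in this thread can be audited on the agent host. The following is an added example, not code from the Swarm plugin or from any commenter: it parses the NUL-separated `/proc/<pid>/cmdline` data that `ps` displays, flags a `-password` value passed inline, and for the `@file` form checks that the file is not group- or world-readable. The function names, the sample command line and the permission check are assumptions made for illustration.

```python
import os
import stat

def parse_cmdline(raw: bytes) -> list:
    """Split NUL-separated /proc/<pid>/cmdline bytes into arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_password_arg(argv, flag="-password"):
    """Classify how `flag` is used: absent, inline, file-ok, file-loose, file-missing."""
    for i, arg in enumerate(argv[:-1]):
        if arg != flag:
            continue
        value = argv[i + 1]
        if not value.startswith("@"):
            return "inline"  # literal secret, visible to every local user via ps
        try:
            # Relative paths resolve against the auditor's cwd, not the target's.
            mode = os.stat(value[1:]).st_mode
        except OSError:
            return "file-missing"
        loose = mode & (stat.S_IRWXG | stat.S_IRWXO)
        return "file-loose" if loose else "file-ok"
    return "absent"

def scan_proc(proc="/proc"):
    """Return [(pid, verdict)] for readable processes that pass the flag."""
    findings = []
    if not os.path.isdir(proc):
        return findings
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                verdict = audit_password_arg(parse_cmdline(f.read()))
        except OSError:
            continue  # process exited or access denied
        if verdict != "absent":
            findings.append((int(pid), verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample of a cmdline with an inline password (not real data).
    sample = b"java\0-jar\0swarm-client.jar\0-password\0hunter2\0"
    print("sample:", audit_password_arg(parse_cmdline(sample)))
    for pid, verdict in scan_proc():
        print(pid, verdict)
```

This covers only the command-line channel; a password supplied through -passwordEnvVariable does not appear in `cmdline` and has to be checked in the node's Environment Variables listing mentioned in the comments.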

            mindjiver Peter Jönsson
            jnewblanc Jason Newblanc