strip-private: T6355: rework the strip-private filter #3475
53f4c7c to 5fb05f7
configuration commands
I can not call it to filter the configuration commands.
cpo@LR1.wue3# run show configuration commands | strip-private
Traceback (most recent call last):
  File "/usr/libexec/vyos/strip-private.py", line 156, in <module>
    stripped_config = strip_private(config_source)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/strip-private.py", line 115, in strip_private
    ct = vyos.configtree.ConfigTree(config_source)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 155, in __init__
    raise ValueError("Failed to parse config: {0}".format(msg))
ValueError: Failed to parse config: Syntax error on line 1, character 16: Invalid syntax.
VRF
I also do not see any path handling VRFs, but it should support also filtering the VRF defined configuration.
Example:
set protocols bgp neighbor 4.5.6.7 address-family ipv4-unicast
set protocols bgp neighbor 4.5.6.7 password 'baz'
set protocols bgp neighbor 4.5.6.7 remote-as '555'
set protocols bgp system-as '200'
set vrf name red protocols bgp neighbor 1.2.3.4 address-family ipv4-unicast
set vrf name red protocols bgp neighbor 1.2.3.4 password 'foobar123'
set vrf name red protocols bgp neighbor 1.2.3.4 remote-as '400'
set vrf name red protocols bgp system-as '200'
set vrf name red table '10000'
Result:
cpo@LR1.wue3# show | strip-private
...
protocols {
    bgp {
        neighbor 4.5.6.7 {
            address-family {
                ipv4-unicast
            }
            password "<PASSWORD REDACTED>"
            remote-as "555"
        }
        system-as "200"
    }
}
But for the VRF context I get:
vrf {
    name red {
        protocols {
            bgp {
                neighbor 1.2.3.4 {
                    address-family {
                        ipv4-unicast
                    }
                    password "foobar123"
                    remote-as "400"
                }
                system-as "200"
            }
        }
        table "10000"
    }
}
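An added example, not code from this PR or from VyOS: a minimal filter over `set`-command output that uses an explicit list of secret paths and matches each one both at the top level and under `vrf name <NAME>`, the two gaps raised in the review comment above. The path list, the function names and the fail-closed handling of unparseable lines are assumptions made for illustration.

```python
import shlex

REDACTED = "<PASSWORD REDACTED>"

# Illustrative secret paths (assumption, not the project's list).
# "*" stands for a tag-node value such as the neighbor address.
SECRET_PATHS = [("protocols", "bgp", "neighbor", "*", "password")]

# The same subtree may sit at the top level or under "vrf name <NAME>".
NESTING_PREFIXES = [(), ("vrf", "name", "*")]


def _matches(pattern, path):
    return len(pattern) == len(path) and all(
        want in ("*", got) for want, got in zip(pattern, path))


def is_secret(path):
    """True if the node path (without its value) is a secret leaf."""
    path = tuple(path)
    return any(_matches(prefix + secret, path)
               for prefix in NESTING_PREFIXES for secret in SECRET_PATHS)


def strip_private_commands(text):
    """Redact secret values in 'set ...' command output, line by line."""
    out = []
    for line in text.splitlines():
        try:
            words = shlex.split(line)
        except ValueError:
            # Fail closed: an unparseable line may still carry a secret.
            out.append("# <UNPARSEABLE LINE REDACTED>")
            continue
        if len(words) >= 3 and words[0] == "set" and is_secret(words[1:-1]):
            out.append(" ".join(words[:-1]) + f" '{REDACTED}'")
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample, taken from the commands quoted in the review comment.
SAMPLE = """\
set protocols bgp neighbor 4.5.6.7 password 'baz'
set protocols bgp neighbor 4.5.6.7 remote-as '555'
set vrf name red protocols bgp neighbor 1.2.3.4 password 'foobar123'
set vrf name red table '10000'"""

if __name__ == "__main__":
    print(strip_private_commands(SAMPLE))
```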
5fb05f7 to 7feadb1
to only remove passwords and use an explicit list of secret paths
7feadb1 to 8c1df7e
This used to work in 1.4.0-epa2 and also 1.3. It does not yet mask the OSPF key
We cannot implement a proper version until we figure out a way to pass the config path to the filter, and there seems to be no way to see if the config is at the top level or not. The situation in question is like The concept of secret nodes in the reference tree will make it all radically simpler, but only when we figure out UI for giving parameters to |
The original | strip-private has two issues:
xx.xx.10.20 makes it impossible to make any sense of what's going on. The script has options to only strip specific things, but they were never exposed in the CLI.
In the future, "secret" will be a property of the node in the config tree and "strip private" will be a feature of the config renderer. But for now we can at least:
Change Summary
Types of changes
Component(s) name
strip-private filter.
Proposed changes
How to test
My test config:
Smoketest result
Checklist: