Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7340

Passwords exposed in skopeo commands

XMLWordPrintable

    • False
    • None
    • False
    • Quay Enterprise
      1. Install skopeo on a host.
      2. Launch a mirror process from an external repository.
      3. Run ps |grep -i skopeo on the host to see the running processes.
    • Important

      When mirroring an external repository to quay, skopeo processes are generated to copy the information. By doing a ps on the host where that command is being executed you can see the user and password being used in plain text. 

      1001 39351 38470 10 13:23 ? 00:00:00 /usr/bin/skopeo copy --all --remove-signatures --src-tls-verify=False --dest-tls-verify=True --dest-creds manrique+robotmirror:TGKB32T8C58VHR4SVAS44Q8WS249RXSWJSW1634ZXM5XQQJMXIPQ5HTDGJTPT5FC --src-creds mangarci:xxxxxxx docker://quay.io/openshift-release-dev/ocp-release:4.1.20 docker://ip-10-0-1-73.eu-west-1.compute.internal/manrique/ocp4-mirror:4.1.20

            Unassigned Unassigned
            rhn-support-mangarci Manrique García
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: