Scrub tracked secrets and switch ATVM docs to local credential references

- remove hardcoded credentials, tokens, registration codes, and similar secret values from tracked ATVM and CDS MCP docs
- replace those values with references to /home/aw/code/cds/.env.credentials.local and the corresponding environment variable names
- update current operator guides to instruct sourcing .env.credentials.local before credential-dependent setup and automation workflows
- update the ATVM setup scripts to consume ATVM_TARGET_PASSWORD from the environment instead of hardcoding the Ubuntu root SSH password
- scrub the remaining tracked artifact log entry that still included the old CMC registration code
- keep the local-only credential inventory in .env.credentials.local while leaving that file untracked
2026-03-24 17:32:44 -04:00
parent 4c07863f6c
commit 86b1a0e4a9
13 changed files with 111 additions and 84 deletions


@@ -12,12 +12,12 @@ Run ATVM CMC automation tests on the designated automation VM without unintended
## ATVM Cypress Automation Controller Client
- Hostname: `atvm-cypres-vm-1`
- IP: `192.168.3.190`
- Credentials: `root / atvmcdsi2012`
- Credentials: source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_CONTROLLER_USER` plus `ATVM_CONTROLLER_PASSWORD`
## ATVM Target Host Default
- Treat `192.168.3.191` as the default ATVM target host reference.
- For SSH to `192.168.3.191`, ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
- For SSH to `192.168.3.191`, use default credentials `root / cdsi2012` unless the operator explicitly overrides them.
- For SSH to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless the operator explicitly overrides them.
## Operating Constraints
- Run only scripts/commands explicitly requested.
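Review bot: The two replaced credential lines (`root / atvmcdsi2012` for the controller and `root / cdsi2012` for `192.168.3.191`) remain readable in history from parent 4c07863f6c backwards, so removing them from the docs does not make them secret again. Rotate both passwords as part of this change and store only the new values in `.env.credentials.local`; otherwise the new environment variable references point at credentials that are already disclosed.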


@@ -12,7 +12,7 @@ Do not put dated run examples here.
The setup flow performs a controlled bootstrap across supported Linux distributions:
1. Validate target host identity using expected IP + expected hostname before any configuration.
2. Fix repositories (especially CD/DVD media repo entries).
3. On Ubuntu, configure root SSH password-login workflow (`root/cdsi2012`) for follow-on root operations.
3. On Ubuntu, configure root SSH password-login workflow using `ATVM_TARGET_PASSWORD` for follow-on root operations.
4. On Oracle Linux, set default boot kernel to non-UEK when available.
5. Disable unattended auto-upgrades on Ubuntu.
6. Remove specific storage-related packages and install base tooling.
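Review bot: Step 3 now depends on `ATVM_TARGET_PASSWORD`, but the numbered flow does not say when the variable is checked. If the check only happens when step 3 is reached, step 2 has already rewritten repository entries on the target. Add the check to step 1 next to the IP and hostname validation (for Ubuntu targets) so a missing credential stops the run before any configuration change.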
@@ -27,10 +27,10 @@ The setup flow performs a controlled bootstrap across supported Linux distributi
- Shell safety flags: `set -euo pipefail`
- Logging: colorized console + plain text log file
- Entry point: `main "$@"`
- Default operator assumption for setup access: `root / cdsi2012` unless explicitly overridden.
- Default operator assumption for setup access: source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless explicitly overridden.
- When the operator refers to `192.168.3.191`, treat it as the default ATVM target host.
- For SSH to `192.168.3.191`, ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
- For SSH to `192.168.3.191`, use `root / cdsi2012` unless the operator explicitly provides different credentials.
- For SSH to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless the operator explicitly provides different credentials.
## Mandatory Identity Gate
Setup must not start unless operator explicitly provides both values:
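Review bot: The unchanged bullet that sets `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` for `192.168.3.191` now sits directly above the bullet that sends `ATVM_TARGET_PASSWORD` to that address, so the root password is offered to whichever host answers on that IP. The setup flow already gates on expected IP and hostname; consider pinning the host key as well, with a dedicated known_hosts file for the lab and `-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=<lab-known-hosts>`, clearing the entry when the VM is rebuilt.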
@@ -76,7 +76,7 @@ Rules:
### Ubuntu Root SSH Workflow
- Ubuntu only.
- Set root password `cdsi2012`, unlock root account.
- Require `ATVM_TARGET_PASSWORD` in the environment, then set the root password to that value and unlock the root account.
- Write `/etc/ssh/sshd_config.d/99-atvm-root-login.conf` enabling root + password auth.
- Validate config and restart SSH service.
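Review bot: The rewritten bullet says to "require" `ATVM_TARGET_PASSWORD` but not what counts as present or how the value reaches the password change. A check for an unset variable alone passes for an empty string, so spell out a non-empty check such as `: "${ATVM_TARGET_PASSWORD:?must be set}"`, and state that the value is fed on stdin (for example to `chpasswd`) so it does not appear in process arguments or in the setup log.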
@@ -135,6 +135,7 @@ Required post-run validation:
## Preferred Execution Commands
Direct client execution:
```bash
source /home/aw/code/cds/.env.credentials.local
sudo bash /home/cirrususer/atvm-setup-script.sh \
--expected-ip <current-client-ip> \
--expected-hostname <exact-hostname>
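Review bot: In the direct client command, `source` runs in the operator's shell but the script runs under `sudo`, which resets the environment by default, so `ATVM_TARGET_PASSWORD` may never reach `atvm-setup-script.sh`. Pass it explicitly, for example `sudo --preserve-env=ATVM_TARGET_PASSWORD bash ...`, and require the variable to be exported. The command also assumes `/home/aw/code/cds/.env.credentials.local` exists on the client, while the script itself lives under `/home/cirrususer`; say how the file gets there or where the operator should source it from.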
@@ -142,12 +143,14 @@ sudo bash /home/cirrususer/atvm-setup-script.sh \
Controller run + collect:
```bash
source /home/aw/code/cds/.env.credentials.local
EXPECTED_IP_ARG=<current-client-ip> EXPECTED_HOSTNAME_ARG=<exact-hostname> \
/home/aw/code/cds/atvm/scripts/run-atvm-setup-and-collect-log.sh
```
Controller collect-only after client run:
```bash
source /home/aw/code/cds/.env.credentials.local
/home/aw/code/cds/atvm/scripts/run-atvm-setup-and-collect-log.sh --collect-after-complete
```
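Review bot: Both controller commands `source` the file and then start `run-atvm-setup-and-collect-log.sh` as a child process, which inherits only exported variables; the hunk does not say whether `.env.credentials.local` uses `export`. State that requirement here or wrap the source in `set -a` / `set +a`. Since this file is now the single inventory of these credentials, also note that it should be readable by the operator only (mode 600).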


@@ -12,7 +12,7 @@ This file stores run-specific examples only when a run produced a new learning r
- Final static IP: `192.168.3.191`
- Hostname: `atvm-codextest-vm-1`
- Learning:
- Root SSH password workflow (`root/cdsi2012`) and log copy/hash verification path are valid end-to-end.
- Root SSH password workflow backed by `ATVM_TARGET_PASSWORD` and the log copy/hash verification path are valid end-to-end.
- Wrapper must enforce identity arguments for run-and-collect mode.
- Action for future runs:
- Require `EXPECTED_IP_ARG` and `EXPECTED_HOSTNAME_ARG` for wrapper run-and-collect.
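Review bot: The rewritten Learning bullet changes what this run record says was validated. The run exercised the hardcoded root password, not a workflow "backed by `ATVM_TARGET_PASSWORD`", which only exists as of this commit. Redact the value without restating the history, for example "Root SSH password workflow (password redacted) and log copy/hash verification path are valid end-to-end", and re-validate the environment-variable path in a new run entry.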