@@ -271,6 +271,97 @@ save_command() {
271271 log_verbose " Saved: $filename "
272272}
273273
274+ sanitize_docker_inspect () {
275+ # Sanitize docker inspect JSON output by removing environment variable values
276+ # Input: JSON from docker inspect (via stdin)
277+ # Output: Sanitized JSON with env var values replaced with "[REDACTED]"
278+ local temp_file
279+ temp_file=$( mktemp)
280+ local sanitized_file=" ${temp_file} .sanitized"
281+
282+ # Read stdin into temp file
283+ if ! cat > " $temp_file " 2> /dev/null || [[ ! -s " $temp_file " ]]; then
284+ rm -f " $temp_file "
285+ return 1
286+ fi
287+
288+ # Try using jq first (most reliable for JSON manipulation)
289+ if command_exists jq; then
290+ # Handle both array and single object responses from docker inspect
291+ # Walk through the JSON and sanitize all Env arrays
292+ if jq -c ' if type == "array" then
293+ map(walk(if type == "object" and has("Env") then
294+ .Env = (.Env | if type == "array" then
295+ map(if type == "string" and contains("=") then
296+ (split("=")[0] + "=[REDACTED]")
297+ else . end)
298+ else . end)
299+ else . end))
300+ else
301+ walk(if type == "object" and has("Env") then
302+ .Env = (.Env | if type == "array" then
303+ map(if type == "string" and contains("=") then
304+ (split("=")[0] + "=[REDACTED]")
305+ else . end)
306+ else . end)
307+ else . end)
308+ end' " $temp_file " 2> /dev/null > " $sanitized_file " ; then
309+ # Verify output is non-empty and looks like JSON
310+ if [[ -s " $sanitized_file " ]] && grep -qE ' [\[\{]' " $sanitized_file " 2> /dev/null; then
311+ cat " $sanitized_file "
312+ rm -f " $sanitized_file " " $temp_file "
313+ return 0
314+ fi
315+ rm -f " $sanitized_file "
316+ fi
317+ fi
318+
319+ # Fallback: Use sed for pattern-based sanitization
320+ # Match patterns like: "KEY=VALUE" within JSON strings
321+ # This regex: "KEY=anything" becomes "KEY=[REDACTED]"
322+ if sed -E ' s/"([A-Za-z_][A-Za-z0-9_]*)=([^"]*)"/"\1=[REDACTED]"/g' " $temp_file " 2> /dev/null > " $sanitized_file " ; then
323+ # Verify the output is still valid JSON-like (has braces/brackets)
324+ if [[ -s " $sanitized_file " ]] && grep -qE ' [\[\{]' " $sanitized_file " 2> /dev/null; then
325+ cat " $sanitized_file "
326+ rm -f " $sanitized_file " " $temp_file "
327+ return 0
328+ fi
329+ rm -f " $sanitized_file "
330+ fi
331+
332+ # Last resort: Use perl for more reliable pattern matching (if available)
333+ if command_exists perl; then
334+ if perl -pe ' s/"([A-Za-z_][A-Za-z0-9_]*)=([^"]*)"/"$1=[REDACTED]"/g' " $temp_file " 2> /dev/null > " $sanitized_file " ; then
335+ if [[ -s " $sanitized_file " ]] && grep -qE ' [\[\{]' " $sanitized_file " 2> /dev/null; then
336+ cat " $sanitized_file "
337+ rm -f " $sanitized_file " " $temp_file "
338+ return 0
339+ fi
340+ rm -f " $sanitized_file "
341+ fi
342+ fi
343+
344+ # If all sanitization methods fail, use simple sed as absolute fallback
345+ # This is a best-effort attempt that may not catch all cases
346+ if sed ' s/=[^",]*"/=[REDACTED]"/g' " $temp_file " 2> /dev/null > " $sanitized_file " ; then
347+ if [[ -s " $sanitized_file " ]]; then
348+ # Prepend warning comment (outside JSON) if possible
349+ # For JSON arrays/objects, we can't easily add comments, so we'll just return it
350+ cat " $sanitized_file "
351+ rm -f " $sanitized_file " " $temp_file "
352+ # Return 1 to indicate fallback was used (caller can log warning if needed)
353+ return 1
354+ fi
355+ fi
356+
357+ # Absolute last resort: return original with minimal sanitization attempt
358+ # Log to stderr so it doesn't pollute the JSON output
359+ echo " # WARNING: Environment variable sanitization may be incomplete. Some sensitive data may remain." >&2
360+ cat " $temp_file "
361+ rm -f " $temp_file "
362+ return 1
363+ }
364+
274365# -------------------------------------------------------------------------------
275366# Early Detection Functions
276367# -------------------------------------------------------------------------------
@@ -1049,9 +1140,29 @@ collect_docker_info() {
10491140
10501141 log_info " → ${container_name} (${container_image} )"
10511142
1052- # Container inspect
1053- save_command " docker/vllm_logs/${container_name} _inspect.json" " root" \
1054- docker inspect " $container_id "
1143+ # Container inspect (with environment variable sanitization)
1144+ local inspect_output sanitized_output sanitize_status
1145+ inspect_output=$( run_cmd " root" docker inspect " $container_id " 2>&1 )
1146+ if [[ -n " $inspect_output " ]]; then
1147+ # Sanitize the output
1148+ sanitized_output=$( echo " $inspect_output " | sanitize_docker_inspect 2>&1 )
1149+ sanitize_status=$?
1150+
1151+ {
1152+ echo " # Command: docker inspect $container_id "
1153+ echo " # Timestamp: $( date -Iseconds) "
1154+ echo " # Requires root: root"
1155+ if [[ $sanitize_status -eq 0 ]]; then
1156+ echo " # Note: Environment variable values have been sanitized"
1157+ else
1158+ echo " # WARNING: Environment variable sanitization may be incomplete"
1159+ echo " # Consider installing 'jq' for reliable JSON sanitization"
1160+ fi
1161+ echo " ---"
1162+ echo " $sanitized_output "
1163+ } > " ${WORK_DIR} /docker/vllm_logs/${container_name} _inspect.json" 2>&1
1164+ log_verbose " Saved: docker/vllm_logs/${container_name} _inspect.json (sanitized)"
1165+ fi
10551166
10561167 # Container logs (last 10000 lines to avoid massive files)
10571168 save_command " docker/vllm_logs/${container_name} _logs.txt" " root" \
@@ -1349,10 +1460,6 @@ collect_package_info() {
13491460collect_additional_info () {
13501461 print_section " Additional System Information"
13511462
1352- print_subsection " Environment"
1353- save_command " system/environment.txt" " noroot" env
1354- log_info " Environment variables"
1355-
13561463 print_subsection " Loaded Kernel Modules"
13571464 save_command " system/lsmod.txt" " noroot" lsmod
13581465 log_info " Kernel modules"
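Review bot: The final branch of `sanitize_docker_inspect` (first hunk) fails open: once every method has failed it still runs `cat "$temp_file"`, so the unredacted inspect JSON, including every `Env` value, is written to the `_inspect.json` file in the bundle with only a warning header above it. Replace that line with a placeholder such as `echo '{"error": "docker inspect output withheld: sanitization failed"}'` so a sanitization failure never ships the raw data. The sed and perl fallbacks share the value pattern `([^"]*)`, which stops at the first `"`; a value holding an escaped quote would be cut there with its tail left in the output, yet the `grep -qE '[\[\{]'` check still passes, the function returns 0, and the caller labels the file as sanitized. The jq filter rewrites only `Env` arrays, so anything sensitive passed through `Cmd`, `Args`, `Entrypoint` or labels (if containers are started that way) is kept, and a comment next to the filter should say so. In the second hunk, `run_cmd ... 2>&1` folds docker's stderr into the text handed to jq, which can make the parse fail and push the run onto the weaker fallbacks; capturing stdout only would avoid that.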