Bug 2003204
| Summary: | Jenkins all new container images (openshift4/ose-jenkins) not supporting '-e JENKINS_PASSWORD=password' ENV which was working for old container images | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Mayur Deore <mdeore> | ||||
| Component: | Jenkins | Assignee: | Akram Ben Aissi <abenaiss> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Jitendar Singh <jitsingh> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 4.8 | CC: | adam.kaplan, akram, aos-bugs, cdaley, jitsingh, jkaur, pbhattac, spandura | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.10.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2022-03-10 16:09:11 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Hi Mayur, 4 months ago, we upgrade the Jenkins image to an earlier version of Jenkins that deprecated the use of acegi and thus changed the password obfuscation algorithm. I can that what you are seeing is probably a side effect of it. https://github.com/openshift/jenkins/commit/2fed2dd020564bcbadbd74687214daa9b923f18e Can you try bcrypting the admin password before passing it as an environment variable? Hi Akram, Thanks for the update. If possible can you please share the steps that I can use and share with Cu too if get accepted for bcrypting? Also, Is there any way to fix this? Because README.md is still showing that we can use 'JENKINS_PASSWORD' ENV to set passwords for 'admin' for the default admin password. https://github.com/openshift/jenkins#environment-variables @jkaur and Mayur ; I have reproduced the issue last week and started to work on it https://github.com/openshift/jenkins/pull/1334/files Right now, it seems that the default password is not saved when setting the JENKINS_PASSWORD env var, the bcyrpt comparison was failing. A first issue was related to unfound jar during first startup compared to subsequent startups. We are still investigating it and will update the bz. Hello Akram, Corey, Thank you for your update. Please do keep the work progress updated on BZ for reference. I will share the current updates with the customer. Thanks, Mayur Hi Mayur, I have been actively working on this issue for the last 2 days. The good news is that we have a proper fix for it now. The PR is just pending approval. After doing more tests, I have also seen that the support of the OPENSHIFT_ENABLE_OAUTH variable was certainly broken, but the environment so I also fixed it in another PR. I may merge the 2 PRs together. I will be working in having an automated e2e test for it between today and tomorrow as this is a pre-requisite for the PR merge, and I will do the requirements for the release. https://github.com/openshift/jenkins/pull/1334 https://github.com/openshift/jenkins/pull/1345 Akram Hi Akram, I am glad that we get the fix for this. Thank you so much for actively working on this. I really appreciate the time and effort you put into this. Thanks, Mayur VERIFIED able to login to jenkins console ============= jitsingh@fedora ~ oc new-project jenkins-test Now using project "jenkins-test" on server "https://api.app-svc-4.10-011001.devcluster.openshift.com:6443". You can add applications to this project with the 'new-app' command. For example, try: oc new-app rails-postgresql-example to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application: kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname jitsingh@fedora ~ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins@sha256:5326101b01e013f94b2f5cd9aa88cd949f8114329eebcc150aaf40f3d535b1a6 Flag --docker-image has been deprecated, Deprecated flag use --image --> Found container image 64f6876 (3 weeks old) from registry.redhat.io for "registry.redhat.io/openshift4/ose-jenkins@sha256:5326101b01e013f94b2f5cd9aa88cd949f8114329eebcc150aaf40f3d535b1a6" Jenkins 2 --------- Jenkins is a continuous integration server Tags: jenkins, jenkins2, ci * An image stream tag will be created as "ose-jenkins:latest" that will track this image --> Creating resources ... imagestream.image.openshift.io "ose-jenkins" created deployment.apps "ose-jenkins" created service "ose-jenkins" created --> Success Application is not exposed. You can expose services to the outside world by executing one or more of the commands below: 'oc expose service/ose-jenkins' Run 'oc status' to view your app. jitsingh@fedora ~ oc expose service/ose-jenkins route.route.openshift.io/ose-jenkins exposed jitsingh@fedora ~ oc get routes NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD ose-jenkins ose-jenkins-jenkins-test.apps.app-svc-4.10-011001.devcluster.openshift.com ose-jenkins 8080-tcp None jitsingh@fedora ~ oc get pods -w NAME READY STATUS RESTARTS AGE ose-jenkins-59cd8f67fc-8hnhz 1/1 Running 0 38s ^C% ✘ jitsingh@fedora ~ oc rsh ose-jenkins-59cd8f67fc-8hnhz sh-4.4$ env | grep JENKINS_PASSWORD JENKINS_PASSWORD=password sh-4.4$ exit exit ============================================ Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days |
Created attachment 1822163 [details] Error on console Description of problem: In the following command, ENV Variable is getting passed to the container but on the console, it was showing an invalid username and password for 'user: admin', 'password: password'. ~~~ $ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.6.0-202108202025.p0.git.57c7cb1.assembly.stream OR $ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.8.0-202108312109.p0.git.8f554e2.assembly.stream OR $ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.6.0-202108112026.p0.git.57c7cb1 ~~~ ~~~ [quicklab@upi-0 ~]$ oc rsh pod/ose-jenkins-9dc76b9f6-88xxh sh-4.4$ env | grep JENKINS_PASSWORD JENKINS_PASSWORD=password ~~~ This same method was working fine for old images in which it was accepting 'username: admin' and 'password: password'. One example is listed below. ~~~ $ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.6.0-202104151601.p0 ~~~ Version-Release number of selected component (if applicable): - v4.6.0-202108202025.p0.git.57c7cb1.assembly.stream (latest, Published 2 days ago) - v4.8.0-202108312109.p0.git.8f554e2.assembly.stream - v4.6.0-202108112026.p0.git.57c7cb1 How reproducible: We can run this image using `oc new-app` command and exposing the service URL then try to log in on console using `username:admin`, `password:password` Steps to Reproduce: 1. $ oc new-app -e JENKINS_PASSWORD=password --docker-image=registry.redhat.io/openshift4/ose-jenkins:v4.8.0-202108312109.p0.git.8f554e2.assembly.stream 2. $ oc expose service/ose-jenkins 3. $ oc get route 5. Open that URL in the browser, and Try login with 'username: admin' and 'password: password' Actual results: We will get 'Invalid username or password' on the console with 'username: admin' and 'password: password' Expected results: We should get a dashboard of jenkins. Additional info: - ENV Variable 'JENKINS_PASSWORD' is used to set password for Jenkins 'admin' user. - Facing the same issue with other passwords also like 'admin123#'.