Red Hat Bugzilla – Bug 1030906
500 error is seen when change password for jenkins admin user.
Last modified: 2015-11-23 09:25:46 EST
Description of problem:
When changing password for admin suer of jenkins app, 500 error is seen.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Create a jenkins app
2.Following the output of step 1 to change password by accessing https://jenkins-jialiu.ose-1114.com.cn/me/configure
When click "save" button, 500 error is shown.
Change password for Jenkins admin should succeed.
This issue does not occurs with online devenv.
I tracked this down to x86_64 vs i686 JVM. That is the _only_ jenkins difference between Online and OSE 2.0 beta right now. Unfortunately, it's pretty complicated to have both versions installed side by side since yum tries to prevent it. Here's what I did:
On a devenv:
* Find the i686 deps that need to be installed
repoquery --requires --installed --resolve java-1.7.0-openjdk
On an OSE 2.0 beta machine:
* use yumdownloader to download all the packages manually
* rpm ivh all the deps
* rpm -Uvh --force to install the jvm packages alongside the x86_64 version
* "alternatives --config java" to switch between
* "/etc/alternatives/jre/bin/java -version" to sanity check since that's what jenkins uses
* restart jenkins
When I run with the 32 bit JVM changing the password works. With 64 bit I see the stack trace. The most interesting parts of the strace trace are:
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
at sun.security.pkcs11.wrapper.PKCS11.C_DecryptUpdate(Native Method)
... 75 more
I'll attach the full trace.
Created attachment 824637 [details]
Upstream is fixed... can this perhaps make it into 2.0.3?
I'm pretty sure upstream fixed it by hacking /usr/lib/jvm/jre-1.7.0-openjdk/lib/security/java.security in the devenv tooling and puppet (for Online). It still exists in Origin.
The best we could do now is a kbase article. That's a good idea for 2.0.3.
According to bug 1031145 comment 3, the problem was the line in /usr/lib/jvm/jre-1.7.0-openjdk/lib/security/java.security that enabled sun.security.pkcs11.SunPKCS11, and the fix was to comment out that line. When I check today, I see that that line is commented out in the java.security file that the java-1.7.0-openjdk package ships. Therefore I believe that the problem has been fixed upstream.
QE, would you please check whether the error still occurs?
Note for engineering: If the problem is fixed upstream, we can remove the related workarounds in Puppet and devenv.
Verified this bug with 2.2/2015-09-23.1, and PASS.
After password change, everything is working well, no 500 error is seen.
This fix is available in OpenShift Enterprise 3.1.