Bug 1030906 - 500 error is seen when change password for jenkins admin user.
500 error is seen when change password for jenkins admin user.
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers (Show other bugs)
Unspecified Unspecified
low Severity medium
: ---
: ---
Assigned To: Brenton Leanhardt
libra bugs
Depends On: 1031145
Blocks: 1035113
  Show dependency treegraph
Reported: 2013-11-15 05:46 EST by Johnny Liu
Modified: 2015-11-23 09:25 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1031145 1035113 (view as bug list)
Last Closed: 2015-11-23 09:25:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
stack trace (6.12 KB, text/plain)
2013-11-15 12:14 EST, Brenton Leanhardt
no flags Details

  None (edit)
Description Johnny Liu 2013-11-15 05:46:38 EST
Description of problem:
When changing password for admin suer of jenkins app, 500 error is seen.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Create a jenkins app
2.Following the output of step 1 to change password by accessing https://jenkins-jialiu.ose-1114.com.cn/me/configure

Actual results:
When click "save" button, 500 error is shown.

Expected results:
Change password for Jenkins admin should succeed.

Additional info:
This issue does not occurs with online devenv.
Comment 2 Brenton Leanhardt 2013-11-15 12:13:25 EST
I tracked this down to x86_64 vs i686 JVM.  That is the _only_ jenkins difference between Online and OSE 2.0 beta right now.  Unfortunately, it's pretty complicated to have both versions installed side by side since yum tries to prevent it.  Here's what I did:

On a devenv:

* Find the i686 deps that need to be installed
repoquery --requires --installed --resolve java-1.7.0-openjdk

On an OSE 2.0 beta machine:

* use yumdownloader to download all the packages manually
* rpm ivh all the deps
* rpm -Uvh --force to install the jvm packages alongside the x86_64 version
* "alternatives --config java" to switch between
* "/etc/alternatives/jre/bin/java -version" to sanity check since that's what jenkins uses
* restart jenkins

When I run with the 32 bit JVM changing the password works.  With 64 bit I see the stack trace.  The most interesting parts of the strace trace are:

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
	at sun.security.pkcs11.wrapper.PKCS11.C_DecryptUpdate(Native Method)
	at sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:795)
	... 75 more

I'll attach the full trace.
Comment 3 Brenton Leanhardt 2013-11-15 12:14:28 EST
Created attachment 824637 [details]
stack trace
Comment 4 Luke Meyer 2014-01-30 07:56:51 EST
Upstream is fixed... can this perhaps make it into 2.0.3?
Comment 5 Brenton Leanhardt 2014-01-30 08:23:03 EST
I'm pretty sure upstream fixed it by hacking /usr/lib/jvm/jre-1.7.0-openjdk/lib/security/java.security in the devenv tooling and puppet (for Online).  It still exists in Origin.

The best we could do now is a kbase article.  That's a good idea for 2.0.3.
Comment 6 Miciah Dashiel Butler Masters 2015-09-23 15:46:55 EDT
According to bug 1031145 comment 3, the problem was the line in /usr/lib/jvm/jre-1.7.0-openjdk/lib/security/java.security that enabled sun.security.pkcs11.SunPKCS11, and the fix was to comment out that line.  When I check today, I see that that line is commented out in the java.security file that the java-1.7.0-openjdk package ships.  Therefore I believe that the problem has been fixed upstream.

QE, would you please check whether the error still occurs?

Note for engineering: If the problem is fixed upstream, we can remove the related workarounds in Puppet and devenv.
Comment 7 Johnny Liu 2015-09-23 22:26:51 EDT
Verified this bug with 2.2/2015-09-23.1, and PASS.

After password change, everything is working well, no 500 error is seen.
Comment 8 Brenton Leanhardt 2015-11-23 09:25:46 EST
This fix is available in OpenShift Enterprise 3.1.

Note You need to log in before you can comment on or make changes to this bug.