Bug 1291630 - [devexp_public_640] Cannot create resource(s) in openshift via jenkins
Summary: [devexp_public_640] Cannot create resource(s) in openshift via jenkins
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Image
Version: 3.x
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Gabe Montero
QA Contact: Wang Haoran
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-15 10:49 UTC by wewang
Modified: 2016-05-12 17:15 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 17:15:14 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
cancel deploy config (28.46 KB, image/png)
2015-12-16 07:48 UTC, wewang
no flags Details
cancel deploy output log (61.13 KB, image/png)
2015-12-16 07:49 UTC, wewang
no flags Details

Description wewang 2015-12-15 10:49:43 UTC
Version-Release number of selected component (if applicable):
openshift/jenkins-1-rhel7  27fca1f9ef45

How reproducible:
always

Description of problem:
Cannot Create resource(s) in openshift via jenkins 

Steps to Reproduce:
1. Setup jenkins refer to :https://github.com/openshift/origin/blob/master/examples/jenkins/README.md
2. Create a new project 
    $oc new-project wewang
3. 
   $ oc policy add-role-to-user admin system:serviceaccount:wewang:default -n wewang
4. Login jenkins browser

5. Go to jenkins job page
   click "new item" -->write item name -->select "Freestyle project"-->ok, then create a new job: testplugin

6.  select job "testplugin" to Configure ,
    a. add "Create resource(s) in openshift" build step and configure below
       The JSON or YAML that defines the OpenShift resource(s) to create    : paste https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json context here 
       The name of the project to create the resources in: wewang


7. build the job and check Output Console
   Started by user Jenkins Admin
   Building in workspace /var/lib/jenkins/jobs/testplugin/workspace

    BUILD STEP:  OpenShiftImageTagger in perform on namespace wewang

 OpenShiftCreator BUILD STEP EXIT:  HTTP client exception
Build step 'Create resource(s) in OpenShift' marked build as failure
Finished: FAILURE

Actual results:
7.  OpenShiftCreator BUILD STEP EXIT:  HTTP client exception

Expected results:
Build should success, background will execute oc create

Comment 1 Gabe Montero 2015-12-15 16:17:25 UTC
I was able to create the openshift resources from https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json using the jenkins image openshift/jenkins-1-rhel7  27fca1f9ef45 deployed in openshift, using a "create resources in openshift" build step, with no errors.  

I then verified from the command line using oc that the pods were there:

gmontero ~/bin $ oc get pods 
NAME              READY     STATUS    RESTARTS   AGE
hello-openshift   1/1       Running   0          25s
jenkins-1-fbbzw   1/1       Running   0          3m
gmontero ~/bin $ 

I'm guessing from the HTTP client exception that there is some sort of permission issue when you are trying it.

Let's see if we can confirm.  Please re-run your test with verbose logging for the "create resources in openshift" build step and then provide the entire console output here in this defect and we can review.

Comment 2 wewang 2015-12-16 06:15:55 UTC
1. When I Add the edit role to the default service account in the wewang project:
oc policy add-role-to-user edit system:serviceaccount:test:default -n wewang
,it can create resources
# oc get pods
NAME              READY     STATUS    RESTARTS   AGE
hello-openshift   1/1       Running   0          45s

2. The reason maybe you create resources in test project which includes jenkins,

3. if next time I create a new openshift resources in new project, I should do like "oc policy add-role-to-user admin system:serviceaccount:test:default -n wewang" manually, do you thinks it's better to do in background or manually?

thank for your always quick feedback:>

Comment 3 wewang 2015-12-16 07:46:55 UTC
Hi, Gabe Montero, I met other issues,when "Cancel deployments in Openshift",output error:

ERROR: Build step failed with exception
java.lang.ClassCastException: com.openshift.internal.restclient.model.List cannot be cast to com.openshift.restclient.model.IDeploymentConfig
	at com.openshift.jenkins.plugins.pipeline.OpenShiftDeployCanceller.coreLogic(OpenShiftDeployCanceller.java:208)
	at com.openshift.jenkins.plugins.pipeline.OpenShiftDeployCanceller.perform(OpenShiftDeployCanceller.java:256)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:761)
	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:721)
	at hudson.model.Build$BuildExecution.cleanUp(Build.java:193)
	at hudson.model.Run.execute(Run.java:1788)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:374)
Build step 'Cancel deployments in OpenShift' marked build as failure
Finished: SUCCESS


Steps to Reproduce:
1. Create project 
$ oc new-project wewang1

$ oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json

2. $ oc policy add-role-to-user edit system:serviceaccount:test:default -n wewang1

3. Create a new job:job1 in jenkins and configure  attachments "canceldeploy.png"

4. $ oc deploy frontend  --latest

5. build job:job1

6.output attachments "canceldeployoutput.png"
   
7. new pod and rc can be created

Comment 4 wewang 2015-12-16 07:48:15 UTC
Created attachment 1106302 [details]
cancel deploy config

Comment 5 wewang 2015-12-16 07:49:02 UTC
Created attachment 1106303 [details]
cancel deploy output log

Comment 6 wewang 2015-12-16 08:51:02 UTC
(In reply to wewang from comment #2)
> 1. When I Add the edit role to the default service account in the wewang
> project:
> oc policy add-role-to-user edit system:serviceaccount:test:default -n wewang
> ,it can create resources
> # oc get pods
> NAME              READY     STATUS    RESTARTS   AGE
> hello-openshift   1/1       Running   0          45s
> 
> 2. The reason maybe you create resources in test project which includes
> jenkins,
> 
> 3. if next time I create a new openshift resources in new project, I should
> do like "oc policy add-role-to-user admin system:serviceaccount:test:default
> -n wewang" manually, do you thinks it's better to do in background or
> manually?
> 
> thank for your always quick feedback:>

sorry item 3: should be oc policy add-role-to-user edit system:serviceaccount:test:default -n wewang

Comment 7 wewang 2015-12-16 09:12:37 UTC
sorry ,issues in comment #3 has been reported to a different bug:1292021

Comment 8 Gabe Montero 2015-12-16 15:32:13 UTC
Just a port-mortem comment on this verified defect, if I parse your comment #2 correctly I think you are right.

the "test" in "system:serviceaccount:test:default" from my experience (and some perusal of the doc at https://docs.openshift.org/latest/admin_guide/service_accounts.html) is in fact a project name.

So in your example you allowed service accounts in the "test" project edit capability in the wewang project...whether this allowed the plugin in the jenkins container depends on whether the jenkins deployment was launched in the test project or not.

Comment 9 wewang 2016-01-18 09:42:03 UTC
@Gabe Montero, when I test ose and origin ,error appears when creating resource(s) in openshift, but  pod is running

openshift/jenkins-1-rhel7 a1405352dba5

steps:
1. Create jenkins
 $ oc new-project test
 $oc policy add-role-to-user admin system:serviceaccount:test:default -n test 
 $oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/jenkins-ephemeral-template.json 
2. create job 
$ oc new-project test1
$ oc policy add-role-to-user edit system:serviceaccount:test:default -n test1 
3. create a job and configure
   a. The JSON or YAML that defines the OpenShift resource(s) to create : paste https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json context here
4. Check the console out page
 
Started by user Jenkins Admin
Building in workspace /var/lib/jenkins/jobs/testplugin/workspace
java.lang.IllegalAccessException: Class com.openshift.jenkins.plugins.pipeline.OpenShiftBaseStep can not access a member of class com.openshift.jenkins.plugins.pipeline.OpenShiftCreator with modifiers "private static final"
	at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:102)
	at java.lang.reflect.AccessibleObject.slowCheckMemberAccess(AccessibleObject.java:296)
	at java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:288)
	at java.lang.reflect.Field.get(Field.java:390)
	at com.openshift.jenkins.plugins.pipeline.OpenShiftBaseStep.setFields(OpenShiftBaseStep.java:49)
	at com.openshift.jenkins.plugins.pipeline.OpenShiftBaseStep.inspectBuildEnvAndOverrideFields(OpenShiftBaseStep.java:76)
	at com.openshift.jenkins.plugins.pipeline.OpenShiftBaseStep.perform(OpenShiftBaseStep.java:141)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785)
	at hudson.model.Build$BuildExecution.build(Build.java:205)
	at hudson.model.Build$BuildExecution.doRun(Build.java:162)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
	at hudson.model.Run.execute(Run.java:1741)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:408)


BUILD STEP:  OpenShiftCreator in perform on namespace test1


BUILD STEP EXIT:  OpenShiftCreator resources(s) created
Finished: SUCCESS

5. Check the pod 
# oc get pods
NAME              READY     STATUS    RESTARTS   AGE
hello-openshift   1/1       Running   0          45m

Comment 10 Gabe Montero 2016-01-18 15:32:28 UTC
I'm able to reproduce this, and have started on a fix.

This should probably be opened as a separate defect though, between the fact that the resource is in fact created and where in the code we are talking about changing.  And I don't see this problem as a blocker (but this defect shows up on the blocker list).

Certainly I won't wait on the new defect to start work.

So I'm going to move this back to verified.  If @wewang objects, the two of us discuss and sort it out.  Otherwise I'll drive delivery with the new defect.

Thanks.

Comment 11 wewang 2016-01-19 05:20:25 UTC
OK, I will report a new bug,thinks

Comment 12 wewang 2016-01-19 05:27:10 UTC
(In reply to Gabe Montero from comment #10)
> I'm able to reproduce this, and have started on a fix.
> 
> This should probably be opened as a separate defect though, between the fact
> that the resource is in fact created and where in the code we are talking
> about changing.  And I don't see this problem as a blocker (but this defect
> shows up on the blocker list).
> 
> Certainly I won't wait on the new defect to start work.
> 
> So I'm going to move this back to verified.  If @wewang objects, the two of
> us discuss and sort it out.  Otherwise I'll drive delivery with the new
> defect.
> 
> Thanks.

Hi, new bug is :https://bugzilla.redhat.com/show_bug.cgi?id=1299709


Note You need to log in before you can comment on or make changes to this bug.