Hide Forgot
Description of problem: Failed to jenkins pipeline build from git repo on openshift cluster behind http/https proxy Version-Release number of selected component (if applicable): openshift v3.4.0.37+3b76456-1 kubernetes v1.4.0+776c994 etcd 3.1.0-rc.0 How reproducible: Always Steps to Reproduce: 1.Launch an openshift cluster behind http/https proxy 2.Create a project, create pipeline bc $ oc new-app https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/samplepipeline.yaml 3.Edit bc to use git repo source, like below: "source": { "type": "Git", "git": { "uri": "https://github.com/dongboyan77/jenkins-pipeline-ruby-test" } }, "strategy": { "type": "JenkinsPipeline", "jenkinsPipelineStrategy": { "jenkinsfilePath": "jenkins/pipeline/Jenkinsfile" } }, 4.Start a new pipeline build Actual results: Pipeline build failed, cannot git clone from git repo Expected results: Pipeline build succeed Additional info: OpenShift Build dyanv2/sample-pipeline1-4 from https://github.com/xiuwang/ruby-hello-world > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from the remote Git repository > git config remote.origin.url https://github.com/xiuwang/ruby-hello-world # timeout=10 Fetching upstream changes from https://github.com/xiuwang/ruby-hello-world > git --version # timeout=10 > git fetch --tags --progress https://github.com/xiuwang/ruby-hello-world +refs/heads/*:refs/remotes/origin/* ERROR: Error fetching remote repo 'origin' hudson.plugins.git.GitException: Failed to fetch from https://github.com/xiuwang/ruby-hello-world at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:797) at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1051) at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1082) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109) at org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition.create(CpsScmFlowDefinition.java:108) at org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition.create(CpsScmFlowDefinition.java:57) at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:214) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:404) Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress https://github.com/xiuwang/ruby-hello-world +refs/heads/*:refs/remotes/origin/*" returned status code 128: stdout: stderr: fatal: unable to access 'https://github.com/xiuwang/ruby-hello-world/': Failed connect to github.com:443; Operation now in progress at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1752) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1495) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:64) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:315) at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:795) ... 8 more ERROR: null Finished: FAILURE
If we set proxy under "Manage Jenkins-> Manage Plugin-> Advanced" in jenkins webconsole, could git clone successfully while pipeline build
This is not a sync plugin issue but a general Jenkins config problem. Assigning back to @bparees.
if it's really something that has to be done as a global configuration in jenkins, i'm not sure we're going to solve it cleanly (since each buildconfig could have a different proxy value set). @Jimmi I know the sync plugin already respects the secret provided by the buildconfig for cloning, can it not also respect the proxy provided by the buildconfig?
More details in https://issues.jenkins-ci.org/plugins/servlet/mobile#issue/JENKINS-31464. There seems to be a pull request in that issue to the Jenkins git plugin that might handle this cleanly, but it's not merged or released. If it was then we'd need to somehow set the normal http_proxy etc env vars & they'd be respected. But haven't tried it myself I'm afraid.
There is also a reference to the git plugin using that plugin manager proxy setting at https://wiki.jenkins-ci.org/display/JENKINS/JenkinsBehindProxy
Confirmed that the very latest git-client-plugin code at the time of this comment is still pulling in the manage plugin proxy setting: https://github.com/jenkinsci/git-client-plugin/blob/master/src/main/java/org/jenkinsci/plugins/gitclient/Git.java#L139-L140 The PR Jimmi referred to, https://github.com/jenkinsci/git-client-plugin/pull/201, is still open and has not been touched since Feb 2017.
Trello card https://trello.com/c/lAJ0rmCa/1241-5-various-jenkins-plugins-inspect-jenkins-plugin-manager-proxy-setting-along-with-env-vars-jenkinsintegration has been opened for the broader jenkins plugin / proxy topic. We'll see in the coming days whether we defer resolution of this bugzilla to that card's work, or employ some sort of (kludgy) dynamic saving the of the plugin manager proxy setting, temporarily setting that to the build config's proxy settings, and then reverting the plugin manager's setting back. But for this to be done "properly", as Jimmi mentioned, it really makes sense to encourage https://github.com/jenkinsci/git-client-plugin/pull/201 to go through and then leverage that.
@Gabe if i understand the specific issue at this point (ignoring the broader question of how our plugins handle proxies, which as you note we have an RFE card for now), this is specifically about the git plugin (which we don't own) and how it gets its proxy information (only from the jenkins config today). I agree we're don't want to do a kludgy thing of trying to temporarily set and unset that config (the race conditions there are terrifying). So that means the fix is for the git plugin to respect the proxy env vars (which are already being set when the user defines them on their buildconfig). If my understanding is all correct, then I suggest we close this as can't fix. For now, users can define the proxy in the proxy plugin if they need this to work, and eventually(hopefully) the env vars will be respected by the git plugin. Sound right?
Yep, pretty much sounds right. One small update, and then one thought: update: git plugin maintainer reported back saying it would be "many months" before he gets back to reviewing the PR and potentially merging; he then asked for folks to test it / try it out to assist. I agreed to give it a go in the next week or so. thought: for our users, it might be beneficial to warn them that they will need to explicitly configure the plugin manager proxy in Jenkins in order for their builds to work; perhaps where we document the use of proxy's for our builds in the official docs. And I went there because it seems like users who start with our build configs and then progress to jenkins would be the ones most likely bit by this; whereas user coming from jenkins and trying our build configs most likely are already aware of how you configure proxies in jenkins. Thoughts? Assuming some sort of doc update comes ... I'll reference the PR here and then close out as can't fix.
yeah, a note somewhere in the pipeline buildconfig strategy docs sounds reasonable to me.
doc PR https://github.com/openshift/openshift-docs/pull/4594 created