Bug 1405952 - Failed to build jenkins pipeline build from git repo behind http/https proxy
Summary: Failed to build jenkins pipeline build from git repo behind http/https proxy
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Gabe Montero
QA Contact: Wang Haoran
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-19 09:42 UTC by Dongbo Yan
Modified: 2017-06-16 17:29 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-16 17:29:50 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Dongbo Yan 2016-12-19 09:42:10 UTC
Description of problem:
Failed to jenkins pipeline build from git repo on openshift cluster behind http/https proxy

Version-Release number of selected component (if applicable):
openshift v3.4.0.37+3b76456-1
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

How reproducible:
Always

Steps to Reproduce:
1.Launch an openshift cluster behind http/https proxy
2.Create a project, create pipeline bc
 $ oc new-app https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/samplepipeline.yaml
3.Edit bc to use git repo source, like below:
"source": {
            "type": "Git",
            "git": {
                "uri": "https://github.com/dongboyan77/jenkins-pipeline-ruby-test"
            }
        },
        "strategy": {
            "type": "JenkinsPipeline",
            "jenkinsPipelineStrategy": {
                "jenkinsfilePath": "jenkins/pipeline/Jenkinsfile"
            }
        },

4.Start a new pipeline build

Actual results:
Pipeline build failed, cannot git clone from git repo

Expected results:
Pipeline build succeed

Additional info:
OpenShift Build dyanv2/sample-pipeline1-4 from https://github.com/xiuwang/ruby-hello-world
 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url https://github.com/xiuwang/ruby-hello-world # timeout=10
Fetching upstream changes from https://github.com/xiuwang/ruby-hello-world
 > git --version # timeout=10
 > git fetch --tags --progress https://github.com/xiuwang/ruby-hello-world +refs/heads/*:refs/remotes/origin/*

ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from https://github.com/xiuwang/ruby-hello-world
	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:797)
	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1051)
	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1082)
	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)
	at org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition.create(CpsScmFlowDefinition.java:108)
	at org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition.create(CpsScmFlowDefinition.java:57)
	at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:214)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:404)
Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress https://github.com/xiuwang/ruby-hello-world +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout: 
stderr: fatal: unable to access 'https://github.com/xiuwang/ruby-hello-world/': Failed connect to github.com:443; Operation now in progress

	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1752)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1495)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:64)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:315)
	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:795)
	... 8 more
ERROR: null
Finished: FAILURE

Comment 2 Dongbo Yan 2016-12-20 10:14:44 UTC
If we set proxy under "Manage Jenkins-> Manage Plugin-> Advanced" in jenkins webconsole, could git clone successfully while pipeline build

Comment 3 Jimmi Dyson 2016-12-21 11:28:25 UTC
This is not a sync plugin issue but a general Jenkins config problem. Assigning back to @bparees.

Comment 4 Ben Parees 2016-12-21 15:54:45 UTC
if it's really something that has to be done as a global configuration in jenkins, i'm not sure we're going to solve it cleanly (since each buildconfig could have a different proxy value set).

@Jimmi I know the sync plugin already respects the secret provided by the buildconfig for cloning, can it not also respect the proxy provided by the buildconfig?

Comment 5 Jimmi Dyson 2016-12-21 17:14:00 UTC
More details in https://issues.jenkins-ci.org/plugins/servlet/mobile#issue/JENKINS-31464.

There seems to be a pull request in that issue to the Jenkins git plugin that might handle this cleanly, but it's not merged or released. If it was then we'd need to somehow set the normal http_proxy etc env vars & they'd be respected. But haven't tried it myself I'm afraid.

Comment 7 Gabe Montero 2017-06-14 18:17:23 UTC
There is also a reference to the git plugin using that plugin manager proxy setting at https://wiki.jenkins-ci.org/display/JENKINS/JenkinsBehindProxy

Comment 8 Gabe Montero 2017-06-14 18:54:57 UTC
Confirmed that the very latest git-client-plugin code at the time of this comment is still pulling in the manage plugin proxy setting:

https://github.com/jenkinsci/git-client-plugin/blob/master/src/main/java/org/jenkinsci/plugins/gitclient/Git.java#L139-L140

The PR Jimmi referred to, https://github.com/jenkinsci/git-client-plugin/pull/201, is still open and has not been touched since Feb 2017.

Comment 9 Gabe Montero 2017-06-16 15:57:13 UTC
Trello card https://trello.com/c/lAJ0rmCa/1241-5-various-jenkins-plugins-inspect-jenkins-plugin-manager-proxy-setting-along-with-env-vars-jenkinsintegration has been opened for the broader jenkins plugin / proxy topic.

We'll see in the coming days whether we defer resolution of this bugzilla to that card's work, or employ some sort of (kludgy) dynamic saving the of the plugin manager proxy setting, temporarily setting that to the build config's proxy settings, and then reverting the plugin manager's setting back.

But for this to be done "properly", as Jimmi mentioned, it really makes sense to encourage https://github.com/jenkinsci/git-client-plugin/pull/201 to go through and then leverage that.

Comment 10 Ben Parees 2017-06-16 16:09:22 UTC
@Gabe if i understand the specific issue at this point (ignoring the broader question of how our plugins handle proxies, which as you note we have an RFE card for now), this is specifically about the git plugin (which we don't own) and how it gets its proxy information (only from the jenkins config today).

I agree we're don't want to do a kludgy thing of trying to temporarily set and unset that config (the race conditions there are terrifying).  So that means the fix is for the git plugin to respect the proxy env vars (which are already being set when the user defines them on their buildconfig).

If my understanding is all correct, then I suggest we close this as can't fix.

For now, users can define the proxy in the proxy plugin if they need this to work, and eventually(hopefully) the env vars will be respected by the git plugin.

Sound right?

Comment 11 Gabe Montero 2017-06-16 16:50:00 UTC
Yep, pretty much sounds right.  One small update, and then one thought:

update: git plugin maintainer reported back saying it would be "many months" before he gets back to reviewing the PR and potentially merging; he then asked for folks to test it / try it out to assist.  I agreed to give it a go in the next week or so.

thought: for our users, it might be beneficial to warn them that they will need to explicitly configure the plugin manager proxy in Jenkins in order for their builds to work; perhaps where we document the use of proxy's for our builds in the official docs.  And I went there because it seems like users who start with our build configs and then progress to jenkins would be the ones most likely bit by this; whereas user coming from jenkins and trying our build configs most likely are already aware of how you configure proxies in jenkins.

Thoughts?

Assuming some sort of doc update comes ... I'll reference the PR here and then close out as can't fix.

Comment 12 Ben Parees 2017-06-16 17:00:55 UTC
yeah, a note somewhere in the pipeline buildconfig strategy docs sounds reasonable to me.

Comment 13 Gabe Montero 2017-06-16 17:29:50 UTC
doc PR https://github.com/openshift/openshift-docs/pull/4594 created


Note You need to log in before you can comment on or make changes to this bug.