Bug 1571349 - Container ENV proxy vars getting redacted when BUILD_LOGLEVEL=5 used in build
Summary: Container ENV proxy vars getting redacted when BUILD_LOGLEVEL=5 used in build
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 3.10.0
Assignee: Adam Kaplan
QA Contact: wewang
Brandi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-24 14:59 UTC by Luke Stanton
Modified: 2018-07-30 19:14 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Some build container environment variables were modified when redacted in the container log. Consequence: URL proxy settings (such as HTTP/S proxies) were modified, breaking these settings. Fix: A copy of these environment variables are made prior to redaction in the logs. Result: Proxy URLs with user credentials are redacted in the container log, but are not modified when used in the build.
Clone Of:
Environment:
Last Closed: 2018-07-30 19:13:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1816 None None None 2018-07-30 19:14:10 UTC

Description Luke Stanton 2018-04-24 14:59:38 UTC
Description of problem:
User is seeing issue where setting the BUILD_LOGLEVEL=5 env variable in the build-config appears to corrupt the proxy related env variables in the output container. The NO_PROXY, HTTP_PROXY, and HTTPS_PROXY env vars not only get redacted in the build logs (as they should), the final running container also has the redacted env variables. This is causing problems with internal application service calls.

How reproducible:
Consistently

Steps to Reproduce:
1. Add BUILD_LOGLEVEL=5 to the build-config...

  source:
    type: Binary
    binary: {}
  strategy:
    sourceStrategy:
      from:
        kind: ImageStreamTag
        namespace: ${IMAGE_NAMESPACE}
        name: 'system-ocpimage-springboot:1.0.1.14'
      env:
      - name: BUILD_LOGLEVEL
        value: "5"
    type: Source

2. Build and deploy an image based on the config

Actual results:
The container result from the build has redacted env proxy vars...
==========
HTTP_PROXY=http://redacted@proxy.example.com:8080
HTTPS_PROXY=https://redacted@proxy.example.com:8080
NO_PROXY=//redacted@.cluster.local,.svc
==========

Expected results:
==========
HTTP_PROXY=http://svc-satellite:pass1@proxy.example.com:8080
HTTPS_PROXY=https://svc-satellite:pass1@proxy.example.com:8080
NO_PROXY=.cluster.local
==========

Additional info:
From the user...

==============================================================

"I was able to reproduce the behavior in tomcat and springboot image
below is the docker file content for system-ocpimage-springboot.
We are not doing anything else for spring boot."

FROM registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift:1.1-11

USER root

ENV TZ=America/New_York

RUN chmod -R 777 $HOME

USER 1001
---------------------------------------------------------------

the issue is consistent when i add "BUILD_LOGLEVEL" with value "5" like below in the build YAML file.

    source:
      type: Binary
      binary: {}
    strategy:
      sourceStrategy:
        from:
          kind: ImageStreamTag
          namespace: ${IMAGE_NAMESPACE}
          name: 'system-ocpimage-springboot:1.0.1.14'
        env:
        - name: BUILD_LOGLEVEL
          value: "5"
      type: Source

==============================================================

Version info:

openshift-ansible-playbooks-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
tuned-profiles-atomic-openshift-node-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-lookup-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-docker-excluder-3.6.173.0.83-1.git.0.1f70b16.el7.noarch
atomic-openshift-sdn-ovs-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-docs-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
openshift-ansible-roles-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-excluder-3.6.173.0.83-1.git.0.1f70b16.el7.noarch
atomic-openshift-clients-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-callback-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-utils-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-node-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-filter-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-master-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64

Comment 1 Luke Stanton 2018-04-24 15:02:42 UTC
Created attachment 1426104 [details]
Build template

Comment 2 Luke Stanton 2018-04-24 15:03:26 UTC
Created attachment 1426105 [details]
Master config containing proxy settings

Comment 4 openshift-github-bot 2018-05-04 00:41:22 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/51b3047636ac7bebadd1114bc8a0d1e21d1f1c87
Ensure environment variables and URLs are not modified for safe logging.

Bug 1571349

Comment 5 openshift-github-bot 2018-05-04 21:55:53 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/4650086d67bdf4a38213575245a04029a350d2fa
bump(*):

github.com/openshift/source-to-image 27f0729
github.com/emicklei/go-restful-swagger12 5e28dc7
github.com/skynetservices/skydns 775ef406
k8s.io forks

* fixes bug 1571349
* Support for ConfigMap Build Sources
** Trello Card https://trello.com/c/RMKJxJUm/1020-5-allow-using-a-configmap-as-an-input-to-a-build-builds
** RFE/bug 1540978

Comment 7 wewang 2018-05-17 10:03:28 UTC
verified in openshift v3.10.0-0.47.0
steps:
1. modify master-config.yaml as below,and restart master:
admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        env:
        - name: HTTP_PROXY 
          value: http://file.xxx.redhat.com:xxxx
        - name: HTTPS_PROXY 
          value: https://file.xxx.redhat.com:xxx
        - name: CUSTOM_VAR 
          value: custom_value
        kind: BuildDefaultsConfig
        gitHTTPProxy: http://file.xxx.redhat.com:xxx
        gitHTTPSProxy: https://file.xxx.redhat.com:xxx
        gitNoProxy: cluster.local,otherdomain.com

  
2. Create apps 
  $oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json
3. Add BUILD_LOGLEVEL=5 to the build-config
4. Check the env in container
[wewang@wen-local ~]$ oc rsh frontend-2-rzd7s
sh-4.2$ env |grep HTTP
HTTPS_PROXY=https://file.xxx.redhat.com:xxx
HTTP_PROXY=http://file.xxx.redhat.com:xxxx

Comment 9 errata-xmlrpc 2018-07-30 19:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816


Note You need to log in before you can comment on or make changes to this bug.