Hide Forgot
Description of problem: User is seeing issue where setting the BUILD_LOGLEVEL=5 env variable in the build-config appears to corrupt the proxy related env variables in the output container. The NO_PROXY, HTTP_PROXY, and HTTPS_PROXY env vars not only get redacted in the build logs (as they should), the final running container also has the redacted env variables. This is causing problems with internal application service calls. How reproducible: Consistently Steps to Reproduce: 1. Add BUILD_LOGLEVEL=5 to the build-config... source: type: Binary binary: {} strategy: sourceStrategy: from: kind: ImageStreamTag namespace: ${IMAGE_NAMESPACE} name: 'system-ocpimage-springboot:1.0.1.14' env: - name: BUILD_LOGLEVEL value: "5" type: Source 2. Build and deploy an image based on the config Actual results: The container result from the build has redacted env proxy vars... ========== HTTP_PROXY=http://redacted@proxy.example.com:8080 HTTPS_PROXY=https://redacted@proxy.example.com:8080 NO_PROXY=//redacted@.cluster.local,.svc ========== Expected results: ========== HTTP_PROXY=http://svc-satellite:pass1@proxy.example.com:8080 HTTPS_PROXY=https://svc-satellite:pass1@proxy.example.com:8080 NO_PROXY=.cluster.local ========== Additional info: From the user... ============================================================== "I was able to reproduce the behavior in tomcat and springboot image below is the docker file content for system-ocpimage-springboot. We are not doing anything else for spring boot." FROM registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift:1.1-11 USER root ENV TZ=America/New_York RUN chmod -R 777 $HOME USER 1001 --------------------------------------------------------------- the issue is consistent when i add "BUILD_LOGLEVEL" with value "5" like below in the build YAML file. source: type: Binary binary: {} strategy: sourceStrategy: from: kind: ImageStreamTag namespace: ${IMAGE_NAMESPACE} name: 'system-ocpimage-springboot:1.0.1.14' env: - name: BUILD_LOGLEVEL value: "5" type: Source ============================================================== Version info: openshift-ansible-playbooks-3.6.173.0.83-1.git.0.84c5eff.el7.noarch tuned-profiles-atomic-openshift-node-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64 openshift-ansible-lookup-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch atomic-openshift-docker-excluder-3.6.173.0.83-1.git.0.1f70b16.el7.noarch atomic-openshift-sdn-ovs-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64 openshift-ansible-docs-3.6.173.0.83-1.git.0.84c5eff.el7.noarch openshift-ansible-roles-3.6.173.0.83-1.git.0.84c5eff.el7.noarch atomic-openshift-excluder-3.6.173.0.83-1.git.0.1f70b16.el7.noarch atomic-openshift-clients-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64 openshift-ansible-callback-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch atomic-openshift-utils-3.6.173.0.83-1.git.0.84c5eff.el7.noarch atomic-openshift-node-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64 openshift-ansible-filter-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch atomic-openshift-master-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64 openshift-ansible-3.6.173.0.83-1.git.0.84c5eff.el7.noarch atomic-openshift-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
Created attachment 1426104 [details] Build template
Created attachment 1426105 [details] Master config containing proxy settings
Origin PR: https://github.com/openshift/origin/pull/19532 s2i PR: https://github.com/openshift/source-to-image/pull/874
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/51b3047636ac7bebadd1114bc8a0d1e21d1f1c87 Ensure environment variables and URLs are not modified for safe logging. Bug 1571349
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/4650086d67bdf4a38213575245a04029a350d2fa bump(*): github.com/openshift/source-to-image 27f0729 github.com/emicklei/go-restful-swagger12 5e28dc7 github.com/skynetservices/skydns 775ef406 k8s.io forks * fixes bug 1571349 * Support for ConfigMap Build Sources ** Trello Card https://trello.com/c/RMKJxJUm/1020-5-allow-using-a-configmap-as-an-input-to-a-build-builds ** RFE/bug 1540978
verified in openshift v3.10.0-0.47.0 steps: 1. modify master-config.yaml as below,and restart master: admissionConfig: pluginConfig: BuildDefaults: configuration: apiVersion: v1 env: - name: HTTP_PROXY value: http://file.xxx.redhat.com:xxxx - name: HTTPS_PROXY value: https://file.xxx.redhat.com:xxx - name: CUSTOM_VAR value: custom_value kind: BuildDefaultsConfig gitHTTPProxy: http://file.xxx.redhat.com:xxx gitHTTPSProxy: https://file.xxx.redhat.com:xxx gitNoProxy: cluster.local,otherdomain.com 2. Create apps $oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json 3. Add BUILD_LOGLEVEL=5 to the build-config 4. Check the env in container [wewang@wen-local ~]$ oc rsh frontend-2-rzd7s sh-4.2$ env |grep HTTP HTTPS_PROXY=https://file.xxx.redhat.com:xxx HTTP_PROXY=http://file.xxx.redhat.com:xxxx
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816