1578987 – jenkins slave does not respect no_proxy 3.7

Bug 1578987 - jenkins slave does not respect no_proxy 3.7

Summary: jenkins slave does not respect no_proxy 3.7

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Build
Sub Component:
Version:	3.7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.7.z
Assignee:	Gabe Montero
QA Contact:	Wenjing Zheng
Docs Contact:
URL:
Whiteboard:
Depends On:	1584507
Blocks:
TreeView+	depends on / blocked

Reported:	2018-05-16 18:07 UTC by Gabe Montero
Modified:	2021-12-10 16:10 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: jenkins no_proxy processing could not handle suffixes like ".svc" Consequence: communication between a jenkins k8s agent pod and the jenkins master would attempt to go through a configured http_proxy and fail Fix: the openshift jenkins agent images are updated to automatically include the jenkins master and jnlp hosts in the no_proxy list Result: the jenkins limitation for no_proxy processing is circumvented
Clone Of:	1573648
Clones:	1578989 (view as bug list)
Environment:
Last Closed:	2018-06-07 08:40:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3429951	0	None	None	None	2018-05-16 18:07:47 UTC
Red Hat Product Errata	RHBA-2018:1798	0	None	None	None	2018-06-07 08:41:31 UTC

Comment 1 Gabe Montero 2018-05-16 18:10:39 UTC

PR https://github.com/openshift/jenkins/pull/608 with the 3.7 change has merged

Moving to modified, will update with repro instructions when I see the new image in brew-pulp for QA to try.

Comment 4 Gabe Montero 2018-05-29 15:17:41 UTC

Hi @Wen Wang

For some reason I could not find sha 53f24b04cdde, but I did download the following:

brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/jenkins-slave-nodejs-rhel7   v3.7.51.20180525.213521          c498467f0c15        3 days ago          1.51 GB

And I see it contains the fix.

Can you make sure you are using that specific tag, and have updated the pod template configuration for nodejs per the instructions at https://bugzilla.redhat.com/show_bug.cgi?id=1578993#c1

and report back.

In addition to the env validation you did last time, please also run `cat /usr/local/bin/run-jnlp-client` when you `oc rsh` into the slave pod.

You should see these lines among the entire file contents, which comprise the fix:

if [[ -z "${SKIP_NO_PROXY_DEFAULT}" ]]; then
    # we do not want jenkins svc or jenkins-jnlp svc
    # communication going through a http proxy
    # env vars to consider:
    # - no_proxy and NO_PROXY; case of string varies tool to tool
    # - JENKINS_URL and JENKINS_TUNNEL comes from k8s plugin
    # based on how our master image configures the cloud, but we need to strip the host / port
    jenkins_http_host=`echo $JENKINS_URL | sed 's#https://##' | sed 's#http://##' | cut -f1 -d":"`
    jnlp_http_host=`echo $JENKINS_TUNNEL | sed 's#https://##' | sed 's#http://##' | cut -f1 -d":"`
    # check if set to avoid having a comma as the last char
    if [[ -z "${no_proxy}" ]]; then
       export no_proxy=$jenkins_http_host,$jnlp_http_host
    else
	export no_proxy=$jenkins_http_host,$jnlp_http_host,$no_proxy
    fi
    if [[ -z "${NO_PROXY}" ]]; then
       export NO_PROXY=$jenkins_http_host,$jnlp_http_host
    else
	export NO_PROXY=$jenkins_http_host,$jnlp_http_host,$NO_PROXY
    fi
fi


If you see that, we may have an issue with nodejs specifically, and not the image in general, in that nodejs is not honoring no_proxy or NO_PROXY.  We could compare the results between nodejs and maven using the maven image with the same tag to possibly confirm that.

Comment 5 Wenjing Zheng 2018-05-31 06:42:28 UTC

No response when clicking Add Environment Variables button in jenkins configure page and report it to #1584507. Will go on verify this bug when #1584507 has been fixed.

Comment 6 wewang 2018-06-01 05:41:28 UTC

k8s is still v.10 in jenkins2:v3.7, waiting v1.1.3 available  then verify the bug

Comment 7 wewang 2018-06-01 05:42:41 UTC

s/v.10/v1.0/

Comment 8 wewang 2018-06-04 07:02:17 UTC

@Gabe Montero
I saw jenkins2 was rebuild with k8s plugin:v1.1.3, and verified the bug with the version, is the version we tested,right? I will change status to VERIFIED

openshift v3.7.51
brew-pulp-xxxx/openshift3/jenkins-2-rhel7:v3.7                 044c1757df27 
brew-pulp-xxxxx/openshift3/jenkins-slave-maven-rhel7:v3.7      c571dfba5e60


steps:
1. oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml

2. Go to jenkins config page to modify slave image in pod template to brew-pulp-xxxxx/openshift3/jenkins-slave-maven-rhel7:v3.7

3. Add EnvVars http_proxy=http://file.rdu.redhat.com:3128 to slave pod template and save
4. Start build
  $oc start-build openshift-jee-sample

5. Build will succeed
[wewang@wen-local cucushift]$ oc get builds
NAME                            TYPE              FROM      STATUS     STARTED          DURATION
openshift-jee-sample-1          JenkinsPipeline             Complete   15 minutes ago   
openshift-jee-sample-docker-1   Docker            Binary    Complete   14 minutes ago   1m33s

Comment 9 Gabe Montero 2018-06-04 13:52:14 UTC

Yep I saw that as well @wewang ... I agree we are good here.

Comment 11 errata-xmlrpc 2018-06-07 08:40:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1798

Note You need to log in before you can comment on or make changes to this bug.