Bug 1578987 - jenkins slave does not respect no_proxy 3.7
Summary: jenkins slave does not respect no_proxy 3.7
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.7.z
Assignee: Gabe Montero
QA Contact: Wenjing Zheng
Depends On: 1584507
TreeView+ depends on / blocked
Reported: 2018-05-16 18:07 UTC by Gabe Montero
Modified: 2018-06-07 08:41 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: jenkins no_proxy processing could not handle suffixes like ".svc" Consequence: communication between a jenkins k8s agent pod and the jenkins master would attempt to go through a configured http_proxy and fail Fix: the openshift jenkins agent images are updated to automatically include the jenkins master and jnlp hosts in the no_proxy list Result: the jenkins limitation for no_proxy processing is circumvented
Clone Of: 1573648
: 1578989 (view as bug list)
Last Closed: 2018-06-07 08:40:56 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3429951 0 None None None 2018-05-16 18:07:47 UTC
Red Hat Product Errata RHBA-2018:1798 0 None None None 2018-06-07 08:41:31 UTC

Comment 1 Gabe Montero 2018-05-16 18:10:39 UTC
PR https://github.com/openshift/jenkins/pull/608 with the 3.7 change has merged

Moving to modified, will update with repro instructions when I see the new image in brew-pulp for QA to try.

Comment 4 Gabe Montero 2018-05-29 15:17:41 UTC
Hi @Wen Wang

For some reason I could not find sha 53f24b04cdde, but I did download the following:

brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/jenkins-slave-nodejs-rhel7   v3.7.51.20180525.213521          c498467f0c15        3 days ago          1.51 GB

And I see it contains the fix.

Can you make sure you are using that specific tag, and have updated the pod template configuration for nodejs per the instructions at https://bugzilla.redhat.com/show_bug.cgi?id=1578993#c1

and report back.

In addition to the env validation you did last time, please also run `cat /usr/local/bin/run-jnlp-client` when you `oc rsh` into the slave pod.

You should see these lines among the entire file contents, which comprise the fix:

if [[ -z "${SKIP_NO_PROXY_DEFAULT}" ]]; then
    # we do not want jenkins svc or jenkins-jnlp svc
    # communication going through a http proxy
    # env vars to consider:
    # - no_proxy and NO_PROXY; case of string varies tool to tool
    # - JENKINS_URL and JENKINS_TUNNEL comes from k8s plugin
    # based on how our master image configures the cloud, but we need to strip the host / port
    jenkins_http_host=`echo $JENKINS_URL | sed 's#https://##' | sed 's#http://##' | cut -f1 -d":"`
    jnlp_http_host=`echo $JENKINS_TUNNEL | sed 's#https://##' | sed 's#http://##' | cut -f1 -d":"`
    # check if set to avoid having a comma as the last char
    if [[ -z "${no_proxy}" ]]; then
       export no_proxy=$jenkins_http_host,$jnlp_http_host
	export no_proxy=$jenkins_http_host,$jnlp_http_host,$no_proxy
    if [[ -z "${NO_PROXY}" ]]; then
       export NO_PROXY=$jenkins_http_host,$jnlp_http_host
	export NO_PROXY=$jenkins_http_host,$jnlp_http_host,$NO_PROXY

If you see that, we may have an issue with nodejs specifically, and not the image in general, in that nodejs is not honoring no_proxy or NO_PROXY.  We could compare the results between nodejs and maven using the maven image with the same tag to possibly confirm that.

Comment 5 Wenjing Zheng 2018-05-31 06:42:28 UTC
No response when clicking Add Environment Variables button in jenkins configure page and report it to #1584507. Will go on verify this bug when #1584507 has been fixed.

Comment 6 wewang 2018-06-01 05:41:28 UTC
k8s is still v.10 in jenkins2:v3.7, waiting v1.1.3 available  then verify the bug

Comment 7 wewang 2018-06-01 05:42:41 UTC

Comment 8 wewang 2018-06-04 07:02:17 UTC
@Gabe Montero
I saw jenkins2 was rebuild with k8s plugin:v1.1.3, and verified the bug with the version, is the version we tested,right? I will change status to VERIFIED

openshift v3.7.51
brew-pulp-xxxx/openshift3/jenkins-2-rhel7:v3.7                 044c1757df27 
brew-pulp-xxxxx/openshift3/jenkins-slave-maven-rhel7:v3.7      c571dfba5e60

1. oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml

2. Go to jenkins config page to modify slave image in pod template to brew-pulp-xxxxx/openshift3/jenkins-slave-maven-rhel7:v3.7

3. Add EnvVars http_proxy=http://file.rdu.redhat.com:3128 to slave pod template and save
4. Start build
  $oc start-build openshift-jee-sample

5. Build will succeed
[wewang@wen-local cucushift]$ oc get builds
NAME                            TYPE              FROM      STATUS     STARTED          DURATION
openshift-jee-sample-1          JenkinsPipeline             Complete   15 minutes ago   
openshift-jee-sample-docker-1   Docker            Binary    Complete   14 minutes ago   1m33s

Comment 9 Gabe Montero 2018-06-04 13:52:14 UTC
Yep I saw that as well @wewang ... I agree we are good here.

Comment 11 errata-xmlrpc 2018-06-07 08:40:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.