On Wed, Aug 9, 2017 at 4:55 AM, Thorvald Hallvardsson < thorvald.hallvards...@gmail.com> wrote:
> Hi, > > Thank you for your update. > > As you can clearly see from my previous email I'm running OpenShift 3.5: > # oc version > oc v1.5.1 > kubernetes v1.5.2+43a9be4 > features: Basic-Auth GSSAPI Kerberos SPNEGO > > # origin version > origin v1.5.1 > kubernetes v1.5.2+43a9be4 > etcd 3.1.0 > Ah - apologies I missed that ! > > > Regarding your question and suggestions around OAUTH I ran official > openshift jenkins2 ephemeral template and that either doesn't work. > OK thanks for confirming that. Depending on how debug progresses, we may need `oc get sa jenkins -o yaml` to ensure the redirect annotation is correct. But for now, in revisiting your jenkins pod log and comparing with a jenkins start where the oauth auto config succeeds, your default client ID is null, where it should be something like "system:serviceaccount:myproject:jenkins" That stems from the second thing I missed in your prior debug datat ... jenkins pod logs .... the exception Aug 8 16:38:26 master journal: java.net.UnknownHostException: openshift.default.svc when we tried to access the master in order to construct the default client id. That host name should be resolvable on any typical openshift pod. There are a few possibilities as to why that would occur. To narrow down, let's start with the contents of the /etc/resolv.conf and /etc/hosts.conf files in your jenkins pod. thanks > > some data: > > [root@master ~]# oc get pods > NAME READY STATUS RESTARTS AGE > jenkins-1-j267m 1/1 Running 0 5m > [root@master ~]# oc describe pod jenkins-1-j267m > Name: jenkins-1-j267m > Namespace: jenkins > Security Policy: restricted > Node: node2.hr4.local/192.168.1.62 > Start Time: Wed, 09 Aug 2017 09:39:29 +0100 > Labels: deployment=jenkins-1 > deploymentconfig=jenkins > name=jenkins > Status: Running > IP: 10.129.0.26 > Controllers: ReplicationController/jenkins-1 > Containers: > jenkins: > Container ID: docker://22573e42063109528896bdeb7de54f > 45c7251d71c3ae2321a1d6fea94404d01f > Image: openshift/jenkins-2-centos7@sha256: > ad29fc43c3f9015a0fdbb3f3ba366ff511303f7f3a0bbb1bc4652ecf70eb3712 > Image ID: docker-pullable://docker.io/ > openshift/jenkins-2-centos7@sha256:ad29fc43c3f9015a0fdbb3f3ba366f > f511303f7f3a0bbb1bc4652ecf70eb3712 > Port: > Limits: > memory: 1Gi > Requests: > memory: 1Gi > State: Running > Started: Wed, 09 Aug 2017 09:41:59 +0100 > Ready: True > Restart Count: 0 > Liveness: http-get http://:8080/login delay=420s timeout=3s > period=10s #success=1 #failure=30 > Readiness: http-get http://:8080/login delay=3s timeout=3s > period=10s #success=1 #failure=3 > Volume Mounts: > /var/lib/jenkins from jenkins-data (rw) > /var/run/secrets/kubernetes.io/serviceaccount from > jenkins-token-txv72 (ro) > Environment Variables: > OPENSHIFT_ENABLE_OAUTH: true > OPENSHIFT_ENABLE_REDIRECT_PROMPT: true > OPENSHIFT_JENKINS_JVM_ARCH: x86_64 > KUBERNETES_MASTER: https://kubernetes.default:443 > KUBERNETES_TRUST_CERTIFICATES: true > JNLP_SERVICE_NAME: jenkins-jnlp > Conditions: > Type Status > Initialized True > Ready True > PodScheduled True > Volumes: > jenkins-data: > Type: EmptyDir (a temporary directory that shares a pod's > lifetime) > Medium: > jenkins-token-txv72: > Type: Secret (a volume populated by a Secret) > SecretName: jenkins-token-txv72 > QoS Class: Burstable > Tolerations: <none> > Events: > FirstSeen LastSeen Count From > SubObjectPath Type Reason Message > --------- -------- ----- ---- > ------------- -------- ------ ------- > 5m 5m 1 {default-scheduler } > Normal Scheduled Successfully > assigned jenkins-1-j267m to node2.hr4.local > 5m 5m 1 {kubelet node2.hr4.local} > spec.containers{jenkins} Normal Pulling pulling > image "openshift/jenkins-2-centos7@sha256:ad29fc43c3f9015a0fdbb3f3ba366f > f511303f7f3a0bbb1bc4652ecf70eb3712" > 2m 2m 1 {kubelet node2.hr4.local} > spec.containers{jenkins} Normal Pulled > Successfully pulled image "openshift/jenkins-2-centos7@sha256: > ad29fc43c3f9015a0fdbb3f3ba366ff511303f7f3a0bbb1bc4652ecf70eb3712" > 2m 2m 1 {kubelet node2.hr4.local} > spec.containers{jenkins} Normal Created Created > container with docker id 22573e420631; Security:[seccomp=unconfined] > 2m 2m 1 {kubelet node2.hr4.local} > spec.containers{jenkins} Normal Started Started > container with docker id 22573e420631 > 2m 1m 5 {kubelet node2.hr4.local} > spec.containers{jenkins} Warning Unhealthy Readiness > probe failed: HTTP probe failed with statuscode: 503 > 1m 23s 6 {kubelet node2.hr4.local} > spec.containers{jenkins} Warning Unhealthy Readiness > probe failed: Get http://10.129.0.26:8080/login: net/http: request > canceled (Client.Timeout exceeded while awaiting headers) > > [root@node2 ~]# docker inspect 22573e420631 > [ > { > "Id": "22573e42063109528896bdeb7de54f > 45c7251d71c3ae2321a1d6fea94404d01f", > "Created": "2017-08-09T08:41:58.321766924Z", > "Path": "/usr/libexec/s2i/run", > "Args": [], > "State": { > "Status": "running", > "Running": true, > "Paused": false, > "Restarting": false, > "OOMKilled": false, > "Dead": false, > "Pid": 99830, > "ExitCode": 0, > "Error": "", > "StartedAt": "2017-08-09T08:41:59.594662533Z", > "FinishedAt": "0001-01-01T00:00:00Z" > }, > "Image": "sha256:8dda791f1c46d2ea35867fd1fa89e6 > 4519f0bda17b1d26b2ac6cf92bc8966268", > "ResolvConfPath": "/var/lib/docker/containers/ > 59d10a28ec1b911ef5b38f1e42d5b1178681e5c488678c7002a36e844519 > b40b/resolv.conf", > "HostnamePath": "/var/lib/docker/containers/ > 59d10a28ec1b911ef5b38f1e42d5b1178681e5c488678c7002a36e844519 > b40b/hostname", > "HostsPath": "/var/lib/origin/openshift. > local.volumes/pods/42102c09-7cde-11e7-9a6c-525400c269f8/etc-hosts", > "LogPath": "", > "Name": "/k8s_jenkins.ca203105_jenkins-1-j267m_jenkins_ > 42102c09-7cde-11e7-9a6c-525400c269f8_b0e27732", > "RestartCount": 0, > "Driver": "devicemapper", > "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c10,c0", > "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c10,c0", > "AppArmorProfile": "", > "ExecIDs": null, > "HostConfig": { > "Binds": [ > "/var/lib/origin/openshift.local.volumes/pods/42102c09- > 7cde-11e7-9a6c-525400c269f8/volumes/kubernetes.io~empty- > dir/jenkins-data:/var/lib/jenkins:Z", > "/var/lib/origin/openshift.local.volumes/pods/42102c09- > 7cde-11e7-9a6c-525400c269f8/volumes/kubernetes.io~secret/ > jenkins-token-txv72:/var/run/secrets/kubernetes.io/serviceaccount:ro,Z", > "/var/lib/origin/openshift.local.volumes/pods/42102c09- > 7cde-11e7-9a6c-525400c269f8/etc-hosts:/etc/hosts:Z", > "/var/lib/origin/openshift.local.volumes/pods/42102c09- > 7cde-11e7-9a6c-525400c269f8/containers/jenkins/b0e27732:/ > dev/termination-log:Z" > ], > "ContainerIDFile": "", > "LogConfig": { > "Type": "journald", > "Config": {} > }, > "NetworkMode": "container:59d10a28ec1b911ef5b38f1e42d5b1 > 178681e5c488678c7002a36e844519b40b", > "PortBindings": null, > "RestartPolicy": { > "Name": "", > "MaximumRetryCount": 0 > }, > "AutoRemove": false, > "VolumeDriver": "", > "VolumesFrom": null, > "CapAdd": null, > "CapDrop": [ > "KILL", > "MKNOD", > "SETGID", > "SETUID", > "SYS_CHROOT" > ], > "Dns": null, > "DnsOptions": null, > "DnsSearch": null, > "ExtraHosts": null, > "GroupAdd": [ > "1000090000" > ], > "IpcMode": "container:59d10a28ec1b911ef5b38f1e42d5b1 > 178681e5c488678c7002a36e844519b40b", > "Cgroup": "", > "Links": null, > "OomScoreAdj": 730, > "PidMode": "", > "Privileged": false, > "PublishAllPorts": false, > "ReadonlyRootfs": false, > "SecurityOpt": [ > "seccomp=unconfined", > "label=level:s0:c10,c0" > ], > "UTSMode": "", > "UsernsMode": "", > "ShmSize": 67108864, > "Runtime": "docker-runc", > "ConsoleSize": [ > 0, > 0 > ], > "Isolation": "", > "CpuShares": 2, > "Memory": 1073741824, > "CgroupParent": "", > "BlkioWeight": 0, > "BlkioWeightDevice": null, > "BlkioDeviceReadBps": null, > "BlkioDeviceWriteBps": null, > "BlkioDeviceReadIOps": null, > "BlkioDeviceWriteIOps": null, > "CpuPeriod": 0, > "CpuQuota": 0, > "CpusetCpus": "", > "CpusetMems": "", > "Devices": [], > "DiskQuota": 0, > "KernelMemory": 0, > "MemoryReservation": 0, > "MemorySwap": -1, > "MemorySwappiness": -1, > "OomKillDisable": false, > "PidsLimit": 0, > "Ulimits": null, > "CpuCount": 0, > "CpuPercent": 0, > "IOMaximumIOps": 0, > "IOMaximumBandwidth": 0 > }, > "GraphDriver": { > "Name": "devicemapper", > "Data": { > "DeviceId": "956", > "DeviceName": "docker-253:0-2491527- > 6352b1d19f04272bc621e44bcf1b49f4a832886bdfb1d30359bae7b458fc0bb8", > "DeviceSize": "10737418240" > } > }, > "Mounts": [ > { > "Source": "/var/lib/origin/openshift. > local.volumes/pods/42102c09-7cde-11e7-9a6c-525400c269f8/volumes/ > kubernetes.io~empty-dir/jenkins-data", > "Destination": "/var/lib/jenkins", > "Mode": "Z", > "RW": true, > "Propagation": "rprivate" > }, > { > "Source": "/var/lib/origin/openshift. > local.volumes/pods/42102c09-7cde-11e7-9a6c-525400c269f8/volumes/ > kubernetes.io~secret/jenkins-token-txv72", > "Destination": "/var/run/secrets/kubernetes. > io/serviceaccount", > "Mode": "ro,Z", > "RW": false, > "Propagation": "rprivate" > }, > { > "Source": "/var/lib/origin/openshift. > local.volumes/pods/42102c09-7cde-11e7-9a6c-525400c269f8/etc-hosts", > "Destination": "/etc/hosts", > "Mode": "Z", > "RW": true, > "Propagation": "rprivate" > }, > { > "Source": "/var/lib/origin/openshift. > local.volumes/pods/42102c09-7cde-11e7-9a6c-525400c269f8/ > containers/jenkins/b0e27732", > "Destination": "/dev/termination-log", > "Mode": "Z", > "RW": true, > "Propagation": "rprivate" > } > ], > "Config": { > "Hostname": "jenkins-1-j267m", > "Domainname": "", > "User": "1000090000", > "AttachStdin": false, > "AttachStdout": false, > "AttachStderr": false, > "ExposedPorts": { > "50000/tcp": {}, > "8080/tcp": {} > }, > "Tty": false, > "OpenStdin": false, > "StdinOnce": false, > "Env": [ > "OPENSHIFT_ENABLE_OAUTH=true", > "OPENSHIFT_ENABLE_REDIRECT_PROMPT=true", > "OPENSHIFT_JENKINS_JVM_ARCH=x86_64", > "KUBERNETES_MASTER=https://kubernetes.default:443", > "KUBERNETES_TRUST_CERTIFICATES=true", > "JNLP_SERVICE_NAME=jenkins-jnlp", > "JENKINS_JNLP_PORT_50000_TCP_ADDR=172.30.98.196", > "JENKINS_PORT=tcp://172.30.125.4:80", > "KUBERNETES_PORT_53_UDP=udp://172.30.0.1:53", > "KUBERNETES_PORT_53_TCP=tcp://172.30.0.1:53", > "KUBERNETES_PORT_53_TCP_ADDR=172.30.0.1", > "JENKINS_SERVICE_PORT_WEB=80", > "JENKINS_JNLP_SERVICE_HOST=172.30.98.196", > "KUBERNETES_SERVICE_PORT=443", > "KUBERNETES_SERVICE_PORT_HTTPS=443", > "KUBERNETES_SERVICE_PORT_DNS=53", > "KUBERNETES_PORT_443_TCP_ADDR=172.30.0.1", > "KUBERNETES_PORT_53_UDP_PROTO=udp", > "KUBERNETES_PORT_53_UDP_PORT=53", > "KUBERNETES_PORT_53_UDP_ADDR=172.30.0.1", > "JENKINS_JNLP_SERVICE_PORT=50000", > "JENKINS_JNLP_SERVICE_PORT_AGENT=50000", > "JENKINS_JNLP_PORT_50000_TCP=tcp://172.30.98.196:50000", > "JENKINS_PORT_80_TCP=tcp://172.30.125.4:80", > "JENKINS_PORT_80_TCP_ADDR=172.30.125.4", > "KUBERNETES_SERVICE_HOST=172.30.0.1", > "KUBERNETES_PORT_443_TCP=tcp://172.30.0.1:443", > "KUBERNETES_PORT_53_TCP_PROTO=tcp", > "JENKINS_JNLP_PORT_50000_TCP_PROTO=tcp", > "JENKINS_JNLP_PORT_50000_TCP_PORT=50000", > "JENKINS_SERVICE_HOST=172.30.125.4", > "JENKINS_PORT_80_TCP_PORT=80", > "KUBERNETES_PORT_443_TCP_PORT=443", > "JENKINS_JNLP_PORT=tcp://172.30.98.196:50000", > "JENKINS_PORT_80_TCP_PROTO=tcp", > "JENKINS_SERVICE_PORT=80", > "KUBERNETES_PORT=tcp://172.30.0.1:443", > "KUBERNETES_PORT_53_TCP_PORT=53", > "KUBERNETES_SERVICE_PORT_DNS_TCP=53", > "KUBERNETES_PORT_443_TCP_PROTO=tcp", > "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/ > sbin:/bin", > "JENKINS_VERSION=2.46.3", > "HOME=/var/lib/jenkins", > "JENKINS_HOME=/var/lib/jenkins", > "JENKINS_UC=https://updates.jenkins-ci.org", > "LANG=en_US.UTF-8", > "LC_ALL=en_US.UTF-8" > ], > "Cmd": [ > "/usr/libexec/s2i/run" > ], > "Image": "openshift/jenkins-2-centos7@sha256: > ad29fc43c3f9015a0fdbb3f3ba366ff511303f7f3a0bbb1bc4652ecf70eb3712", > "Volumes": { > "/var/lib/jenkins": {} > }, > "WorkingDir": "", > "Entrypoint": null, > "OnBuild": null, > "Labels": { > "build-date": "20170705", > "io.kubernetes.container.hash": "ca203105", > "io.kubernetes.container.name": "jenkins", > "io.kubernetes.container.restartCount": "0", > "io.kubernetes.container.terminationMessagePath": > "/dev/termination-log", > "io.kubernetes.pod.name": "jenkins-1-j267m", > "io.kubernetes.pod.namespace": "jenkins", > "io.kubernetes.pod.terminationGracePeriod": "30", > "io.kubernetes.pod.uid": "42102c09-7cde-11e7-9a6c- > 525400c269f8", > "io.openshift.builder-version": "fc9a5fc", > "io.openshift.s2i.scripts-url": > "image:///usr/libexec/s2i", > "k8s.io.description": "Jenkins is a continuous integration > server", > "k8s.io.display-name": "Jenkins 2.46.3", > "license": "GPLv2", > "name": "CentOS Base Image", > "openshift.io.expose-services": "8080:http", > "openshift.io.tags": "jenkins,jenkins2,ci", > "vendor": "CentOS" > } > }, > "NetworkSettings": { > "Bridge": "", > "SandboxID": "", > "HairpinMode": false, > "LinkLocalIPv6Address": "", > "LinkLocalIPv6PrefixLen": 0, > "Ports": null, > "SandboxKey": "", > "SecondaryIPAddresses": null, > "SecondaryIPv6Addresses": null, > "EndpointID": "", > "Gateway": "", > "GlobalIPv6Address": "", > "GlobalIPv6PrefixLen": 0, > "IPAddress": "", > "IPPrefixLen": 0, > "IPv6Gateway": "", > "MacAddress": "", > "Networks": null > } > } > ] > > So I think everything is as it should I believe... but OAUTH doesn't work > I got jenkins login screen when I click on the jenkins URL. > > On 8 August 2017 at 18:51, Gabe Montero <gmont...@redhat.com> wrote: > >> >> >> On Tue, Aug 8, 2017 at 11:43 AM, Thorvald Hallvardsson < >> thorvald.hallvards...@gmail.com> wrote: >> >>> Hi, >>> >>> I found the problem with Siamak git repo. Plugins.txt refers to >>> blueocean 1.0.0 which doesn't exist anymore. I forked his repo and changed >>> that to 1.0.1 and it builds fine now however I have an OAUTH issues still >>> even on the blueocean image. >>> >>> >>> This is a bit of interesting log I found: >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftSetOAuth setOauth >>> Aug 8 16:38:26 master journal: INFO: OpenShift OAuth: enable oauth set >>> to true force false lastCheck Tue Aug 08 15:38:16 UTC 2017 >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftSetOAuth setOauth >>> Aug 8 16:38:26 master journal: INFO: OpenShift OAuth: configured >>> security realm on startup: hudson.security.HudsonPrivateS >>> ecurityRealm@41464f last check Tue Aug 08 15:38:16 UTC 2017 >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm >>> populateDefaults >>> Aug 8 16:38:26 master journal: INFO: populateDefaults >>> Aug 8 16:38:26 master journal: java.net.UnknownHostException: >>> openshift.default.svc >>> Aug 8 16:38:26 master journal: #011at java.net.AbstractPlainSocketIm >>> pl.connect(AbstractPlainSocketImpl.java:184) >>> Aug 8 16:38:26 master journal: #011at java.net.SocksSocketImpl.conne >>> ct(SocksSocketImpl.java:392) >>> Aug 8 16:38:26 master journal: #011at java.net.Socket.connect(Socket >>> .java:589) >>> Aug 8 16:38:26 master journal: #011at sun.security.ssl.SSLSocketImpl >>> .connect(SSLSocketImpl.java:673) >>> Aug 8 16:38:26 master journal: #011at sun.net.NetworkClient.doConnec >>> t(NetworkClient.java:175) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.http.HttpClient.op >>> enServer(HttpClient.java:463) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.http.HttpClient.op >>> enServer(HttpClient.java:558) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Htt >>> psClient.<init>(HttpsClient.java:264) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Htt >>> psClient.New(HttpsClient.java:367) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Abs >>> tractDelegateHttpsURLConnection.getNewHttpClient(AbstractDel >>> egateHttpsURLConnection.java:191) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.http.Http >>> URLConnection.plainConnect0(HttpURLConnection.java:1138) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.http.Http >>> URLConnection.plainConnect(HttpURLConnection.java:1032) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Abs >>> tractDelegateHttpsURLConnection.connect(AbstractDelegateHttp >>> sURLConnection.java:177) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Htt >>> psURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) >>> Aug 8 16:38:26 master journal: #011at com.google.api.client.http.jav >>> anet.NetHttpRequest.execute(NetHttpRequest.java:93) >>> Aug 8 16:38:26 master journal: #011at com.google.api.client.http.Htt >>> pRequest.execute(HttpRequest.java:972) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftOAuth2SecurityRealm.getOpenShiftUser >>> Info(OpenShiftOAuth2SecurityRealm.java:489) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftOAuth2SecurityRealm.populateDefaults >>> (OpenShiftOAuth2SecurityRealm.java:337) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftOAuth2SecurityRealm.<init>(OpenShift >>> OAuth2SecurityRealm.java:273) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftSetOAuth.setOauth(OpenShiftSetOAuth.java:69) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftPermissionFilter.doFilter(OpenShiftP >>> ermissionFilter.java:106) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at org.jenkinsci.plugins.ssegatew >>> ay.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at com.cloudbees.jenkins.support. >>> slowrequest.SlowRequestFilter.doFilter(SlowRequestFilter.java:38) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at io.jenkins.blueocean.ResourceC >>> acheControl.doFilter(ResourceCacheControl.java:134) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at jenkins.metrics.impl.MetricsFi >>> lter.doFilter(MetricsFilter.java:125) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r.doFilter(PluginServletFilter.java:126) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at hudson.security.csrf.CrumbFilt >>> er.doFilter(CrumbFilter.java:49) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:84) >>> Aug 8 16:38:26 master journal: #011at hudson.security.UnwrapSecurity >>> ExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at jenkins.security.ExceptionTran >>> slationFilter.doFilter(ExceptionTranslationFilter.java:117) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.providers.an >>> onymous.AnonymousProcessingFilter.doFilter(AnonymousProcessi >>> ngFilter.java:125) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.ui.rememberm >>> e.RememberMeProcessingFilter.doFilter(RememberMeProcessingFi >>> lter.java:135) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.ui.AbstractP >>> rocessingFilter.doFilter(AbstractProcessingFilter.java:271) >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm >>> populateDefaults >>> Aug 8 16:38:26 master journal: INFO: OpenShift OAuth returning false >>> with namespace ci SA dir null default /run/secrets/kubernetes.io/ser >>> viceaccount SA name null default null client ID >>> null default null secret null default [LONG STRING HERE] redirect null >>> default null server null default https: >>> //openshift.default.svc >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm >>> populateDefaults >>> Aug 8 16:38:26 master journal: INFO: populateDefaults >>> Aug 8 16:38:26 master journal: java.net.UnknownHostException: >>> openshift.default.svc >>> Aug 8 16:38:26 master journal: #011at java.net.AbstractPlainSocketIm >>> pl.connect(AbstractPlainSocketImpl.java:184) >>> Aug 8 16:38:26 master journal: #011at java.net.SocksSocketImpl.conne >>> ct(SocksSocketImpl.java:392) >>> Aug 8 16:38:26 master journal: #011at java.net.Socket.connect(Socket >>> .java:589) >>> Aug 8 16:38:26 master journal: #011at sun.security.ssl.SSLSocketImpl >>> .connect(SSLSocketImpl.java:673) >>> Aug 8 16:38:26 master journal: #011at sun.net.NetworkClient.doConnec >>> t(NetworkClient.java:175) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.http.HttpClient.op >>> enServer(HttpClient.java:463) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.http.HttpClient.op >>> enServer(HttpClient.java:558) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Htt >>> psClient.<init>(HttpsClient.java:264) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Htt >>> psClient.New(HttpsClient.java:367) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Abs >>> tractDelegateHttpsURLConnection.getNewHttpClient(AbstractDel >>> egateHttpsURLConnection.java:191) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.http.Http >>> URLConnection.plainConnect0(HttpURLConnection.java:1138) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.http.Http >>> URLConnection.plainConnect(HttpURLConnection.java:1032) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Abs >>> tractDelegateHttpsURLConnection.connect(AbstractDelegateHttp >>> sURLConnection.java:177) >>> Aug 8 16:38:26 master journal: #011at sun.net.www.protocol.https.Htt >>> psURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) >>> Aug 8 16:38:26 master journal: #011at com.google.api.client.http.jav >>> anet.NetHttpRequest.execute(NetHttpRequest.java:93) >>> Aug 8 16:38:26 master journal: #011at com.google.api.client.http.Htt >>> pRequest.execute(HttpRequest.java:972) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftOAuth2SecurityRealm.getOpenShiftUser >>> Info(OpenShiftOAuth2SecurityRealm.java:489) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftOAuth2SecurityRealm.populateDefaults >>> (OpenShiftOAuth2SecurityRealm.java:337) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftSetOAuth.setOauth(OpenShiftSetOAuth.java:73) >>> Aug 8 16:38:26 master journal: #011at org.openshift.jenkins.plugins. >>> openshiftlogin.OpenShiftPermissionFilter.doFilter(OpenShiftP >>> ermissionFilter.java:106) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at org.jenkinsci.plugins.ssegatew >>> ay.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at com.cloudbees.jenkins.support. >>> slowrequest.SlowRequestFilter.doFilter(SlowRequestFilter.java:38) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at io.jenkins.blueocean.ResourceC >>> acheControl.doFilter(ResourceCacheControl.java:134) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at jenkins.metrics.impl.MetricsFi >>> lter.doFilter(MetricsFilter.java:125) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r$1.doFilter(PluginServletFilter.java:132) >>> Aug 8 16:38:26 master journal: #011at hudson.util.PluginServletFilte >>> r.doFilter(PluginServletFilter.java:126) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at hudson.security.csrf.CrumbFilt >>> er.doFilter(CrumbFilter.java:49) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:84) >>> Aug 8 16:38:26 master journal: #011at hudson.security.UnwrapSecurity >>> ExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at jenkins.security.ExceptionTran >>> slationFilter.doFilter(ExceptionTranslationFilter.java:117) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.providers.an >>> onymous.AnonymousProcessingFilter.doFilter(AnonymousProcessi >>> ngFilter.java:125) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.ui.rememberm >>> e.RememberMeProcessingFilter.doFilter(RememberMeProcessingFi >>> lter.java:135) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.ui.AbstractP >>> rocessingFilter.doFilter(AbstractProcessingFilter.java:271) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at jenkins.security.BasicHeaderPr >>> ocessor.doFilter(BasicHeaderProcessor.java:93) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at org.acegisecurity.context.Http >>> SessionContextIntegrationFilter.doFilter(HttpSessionContextI >>> ntegrationFilter.java:249) >>> Aug 8 16:38:26 master journal: #011at hudson.security.HttpSessionCon >>> textIntegrationFilter2.doFilter(HttpSessionContextIntegratio >>> nFilter2.java:67) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter$1.doFilter(ChainedServletFilter.java:87) >>> Aug 8 16:38:26 master journal: #011at hudson.security.ChainedServlet >>> Filter.doFilter(ChainedServletFilter.java:76) >>> Aug 8 16:38:26 master journal: #011at hudson.security.HudsonFilter.d >>> oFilter(HudsonFilter.java:171) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at org.kohsuke.stapler.compressio >>> n.CompressionFilter.doFilter(CompressionFilter.java:49) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at hudson.util.CharacterEncodingF >>> ilter.doFilter(CharacterEncodingFilter.java:82) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at org.kohsuke.stapler.Diagnostic >>> ThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler.doHandle(ServletHandler.java:585) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.handl >>> er.ScopedHandler.handle(ScopedHandler.java:143) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.security.Sec >>> urityHandler.handle(SecurityHandler.java:553) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.sessi >>> on.SessionHandler.doHandle(SessionHandler.java:223) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.handl >>> er.ContextHandler.doHandle(ContextHandler.java:1127) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.servlet.Serv >>> letHandler.doScope(ServletHandler.java:515) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.sessi >>> on.SessionHandler.doScope(SessionHandler.java:185) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.handl >>> er.ContextHandler.doScope(ContextHandler.java:1061) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.handl >>> er.ScopedHandler.handle(ScopedHandler.java:141) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.handl >>> er.HandlerWrapper.handle(HandlerWrapper.java:97) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.Serve >>> r.handle(Server.java:499) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.HttpC >>> hannel.handle(HttpChannel.java:311) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.server.HttpC >>> onnection.onFillable(HttpConnection.java:257) >>> Aug 8 16:38:26 master journal: #011at org.eclipse.jetty.io.AbstractC >>> onnection$2.run(AbstractConnection.java:544) >>> Aug 8 16:38:26 master journal: #011at winstone.BoundedExecutorServic >>> e$1.run(BoundedExecutorService.java:77) >>> Aug 8 16:38:26 master journal: #011at java.util.concurrent.ThreadPoo >>> lExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> Aug 8 16:38:26 master journal: #011at java.util.concurrent.ThreadPoo >>> lExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> Aug 8 16:38:26 master journal: #011at java.lang.Thread.run(Thread.ja >>> va:748) >>> Aug 8 16:38:26 master journal: >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm >>> populateDefaults >>> Aug 8 16:38:26 master journal: INFO: OpenShift OAuth returning false >>> with namespace ci SA dir null default /run/secrets/kubernetes.io/ser >>> viceaccount SA name null default null client ID null default null >>> secret null default [LONG STRING HERE] redirect null default null server >>> null default https://openshift.default.svc >>> Aug 8 16:38:26 master journal: Aug 08, 2017 3:38:26 PM >>> org.openshift.jenkins.plugins.openshiftlogin.OpenShiftSetOAuth setOauth >>> Aug 8 16:38:26 master journal: INFO: OpenShift OAuth: running in >>> OpenShift pod with required OAuth features: false >>> >>> >>> # oc version >>> oc v1.5.1 >>> kubernetes v1.5.2+43a9be4 >>> features: Basic-Auth GSSAPI Kerberos SPNEGO >>> >>> >>> I think I will just come back to version 3.2 and 3.3 as I didn't have >>> any issues with any of these versions... since version 3.4 I just >>> constantly run into more and more issues :/. >>> >> >> To run with the openshift jenkins oauth integration (i.e. our "login" >> plugin) with the openshift oauth server running in an openshift master, if >> you run with a pre-3.4 master, you have to manually >> configure the plugin in the jenkins image to talk with the oauth server, >> and you had to manually add the jenkins service to the oauth whitelist on >> the master. >> >> From what I'm gathering here you did not previously do that. >> >> With a master at 3.4 or beyond, aside from not having the configure the >> login plugin out of the box if jenkins is running in an openshift pod, the >> templates we shipped for jenkins >> in 3.4 and beyond leverage a new annotation provided by to the oauth >> server that allows the bypassing of the manual whitelist update. >> >> Based on the pod logs you posted, either a) your jenkins image is not >> running in an openshift pod, b) it was a pod instantiated with a pre-3.4 >> template, or c) you are running >> against a pre-3.4 openshift master. Because of that, we cannot >> autoconfigure the oauth integration and fall back to the default jenkins >> authentication. >> >> >>> Thank you for your help. >>> >>> >>> On 8 August 2017 at 16:35, Ben Parees <bpar...@redhat.com> wrote: >>> >>>> >>>> >>>> On Tue, Aug 8, 2017 at 10:52 AM, Thorvald Hallvardsson < >>>> thorvald.hallvards...@gmail.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> I'm trying to run jenkins on OpenShift to integrate it nicely with >>>>> pipelines and OAUTH. I have done that in the past and it was all working >>>>> but I'm trying to reproduce what I used to do before and it simply doesn't >>>>> work. I don't know why but from one version to another OpenShift is >>>>> becominbg more and more pain. >>>>> >>>>> I was following official blog article https://blog.openshift >>>>> .com/openshift-pipelines-jenkins-blue-ocean/ which used to work >>>>> however jenkins changed something now and that build simply doesn't work >>>>> anymore: >>>>> Cloning "https://github.com/siamaksade/jenkins-blueocean.git" ... >>>>> WARNING: timed out waiting for git server, will wait 1m4s >>>>> Commit: 70cff8557908b592d291e6ea0b3a018069b61324 (updated README) >>>>> Author: Siamak Sadeghianfar <ssade...@redhat.com> >>>>> Date: Thu Apr 6 18:48:41 2017 +0700 >>>>> ---> Copying repository files ... >>>>> ---> Installing Jenkins 0 plugins using /opt/openshift/plugins.txt ... >>>>> Creating initial locks... >>>>> Locking blueocean:1.0.0 >>>>> Analyzing war... >>>>> Downloading plugins... >>>>> Downloading plugin: blueocean from https://updates.jenkins-ci.org >>>>> /download/plugins/blueocean/1.0.0/blueocean.hpi >>>>> Downloading plugin: blueocean-plugin from >>>>> https://updates.jenkins-ci.org/download/plugins/blueocean-pl >>>>> ugin/1.0.0/blueocean-plugin.hpi >>>>> Failed to download plugin: blueocean or blueocean-plugin >>>>> Failed to install plugins. >>>>> error: build error: non-zero (13) exit code from >>>>> openshift/jenkins-2-centos7@sha256:ad29fc43c3f9015a0fdbb3f3b >>>>> a366ff511303f7f3a0bbb1bc4652ecf70eb3712 >>>>> >>>>> Simply because second link drops 404... blueocean-plugin.hpi doesn't >>>>> exist anymore. >>>>> >>>> >>>> Sounds like some stuff has bit-rotted in that blog, CCing Siamak in >>>> case he has time to update it. >>>> >>>> But note that we do already install blue ocean in our jenkins centos >>>> image and we'll be adding it to our rhel image most likely in 3.7. >>>> >>>> >>>> >>>>> >>>>> >>>>> I decided OK... I don't need blueocean so I will just go for standard >>>>> Jenkins from OpenShift templates. That did install successfuly but when I >>>>> click on the link it asks for username and password (on Jenkins screen) so >>>>> simply OAUTH doesn't work at all. >>>>> >>>>> The pod has >>>>> # oc exec jenkins-1-28l8x env |grep -i auth >>>>> OPENSHIFT_ENABLE_OAUTH=true >>>>> >>>>> it is running but ... yeah how do I integrate it with my pipelines? >>>>> Any ideas? >>>>> >>>> >>>> Gabe and Mo (on CC) have added some debug for oauth flow failures, what >>>> version of openshift are you running and can you provide openshift master >>>> logs and jenkins pod logs? >>>> >>>> >>>> >>>> >>>>> >>>>> Thanks! >>>>> >>>>> _______________________________________________ >>>>> users mailing list >>>>> users@lists.openshift.redhat.com >>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>>> >>>>> >>>> >>>> >>>> -- >>>> Ben Parees | OpenShift >>>> >>>> >>> >> >
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users