Image author / commit empty in oc image built thru jenkins shared lib #47

Closed
michaelsauter opened this issue Dec 3, 2018 · 16 comments

@michaelsauter
Member

For some reason, the author of the image produced by the Jenkins build is unknown. This information should be set though as the commit author is known.

@michaelsauter michaelsauter added the bug Something isn't working label Dec 3, 2018
@clemensutschig
Member

the difference is driven by the BC - if the BC is based on a GIT commit / git source then the author of the commit is taken

if the source is binary ...

Author
Unknown
Built
3 months ago
Digest
sha256:80bffd16ff2694e8b247206d0ec623f6def14306ec878ebe7f89714d48ca9041
Identifier
sha256:7d507dd355c894c43eeca9f943bd53c7bebbf61018ef5fada1cbb4ca7c77ab46
Labels
io.openshift.build.name=be-spring-boot-1-1
io.openshift.build.namespace=cle335-test

  • we have to fix this asap - because it kills traceability!

@clemensutschig
Member

clemensutschig commented Feb 1, 2019

see https://github.com/opendevstack/ods-jenkins-shared-library/blob/master/src/org/ods/OdsContext.groovy#L116

we have the commit / branch etc ... we may need the author and the message as well
$ git show --format="%ae %ad %s" bc1e3541158b02783146bee112da4cb3387d9eea
40628552+clemensutschig@users.noreply.github.com Wed Nov 21 09:00:08 2018 +0100 Feature/confluence permission raise (#60)

could use this :) (question, but how?- via env,.... )

@renedupont - can you pick this up - this is a big one!
@michaelsauter - any ideas on label / env? ...

@clemensutschig
Member

clemensutschig commented Feb 1, 2019

update:
the author on the image - comes from dockerfile's author .. BUT

the *io. pieces come from the build config instance (use the BuildConfig.spec.output.imageLabels field to specify a list of custom labels that will be applied to each image built from the BuildConfig.)

and here is how :)

https://docs.openshift.com/container-platform/3.4/dev_guide/builds/build_output.html

@clemensutschig clemensutschig changed the title Image author in OpenShift is unknown Image author / commit empty in oc image built thru jenkins shared lib Feb 1, 2019
@michaelsauter
Member Author

@renedupont Can you look into this - let me know if you need help.

@renedupont
Member

I talked to @michaelsauter about it and started working on it, should be done in a couple of days.

@renedupont
Member

After implementing this for the label io.openshift.build.commit.author, it turns out that this is not the label that OpenShift pulls for the Author field in the Details view of the image.
It just showed it like this there:
image

What I found out though is that this Author field is the MAINTAINER of the Docker image.
I put this in the dockerfile
image
and it was filled then in openshift:
image

This seems to be rather unhelpful regarding traceability.

The question is now what we want to have here?

@clemensutschig
Member

clemensutschig commented Feb 15, 2019

@renedupont Put all the info into labels. Commit hash, message, author and branch .. and date .. ;-)

@clemensutschig
Member

clemensutschig commented Mar 1, 2019

so here is the list of things we should put in

  • source repo URL (source.repo.url)
  • branch (source.repo.branch)
  • commit hash (source.repo.commit)
  • message (source.repo.commit.msg)
  • author (source.repo.commit.author)
  • time of commit (source.repo.commit.time)
  • jenkins build job url (jenkins.job.url)
  • date of build (date)
  • ODS shared lib version (lib.version)
  • ODS openshift build server (openshift.server)

I would stick them all under ods.build.

for the last one
oc project | cut -d "/" -f3 | cut -d "\"" -f1 does the trick

or

def ocAPiUrl = sh(returnStdout: true, script: 'oc project ${PROJECT}-cd').trim()
ocAPiUrl = ocAPiUrl.substring(ocAPiUrl.indexOf("http")).replaceAll("\".", "")

@renedupont
Member

@clemensutschig I was now able to retrieve all of the information and present them as labels, BUT the shared lib version that we wanted to get via

config.odsSharedLibVersion = script.env["library.ods-library.version"]

causes a RejectedAccessException during the build since it runs in a Groovy sandbox. The precise exception is:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticMethod(StaticWhitelist.java:189) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetArray(SandboxInterceptor.java:447) at org.kohsuke.groovy.sandbox.impl.Checker$10.call(Checker.java:415) at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetArray(Checker.java:420) at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getArray(SandboxInvoker.java:45) at com.cloudbees.groovy.cps.impl.ArrayAccessBlock.rawGet(ArrayAccessBlock.java:21) at org.ods.OdsContext.assemble(file:/var/lib/jenkins/jobs/owasp-cd/jobs/owasp-cd-be-spring-boot-2-master/builds/37/libs/ods-library/src/org/ods/OdsContext.groovy:44) at org.ods.OdsPipeline.execute(file:/var/lib/jenkins/jobs/owasp-cd/jobs/owasp-cd-be-spring-boot-2-master/builds/37/libs/ods-library/src/org/ods/OdsPipeline.groovy:28) at ___cps.transform___(Native Method) at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:74) at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30) at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:66) at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72) at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21) at com.cloudbees.groovy.cps.Next.step(Next.java:83) at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174) at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163) at 
org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122) at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261) at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108) at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32) at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:331) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:243) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:231) at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

To allow that access it is possible to manually allow it in Jenkins Web UI under Script Approval:
image
After allowing it, it successfully shows the lib version; in my case it is the branch name I am testing it on.

Since we obviously don't want to do this manually for every jenkins instance, besides being a security risk according to the script approval message, the question is how we deal with this. I remember there were similar issues in the past with this sandbox rejecting access, any idea how it was dealt with @michaelsauter ?

@clemensutschig
Member

@renedupont then let's leave this one out.

@clemensutschig
Member

Other Option- sh "env | grep"

@renedupont
Member

echo script.sh(script: 'env|grep', returnStdout: true)
This resulted in
ERROR: script returned exit code 2
Then I did
echo script.sh(script: 'env|sort', returnStdout: true)
to see all env vars but regarding the ods library version it just showed as expected:
library.ods-library.version=feature/branchname

I'll take it out for now since it seems not to be accessible without this security issue.

@clemensutschig
Member

env | grep "library.ods-library.version" should do .. grep expects an argument WHAT to search for ... :)

$ env | grep HOST
HOSTNAME=....

@renedupont
Member

oh thank you, that helped 👍
It ended up being this:
script.sh(script: "env | grep 'library.ods-library.version' | cut -d= -f2", returnStdout: true)
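
An added example, not part of the thread and not the shared library's code: a shell sketch that reads the library version from `env` output by exact variable name and renders labels under the `ods.build.` prefix proposed above as a `BuildConfig.spec.output.imageLabels` patch. The function names, the sample commit message and the sample version value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not ODS code. Function names are hypothetical.

# Escape a string for a JSON string literal: drop control characters,
# then escape backslashes and double quotes.
json_escape() {
  printf '%s' "$1" | tr -d '\000-\037' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Read NAME=VALUE lines (the output of `env`) on stdin and print the value
# of the variable named exactly $1. The name is compared as a literal string
# (no regex dots) and a value that itself contains "=" is kept whole.
env_value() {
  awk -v name="$1" '{
    i = index($0, "=")
    if (i && substr($0, 1, i - 1) == name) { print substr($0, i + 1); exit }
  }'
}

# image_labels_patch KEY VALUE [KEY VALUE ...]
# Prints a JSON patch for BuildConfig.spec.output.imageLabels with every
# key placed under the ods.build. prefix suggested in the thread.
image_labels_patch() {
  out='' sep=''
  while [ "$#" -ge 2 ]; do
    out="${out}${sep}{\"name\":\"ods.build.$1\",\"value\":\"$(json_escape "$2")\"}"
    sep=','
    shift 2
  done
  printf '{"spec":{"output":{"imageLabels":[%s]}}}\n' "$out"
}

# Constructed sample values; in a pipeline they would come from
# `git show --format=...` and from `env`.
demo() {
  lib=$(printf 'library.ods-library.version=feature/a=b\n' |
    env_value 'library.ods-library.version')
  image_labels_patch \
    source.repo.commit bc1e3541158b02783146bee112da4cb3387d9eea \
    source.repo.commit.msg 'Fix "quoted" title' \
    lib.version "$lib"
}
demo
# Apply with: oc patch bc/<name> -p "$(demo)"   (<name> is a placeholder)
```

Commit messages and branch names are author-controlled text, so escaping them before they reach the patch keeps a stray quote from breaking or altering the label set.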

@clemensutschig
Member

clemensutschig commented Mar 3, 2019

Nice. Pull in @michaelsauter tmrw to help with Upstream

@clemensutschig clemensutschig moved this from To do to In progress in OpenDevStack 1.0.2 Mar 4, 2019
@clemensutschig clemensutschig added this to In Progress in OpenDevStack 1.1.0 Mar 4, 2019
@michaelsauter
Member Author

@clemensutschig @renedupont I realised what you used for ODS openshift build server (openshift.server) returns a private IP address :( I guess we can leave that out ...

michaelsauter pushed a commit to BIX-Digital/ods-jenkins-shared-library that referenced this issue Mar 4, 2019
Adds information from Git to image via labels.

Closes opendevstack#47.
This was referenced Mar 4, 2019
@michaelsauter michaelsauter moved this from In progress to Done in OpenDevStack 1.0.2 Mar 4, 2019
@michaelsauter michaelsauter moved this from In Progress to Done in OpenDevStack 1.1.0 Mar 4, 2019
stitakis pushed a commit that referenced this issue Aug 7, 2019
…m feature/BIX-531-git-lfs-jenkins-configuration to production

* commit '2c12edc6e9355c520d2c76d4c009aa30c72c8b4f':
  adding git lfs migrate note in readme file
  adding whole GitSCM configuration
  GitSCMSource not resolved from Jenkins, switching to GitSCM
  checkout with git lfs extension enabled