Bug
Resolution: Unresolved
Critical
OpenShift Jenkins LTS 2.528.3
Description of problem:
When a Jenkins instance is created using (v4.18.0-1756734681) or newer, the initialPassword in /var/lib/jenkins/password is not created; there's an error coming from a missing class:
```
Exception in thread "main" java.lang.NoClassDefFoundError: org/mindrot/jbcrypt/BCrypt
    at com.redhat.openshift.PasswordEncoder.main(PasswordEncoder.java:23)
Caused by: java.lang.ClassNotFoundException: org.mindrot.jbcrypt.BCrypt
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
    ... 1 more
```
It's not possible to log into Jenkins for any new deployment using the affected container images without disabling security manually in the config.xml files.
First occurrence of this issue
I've been tracing back to when this bcrypt issue started and it seems the first 4.18.0 image impacted by this is:
[v4.18.0-1756734681](https://catalog.redhat.com/en/software/containers/ocp-tools-4/jenkins-rhel9/65dc9063b7db2e8b83a5b299?image=68b5abbb6cb7528dad699103&architecture=amd64).
I tried to reproduce the issue with the v4.18.0-1750848396 tag but it was not affected.
Evidence
Affected image
[v4.18.0-1756734681](https://catalog.redhat.com/en/software/containers/ocp-tools-4/jenkins-rhel9/65dc9063b7db2e8b83a5b299?image=68b5abbb6cb7528dad699103&architecture=amd64).
I tried to find any jbcrypt files in there:
```
sh-5.1$ find /var/lib/jenkins/ -name "*jbcrypt*"
/var/lib/jenkins/plugins/trilead-api/WEB-INF/lib/jbcrypt-1.0.2.jar
```
Not affected image
[v4.18.0-1750848396](registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:18d143a227c4547ad54f8c5a551971699548cc632ef9c4ba29239afb1cde47fd)
When I search for the bcrypt plugin:
```
sh-5.1$ find /var/lib/jenkins/ -name "*jbcrypt*"
/var/lib/jenkins/plugins/trilead-api/WEB-INF/lib/jbcrypt-1.0.2.jar
/var/lib/jenkins/war/WEB-INF/lib/jbcrypt-1.0.2.jar
```
Hypothesis
There's a file that is missing in the affected images and is causing the issue:
/var/lib/jenkins/war/WEB-INF/lib/jbcrypt-1.0.2.jar
Reproducing and applying a workaround to the issue
I reproduced this issue in the affected image with persistent storage (so even after restarting the pod, the issue persists).
1. Created 2 Jenkins pods, one of them using the unaffected image and the other one using the affected one.
2. Copied the missing file out of the unaffected container image:
oc cp jenkins-v4.18.0-589fc47c9c-ztj9d:/var/lib/jenkins/war/WEB-INF/lib/jbcrypt-1.0.2.jar ./jbcrypt-1.0.2.jar
3. Created a configMap with the jar file as its content:
$ oc create configmap --from-file jbcrypt-1.0.2.jar jbcrypt-jar
4. Mounted the configMap in the affected deployment:
```yaml
spec:
  volumes:
    # ConfigMap holding the jar copied from the unaffected image
    - name: jbcrypt
      configMap:
        name: jbcrypt-jar
        defaultMode: 420
    - name: jenkins-reproducer
      persistentVolumeClaim:
        claimName: jenkins-reproducer
  containers:
    - name: container
      volumeMounts:
        # Single file from the ConfigMap, mounted outside the Jenkins home
        - name: jbcrypt
          mountPath: /opt/jbcrypt-1.0.2.jar
          subPath: jbcrypt-1.0.2.jar
        - name: jenkins-reproducer
          mountPath: /var/lib/jenkins
```
5. Got into the pod, copied the jar file into `/var/lib/jenkins/war/WEB-INF/lib/` and replicated the permissions the rest of the jar files have:
```
$ cp /opt/jbcrypt-1.0.2.jar /var/lib/jenkins/war/WEB-INF/lib/
$ chown 1000770000 /var/lib/jenkins/war/WEB-INF/lib/jbcrypt-1.0.2.jar
$ chmod g+w /var/lib/jenkins/war/WEB-INF/lib/jbcrypt-1.0.2.jar
```
6. Restarted the pod and checked those logs are not showing up anymore *and* the `/var/lib/jenkins/password` initial password file is now populated.
Actual results: The initial password is not created so a workaround is required to log into Jenkins.
Expected results: The initial password is created.
Reproducibility (Always/Intermittent/Only Once): ALWAYS
Acceptance criteria:
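A check for the condition this report describes, usable before and after the workaround in steps 1 to 6; it is an added example, not part of the original report or of the image's own tooling. The paths are the ones quoted in the report; the function names and return codes are hypothetical, and comparing against the trilead-api copy assumes that copy is the same build of jbcrypt-1.0.2.jar.

```shell
#!/bin/sh
# Added example. Paths are the ones quoted in the report; function names
# and return codes are hypothetical.

# war_has_jbcrypt HOME: 0 if the exploded WAR's lib dir holds a jbcrypt jar
# (the file the report finds missing in the affected image), 1 if not.
war_has_jbcrypt() {
    for jar in "$1"/war/WEB-INF/lib/jbcrypt-*.jar; do
        if [ -f "$jar" ]; then return 0; fi
    done
    return 1
}

# password_file_populated HOME: 0 if HOME/password exists and is non-empty.
password_file_populated() {
    [ -s "$1/password" ]
}

# jar_matches_plugin_copy HOME CANDIDATE: compare the jar about to be added
# to the WAR with the copy the image still ships under the trilead-api plugin.
# Assumption: both are the same build, so a mismatch means "inspect first".
# 0 = byte-identical, 2 = differs, 3 = no plugin copy to compare against.
jar_matches_plugin_copy() {
    ref="$1/plugins/trilead-api/WEB-INF/lib/$(basename "$2")"
    if [ ! -f "$ref" ]; then return 3; fi
    if cmp -s "$ref" "$2"; then return 0; fi
    return 2
}

# audit_jenkins_home HOME [CANDIDATE]: one line per finding; returns 0 only
# when nothing needs attention. Usage: audit_jenkins_home /var/lib/jenkins
audit_jenkins_home() {
    findings=0
    if war_has_jbcrypt "$1"; then echo "OK   jbcrypt jar in war/WEB-INF/lib"
    else echo "FAIL jbcrypt jar missing from war/WEB-INF/lib"; findings=1; fi
    if password_file_populated "$1"; then echo "OK   password file populated"
    else echo "FAIL password file missing or empty"; findings=1; fi
    if [ -n "${2:-}" ]; then
        rc=0; jar_matches_plugin_copy "$1" "$2" || rc=$?
        case $rc in
            0) echo "OK   candidate jar matches plugin copy" ;;
            2) echo "FAIL candidate jar differs from plugin copy"; findings=1 ;;
            3) echo "WARN no plugin copy to compare against" ;;
        esac
    fi
    return $findings
}
```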