• Bug
    • Resolution: Unresolved
    • Major

      Since yesterday my console logs have extra * stars at each character. Even if I have a really simple pipeline like

       

      pipeline {
          options {
              buildDiscarder(logRotator(numToKeepStr: "3"))
              disableConcurrentBuilds()
              timeout(time: 120, unit: "MINUTES")
          }
          agent {
              label "maven-3-jdk-12"
          }
          stages {
              /**
               * The stage will checkout the current branch.
               */
              stage("Checkout Build") {
                  steps {
                      checkout scm
                  }
              }
          } // stages
      }
      
      

      The weird thing is that those * stars are only added if I use the maven-3-jdk-12 agent. I tried it with a docker and kubernetes agent and I do not get all those stars in my log.

       

       

       

      Started by user Erwin Müller
      Querying the current revision of branch jenkins...
      Current revision of branch jenkins is 2a5e780086a6d95801378dd62c6107e3367d2b0f
      Obtained Jenkinsfile from 2a5e780086a6d95801378dd62c6107e3367d2b0f
      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline
      [Pipeline] node
      Still waiting to schedule task
      Waiting for next available executor on ‘maven-3-jdk-12-1566w’
      Agent maven-3-jdk-12-x49g2 is provisioned from template Kubernetes Pod Template
      Agent specification [Kubernetes Pod Template] (maven-3-jdk-12): 
      * [jnlp] jenkins/jnlp-slave:3.29-1-alpine
      * [maven] erwin82/maven:v3.6.1-jdk-12-r.10(resourceRequestCpu: 0, resourceRequestMemory: 0, resourceLimitCpu: 2.0, resourceLimitMemory: 2Gi)
      yaml:
      apiVersion: v1
      kind: Pod
      spec:
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: agent.jenkins.anrisoftware.com
                  operator: In
                  values:
                  - required
      Running on maven-3-jdk-12-x49g2 in /home/jenkins/workspace/al-rest-analysis-service_jenkins
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Declarative: Checkout SCM)
      [Pipeline] checkout
      ********u********s********i********n********g******** ********c********r********e********d********e********n********t********i********a********l******** ********j********e********n********k********i********n********s********-********g********i********t********e********a********
      
      

      It cannot be this issue https://issues.jenkins-ci.org/browse/JENKINS-41760 because in the example pipeline I am not using any credentials. Also, this issue occurs only if I use the maven docker image but not with any other image.

      For example with the docker agent:

      Started by user Erwin Müller
      Querying the current revision of branch jenkins...
      Current revision of branch jenkins is 360c219162eae6026a231ff6c49103666770355a
      Obtained Jenkinsfile from 360c219162eae6026a231ff6c49103666770355a
      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline
      [Pipeline] node
      Agent docker-18-dwxpr is provisioned from template Kubernetes Pod Template
      Agent specification [Kubernetes Pod Template] (docker): 
      * [jnlp] jenkins/jnlp-slave:3.29-1-alpine
      * [docker] docker:18.09.7-git(resourceRequestCpu: 0, resourceRequestMemory: 0, resourceLimitCpu: 1.0, resourceLimitMemory: 1Gi)
      * [dind] docker:18.09.7-dind(resourceRequestCpu: 0, resourceRequestMemory: 0, resourceLimitCpu: 1.0, resourceLimitMemory: 1Gi)
      Running on docker-18-dwxpr in /home/jenkins/workspace/al-rest-analysis-service_jenkins
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Declarative: Checkout SCM)
      [Pipeline] checkout
      using credential jenkins-gitea
      Fetching changes from the remote Git repository
      Fetching without tags
      Checking out Revision 360c219162eae6026a231ff6c49103666770355a (jenkins)
       > git rev-parse --is-inside-work-tree # timeout=10
       > git config remote.origin.url https://gitea.anrisoftware.com/anrisoftware.com/timefractal-rest-analysis-service.git # timeout=10
      Fetching upstream changes from https://gitea.anrisoftware.com/anrisoftware.com/timefractal-rest-analysis-service.git
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials 
       > git fetch --no-tags --force --progress https://gitea.anrisoftware.com/anrisoftware.com/timefractal-rest-analysis-service.git +refs/heads/jenkins:refs/remotes/origin/jenkins
       > git config core.sparsecheckout # timeout=10
       > git checkout -f 360c219162eae6026a231ff6c49103666770355a
      Commit message: "Use docker."
       > git rev-list --no-walk 2a5e780086a6d95801378dd62c6107e3367d2b0f # timeout=10
      [Gitea] Notifying branch build status: PENDING Build started...
      [Gitea] Notified
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] withEnv
      [Pipeline] {
      [Pipeline] timeout
      Timeout set to expire in 2 hr 0 min
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Checkout Build)
      [Pipeline] checkout
      using credential jenkins-gitea
      Fetching changes from the remote Git repository
      Fetching without tags
      Checking out Revision 360c219162eae6026a231ff6c49103666770355a (jenkins)
      Commit message: "Use docker."
      [Gitea] Notifying branch build status: PENDING Build started...
       > git rev-parse --is-inside-work-tree # timeout=10
       > git config remote.origin.url https://gitea.anrisoftware.com/anrisoftware.com/timefractal-rest-analysis-service.git # timeout=10
      Fetching upstream changes from https://gitea.anrisoftware.com/anrisoftware.com/timefractal-rest-analysis-service.git
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials 
       > git fetch --no-tags --force --progress https://gitea.anrisoftware.com/anrisoftware.com/timefractal-rest-analysis-service.git +refs/heads/jenkins:refs/remotes/origin/jenkins
       > git config core.sparsecheckout # timeout=10
       > git checkout -f 360c219162eae6026a231ff6c49103666770355a
      [Gitea] Notified
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // timeout
      [Pipeline] }
      [Pipeline] // withEnv
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      [Gitea] Notifying branch build status: SUCCESS This commit looks good
      [Gitea] Notified
      Finished: SUCCESS
      

       

          [JENKINS-58540] Console output of pipeline extra stars

          Sebastian Wojas added a comment -

          Any updates here? We have exactly the same problem on our end.

          Karol Gil added a comment - - edited

          I think the problem lies in the `SecretsMasker` class.
          Here, it tries to replace every value kept in the `values` set with a bunch of asterisks: https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/SecretsMasker.java#L74

          But what is not taken into account, I assume, is that some of the strings kept in the `values` field may be the empty string "", causing this line to be like:

              s = s.replace("", "********");

          which actually gives away the secret value.

          I'm not sure how to implement it properly, but this assumes that secrets are not obvious strings that will be replaced.


          Daniel Beck added a comment -

          karolgil Agree, that was also my guess in the first comment.

          Would consider no value shorter than two characters maskable.


          Karol Gil added a comment -

          I think it still might not be enough. The problem is IMO that your secret may be common, for example `kubernetes`, and then making it into `*******` can easily give away your secret anyway - as you'll find many like that in the logs. But this is fixable on the end user side of things, so I agree, having even length > 0 would be great or even better - to be configurable.


          Daniel Beck added a comment -

          A single character is also too short to be useful in masking. 2 should be the minimum for masking (and it needs to be documented).

          Would recommend against an option, the vast majority won't care or even understand it, and it'll just clutter up the UI.

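The empty-value failure mode described in the comments above, next to a guard using the two-character minimum suggested in the thread, as an added Java example (not the plugin's code and not the fix from the linked PR). The class `MaskingDemo`, its method names and the sample values are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not the plugin's code.
public class MaskingDemo {
    static final String MASK = "********";
    // Minimum maskable length suggested in the thread (assumption: applied as a hard floor).
    static final int MIN_LENGTH = 2;

    // Behaviour described in the issue: every value, including "", is used as a pattern.
    // String.replace("", MASK) matches at every position, so the mask is inserted
    // before each character and once more at the end of the line.
    static String maskNaive(String line, Set<String> values) {
        String s = line;
        for (String value : values) {
            s = s.replace(value, MASK);
        }
        return s;
    }

    // Guarded variant: null, empty and one-character values are never used as patterns.
    static String maskGuarded(String line, Set<String> values) {
        String s = line;
        for (String value : values) {
            if (value == null || value.length() < MIN_LENGTH) {
                continue;
            }
            s = s.replace(value, MASK);
        }
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample: one real secret plus an empty one, as in the setup
        // where a secret is empty for an environment that lacks the service.
        Set<String> values = new LinkedHashSet<>();
        values.add("s3cr3t-token");
        values.add("");
        String plainLine = "using credential jenkins-gitea";
        String secretLine = "login with s3cr3t-token ok";

        System.out.println(maskNaive(plainLine, values));    // starred at every character
        System.out.println(maskGuarded(plainLine, values));  // line left untouched
        System.out.println(maskGuarded(secretLine, values)); // only the real secret masked
    }
}
```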

          Karol Gil added a comment -

          I meant using system properties - won't clutter the UI but will still be an option.


          Karol Gil added a comment -

          I've added a PR with a fix proposal, feel free to comment/give feedback there: https://github.com/jenkinsci/kubernetes-plugin/pull/558


          Jesse Glick added a comment -

          Best done upstream in JENKINS-58706.


          Jesse Glick added a comment -

          As a matter of curiosity, how did you wind up with an empty secret to begin with?


          Karol Gil added a comment -

          jglick we have a set of secrets assigned to pods depending on the environment which they are testing. If a given service does not exist on a certain environment, the secret for it is empty.


            karolgil Karol Gil
            erwin_ntt Erwin Müller