Tests in upstream playbooks fail with "Cannot get CSRF"

[geerlingguy]

In many of my upstream playbooks, after the change to make the role compatible with the updated jenkins_plugin module in 2.5, automated builds are failing with:

TASK [geerlingguy.jenkins : Install Jenkins plugins using password.] ***********
failed: [127.0.0.1] (item=git) => {"changed": false, "details": "HTTP Error 401: Invalid password/token for user: ********", "item": "git", "msg": "Cannot get CSRF"}
failed: [127.0.0.1] (item=ssh-agent) => {"changed": false, "details": "HTTP Error 401: Invalid password/token for user: ********", "item": "ssh-agent", "msg": "Cannot get CSRF"}
failed: [127.0.0.1] (item=ansicolor) => {"changed": false, "details": "HTTP Error 401: Invalid password/token for user: ********", "item": "ansicolor", "msg": "Cannot get CSRF"}

Note that normal playbook runs which use a vault-encrypted admin password seem to still work okay, so it could be something with the way I have the CI jobs set up. Just wanted to document this here since I've hit this error on a few different playbooks that use this role.

[geerlingguy]

One quick fix I tried:

    - name: Set Jenkins credentials (for testing).
      set_fact:
        jenkins_admin_username: ''
        jenkins_admin_password: ''

That seems to have worked, at least somewhat... I'm testing this stuff on Ubuntu currently, and I think what's happening is Jenkins is starting up on install (I hate that Debian packages do that sometimes), so the configure default users handler hasn't run yet by the time the jenkins_plugin task runs the first time... meaning the admin user account password is set to whatever Jenkins created in /var/lib/jenkins/secrets/initialAdminPassword at the first time jenkins_plugins are installed.

So my idea is to add a meta: flush_handlers immediately after install so the configure default users handler is run, which adds the Groovy security file, and then add the restart jenkins handler to the apt install tasks too, so Jenkins picks up the security file. Testing locally now.

[geerlingguy]

Ha, except that we have a check for when: jenkins_admin_password != '', so that first quick fix doesn't do anything besides skip the plugin installation :P

[geerlingguy]

The Groovy Hook Script seems like it has to be in place before first startup, otherwise it seems the initial admin password gets locked in :(

[geerlingguy]

I tried adding another groovy init script (this one: jenkinsci/docker#310 (comment)), but that ran and didn't seem to cause the setup wizard to be skipped (/var/log/jenkins/jenkins.log showed it run, but then immediately after the setup wizard ran and created a new admin account even though this role's basic-security.groovy script ran too...).

So now I'm trying adding the option -Djenkins.install.runSetupWizard=false in JENKINS_ARGS in the jenkins_init_file... we'll see if that helps.

[geerlingguy]

Hmm... might have to be in JAVA_ARGS... and I just realized this particular playbook overrides the default jenkins_init_changes, which includes jenkins_java_options, which is jenkins_java_options: "-Djenkins.install.runSetupWizard=false":

jenkins_init_changes:
  - option: "JENKINS_ARGS"
    value: "--prefix={{ jenkins_url_prefix }} --httpListenAddress=127.0.0.1"
  - option: "{{ jenkins_java_options_env_var }}"
    value: "{{ jenkins_java_options }}"

So... trying that. Stinks if that's the whole reason this playbook (and a couple other ones I maintain) are breaking builds just because of that change :P

[geerlingguy]

That... was it. Grr.

[bdellegrazie]

Just FYI,
I stumbled across this issue while looking at something else:

what's happening is Jenkins is starting up on install (I hate that Debian packages do that sometimes)

According to Ansible docs (https://docs.ansible.com/ansible/latest/modules/apt_module.html#apt-module) this can be avoided by setting the RUNLEVEL environment variable to 1

You probably know this already but just in case...

[sumitsharma16]

failed: [localhost] (item=git) => {"ansible_loop_var": "item", "changed": false, "details": "Request failed: <urlopen error [Errno 111] Connection refused>", "item": "git", "msg": "Cannot get CSRF"}
kindly help