Script approvals

Hi,

I created a new agent and a pipeline job based on the agent. While running the job I got the following error.

  • sudo -u oracle /DBA/oracle/product/12c_ODIJEE_ICIS/Middleware_12_2_1_4/user_projects/domains/ODIDOMAINZDW6/bin/startscen.sh JENKINS_ODI_EXPORT_IMPORT_COMMAND_GENERATION 001 DBOTZDW3 6 -INSTANCE=OracleDIAgent -ASYNC=no

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
Build step ‘Execute shell’ marked build as failure

And also I see some pending approvals in (Script Approval page) recommending to clear approvals. I don’t see an approve or deny button anywhere except the clear approvals button. Please let me know if these approvals are causing the pipeline job to fail.

The same code I actually used on different agents and pipeline jobs. I never got this error. I don’t understand what is making the job fail.

I also installed the Permissive Script Security Plugin. It also didn’t help.

Please let me know how I can proceed.

Thank you,

Rachel

Hi @Rachel,

About the sudo problem

This is a “pure Linux” (i.e. not related to Jenkins in any way) issue.
The message comes from the sudo command, telling you that you are trying to invoke a command as the user oracle through the super-administrator privileges.
It appears that the Linux system where you are running this command is configured to only allow the Jenkins user to use sudo by typing its password.
So the command fails because it expects an interactive interaction while there isn’t any.

Some clues on the directions you might want to check:

  • If you absolutely need to execute the command as the user oracle, then you might want to either:
    • Look at using the su command if the Jenkins user has the permissions
    • Look at configuring the sudo setup (commonly referenced as “sudoers”) to allow this command (or any command but it’s less secure) to be executed passwordless.

About the “Permissive Script”

You should only approve script security signatures if you are sure about what you are doing.
The reason is that this feature is to allow some -usually not recommended- groovy calls in your Jenkins pipelines.
These “calls” are pipeline steps executed in the Jenkins controller JVM, in something called the “Groovy sandbox”. Allowing these calls to run outside the “sandbox” by approving them in the screenshot you provided is dangerous, because it allows your Jenkins pipeline to access credentials, or sensitive elements.

We provide documentation at In-process Script Approval to help understand.

Could you describe the problem you are trying to solve with this?
Usually one would want to execute the “groovy script” on a remote agent, through a shell command, and try to avoid putting any “smart” things in the pipeline as much as possible.

Alternatively, you might need this at all cost, so you better use Extending with Shared Libraries to hold and run this code.
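
For the sudoers route suggested in the reply above, a scoped drop-in could look like this. It is an added example, not from the thread: the account name `jenkins` and the file name `/etc/sudoers.d/jenkins-odi` are assumptions, while the script path and arguments are the ones shown in the failing build.

```sudoers
# /etc/sudoers.d/jenkins-odi   (assumed file name; mode 0440, owned by root)
# Check syntax before relying on it:  visudo -cf /etc/sudoers.d/jenkins-odi
#
# "jenkins" is an assumed name for the account the agent process runs as.

# Too broad: passwordless, root-equivalent access for the CI account.
# jenkins ALL = (ALL) NOPASSWD: ALL

# Scoped: one script, one target user, one fixed argument list.
# With arguments listed, sudo only matches this exact invocation; with no
# arguments listed, any scenario name or option would be accepted.
# In sudoers command arguments, '=' (like ',', ':' and '\') must be escaped.
Cmnd_Alias ODI_EXPORT_IMPORT = \
    /DBA/oracle/product/12c_ODIJEE_ICIS/Middleware_12_2_1_4/user_projects/domains/ODIDOMAINZDW6/bin/startscen.sh \
    JENKINS_ODI_EXPORT_IMPORT_COMMAND_GENERATION 001 DBOTZDW3 6 \
    -INSTANCE\=OracleDIAgent -ASYNC\=no

jenkins ALL = (oracle) NOPASSWD: ODI_EXPORT_IMPORT
```

The rule is only as tight as the script itself: `startscen.sh` and the directories above it must not be writable by the `jenkins` account, otherwise the entry lets that account run arbitrary code as `oracle`.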

Hi @dduportal,

thanks for answering my question. Will check permissions with our Linux administrators.

I created a new agent and this automatically popped up in the script approval page. I would like to know if it is okay to run the jobs without clearing the approval?
I’m only calling the .bat files in my pipeline jobs, nothing more than that. Does running pipeline jobs without approving fail them?

Hi @Rachel!

> I would like to know if it is okay to run the jobs without clearing the approval?

Clearing the approvals looks an excellent idea, but it might have impacts if other jobs are running on this Jenkins instance:

  • If jobs other than yours rely on these security approvals, it will fail these jobs.
  • If you are the only user of this Jenkins controller, then go for it!

However, that would be a great thing to do: you will be able to audit “which pipeline does need which groovy method” and get an exhaustive list.
Then you can take this list and fix the pipeline until all are working again, without requiring any specific call (or using a shared library that you control).

> I’m only calling the .bat files in my pipeline jobs, nothing more than that. Does running pipeline jobs without approving fail them?

No security approval should be required (as it is safe to invoke the pipeline step bat).
I might be wrong though: I remember some issues in this area when a pipeline script was not loaded from code.
Do you mind sharing your job setup + pipeline script if you still have errors related to security approval after clearing it (so we can help you diagnose)?

Hi Damien, I’ll get back to you once I start working on it, Thank you