Gitlab MR decoration broken if Gitlab IP changes on same hostname

florck · May 6, 2020, 3:46pm

Versions and context

Gitlab self-hosted 12.7.6
Sonarqube self-hosted 8.2.0.32929
Gitlab and sonar installed through docker in AWS ECS cluster behind load-balancers

Error observed

MR decoration is set up in Gitlab and Sonarqube and working well.

After certain (long) time, MR decoration stops working.

Compute engine log shows errors like :

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname my.gitlab.url not verified:
    certificate: sha256/JYP42CCMuLi87AC6qUOOfaICgr819itewHstb1W+2cA=
    DN: CN=*.a_totally_different_url_i_dont_know_anything_about
    subjectAltNames: [*.a_totally_different_url_i_dont_know_anything_about]

It seems that the ip of my.gitlab.url has changed.
It seems then that this old ip has been reassigned to a_totally_different_url_i_dont_know_anything_about.
It seems that sonar is still using the old ip and then tries to interrogate a_totally_different_url_i_dont_know_anything_about.

Steps to reproduce

Install a sonar and gitlab
Configure MR decoration
Change public ip of gitlab
Update IP in DNS
Try an analyze
Observe that decoration is broken
Wait expiration of DNS configured TTL
Observe that decoration is still broken

Workaround

Restart SonarQube from administration module / system information page.

It enforces a DNS interrogation

TL;DR

If DNS entry changes and a new ip is assigned to gitlab, even after DNS TTL expiration, sonar will not re-request the DNS and still use obsolete IP.

Antoine · May 12, 2020, 7:08am

Hello @florck,

This is more a Java consideration than a purely SQ one. As explained on the JavaDoc (** Address Cache** at the end), results of DNS lookups are cached.
I don’t know the default value, it likely depends on the JVM implementation you use.

The Amazon doc gives good explanations on the topic, and a way to solve the issue.

I hope it will help!

florck · May 12, 2020, 7:29am

Thank you Antoine for your answer. However I’m using the official docker image (https://hub.docker.com/_/sonarqube) and would prefer not to customize it manually.

One other point is that TTL is not fixed here, it varies depending on several elements, so best would be for each DNS request to cache it on the TTL providen by the DNS itself in its answer, the source of trust.

Antoine · May 12, 2020, 7:39am

Good point indeed. But again, I’m quite sure it’s Java internal stuffs that we are dealing with here, nothing specifically implemented in SQ, so we don’t have control I’d say.

As you use the SQ Docker image, I know which JVM you use, so I’ll try to reproduce and see what could be done. BTW, SQ 8.3.1 docker image had been released, and as we changed the base image (from openjdk:11-jre-slim – to – alpine:3.11 with AdoptOpenJDK jdk-11.0.6+10) so it is possible that this behaves differently. Could you give it a try and trigger an IP change of GitLab on your infra?

florck · May 12, 2020, 7:43am

Sure I will do, thank you !

florck · September 17, 2020, 2:13pm

Sorry for the loooong delay. I have not been able to generate an ip change manually, but one just occured automatically, and then I got same issue.

Have you any other idea?

Thank you for your help.