Timeout on login with Gitlab

Hi! I’m currently having issues setting up Drone to integrate with my GitLab instance.
Trying to log in seems to work on the GitLab end, and I am in fact redirected to Drone with a proper login URL, though… it reaches a timeout.

My docker-compose.yml :

version: '2'

services:
  drone-server:
    image: drone/drone:1
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/lib/drone:/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always
    container_name: dronepci
    networks:
      - default
    environment:
      - DRONE_SERVER_HOST=drone.example.com
      - DRONE_SERVER_PROTO=http
      - DRONE_TLS_AUTOCERT=false
      - DRONE_RPC_SECRET="pass"
      - DRONE_RUNNER_CAPACITY=2
      - DRONE_LOGS_DEBUG=true
      - DRONE_LOGS_PRETTY=false
      - DRONE_LOGS_COLOR=true
      - DRONE_GITLAB_SERVER=https://gitlab.example.com
      - DRONE_GITLAB_CLIENT_ID=0c5e23e3a536bc50168c7a19207714bd7a0c301658ae9709dc2d60a0a0bb995b
      - DRONE_GITLAB_CLIENT_SECRET=803b1643974844e7efff98fbc807e73607254b8c81d292f74bec57ac16d30803
      - DRONE_GITLAB_DEBUG=true
      - DRONE_GITLAB_SKIP_VERIFY=false
networks:
  default:
    driver: bridge

Drone’s logs : https://paste.altillimity.com/edoxizukef.bash
Gitlab’s logs : https://paste.altillimity.com/zobehiyixo.coffeescript

It sounds like a networking or DNS issue. When you are redirected [1] back to Drone it makes an API call to GitLab to exchange the OAuth2 code for a token and this API call times out. Have you tried to docker exec into the Drone container and ping your GitLab instance?

[1] please note the redirect happens client-side in your browser, and therefore does not prove connectivity between Drone and GitLab. I mention this because it is a common misconception.

This works just fine and even wget works as intended.
Something you may want to know is that everything’s running behind a Nginx reverse proxy (Client <=https=> Proxy <=http=> Drone / Gitlab).

I also noticed this in your logs, which indicates a response is being received; however, the response is either empty or not a valid JSON document:

cannot authenticate user: Post https://gitlab.example.com/oauth/token: EOF

I also noticed there is no corresponding log entry in your GitLab logs for /oauth/token, which indicates the request never reached the server. I would recommend investigating this further to understand why the request does not reach GitLab.
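Added example, not part of the thread and not Drone's own code: a small Go probe that makes the same kind of server-side POST to /oauth/token discussed in the replies above and sorts a failure into DNS, timeout, or connection closed before a response was read (the case Go's HTTP client reports as `EOF`). The function names and the placeholder authorization code are assumptions; with a placeholder code a reachable GitLab is expected to answer with a 4xx status, which still shows the back channel works.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// classify maps the error returned by the back-channel POST to a likely cause.
func classify(err error) string {
	var dnsErr *net.DNSError
	var netErr net.Error
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &dnsErr): // name did not resolve inside the container
		return "dns"
	case errors.Is(err, context.DeadlineExceeded), errors.As(err, &netErr) && netErr.Timeout():
		return "timeout"
	case errors.Is(err, io.EOF), errors.Is(err, io.ErrUnexpectedEOF):
		return "closed-before-response" // peer or a proxy closed the connection
	default:
		return "other"
	}
}

// probeTokenEndpoint POSTs a placeholder code to <gitlab>/oauth/token from this host.
func probeTokenEndpoint(gitlab string, timeout time.Duration) (int, string) {
	client := &http.Client{Timeout: timeout}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {"placeholder"}}
	resp, err := client.Post(strings.TrimRight(gitlab, "/")+"/oauth/token",
		"application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return 0, classify(err)
	}
	defer resp.Body.Close()
	return resp.StatusCode, "ok" // any HTTP status means the request reached a server
}

func main() {
	// Host taken from DRONE_GITLAB_SERVER in the compose file above.
	status, cause := probeTokenEndpoint("https://gitlab.example.com", 5*time.Second)
	fmt.Println(status, cause)
}
```

Run it from the same network namespace as the Drone server so it takes the same route, DNS resolver and proxy path as the real token exchange.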

Looking through Nginx’s logs, no POST request appears.
Though it works just fine when using curl from inside the container.

Using tshark I can’t see any request coming out of the container at all unless I run curl / wget myself.
Any idea? I’m gonna check inside the container directly.

Edit :

# tail -f /var/log/nginx/access.log | grep POST
192.168.1.73 - - [26/Sep/2019:09:08:15 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:48 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:50 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:51 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:52 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:53 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:54 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:54 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:55 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:55 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:56 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:56 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:57 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:57 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:58 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:58 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:58 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:59 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:59 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:08:59 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"
192.168.1.73 - - [26/Sep/2019:09:09:00 +0200] "POST /oauth/token HTTP/1.1" 401 162 "-" "Wget"

Wget POST requests work from inside the container… Doesn’t seem to be a networking issue, and I’m now even wondering if Drone actually sends any request since nothing appears in tcpdump.

2nd Edit : Compiling Drone & running it without docker works fine (didn’t test anything else than login though since this installation method isn’t that clean).

Well checked my whole networking setup, seems fine.
Even reinstalled my VM from scratch just to make sure. Didn’t change anything.