Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-31256

hudson.Remoting.Engine#waitForServerToBack does not use credentials for connection

    XMLWordPrintable

Details

    Description

      We have a jenkins instance running behind Apache web server, which forces basic authentication for accessing Jenkins.

      When using jnlp from a slave machine, then it works initially, because it uses provided basic authentication credentials. However at some point it stops working and in jenkins-slave.err.log this line is printed over and over again:
      Oct 29, 2015 12:38:23 PM hudson.remoting.Engine waitForServerToBack
      INFO: Master isn't ready to talk to us. Will retry again: response code=401

      Looking at the Engine#waitForServerToBack (https://github.com/jenkinsci/remoting/blob/master/src/main/java/hudson/remoting/Engine.java#L365) code, I can see that it does not provide credentials to path /tcpSlaveAgentListener.

      Although there's a comment at #run method (https://github.com/jenkinsci/remoting/blob/master/src/main/java/hudson/remoting/Engine.java#L185):
      // TODO /tcpSlaveAgentListener is unprotected so why do we need to pass any credentials?

      Reading this, It seems that Engine assumes that Jenkins is never placed behind firewalls and served directly to the public, which is not always the case, especially when Jenkins slaves are involved - they might be outside of Jenkins own network, thus firewalls/proxies are probably between them.

      In other words - Engine should always provide credentials to every request, if they exist, because assumption of something being unprotected might be wrong.

      PS! Same thing applies to proxy credentials, which are not provided in the #waitForServerToBack, but are provided in #run.

      Attachments

        Activity

          wiizzard Tim Pambor added a comment -

          I submitted a pull request for this bug. https://github.com/jenkinsci/remoting/pull/67

          wiizzard Tim Pambor added a comment - I submitted a pull request for this bug. https://github.com/jenkinsci/remoting/pull/67
          danielbeck Daniel Beck added a comment -

          This only applies to setups that don't implement the 'contract' that unprotected root actions need to be accessible without authentication, right?

          danielbeck Daniel Beck added a comment - This only applies to setups that don't implement the 'contract' that unprotected root actions need to be accessible without authentication, right?

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/Util.java
          http://jenkins-ci.org/commit/remoting/fbb9aff7cf0f9acbba6e97c923efd640b5537c90
          Log:
          JENKINS-31256 Use credentials in waitForServerToBack (#87)

          • JENKINS-31256 Use credentials in waitForServerToBack
            This address three regressions introduced with HUDSON-4071, 662b0f and JENKINS-6167 as these only modified run() resulting in no proxy and no authorization support in waitForServerToBack()
          • Move authorization code to openURLConnection()
          • Factored out sslSocketFactory creation and use sslSocketFactory also in waitForServerToBack()
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: src/main/java/hudson/remoting/Engine.java src/main/java/hudson/remoting/Util.java http://jenkins-ci.org/commit/remoting/fbb9aff7cf0f9acbba6e97c923efd640b5537c90 Log: JENKINS-31256 Use credentials in waitForServerToBack (#87) JENKINS-31256 Use credentials in waitForServerToBack This address three regressions introduced with HUDSON-4071, 662b0f and JENKINS-6167 as these only modified run() resulting in no proxy and no authorization support in waitForServerToBack() Move authorization code to openURLConnection() Factored out sslSocketFactory creation and use sslSocketFactory also in waitForServerToBack()

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/Util.java
          http://jenkins-ci.org/commit/remoting/2d8e969ef9c218af437740d6047f4873bba959f8
          Log:
          Revert "JENKINS-31256 Use credentials in waitForServerToBack (#87)"

          This reverts commit fbb9aff7cf0f9acbba6e97c923efd640b5537c90.

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: src/main/java/hudson/remoting/Engine.java src/main/java/hudson/remoting/Util.java http://jenkins-ci.org/commit/remoting/2d8e969ef9c218af437740d6047f4873bba959f8 Log: Revert " JENKINS-31256 Use credentials in waitForServerToBack (#87)" This reverts commit fbb9aff7cf0f9acbba6e97c923efd640b5537c90.

          Code changed in jenkins
          User: Tim Pambor
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/Util.java
          http://jenkins-ci.org/commit/remoting/362cfb28e6073965e9146fca3875de39baf6d55e
          Log:
          JENKINS-31256 Reintegrated https://github.com/jenkinsci/remoting/pull/87 and https://github.com/jenkinsci/remoting/pull/67 with proper author

          Compare: https://github.com/jenkinsci/remoting/compare/fbb9aff7cf0f...362cfb28e607

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Tim Pambor Path: src/main/java/hudson/remoting/Engine.java src/main/java/hudson/remoting/Util.java http://jenkins-ci.org/commit/remoting/362cfb28e6073965e9146fca3875de39baf6d55e Log: JENKINS-31256 Reintegrated https://github.com/jenkinsci/remoting/pull/87 and https://github.com/jenkinsci/remoting/pull/67 with proper author Compare: https://github.com/jenkinsci/remoting/compare/fbb9aff7cf0f...362cfb28e607

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/d9f12b0e614d9598221c571001aa43c018b21e25
          Log:
          Update remoting to 2.60

          Changes summary:

          Fixed issues:

          Enhancements:

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: pom.xml http://jenkins-ci.org/commit/jenkins/d9f12b0e614d9598221c571001aa43c018b21e25 Log: Update remoting to 2.60 Changes summary: Fixed issues: JENKINS-22722 ( https://issues.jenkins-ci.org/browse/JENKINS-22722 ) - Make the channel reader tolerant against Socket timeouts. ( https://github.com/jenkinsci/remoting/pull/80 ) JENKINS-32326 ( https://issues.jenkins-ci.org/browse/JENKINS-32326 ) - Support no_proxy environment variable. ( https://github.com/jenkinsci/remoting/pull/84 ) JENKINS-35190 ( https://issues.jenkins-ci.org/browse/JENKINS-35190 ) - Do not invoke PingFailureAnalyzer for agent=>master ping failures. ( https://github.com/jenkinsci/remoting/pull/85 ) JENKINS-31256 ( https://issues.jenkins-ci.org/browse/JENKINS-31256 ) - <code>hudson.Remoting.Engine#waitForServerToBack</code> now uses credentials for connection. ( https://github.com/jenkinsci/remoting/pull/87 ) JENKINS-35494 ( https://issues.jenkins-ci.org/browse/JENKINS-35494 ) - Fix issues in file management in <code>hudson.remoting.Launcher</code> (main executable class). ( https://github.com/jenkinsci/remoting/pull/88 ) Enhancements: Ensure a message is logged if remoting fails to override the default <code>ClassFilter</code>. ( https://github.com/jenkinsci/remoting/pull/80 )

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/c718516adfddeb10cbf616ce37c619cc6bbafd53
          Log:
          Update remoting to 2.60 (#2403)

          Changes summary:

          Fixed issues:

          Enhancements:

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: pom.xml http://jenkins-ci.org/commit/jenkins/c718516adfddeb10cbf616ce37c619cc6bbafd53 Log: Update remoting to 2.60 (#2403) Changes summary: Fixed issues: JENKINS-22722 ( https://issues.jenkins-ci.org/browse/JENKINS-22722 ) - Make the channel reader tolerant against Socket timeouts. ( https://github.com/jenkinsci/remoting/pull/80 ) JENKINS-32326 ( https://issues.jenkins-ci.org/browse/JENKINS-32326 ) - Support no_proxy environment variable. ( https://github.com/jenkinsci/remoting/pull/84 ) JENKINS-35190 ( https://issues.jenkins-ci.org/browse/JENKINS-35190 ) - Do not invoke PingFailureAnalyzer for agent=>master ping failures. ( https://github.com/jenkinsci/remoting/pull/85 ) JENKINS-31256 ( https://issues.jenkins-ci.org/browse/JENKINS-31256 ) - <code>hudson.Remoting.Engine#waitForServerToBack</code> now uses credentials for connection. ( https://github.com/jenkinsci/remoting/pull/87 ) JENKINS-35494 ( https://issues.jenkins-ci.org/browse/JENKINS-35494 ) - Fix issues in file management in <code>hudson.remoting.Launcher</code> (main executable class). ( https://github.com/jenkinsci/remoting/pull/88 ) Enhancements: Ensure a message is logged if remoting fails to override the default <code>ClassFilter</code>. ( https://github.com/jenkinsci/remoting/pull/80 )
          jbq jbq added a comment -

          I can confirm the fix solves the problem. I think you can mark this issue as resolved, at least a fresh install from the git remoting repo works for me, the slave reconnects successfully after the connection has dropped.

          Thanks!

          jbq jbq added a comment - I can confirm the fix solves the problem. I think you can mark this issue as resolved, at least a fresh install from the git remoting repo works for me, the slave reconnects successfully after the connection has dropped. Thanks!
          wiizzard Tim Pambor added a comment -

          Fixed in remoting 2.60. Released as part of Jenkins 2.9.

          wiizzard Tim Pambor added a comment - Fixed in remoting 2.60. Released as part of Jenkins 2.9.

          People

            wiizzard Tim Pambor
            jarm0 Jarmo Pertman
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: