-
Bug
-
Resolution: Fixed
-
Minor
The docker plugin serializes classes from the 3rd part docker-java library which have not been whitelisted.
Originally reported as a GitHub issue: https://github.com/jenkinsci/docker-plugin/issues/614.
Fixed in PR #619, which has not yet been released. (Although maybe these classes should not be whitelisted and instead the code should be changed to not serialize them. Needs investigation)
Example stack trace:
java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.model.Slave#launcher for class io.jenkins.docker.DockerTransientNode
at hudson.XmlFile.write(XmlFile.java:200)
at jenkins.model.Nodes.save(Nodes.java:274)
at hudson.util.PersistedList.onModified(PersistedList.java:173)
at hudson.util.PersistedList.replaceBy(PersistedList.java:85)
at hudson.model.Slave.setNodeProperties(Slave.java:299)
at com.nirima.jenkins.plugins.docker.DockerTemplate.provisionNode(DockerTemplate.java:448)
at com.nirima.jenkins.plugins.docker.DockerCloud$1.run(DockerCloud.java:268)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Failed to serialize hudson.model.Slave#launcher for class io.jenkins.docker.DockerTransientNode
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
at hudson.XmlFile.write(XmlFile.java:193)
... 12 more
Caused by: java.lang.RuntimeException: Failed to serialize hudson.slaves.DelegatingComputerLauncher#launcher for class io.jenkins.docker.connector.DockerComputerConnector$1
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 25 more
Caused by: java.lang.RuntimeException: Failed to serialize io.jenkins.docker.connector.DockerComputerJNLPConnector$1#val$inspect for class io.jenkins.docker.connector.DockerComputerJNLPConnector$1
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 34 more
Caused by: java.lang.UnsupportedOperationException: Refusing to marshal com.github.dockerjava.api.command.InspectContainerResponse for security reasons; see https://jenkins.io/redirect/class-filter/
at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 43 more
- relates to
-
-
- Open
-
-
-
- Resolved
-
- links to
[JENKINS-50480] UnsupportedOperationException: Refusing to marshal com.github.dockerjava.api.*
| Description |
Original:
The docker plugin serializes classes from the 3rd part docker-java library which have not been whitelisted. Originally reported as a GitHub issue: [https://github.com/jenkinsci/docker-plugin/issues/614]. Fixed in [PR #619|https://github.com/jenkinsci/docker-plugin/pull/619/], which has not yet been released. Example stack trace: {noformat} java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.model.Slave#launcher for class io.jenkins.docker.DockerTransientNode at hudson.XmlFile.write(XmlFile.java:200) at jenkins.model.Nodes.save(Nodes.java:274) at hudson.util.PersistedList.onModified(PersistedList.java:173) at hudson.util.PersistedList.replaceBy(PersistedList.java:85) at hudson.model.Slave.setNodeProperties(Slave.java:299) at com.nirima.jenkins.plugins.docker.DockerTemplate.provisionNode(DockerTemplate.java:448) at com.nirima.jenkins.plugins.docker.DockerCloud$1.run(DockerCloud.java:268) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: Failed to serialize hudson.model.Slave#launcher for class io.jenkins.docker.DockerTransientNode at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82) at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015) at com.thoughtworks.xstream.XStream.toXML(XStream.java:988) at hudson.XmlFile.write(XmlFile.java:193) ... 12 more Caused by: java.lang.RuntimeException: Failed to serialize hudson.slaves.DelegatingComputerLauncher#launcher for class io.jenkins.docker.connector.DockerComputerConnector$1 at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) ... 25 more Caused by: java.lang.RuntimeException: Failed to serialize io.jenkins.docker.connector.DockerComputerJNLPConnector$1#val$inspect for class io.jenkins.docker.connector.DockerComputerJNLPConnector$1 at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) ... 34 more Caused by: java.lang.UnsupportedOperationException: Refusing to marshal com.github.dockerjava.api.command.InspectContainerResponse for security reasons; see https://jenkins.io/redirect/class-filter/ at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) ... 43 more {noformat} |
New:
The docker plugin serializes classes from the 3rd part docker-java library which have not been whitelisted. Originally reported as a GitHub issue: [https://github.com/jenkinsci/docker-plugin/issues/614]. Fixed in [PR #619|https://github.com/jenkinsci/docker-plugin/pull/619/], which has not yet been released. (Although maybe these classes should not be whitelisted and instead the code should be changed to not serialize them. Needs investigation) Example stack trace: {noformat} java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.model.Slave#launcher for class io.jenkins.docker.DockerTransientNode at hudson.XmlFile.write(XmlFile.java:200) at jenkins.model.Nodes.save(Nodes.java:274) at hudson.util.PersistedList.onModified(PersistedList.java:173) at hudson.util.PersistedList.replaceBy(PersistedList.java:85) at hudson.model.Slave.setNodeProperties(Slave.java:299) at com.nirima.jenkins.plugins.docker.DockerTemplate.provisionNode(DockerTemplate.java:448) at com.nirima.jenkins.plugins.docker.DockerCloud$1.run(DockerCloud.java:268) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: Failed to serialize hudson.model.Slave#launcher for class io.jenkins.docker.DockerTransientNode at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82) at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015) at com.thoughtworks.xstream.XStream.toXML(XStream.java:988) at hudson.XmlFile.write(XmlFile.java:193) ... 12 more Caused by: java.lang.RuntimeException: Failed to serialize hudson.slaves.DelegatingComputerLauncher#launcher for class io.jenkins.docker.connector.DockerComputerConnector$1 at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) ... 25 more Caused by: java.lang.RuntimeException: Failed to serialize io.jenkins.docker.connector.DockerComputerJNLPConnector$1#val$inspect for class io.jenkins.docker.connector.DockerComputerJNLPConnector$1 at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) ... 34 more Caused by: java.lang.UnsupportedOperationException: Refusing to marshal com.github.dockerjava.api.command.InspectContainerResponse for security reasons; see https://jenkins.io/redirect/class-filter/ at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) ... 43 more {noformat} |
Note that the GitHub issue was reported a few days before docker-plugin:1.1.3 was released which included some significant changes to the classes in the stack trace, so I think this issue should be reinvestigated in 1.1.3. In particular I think that 4ae1f17 and/or 5a2a123 might eliminate the specific error in the description, or at least will alter where the error is thrown.
I think that whitelisting the classes in the com.github.dockerjava.api.model package is probably ok since they have been marked as serializable in the library they come from and all appear to be simple wrappers, but serializing the 2 commands in the com.github.dockerjava.api.command package seem like an accident where an inner class picks up a parameter or local variable. If the commands are fixed than I think that would eliminate all of the places where the model classes are serialized as well (but am not 100% sure, there might be some uses I missed).
> The docker-java library is not a direct dependency of the docker plugin but is pulled in transitively through the docker-java-api plugin. Would it make more sense to whitelist the classes in that plugin instead if they can be safely serialized?
This library is generally a risky thing, because it does not consistently retain binary compatibility. That's why it has been originally shaded in plugins like Docker, Yet Another Docker Plugin, Docker Traceability, etc. So a user of such API library may find his plugin broken by a library update. Maybe the situation became better over years, integer improved Docker Java's lifecycle a lot
Apart from that, +1 for moving whitelist to a library in the current state.
> I think that whitelisting the classes in the com.github.dockerjava.api.model package is probably ok
I have reviewed all classes, and yes they are OK in the current version.
OTOH the whitelist does not seem to be enough. com.github.dockerjava.api.command.InspectContainerResponse$Node is not whitelisted. The serialization of InspectContainerResponse may fail if the field is not null
> but serializing the 2 commands in the com.github.dockerjava.api.command package seem like an accident where an inner class picks up a parameter or local variable
Yes, InspectContainerResponse$ContainerState and InspectContainerResponse$Node inner classes are not static. Making them static would break binary compatibility. It may be acceptable for Docker Java tho.
Probably it's fine to keep it whitelisted. E.g. InspectContainerResponse is also explicitly persisted in the Docker Traceability plugin (within https://github.com/jenkinsci/docker-traceability-plugin/blob/49141a86d41269799e00161a02ac72e9aa9a3a15/docker-traceability-api/src/main/java/org/jenkinsci/plugins/docker/traceability/api/DockerTraceabilityReport.java#L51). This does seem to be a valid use-case for serialization though it makes the plugin affected by JEP-200 for sure. I will create a ticket
| Link | New: This issue relates to JENKINS-50509 [ JENKINS-50509 ] |
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
| Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
| Remote Link | New: This issue links to "https://github.com/jenkinsci/docker-plugin/pull/619/ (Web Link)" [ 20354 ] |
BTW DockerComputerJNLPConnector$1#val$inspect sounds like it will trigger some anonymous inner class warning in new cores, too (and rightly).
The docker-java library is not a direct dependency of the docker plugin but is pulled in transitively through the docker-java-api plugin. Would it make more sense to whitelist the classes in that plugin instead if they can be safely serialized?