
java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported when opening file from workspace or artifacts

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core
    • Environment: Jenkins 2.263.4, OS: AIX

      We recently upgraded to Jenkins 2.263.4 (previous version
      2.235.1), and now we have an issue opening files from the workspace.
      The error below is logged in the log file:

      2021-02-23 10:48:50.237+0000 [id=76] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 9a8eb3ec-a05c-49cd-b4e1-f0c540d8d668
      java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported
      at sun.nio.fs.UnixChannelFactory$Flags.toFlags(UnixChannelFactory.java:105)
      at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:131)
      at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:160)
      at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:224)
      at java.nio.file.Files.newByteChannel(Files.java:372)
      at java.nio.file.Files.newByteChannel(Files.java:418)
      at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:395)
      at java.nio.file.Files.newInputStream(Files.java:163)
      at hudson.FilePath.newInputStreamDenyingSymlinkAsNeeded(FilePath.java:2111)
      at hudson.FilePath.read(FilePath.java:2096)
      at jenkins.util.VirtualFile$FilePathVF.open(VirtualFile.java:1024)

          [JENKINS-64922] java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported when opening file from workspace or artifacts

          Jeff Thompson added a comment -

          I knew AIX was a concern in this area. I read documentation and tried to put together an implementation that would work on AIX as well. With no AIX system available, I had to guess if it worked correctly there. I'll put together something to perform a different check. It will still need testing on AIX.


          Jeff Thompson added a comment -

          As a workaround you can set the system property "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true". This disables the symlink protections so is not generally recommended, but AIX is a special case.
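An audit that can accompany this workaround, as an added example that is not Jenkins code or part of the original comment: with the symlink protection disabled, it lists symbolic links under a workspace or artifact directory that resolve outside that directory. The class name, the method name and the sample tree are constructed for illustration, and it assumes link detection through attribute reads works on the JVM in use, which the thread leaves untested on AIX.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

// Added example (not Jenkins code): find symlinks that leave a directory tree.
public class SymlinkEscapeAudit {

    // Returns one line per symlink under root that resolves outside root or cannot be resolved.
    static List<String> findEscapes(Path root) throws IOException {
        Path realRoot = root.toRealPath();
        List<String> findings = new ArrayList<>();
        // Files.walk does not follow symlinks by default: links are visited, not traversed.
        try (Stream<Path> paths = Files.walk(realRoot)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                if (!Files.isSymbolicLink(p)) {
                    continue;
                }
                try {
                    Path target = p.toRealPath(); // resolves every link in the chain
                    if (!target.startsWith(realRoot)) {
                        findings.add(p + " -> " + target);
                    }
                } catch (IOException e) {
                    findings.add(p + " -> (unresolvable: " + e.getClass().getSimpleName() + ")");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: one link that stays inside, one that points outside.
        Path outside = Files.createTempFile("outside", ".txt");
        Path ws = Files.createTempDirectory("workspace");
        Path inside = Files.write(ws.resolve("build.log"), "ok".getBytes());
        Files.createSymbolicLink(ws.resolve("inner-link"), inside);
        Files.createSymbolicLink(ws.resolve("outer-link"), outside);
        // Pass a real workspace or artifact directory as the first argument to audit it instead.
        Path root = args.length > 0 ? Paths.get(args[0]) : ws;
        findEscapes(root).forEach(System.out::println);
    }
}
```

Run without arguments, it reports only `outer-link` from the constructed tree.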


          Jeff Thompson added a comment -

          Digging through this again, it looks like the system property is probably the best we can do. The JVM implementation on AIX is weak.

          Some possibilities:

          1) Just use the system property to disable symlink detection. It looks like it's as good as anything else we could do.

          2) We could configure the system property automatically for AIX if there's sufficient interest. It's a little difficult to tell if NOFOLLOW_LINKS is implemented but there are probably a couple of different ways we could check for AIX.

          3) Use an improved JVM implementation on AIX that implements NOFOLLOW_LINKS. I don't know that one exists, but that would be the cleanest.

          4) Someone on AIX could determine if "Files.readAttributes(path, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);" throws an exception. According to documentation, readAttributes should throw an exception like newInputStream does here. If it throws then the previous options are the only workable ones.
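The check proposed in possibility 4, as an added example that is not Jenkins code or part of the original comment: a stand-alone probe that reports how the running JVM handles `LinkOption.NOFOLLOW_LINKS` for both `Files.newInputStream` and `Files.readAttributes`. The class name, method names and temporary files are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.BasicFileAttributes;

// Added example (not Jenkins code): reports how this JVM treats NOFOLLOW_LINKS.
public class NoFollowProbe {

    // The call that fails in the reported trace: Files.newInputStream with NOFOLLOW_LINKS.
    static String probeOpen(Path p) {
        try (InputStream in = Files.newInputStream(p, LinkOption.NOFOLLOW_LINKS)) {
            return "opened";
        } catch (UnsupportedOperationException e) {
            return "UnsupportedOperationException: " + e.getMessage();
        } catch (IOException e) {
            return "refused with " + e.getClass().getSimpleName();
        }
    }

    // Possibility 4 from the comment: does readAttributes accept the same option?
    static String probeAttributes(Path p) {
        try {
            BasicFileAttributes attrs =
                Files.readAttributes(p, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
            return attrs.isSymbolicLink() ? "reported as symlink" : "reported as non-link";
        } catch (UnsupportedOperationException e) {
            return "UnsupportedOperationException: " + e.getMessage();
        } catch (IOException e) {
            return "IOException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a regular file and a symlink to it in a temp directory.
        Path dir = Files.createTempDirectory("nofollow-probe");
        Path file = Files.write(dir.resolve("target.txt"), "data".getBytes());
        Path link = Files.createSymbolicLink(dir.resolve("link.txt"), file);
        System.out.println("java.version    = " + System.getProperty("java.version"));
        System.out.println("os.name         = " + System.getProperty("os.name"));
        System.out.println("open file       : " + probeOpen(file));
        System.out.println("open symlink    : " + probeOpen(link));
        System.out.println("attrs of file   : " + probeAttributes(file));
        System.out.println("attrs of symlink: " + probeAttributes(link));
        Files.delete(link);
        Files.delete(file);
        Files.delete(dir);
    }
}
```

A JVM that honours the option opens the regular file and refuses the symlink with an IOException; the AIX JVM in this report fails the open with UnsupportedOperationException.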


          Anjali added a comment -

          @jthompson,

          Can you please let me know the steps to set the system property "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true"?


          Raihaan Shouhell added a comment -

          You can do java -Dhudson.model.DirectoryBrowserSupport.allowSymlinkEscape=true -jar jenkins.war or something similar to this.

          CC: markewaite We might need the upgrade guidelines to have a line for this issue on AIX. Keeping you in the loop.

          Anjali added a comment -

          I set the system property hudson.model.DirectoryBrowserSupport.allowSymlinkEscape to true by reading documentation and now I am able to access files from the workspace and archived artifacts.

          Is this going to be a temporary workaround? Will there be a permanent fix for the same?


          Daniel Beck added a comment - - edited

          Given that AIX makes up less than 0.2% of the environments that report usage stats, and a workaround exists, I wouldn't hold my breath. Probably depends on how much time Jeff has to spare on this.

          I expect that any fix would be little different from essentially automatically applying the workaround that is currently required to be added manually. It's probably not worth adding a completely separate implementation that's still not quite right.


          Jeff Thompson added a comment -

          I'm surprised AIX usage is that high. I've got various other improvements that should be done in this area that are more valuable and keep getting delayed.

          I don't know of any alternative approach that would yield a fix on AIX, so the only reasonable code fix is to automatically apply the workaround.


          Dinesh added a comment -

          anjali_waghmare raihaan Could you please let me know how to set the system property
          "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true"?
          Thank you!


          Anjali added a comment -

          dineshnirudhoddi, please refer to https://www.jenkins.io/doc/book/managing/system-properties/.

            jthompson Jeff Thompson
            anjali_waghmare Anjali