JENKINS-31256

hudson.Remoting.Engine#waitForServerToBack does not use credentials for connection

      Description

      We have a Jenkins instance running behind an Apache web server, which forces basic authentication for accessing Jenkins.

      When using jnlp from a slave machine, then it works initially, because it uses provided basic authentication credentials. However at some point it stops working and in jenkins-slave.err.log this line is printed over and over again:
      Oct 29, 2015 12:38:23 PM hudson.remoting.Engine waitForServerToBack
      INFO: Master isn't ready to talk to us. Will retry again: response code=401

      Looking at the Engine#waitForServerToBack (https://github.com/jenkinsci/remoting/blob/master/src/main/java/hudson/remoting/Engine.java#L365) code, I can see that it does not provide credentials to path /tcpSlaveAgentListener.

      Although there's a comment at #run method (https://github.com/jenkinsci/remoting/blob/master/src/main/java/hudson/remoting/Engine.java#L185):
      // TODO /tcpSlaveAgentListener is unprotected so why do we need to pass any credentials?

      Reading this, it seems that Engine assumes that Jenkins is never placed behind firewalls and served directly to the public, which is not always the case, especially when Jenkins slaves are involved - they might be outside of Jenkins' own network, thus firewalls/proxies are probably between them.

      In other words - Engine should always provide credentials to every request, if they exist, because assumption of something being unprotected might be wrong.

      PS! Same thing applies to proxy credentials, which are not provided in the #waitForServerToBack, but are provided in #run.
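
The behaviour reported above, as an added example that is not code from the Jenkins remoting project: a reconnect probe of /tcpSlaveAgentListener/ gets 401 behind an authenticating front end unless it goes through the same connection helper as the initial connect. The class `ProbeWithCredentials`, the helpers `open` and `probe`, the credentials `agent:s3cret` and the local HTTP server standing in for the Apache front end are all assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ProbeWithCredentials {
    // Hypothetical helper: the single place where connections are opened, so the
    // initial connect and the reconnect probe cannot diverge on authentication.
    static HttpURLConnection open(URL url, String credentials) throws Exception {
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        if (credentials != null) {
            String enc = Base64.getEncoder()
                    .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
            con.setRequestProperty("Authorization", "Basic " + enc);
        }
        con.setConnectTimeout(5000);
        con.setReadTimeout(5000);
        return con;
    }

    // Reconnect probe: returns the HTTP status of the listener path.
    static int probe(URL base, String credentials) throws Exception {
        HttpURLConnection con = open(new URL(base, "tcpSlaveAgentListener/"), credentials);
        try {
            return con.getResponseCode();
        } finally {
            con.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a front end that forces Basic auth on every path.
        String expected = "Basic " + Base64.getEncoder()
                .encodeToString("agent:s3cret".getBytes(StandardCharsets.UTF_8));
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            boolean ok = expected.equals(ex.getRequestHeaders().getFirst("Authorization"));
            ex.sendResponseHeaders(ok ? 200 : 401, -1); // -1: no response body
            ex.close();
        });
        server.start();
        URL base = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
        System.out.println("probe without credentials: " + probe(base, null));
        System.out.println("probe with credentials:    " + probe(base, "agent:s3cret"));
        server.stop(0);
    }
}
```

The same single-helper approach extends to proxy credentials: whatever the initial connect configures should be configured in that one place rather than per call site.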

          Activity

          jarm0 Jarmo Pertman created issue -
          wiizzard Tim Pambor made changes -
          Field Original Value New Value
          Assignee Tim Pambor [ wiizzard ]
          wiizzard Tim Pambor made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          wiizzard Tim Pambor added a comment -

          I submitted a pull request for this bug. https://github.com/jenkinsci/remoting/pull/67

          danielbeck Daniel Beck added a comment -

          This only applies to setups that don't implement the 'contract' that unprotected root actions need to be accessible without authentication, right?

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/Util.java
          http://jenkins-ci.org/commit/remoting/fbb9aff7cf0f9acbba6e97c923efd640b5537c90
          Log:
          JENKINS-31256 Use credentials in waitForServerToBack (#87)

          • JENKINS-31256 Use credentials in waitForServerToBack
            This addresses three regressions introduced with HUDSON-4071, 662b0f and JENKINS-6167 as these only modified run() resulting in no proxy and no authorization support in waitForServerToBack()
          • Move authorization code to openURLConnection()
          • Factored out sslSocketFactory creation and use sslSocketFactory also in waitForServerToBack()
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/Util.java
          http://jenkins-ci.org/commit/remoting/2d8e969ef9c218af437740d6047f4873bba959f8
          Log:
          Revert "JENKINS-31256 Use credentials in waitForServerToBack (#87)"

          This reverts commit fbb9aff7cf0f9acbba6e97c923efd640b5537c90.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tim Pambor
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/Util.java
          http://jenkins-ci.org/commit/remoting/362cfb28e6073965e9146fca3875de39baf6d55e
          Log:
          JENKINS-31256 Reintegrated https://github.com/jenkinsci/remoting/pull/87 and https://github.com/jenkinsci/remoting/pull/67 with proper author

          Compare: https://github.com/jenkinsci/remoting/compare/fbb9aff7cf0f...362cfb28e607

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/d9f12b0e614d9598221c571001aa43c018b21e25
          Log:
          Update remoting to 2.60

          Changes summary:

          Fixed issues:

          • JENKINS-22722 ( https://issues.jenkins-ci.org/browse/JENKINS-22722 ) - Make the channel reader tolerant against Socket timeouts. ( https://github.com/jenkinsci/remoting/pull/80 )
          • JENKINS-32326 ( https://issues.jenkins-ci.org/browse/JENKINS-32326 ) - Support no_proxy environment variable. ( https://github.com/jenkinsci/remoting/pull/84 )
          • JENKINS-35190 ( https://issues.jenkins-ci.org/browse/JENKINS-35190 ) - Do not invoke PingFailureAnalyzer for agent=>master ping failures. ( https://github.com/jenkinsci/remoting/pull/85 )
          • JENKINS-31256 ( https://issues.jenkins-ci.org/browse/JENKINS-31256 ) - <code>hudson.Remoting.Engine#waitForServerToBack</code> now uses credentials for connection. ( https://github.com/jenkinsci/remoting/pull/87 )
          • JENKINS-35494 ( https://issues.jenkins-ci.org/browse/JENKINS-35494 ) - Fix issues in file management in <code>hudson.remoting.Launcher</code> (main executable class). ( https://github.com/jenkinsci/remoting/pull/88 )

          Enhancements:

          • Ensure a message is logged if remoting fails to override the default <code>ClassFilter</code>. ( https://github.com/jenkinsci/remoting/pull/80 )

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/c718516adfddeb10cbf616ce37c619cc6bbafd53
          Log:
          Update remoting to 2.60 (#2403)

          Changes summary:

          Fixed issues:

          • JENKINS-22722 ( https://issues.jenkins-ci.org/browse/JENKINS-22722 ) - Make the channel reader tolerant against Socket timeouts. ( https://github.com/jenkinsci/remoting/pull/80 )
          • JENKINS-32326 ( https://issues.jenkins-ci.org/browse/JENKINS-32326 ) - Support no_proxy environment variable. ( https://github.com/jenkinsci/remoting/pull/84 )
          • JENKINS-35190 ( https://issues.jenkins-ci.org/browse/JENKINS-35190 ) - Do not invoke PingFailureAnalyzer for agent=>master ping failures. ( https://github.com/jenkinsci/remoting/pull/85 )
          • JENKINS-31256 ( https://issues.jenkins-ci.org/browse/JENKINS-31256 ) - <code>hudson.Remoting.Engine#waitForServerToBack</code> now uses credentials for connection. ( https://github.com/jenkinsci/remoting/pull/87 )
          • JENKINS-35494 ( https://issues.jenkins-ci.org/browse/JENKINS-35494 ) - Fix issues in file management in <code>hudson.remoting.Launcher</code> (main executable class). ( https://github.com/jenkinsci/remoting/pull/88 )

          Enhancements:

          • Ensure a message is logged if remoting fails to override the default <code>ClassFilter</code>. ( https://github.com/jenkinsci/remoting/pull/80 )

          jbq jbq added a comment -

          I can confirm the fix solves the problem. I think you can mark this issue as resolved, at least a fresh install from the git remoting repo works for me, the slave reconnects successfully after the connection has dropped.

          Thanks!

          wiizzard Tim Pambor added a comment -

          Fixed in remoting 2.60. Released as part of Jenkins 2.9.

          wiizzard Tim Pambor made changes -
          Status In Progress [ 3 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 166506 ] JNJira + In-Review [ 209383 ]
          olivergondza Oliver Gondža made changes -
          Labels 2.7.2-fixed

            People

            • Assignee:
              wiizzard Tim Pambor
              Reporter:
              jarm0 Jarmo Pertman