Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-46724

[JDK9] Illegal reflective access from remoting

    Details

    • Similar Issues:

      Description

      While exploring Jenkins 2.60.3 on Oracle Java 9 build 181 (pre-release), it reports illegal access exceptions and warns that a future release of Java 9 will forbid illegal access.

      A stack trace shows:

      WARNING: Illegal reflective access by hudson.remoting.RemoteClassLoader (file:/var/jenkins_home/war/WEB-INF/lib/remoting-3.7.jar) to method java.lang.ClassLoader.getClassLoadingLock(java.lang.String)
              at hudson.remoting.RemoteClassLoader.<clinit>(RemoteClassLoader.java:330)
              at hudson.remoting.MultiClassLoaderSerializer$Output.annotateClass(MultiClassLoaderSerializer.java:69)
              at java.base/java.io.ObjectOutputStream.writeNonProxyDesc(ObjectOutputStream.java:1291)
              at java.base/java.io.ObjectOutputStream.writeClassDesc(ObjectOutputStream.java:1232)
              at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1428)
              at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1179)
              at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:349)
              at hudson.remoting.UserRequest._serialize(UserRequest.java:190)
              at hudson.remoting.UserRequest.serialize(UserRequest.java:199)
              at hudson.remoting.UserRequest.<init>(UserRequest.java:64)
              at hudson.remoting.Channel.call(Channel.java:828)
              at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:517)
              at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:390)
              at hudson.plugins.sshslaves.SSHLauncher.startSlave(SSHLauncher.java:1074)
              at hudson.plugins.sshslaves.SSHLauncher.access$500(SSHLauncher.java:145)
              at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:818)
              at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:793)
              at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
              at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
              at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
              at java.base/java.lang.Thread.run(Thread.java:844)
      

      If it helps you to duplicate the scenario with current Jenkins environment, I have a Dockerfile configured which will run the latest Jenkins Long Term Support release.

      To duplicate the problem:

      1. Clone, build, and run the docker instance
          $ git lfs clone https://github.com/MarkEWaite/docker-lfs JENKINS-46724
          $ cd JENKINS-46724
          $ git lfs fetch origin origin/lts-jdk9-with-plugins
          $ git checkout -b lts-jdk9-with-plugins -t origin/lts-jdk9-with-plugins
          $ docker build -t  lts-jdk9-with-plugins:latest .
          $ docker run -i --rm --publish 8080:8080 lts-jdk9-with-plugins:latest
        

        Attachments

          Activity

          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          It should be easy to fix: https://github.com/jenkinsci/remoting/blob/remoting-3.7/src/main/java/hudson/remoting/RemoteClassLoader.java#L330 . Seems this code is Java 6 support remnants.

          getClassLoadingLock is protected: https://docs.oracle.com/javase/7/docs/api/java/lang/ClassLoader.html#getClassLoadingLock(java.lang.String) . Maybe it still requires some reflective logic for Remoting use-cases

          Show
          oleg_nenashev Oleg Nenashev added a comment - It should be easy to fix: https://github.com/jenkinsci/remoting/blob/remoting-3.7/src/main/java/hudson/remoting/RemoteClassLoader.java#L330 . Seems this code is Java 6 support remnants. getClassLoadingLock is protected: https://docs.oracle.com/javase/7/docs/api/java/lang/ClassLoader.html#getClassLoadingLock(java.lang.String) . Maybe it still requires some reflective logic for Remoting use-cases
          Hide
          tonho Elton Alves added a comment - - edited

          Can  you give me some tip about this issue? i`m new with java.

           

          this is a problem with reflection accessing private property, right?

          after fix, how can i test it?

           

          Show
          tonho Elton Alves added a comment - - edited Can  you give me some tip about this issue? i`m new with java.   this is a problem with reflection accessing private property, right? after fix, how can i test it?  
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Elton Alves the problem is with Reflection at all. I suppose the reflection calls should be replaced with new APIs offered in newer Java versions. Maybe I am wrong

          Show
          oleg_nenashev Oleg Nenashev added a comment - Elton Alves the problem is with Reflection at all. I suppose the reflection calls should be replaced with new APIs offered in newer Java versions. Maybe I am wrong
          Hide
          oleg_nenashev Oleg Nenashev added a comment -
          Show
          oleg_nenashev Oleg Nenashev added a comment - Another dangerous case: https://github.com/jenkinsci/remoting/pull/224
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/Launcher.java
          http://jenkins-ci.org/commit/remoting/8963035eb1f29d7d8bbe3a9f19cd73eaaaf947a8
          Log:
          JENKINS-46724 - Get rid of the illegal Reflective operation in Launcher.

          IIUC it may prevent Java Web Start agents from starting up in Java 9.
          Anyway, the reflection is not required anymore since Remoting requires Java 8

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: src/main/java/hudson/remoting/Launcher.java http://jenkins-ci.org/commit/remoting/8963035eb1f29d7d8bbe3a9f19cd73eaaaf947a8 Log: JENKINS-46724 - Get rid of the illegal Reflective operation in Launcher. IIUC it may prevent Java Web Start agents from starting up in Java 9. Anyway, the reflection is not required anymore since Remoting requires Java 8
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/Launcher.java
          http://jenkins-ci.org/commit/remoting/0b79eae623f8c9e354aca6b6c93d7276d5045dab
          Log:
          Merge pull request #224 from oleg-nenashev/bug/JENKINS-46724-reflective-operation-Launcher

          JENKINS-46724 - Get rid of the illegal Reflective operation in Launcher's checkTty()

          Compare: https://github.com/jenkinsci/remoting/compare/40def984ff65...0b79eae623f8

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: src/main/java/hudson/remoting/Launcher.java http://jenkins-ci.org/commit/remoting/0b79eae623f8c9e354aca6b6c93d7276d5045dab Log: Merge pull request #224 from oleg-nenashev/bug/ JENKINS-46724 -reflective-operation-Launcher JENKINS-46724 - Get rid of the illegal Reflective operation in Launcher's checkTty() Compare: https://github.com/jenkinsci/remoting/compare/40def984ff65...0b79eae623f8
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/RemoteClassLoader.java
          http://jenkins-ci.org/commit/remoting/085957317e4819aca3a9b66e927fe3aa641591a2
          Log:
          JENKINS-46724 - Remove obsolete ClassloadingLock reflection in RemoteClassloader.

          Remoting now required Java 8, so this Java 6 compatibility lgic is not required at all.

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: src/main/java/hudson/remoting/RemoteClassLoader.java http://jenkins-ci.org/commit/remoting/085957317e4819aca3a9b66e927fe3aa641591a2 Log: JENKINS-46724 - Remove obsolete ClassloadingLock reflection in RemoteClassloader. Remoting now required Java 8, so this Java 6 compatibility lgic is not required at all.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          src/main/java/hudson/remoting/RemoteClassLoader.java
          http://jenkins-ci.org/commit/remoting/7efdd3f9c0ba5766346a62b988c8dc421e99d338
          Log:
          Merge pull request #223 from oleg-nenashev/bug/JENKINS-46724-reflective-operation

          JENKINS-46724 - Remove obsolete ClassloadingLock reflection in RemoteClassloader.

          Compare: https://github.com/jenkinsci/remoting/compare/0b79eae623f8...7efdd3f9c0ba

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: src/main/java/hudson/remoting/RemoteClassLoader.java http://jenkins-ci.org/commit/remoting/7efdd3f9c0ba5766346a62b988c8dc421e99d338 Log: Merge pull request #223 from oleg-nenashev/bug/ JENKINS-46724 -reflective-operation JENKINS-46724 - Remove obsolete ClassloadingLock reflection in RemoteClassloader. Compare: https://github.com/jenkinsci/remoting/compare/0b79eae623f8...7efdd3f9c0ba
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/java/hudson/Launcher.java
          core/src/main/java/hudson/model/Computer.java
          core/src/main/java/hudson/slaves/ChannelPinger.java
          core/src/main/java/hudson/slaves/SlaveComputer.java
          core/src/main/java/jenkins/FilePathFilter.java
          core/src/main/java/jenkins/slaves/StandardOutputSwapper.java
          pom.xml
          test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
          test/src/test/java/jenkins/security/Security218CliTest.java
          http://jenkins-ci.org/commit/jenkins/cb3990a4d6094260bea4571e7079fd0e3949047f
          Log:
          Update to Remoting 3.15 and Cleanup issues in Channel#current() usages (#3145)

          Pulls in fixes for: JENKINS-48133, JENKINS-48055, JENKINS-37566, JENKINS-48309, JENKINS-47965, JENKINS-48130, JENKINS-37670, JENKINS-37566, JENKINS-46724

          This change also adds some missing null/closing channel checks in the core.
          In some cases the change prevents spawning threads if the channel is in the invalid state.

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: core/src/main/java/hudson/Launcher.java core/src/main/java/hudson/model/Computer.java core/src/main/java/hudson/slaves/ChannelPinger.java core/src/main/java/hudson/slaves/SlaveComputer.java core/src/main/java/jenkins/FilePathFilter.java core/src/main/java/jenkins/slaves/StandardOutputSwapper.java pom.xml test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java test/src/test/java/jenkins/security/Security218CliTest.java http://jenkins-ci.org/commit/jenkins/cb3990a4d6094260bea4571e7079fd0e3949047f Log: Update to Remoting 3.15 and Cleanup issues in Channel#current() usages (#3145) Pulls in fixes for: JENKINS-48133 , JENKINS-48055 , JENKINS-37566 , JENKINS-48309 , JENKINS-47965 , JENKINS-48130 , JENKINS-37670 , JENKINS-37566 , JENKINS-46724 This change also adds some missing null/closing channel checks in the core. In some cases the change prevents spawning threads if the channel is in the invalid state.
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          The change has been released in Remoting 3.15 and integrated towards Jenkins 2.98

          Show
          oleg_nenashev Oleg Nenashev added a comment - The change has been released in Remoting 3.15 and integrated towards Jenkins 2.98
          Hide
          remik P4 added a comment -

          Hi.

          I probably reported to the wrong issue (JENKINS-46631) but this is happening on our environment right now. Any plans for fixation?

           

          Jenkins master: Windows Server 2012 R2; JDK 1.8.0_172-b11; Jenkins v2.176.2.

          Jenkins slave: Ubuntu 19.04 LTS; openjdk-11-jdk 11.0.4+11-post-Ubuntu-1ubuntu219.04

          Node log:

          ...
          [08/26/19 16:06:45] [SSH] Checking java version of java
          [08/26/19 16:06:45] [SSH] java -version returned 11.0.4.
          [08/26/19 16:06:45] [SSH] Starting sftp client.
          [08/26/19 16:06:45] [SSH] Copying latest remoting.jar...
          [08/26/19 16:06:45] [SSH] Copied 789,283 bytes.
          Expanded the channel window size to 4MB
          [08/26/19 16:06:45] [SSH] Starting agent process: cd "/home/jenkins/jenkins" && java -jar remoting.jar -workDir /home/jenkins/jenkins
          Aug 26, 2019 4:06:46 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir
          INFO: Using /home/jenkins/jenkins/remoting as a remoting work directory
          Both error and output logs will be printed to /home/jenkins/jenkins/remoting
          <===[JENKINS REMOTING CAPACITY]===>channel started
          Remoting version: 3.29
          This is a Unix agent
          WARNING: An illegal reflective access operation has occurred
          WARNING: Illegal reflective access by jenkins.slaves.StandardOutputSwapper$ChannelSwapper to constructor java.io.FileDescriptor(int)
          WARNING: Please consider reporting this to the maintainers of jenkins.slaves.StandardOutputSwapper$ChannelSwapper
          WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
          WARNING: All illegal access operations will be denied in a future release
          Evacuated stdout
          Aug 26, 2019 4:06:52 PM org.jenkinsci.remoting.util.AnonymousClassWarnings warn
          WARNING: Attempt to (de-)serialize anonymous class org.jenkinsci.plugins.envinject.EnvInjectComputerListener$1; see: https://jenkins.io/redirect/serialization-of-anonymous-classes/
          [StartupTrigger] - Scanning jobs for node node-linux
          Agent successfully connected and online
          Show
          remik P4 added a comment - Hi. I probably reported to the wrong issue ( JENKINS-46631 ) but this is happening on our environment right now. Any plans for fixation?   Jenkins master: Windows Server 2012 R2; JDK 1.8.0_172-b11; Jenkins v2.176.2. Jenkins slave: Ubuntu 19.04 LTS; openjdk-11-jdk 11.0.4+11-post-Ubuntu-1ubuntu219.04 Node log: ... [08/26/19 16:06:45] [SSH] Checking java version of java [08/26/19 16:06:45] [SSH] java -version returned 11.0.4. [08/26/19 16:06:45] [SSH] Starting sftp client. [08/26/19 16:06:45] [SSH] Copying latest remoting.jar... [08/26/19 16:06:45] [SSH] Copied 789,283 bytes. Expanded the channel window size to 4MB [08/26/19 16:06:45] [SSH] Starting agent process: cd "/home/jenkins/jenkins" && java -jar remoting.jar -workDir /home/jenkins/jenkins Aug 26, 2019 4:06:46 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir INFO: Using /home/jenkins/jenkins/remoting as a remoting work directory Both error and output logs will be printed to /home/jenkins/jenkins/remoting <===[JENKINS REMOTING CAPACITY]===>channel started Remoting version: 3.29 This is a Unix agent WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by jenkins.slaves.StandardOutputSwapper$ChannelSwapper to constructor java.io.FileDescriptor( int ) WARNING: Please consider reporting this to the maintainers of jenkins.slaves.StandardOutputSwapper$ChannelSwapper WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release Evacuated stdout Aug 26, 2019 4:06:52 PM org.jenkinsci.remoting.util.AnonymousClassWarnings warn WARNING: Attempt to (de-)serialize anonymous class org.jenkinsci.plugins.envinject.EnvInjectComputerListener$1; see: https: //jenkins.io/redirect/serialization-of-anonymous-classes/ [StartupTrigger] - Scanning jobs for node node-linux Agent successfully connected and online
          Hide
          markewaite Mark Waite added a comment -

          Please don't use closed bug reports to ask additional questions P4. The users mailing list will generally provide better results than asking a question on a closed bug report.

          In this specific case, the message is a warning. There is no active project to remove those warnings. It may be a part of Hacktoberfest 2019 just as it was part of Hacktoberfest 2018. You're welcome to begin submitting pull requests to resolve those messages. This type of problem was mentioned in the "Running Jenkins with Java 9 & 10" blog post and in the Hacktoberfest 2018 announcement. Some of the places that may need to be addressed are listed in GitHub.

          Show
          markewaite Mark Waite added a comment - Please don't use closed bug reports to ask additional questions P4 . The users mailing list will generally provide better results than asking a question on a closed bug report. In this specific case, the message is a warning. There is no active project to remove those warnings. It may be a part of Hacktoberfest 2019 just as it was part of Hacktoberfest 2018. You're welcome to begin submitting pull requests to resolve those messages. This type of problem was mentioned in the " Running Jenkins with Java 9 & 10 " blog post and in the Hacktoberfest 2018 announcement . Some of the places that may need to be addressed are listed in GitHub .

            People

            • Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              markewaite Mark Waite
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: