+1

On Fri 28 Jul 2017 at 08:53, Oleg Nenashev <[email protected]> wrote:

> Hi all,
>
> It is almost one year since the release of JNLP4 protocol in Remoting 3.0. This protocol is available in Jenkins LTS since 2.32.1, and so far it demonstrates good stability compared to JNLP2 and especially to JNLP3. The protocol was enabled by default in 2.46.x, and we do not have confirmed JNLP4 issues since that.
>
> I propose to disable the previous protocols. I have created JENKINS-45841 <https://issues.jenkins-ci.org/browse/JENKINS-45841> for it.
>
> *Why?*
>
> - JNLP2 stability concerns
>   - There are known issues in JNLP2 connection management. The engine is complex and barely diagnosable
>   - Examples:
>     - https://github.com/jenkinsci/remoting/pull/156
>     - JENKINS-31735 <https://issues.jenkins-ci.org/browse/JENKINS-31735> - NioChannelHub thread dies sometimes
>     - JENKINS-24155 <https://issues.jenkins-ci.org/browse/JENKINS-24155> - Slaves going offline in NIO mode
>   - In many cases update to JNLP4 was a resolution
> - JNLP1/JNLP2/CLI1 are known to be unencrypted
>   - Sam Gleske also made it explicit in UI, Jenkins 2.41+ (pull request <https://github.com/jenkinsci/jenkins/pull/2682>)
>   - It is not a security issue, they have never been claimed to be encrypted
> - Jenkins CERT team agreed that disabling protocols is reasonable from the security hardening standpoint
>
> *How?*
>
> - UPD: When installation wizard is enabled && it runs in the new installation mode, disable the old protocols during the instance initialization
>   - It is similar to what we do for Remoting CLI disabling and the default security initialization in Jenkins 2.0
> - ADD: administrative monitor, which warns about obsolete Remoting protocols and points to the errata documents (like this one)
> - ADD: Explicit deprecation notice to the built-in HTML documentation
>
> *Compatibility concerns*
>
> - Old instances won't be affected, protocols will be still enabled for them
> - "New" Jenkins instances installed via setup wizard may be affected in edge cases. Examples:
>   - Agents with Remoting older than 3.0 will be unable to connect.
>     - One may bundle old Remoting in his custom Docker images, AMIs, etc.
>   - Swarm Plugin <https://wiki.jenkins.io/display/JENKINS/Swarm+Plugin>: old versions of Swarm Client (before 3.3) will be unable to connect, because Remoting 2.x is bundled
>   - **Very** old jenkins-cli.jar without CLI2 support will be unable to connect
>
> *Not affected:*
>
> - Newly installed instances created from scratch
> - Instances using the "-Djenkins.install.runSetupWizard=false" flag (all configuration-as-code instances)
> - SSH Slaves Plugin, any newly installed agent type, community-provided Docker packages for agents, etc.
>
> *Announcement*
>
> - It's a potentially breaking change, hence it should be announced in blog posts
> - The change and the corner cases should be addressed in the upgrade guide, which should be published within the blogpost
>
> *I think it's a good time to finally do this change. WDYT?*
>
> *Thanks in advance,*
> *Oleg Nenashev*
>
> --
> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Sent from my phone
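The hardening step the proposal describes (dropping the unencrypted JNLP1/JNLP2/CLI1 protocols and the troubled JNLP3) is something an instance started with -Djenkins.install.runSetupWizard=false would have to apply itself, since the wizard-driven change does not reach it. The following Groovy snippet is an added example, not code from the thread or from Jenkins core; it runs in the script console or from $JENKINS_HOME/init.groovy.d/, and assumes that "JNLP-connect", "JNLP2-connect", "JNLP3-connect", "CLI-connect" and "JNLP4-connect" are the names Jenkins registers for those protocols.

```groovy
import jenkins.model.Jenkins

// Added example (not Jenkins core code). Assumption: these are the registered
// names of the pre-JNLP4 agent protocols and the unencrypted CLI protocol.
Set<String> legacy = ['JNLP-connect', 'JNLP2-connect', 'JNLP3-connect', 'CLI-connect'] as Set

def jenkins = Jenkins.getInstance()

// Jenkins.getAgentProtocols() returns the set of protocol names currently
// enabled on this controller; copy it so we can mutate it safely.
Set<String> enabled = new HashSet<String>(jenkins.getAgentProtocols())
println "Enabled agent protocols before: ${enabled}"

Set<String> toDisable = enabled.intersect(legacy) as Set
if (toDisable.isEmpty()) {
    println "No legacy protocols enabled; nothing to do"
} else {
    enabled.removeAll(toDisable)
    jenkins.setAgentProtocols(enabled)
    jenkins.save()  // persist to config.xml so the change survives a restart
    println "Disabled ${toDisable}; enabled now: ${jenkins.getAgentProtocols()}"
}

// Sanity check: the encrypted JNLP4 protocol must still be available,
// otherwise JNLP agents on Remoting 3.0+ would have nothing to connect with.
assert jenkins.getAgentProtocols().contains('JNLP4-connect') : 'JNLP4-connect is not enabled'
```

Before running it on a live controller, compare the printed "before" set against the Remoting versions of your agents and Swarm clients, since anything older than Remoting 3.0 (Swarm Client before 3.3) loses its only usable protocol once these are disabled.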
