Having recently seen a customer simply switch from JNLP2 to JNLP4 and get
their instance back to working, after they had disabled JNLP4 after some
mistake, I'm +1 to help drive users more towards the "right"/recommended
version.

2017-07-28 10:02 GMT+02:00 Stephen Connolly <[email protected]>:

> +1
>
> On Fri 28 Jul 2017 at 08:53, Oleg Nenashev <[email protected]> wrote:
>
>> Hi all,
>>
>> It is almost one year since the release of the JNLP4 protocol in Remoting
>> 3.0. This protocol has been available in Jenkins LTS since 2.32.1, and so
>> far it has demonstrated good stability compared to JNLP2 and especially to
>> JNLP3. The protocol was enabled by default in 2.46.x, and we have not had
>> confirmed JNLP4 issues since then.
>>
>> I propose to disable the previous protocols. I have created JENKINS-45841
>> <https://issues.jenkins-ci.org/browse/JENKINS-45841> for it.
>>
>>
>> *Why?*
>>
>>    - JNLP2 stability concerns
>>       - There are known issues in JNLP2 connection management. The
>>       engine is complex and barely diagnosable
>>       - Examples:
>>          - https://github.com/jenkinsci/remoting/pull/156
>>          - JENKINS-31735
>>          <https://issues.jenkins-ci.org/browse/JENKINS-31735> -
>>          NioChannelHub thread dies sometimes
>>          - JENKINS-24155
>>          <https://issues.jenkins-ci.org/browse/JENKINS-24155> - Slaves
>>          going offline in NIO mode
>>       - In many cases an update to JNLP4 was a resolution
>>    - JNLP1/JNLP2/CLI1 are known to be unencrypted
>>       - Sam Gleske also made it explicit in UI, Jenkins 2.41+ (pull
>>       request <https://github.com/jenkinsci/jenkins/pull/2682>)
>>       - It is not a security issue; they have never been claimed to be
>>       encrypted
>>       - Jenkins CERT team agreed that disabling protocols is reasonable
>>       from the security hardening standpoint
>>
>> *How?*
>>
>>    - UPD: When installation wizard is enabled && it runs in the new
>>    installation mode, disable the old protocols during the instance
>>    initialization
>>       - It is similar to what we do for Remoting CLI disabling and the
>>       default security initialization in Jenkins 2.0
>>    - ADD: administrative monitor, which warns about obsolete Remoting
>>    protocols and points to the errata documents (like this one)
>>    - ADD: Explicit deprecation notice to the built-in HTML documentation
>>
>> *Compatibility concerns*
>>
>>    - Old instances won't be affected, protocols will still be enabled
>>    for them
>>    - "New" Jenkins instances installed via setup wizard may be affected
>>    in edge cases. Examples:
>>       - Agents with Remoting older than 3.0 will be unable to connect.
>>          - One may bundle old Remoting in his custom Docker images, AMIs,
>>          etc.
>>          - Swarm Plugin
>>          <https://wiki.jenkins.io/display/JENKINS/Swarm+Plugin>: old
>>          versions of Swarm Client (before 3.3) will be unable to connect,
>>          because Remoting 2.x is bundled
>>       - **Very** old jenkins-cli.jar without CLI2 support will be unable
>>       to connect
>>
>> *Not affected:*
>>
>>    - Newly installed instances created from scratch
>>    - Instances using the "-Djenkins.install.runSetupWizard=false" flag
>>    (all configuration-as-code instances)
>>    - SSH Slaves Plugin, any newly installed agent type,
>>    community-provided Docker packages for agents, etc.
>>
>> *Announcement*
>>
>>    - It's a potentially breaking change, hence it should be announced in
>>    blog posts
>>    - The change and the corner cases should be addressed in the upgrade
>>    guide, which should be published within the blogpost
>>
>>
>>
>> I think it's a good time to finally do this change. WDYT?
>>
>> Thanks in advance,
>> Oleg Nenashev
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/
>> msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%
>> 40googlegroups.com
>> <https://groups.google.com/d/msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> Sent from my phone
>
>
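
One way an administrator could apply the hardening proposed in this thread to an existing instance, as an added example that is not part of the original messages or of Jenkins core: a Script Console (Groovy) snippet that first lists connected agents whose Remoting predates 3.0 and only then drops the older protocols. The protocol identifier strings and the dryRun switch are assumptions; compare the identifiers with what the script prints.

```groovy
// Added example for the Jenkins Script Console; not from the thread or Jenkins core.
import jenkins.model.Jenkins
import hudson.slaves.SlaveComputer
import hudson.util.VersionNumber

// Assumed protocol identifiers; compare with the "Enabled" line printed below.
def legacy = ['JNLP-connect', 'JNLP2-connect', 'JNLP3-connect', 'CLI-connect'] as Set
def dryRun = true                            // hypothetical switch: false applies the change
def minRemoting = new VersionNumber('3.0')   // JNLP4 was released in Remoting 3.0

def jenkins = Jenkins.getInstance()
def enabled = new TreeSet<String>(jenkins.getAgentProtocols())
println "Enabled agent protocols: ${enabled}"

// 1. Connected agents that would be cut off: Remoting older than 3.0.
def tooOld = []
jenkins.getComputers().each { c ->
    if (c instanceof SlaveComputer && c.isOnline()) {
        try {
            def v = c.getSlaveVersion()
            if (v != null && new VersionNumber(v).isOlderThan(minRemoting)) {
                tooOld << "${c.getName()} (Remoting ${v})"
            }
        } catch (Exception e) {
            println "Could not read Remoting version of ${c.getName()}: ${e.message}"
        }
    }
}
println "Agents needing a Remoting upgrade first: ${tooOld ?: 'none'}"

// 2. Never remove the old protocols unless JNLP4 stays available.
def toDisable = enabled.intersect(legacy)
if (toDisable.isEmpty()) {
    println 'No legacy protocols enabled; nothing to do.'
} else if (!enabled.contains('JNLP4-connect')) {
    println 'Refusing to change anything: JNLP4-connect is not enabled.'
} else if (!tooOld.isEmpty()) {
    println "Refusing to disable ${toDisable}: upgrade the agents listed above."
} else if (dryRun) {
    println "Dry run: would disable ${toDisable}"
} else {
    jenkins.setAgentProtocols(new TreeSet<String>(enabled - toDisable))
    jenkins.save()
    println "Disabled ${toDisable}; remaining: ${jenkins.getAgentProtocols()}"
}
```

Offline agents and Swarm clients that are not connected when the script runs are not inspected, so check images and AMIs that bundle Remoting separately.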
