Having seen recently a customer simply switch from JNLP2 to JNLP4 and get their instance back to working, after they had disabled JNLP4 after some mistake I'm +1 to help drive users more towards the "right"/recommended version.
2017-07-28 10:02 GMT+02:00 Stephen Connolly <[email protected] >: > +1 > > On Fri 28 Jul 2017 at 08:53, Oleg Nenashev <[email protected]> wrote: > >> Hi all, >> >> It is almost one year since the release of JNLP4 protocol in Remoting >> 3.0. This protocol is available in Jenkins LTS since 2.32.1, and so far it >> demonstrates good stability being compared to JNLP2 and especially to >> JNLP3. The protocol was enabled by default in 2.46.x, and we do not have >> confirmed JNLP4 issues since that. >> >> I propose to disable the previous protocols. I have created JENKINS-45841 >> <https://issues.jenkins-ci.org/browse/JENKINS-45841> for it. >> >> >> *Why?* >> >> - JNLP2 stability concerns >> - There are known issues in JNLP2 connection management. The >> engine is complex and barely diagnosable >> - Examples: >> - https://github.com/jenkinsci/remoting/pull/156 >> - JENKINS-31735 >> <https://issues.jenkins-ci.org/browse/JENKINS-31735> - >> NioChannelHub thread dies sometimes >> - JENKINS-24155 >> <https://issues.jenkins-ci.org/browse/JENKINS-24155> - Slaves >> going offline in NIO mode >> - In many cases update to JNLP4 was a resolution >> - JNLP1/JNLP2/CLI1 are known to be unencrypted >> - Sam Gleske also made it explicit in UI, Jenkins 2.41+ (pull >> request <https://github.com/jenkinsci/jenkins/pull/2682>) >> - It is not a security issue, they have been never claimed to be >> encrypted >> - Jenkins CERT team agreed that disabling protocols is reasonable >> from the security hardening standpoint >> >> *How?* >> >> - UPD: When installation wizard is enabled && it runs in the new >> installation mode, disable the old protocols during the instance >> initialization >> - It is similar to what we do for Remoting CLI disabling and the >> default security initialization in Jenkins 2.0 >> - ADD: administrative monitor, which warns about obsolete Remoting >> protocols and points to the errata documents (like this one) >> - ADD: Explicit deprecation notice to the built-in HTML documentation >> >> *Compatibility concerns* >> >> - Old instances won't be affected, protocols will be still enabled >> for them >> - "New" Jenkins instances installed via setup wizard may be affected >> in age cases. Examples: >> - Agents with Remoting older than 3.0 will be unable to connect. >> - One may bundle old Remoting in his custom Docker images, AMIs, >> etc. >> - Swarm Plugin >> <https://wiki.jenkins.io/display/JENKINS/Swarm+Plugin>: old >> versions of Swarm Client (before 3.3) will be unable to connect, >> because >> Remoting 2.x is bundled >> - **Very** old jenkins-cli.jar without CLI2 support will be unable >> to connect >> >> *Not affected:* >> >> - Newly installed instances created from scratch >> - Instances using the "-Djenkins.install.runSetupWizard=false" flag >> (all configuration-as-code instances) >> - SSH Slaves Plugin, any newly installed agent type, >> community-provided Docker packages for agents, etc. >> >> *Announcement* >> >> - It's a potentially breaking change, hence it should be announced in >> blog posts >> - The change and the corner cases should be addressed in the upgrade >> guide, which should be published within the blogpost >> >> >> >> *I think it's a good time to finally do this change. WDYT?Thanks in >> advance,Oleg Nenashev* >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit https://groups.google.com/d/ >> msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3% >> 40googlegroups.com >> <https://groups.google.com/d/msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- > Sent from my phone > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/jenkinsci-dev/CA%2BnPnMw-mrET-X9xO4Y2B%3Dy2MfQ% > 3DyduKedp9wLiFL-Xk_eKYjQ%40mail.gmail.com > <https://groups.google.com/d/msgid/jenkinsci-dev/CA%2BnPnMw-mrET-X9xO4Y2B%3Dy2MfQ%3DyduKedp9wLiFL-Xk_eKYjQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS4-GLOSOw%3DKo-rpeo_7T0VAmo2xE7oW%2BikMc61s4-P%3DyA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
