Thanks for the help Stephen and Les. I really appreciate it. I'm going to try and see if I can work around the Windows 2008 problems with controlling slaves as a service [1]. It just so happens I have a fresh machine here that I can play with.
[1] https://issues.jenkins-ci.org/browse/JENKINS-4859

A

From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Connolly
Sent: Wednesday, February 13, 2013 8:12 AM
To: [email protected]
Subject: Re: Issues after moving to 1.501 With Slave Nodes

LTS is supposed to include critical security fixes too... otherwise it's just a version that stays around for a while.

https://groups.google.com/forum/?fromgroups=#!topic/jenkinsci-advisories/P32IpTQNT5o

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

"Slaves that are started via Java Web Start will fail to reconnect if the *.jnlp file is locally stored. This is because the authentication tokens change. An administrator would have to login to the UI, retrieve the *.jnlp file and overwrite what's already on the slave. A slave that was launched via Java Web Start and then turned into a service through its menu falls into this category."

My understanding of this issue, and until now I have stayed off contributing to the security advisory list as I don't want that to be seen as too CloudBees heavy (there's already KK & Jesse on the list and perhaps Ryan and Nicolas too), is that there was no other way to fix the issue at hand.

Perhaps the changelog (http://jenkins-ci.org/changelog-stable) could have given a link to the Security Advisory, or at least mentioned that there were manual steps to be taken... that would be a good issue to put before the biweekly jenkins project meetings (at a time when I am cooking dinner, hence why I am never on them)

-Stephen

On 13 February 2013 13:39, Les Mikesell <[email protected]> wrote:

So, does that mean surprising changes should go undocumented and even backed into revs where they are more surprising? Or did I just miss the part in the release notes that said previously-working systems would break?

On Wed, Feb 13, 2013 at 2:57 AM, Stephen Connolly <[email protected]> wrote:
> IIRC this was fallout from fixing a critical security issue
>
> On 12 February 2013 16:21, Les Mikesell <[email protected]> wrote:
>>
>> On Tue, Feb 12, 2013 at 9:37 AM, Fisher, Allen <[email protected]> wrote:
>> > I did notice something interesting. If I launch via the website, the
>> > slaves will connect, until I install the service. After that, they
>> > don't connect.
>>
>> If it works when you are authenticated in the browser before
>> launching, but not as a service it is because the system changed to
>> require slaves to authenticate via jnlp but it seems to be mostly
>> broken. I changed mine to start via ssh (linux) and "let jenkins
>> control this windows slave" on the windows systems where that worked.
>> Not sure what to do about the windows 2008 systems where none of that
>> works.
>>
>> If you are on a private firewalled LAN, you might be OK with allowing
>> anonymous read and slave connect in your main authorization matrix to
>> restore the old behavior.
>>
>> By the way - was this change documented somewhere for the LTS 1.480.2
>> release? I had seen the problem mentioned for 1.49x versions but
>> wasn't expecting it in 1.480.2 - and I thought the point of the LTS
>> line was to avoid surprises.
>>
>> --
>> Les Mikesell
>> [email protected]
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
