> I'm not sure if I'm misunderstanding your situation but as far as I understand
> the security fix had two parts:

Our individual situation was that we had launched the JNLP slave on our boxes, then installed it as a service. We tried to roll first to the edge, which didn't work (and I saw a hint about the security) so I tried the LTS, which didn't work either. Stephen C. noted the communication problem with KK (muchas gracias), so that hopefully won't be an issue going forward.

> 1 - invalidate all existing authentication tokens because they could have
> already been compromised. New ones are generated

This wasn't a big deal, I re-started the slaves and re-downloaded the JNLP to get new tokens.

> 2 - stop slaves (or indeed anyone else) downloading the authentication tokens
> without being properly authenticated.

This turned out to be the bigger deal. When I attempted to turn the JNLP into a service, it had to restart the JNLP connection:

> The main breakage for jnlp slaves was that they tried to download the
> authentication token on each startup. This is no longer allowed so they need
> to get the token by another means.

This was the problem I ran into, and it took me a while to find it. In the interim, I've tried to jump through the hoops of making Jenkins control the slaves via DCOM (Control this slave as a Windows Service), which as we all know is a whole other bucket of fun on windows server 2008.

> There are quite a few examples of how to setup the configuration in
> https://issues.jenkins-ci.org/browse/JENKINS-16273
> I'm using the one that I posted there on 11/Jan and it works fine for my jnlp
> slaves.

Thanks for this link! I didn't hit the right google-fu to dredge it up. I'm going to give your solution a try. If that fails (I highly doubt it since you've been running for a month), I'm going to go the route that a couple of others have suggested and attempt to get SSH up and running on these boxes and see if the SSH option will work with them.

Lest anyone think I was complaining about fixing security issues, I wasn't. I hope that we can maybe in the future be able to provide credentials in some way that doesn't require some manual tweaking. That combined with a little higher profile on things that could break working configs will help a lot.

Thanks again for the help!

Allen A

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Richard Mortimer
Sent: Wednesday, February 20, 2013 11:19 AM
To: [email protected]
Cc: Les Mikesell
Subject: Re: Issues after moving to 1.501 With Slave Nodes

On 20/02/2013 17:01, Les Mikesell wrote:
> On Wed, Feb 20, 2013 at 10:53 AM, Stephen Connolly
> <[email protected]> wrote:
>>>
>>> On 20 February 2013 16:43, Les Mikesell <[email protected]> wrote:
>>>>
>>>> On Wed, Feb 20, 2013 at 10:26 AM, Fisher, Allen
>>>> <[email protected]>
>>>> wrote:

... snip ...

> And, as this thread points out - we need a usable workaround for
> win2008R2 slaves. I'm fine with installing some flavor of ssh if that
> would work, but I can't be the first/only one to run into the problem.
> Why is it a surprise?
>

I'm not sure if I'm misunderstanding your situation but as far as I understand the security fix had two parts:

1 - invalidate all existing authentication tokens because they could have already been compromised. New ones are generated

2 - stop slaves (or indeed anyone else) downloading the authentication tokens without being properly authenticated.

The main breakage for jnlp slaves was that they tried to download the authentication token on each startup. This is no longer allowed so they need to get the token by another means.

An easy way to do this is to download the token, in slave-agent.jnlp, (once) for each slave and to save it on the slave. Then the windows service startup script needs to be changed to reference this rather than downloading the file each time it starts up.

Note that the security token only changes once and does not need re-downloading each time you restart/reboot the slave instance.
There are quite a few examples of how to setup the configuration in
https://issues.jenkins-ci.org/browse/JENKINS-16273

I'm using the one that I posted there on 11/Jan and it works fine for my jnlp slaves.

Regards

Richard

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
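
The following check for the breakage described in the thread (a Windows service that fetches slave-agent.jnlp from the master on every start) is an added example, not code from the thread, from JENKINS-16273 or from Jenkins. The service XML layout, the saved JNLP layout, the host name, the file path and the token value are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (assumed layouts, not taken from the thread).
REMOTE = "http://jenkins.example.invalid/computer/win01/slave-agent.jnlp"
SERVICE_BEFORE = r'''<service>
  <id>jenkinsslave</id>
  <executable>java</executable>
  <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl ''' + REMOTE + '''</arguments>
</service>'''
# Same service, pointed at a copy of the file saved once on the slave.
SERVICE_AFTER = SERVICE_BEFORE.replace(REMOTE, "file:/C:/jenkins/slave-agent.jnlp")
# Saved JNLP; the first <argument> is assumed to hold the token (dummy value).
SAVED_JNLP = '''<jnlp><application-desc main-class="hudson.remoting.jnlp.Main">
  <argument>0123456789abcdef0123456789abcdef</argument>
  <argument>win01</argument>
</application-desc></jnlp>'''

def jnlp_url(service_xml):
    """Return the value that follows -jnlpUrl in <arguments>, or None."""
    args = ET.fromstring(service_xml).findtext("arguments") or ""
    m = re.search(r'-jnlpUrl\s+(?:"([^"]+)"|(\S+))', args)
    return (m.group(1) or m.group(2)) if m else None

def fetches_token_on_startup(service_xml):
    """True when the service re-downloads the JNLP over HTTP(S) at each start,
    which is the request the fix now refuses without authentication."""
    url = jnlp_url(service_xml)
    return url is not None and url.lower().startswith(("http://", "https://"))

def has_saved_token(jnlp_xml):
    """True when the saved JNLP has a non-empty first <argument>.
    The token itself is never returned or printed."""
    desc = ET.fromstring(jnlp_xml).find("application-desc")
    first = desc.find("argument") if desc is not None else None
    return first is not None and bool((first.text or "").strip())

if __name__ == "__main__":
    for name, cfg in (("before", SERVICE_BEFORE), ("after", SERVICE_AFTER)):
        print(name, jnlp_url(cfg), "remote fetch:", fetches_token_on_startup(cfg))
    print("saved file carries a token:", has_saved_token(SAVED_JNLP))
```

Because the saved file holds the slave's authentication token, restrict read access on it to the account the service runs as.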
