[JENKINS-26580] Activate JNLP3 support

[kohsuke]

JENKINS-26580

Follow up to jenkinsci/remoting#69 to activate JNLP3 support on the server side

[kohsuke]

cc @akshayabd @oleg-nenashev @jglick

Merging this requires a corresponding remoting release

[oleg-nenashev]

It still breaks the binary compatibility, because external classes won't implement the new abstract method. Maybe NIT in the case of remoting

[oleg-nenashev]

BTW the invocation below catches the AbstractMethodError

[oleg-nenashev]

LGTM in general.

[amuniz]

Missing @Deprecated - given the javadoc.

[kohsuke]

One or the other is sufficient.

[kohsuke]

My plane is about to leave so I can't check this now but does this code correctly call ChannelConfigurator

[jglick]

Looks alarming. Why not just retain the original method signature, deprecate it, and delegate?

[kohsuke]

This was much shorter than the ping-pong and loop detection, plus it has the benefit of abstract method clearly marked as such.

[jglick]

does this code correctly call ChannelConfigurator

The fix of SECURITY-206 includes an assertion in JnlpAccessWithSecuredHudsonTest.testServiceUsingDirectSecret. If the agent and master automatically agree to use the v3 protocol, I suppose the existing test should cover this.

[jglick]

Could not resolve dependencies for project org.jenkins-ci.main:cli:jar:1.647-SNAPSHOT: Could not find artifact org.jenkins-ci.main:remoting:jar:2.54-SNAPSHOT in cloudbees-private-snapshot-repository

You need to deploy a snapshot of the library to have this PR be tested.

[kohsuke]

Wow, Jesse predicted the exact test case that fails!!

[akshayabd]

Initial manual testing looks good - the JNLP node connects with JNLP3 protocol and I can build a project on the node.

I think more stress testing needs to be done before JNLP3 is made the default protocol. In this initial release JNLP3 should only be available if the user explicitly asks for it. There are 3 approaches:

Master-side control
1. Making master support JNLP3 through a flag
2. Making master support JNLP3 through UI option
Node-side control
3. Making node try JNLP3 first using flag

Option 1 can be done in "easy" ways I suppose, this class can check for a boolean system property, if its not set fail and let JNLP2 take over.
Option 2 is a lot of work and I would not favor it.
Option 3 is easy, but requires some extra work for users starting up nodes with JNLP3.

I'm ok with either option 1 or 3, prefer 1 slightly since I like controlling the behavior from the master side, not the node.

[kohsuke]

OK, I'll ease this in by making this feature optional in the beginning for a while.

[akshayabd]

I'm going to spend some time dusting out the stress-test suites that we used before and run them for JNLP3. Will probably have to modify them a bit to have significant "work" being done for each build instead of just "sleep 5". Will let you know when I'm done.

[kohsuke]

I discovered that the protocol doesn't gracefully handle a server that doesn't understand the protocol. Needs further tweak in remoting.

[kohsuke]

Can somebody help me understand why the PR validation build doesn't pick up http://repo.jenkins-ci.org/snapshots/org/jenkins-ci/main/remoting/2.56-SNAPSHOT/ ?

[kohsuke]

FWIW locally it passes all the tests.

[aheritier]

@kohsuke https://repository-jenkins.forge.cloudbees.com/snapshot/org/jenkins-ci/main/remoting/ there is no 2.56-SNAPSHOT version here ....
Did you manually deployed it ?
I suppose you did and it was removed because Maven tries to get a version 2.56-20160304.223037-1 thus it must have this version in its local repository cache. The problem is that it doesn't use it because it isn't available in the remote repository. It is the crappy feature added in Maven 3.x and which always reports a stupid error message that doesn't explain the error cc @stephenc
Building with -U option (or repositories options in settings to always check snapshots) is safer/cleaner to enforce maven to try to get a new SNAPSHOt if available. It won't solve the issue that the SNAPSHOT was deleted in the remote. The problem can be bypassed (but it's crappy) and let maven use its local cached SNAPSHOT with the option

-llr,--legacy-local-repository         Use Maven 2 Legacy Local
                                        Repository behaviour, ie no use of
                                        _remote.repositories. Can also be
                                        activated by using
                                        -Dmaven.legacyLocalRepo=true

[kohsuke]

@aheritier see the link I provided above, which is the official snapshot repo for the Jenkins project. Sounds like the issue is that we are not configuring our POMs to refer to that snapshot repository, though it makes me wonder how others have been doing this.

[aheritier]

@kohsuke https://repository-jenkins.forge.cloudbees.com/snapshot/org/jenkins-ci/main/remoting/ is where the build is looking for snapshots instead of http://repo.jenkins-ci.org/snapshots/org/jenkins-ci/main/remoting

I agree that the snapshot repo http://repo.jenkins-ci.org/snapshots/org/jenkins-ci/main/remoting should be defined in the POM or in the maven settings

For now it's not defined in any POM
https://github.com/jenkinsci/pom/blob/master/pom.xml#L77
https://github.com/jenkinsci/jenkins/blob/master/pom.xml#L111

Thus I imagine that people using SNAPSHOTs are defining the repo in the maven settings used on CI
There is a settings.xml config defined in the Config File Provider plugin called JenkinsSettings activating in a jenkins profile snapshots from http://repo.jenkins-ci.org/public/ but this one isn't used by the job. I don't know what are the rules and how is managed this instance. maybe @abayer @rtyler or @daniel-beck know ...

[kohsuke]

The test failure is a fluke

[aheritier]

@kohsuke Great !!
I think that we should use for all jobs on https://jenkins.ci.cloudbees.com the same set of (maven) settings and to activate SNAPSHOTs for everyone (but I have no clue where to request it - INFRA ? - and who can/should take care of this)

[akshayabd]

Great to see this merged in - thanks @kohsuke! I always recommend caution, I still haven't done enough scale testing to see what sort of [CPU] performance requirements the Ciphers have. Is there a smaller Jenkins cluster you can test this on before activating it on the main https://jenkins.ci.cloudbees.com?

[stephenc]

Also, as I have pointed out, this is a non-NIO implementation and requires one reader thread per slave... I am working on a v4 protocol that uses a new SSLEngine aware NIOHub and hope to have that soon.

The consideration of @kohsuke and I is that allowing some encryption of the channel at the cost of threads is more important than waiting while I battle with SSLEngine to deliver a v4 protocol

Sent from my iPad

On 9 Mar 2016, at 19:43, akshayabd [email protected] wrote:

Great to see this merged in - thanks @kohsuke! I always recommend caution, I still haven't done enough scale testing to see what sort of [CPU] performance requirements the Ciphers have. Is there a smaller Jenkins cluster you can test this on before activating it on the main https://jenkins.ci.cloudbees.com?

—
Reply to this email directly or view it on GitHub.

[akshayabd]

@stephenc Yes good catch, I had not considered the NIOHub issue. Performance-wise it would probably make a significant difference.