-
-
Notifications
You must be signed in to change notification settings - Fork 8.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removing configurability of Jenkins.agentProtocols
#9903
Conversation
JnlpSlaveAgentProtocol.displayName=Inbound TCP Agent Protocol/1 (deprecated, unencrypted) | ||
JnlpSlaveAgentProtocol2.displayName=Inbound TCP Agent Protocol/2 (deprecated, unencrypted) | ||
JnlpSlaveAgentProtocol3.displayName=Inbound TCP Agent Protocol/3 (deprecated, basic encryption) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apparently forgotten in some earlier cleanup.
JnlpSlaveAgentProtocol2.displayName=Inbound TCP Agent Protocol/2 (deprecated, unencrypted) | ||
JnlpSlaveAgentProtocol3.displayName=Inbound TCP Agent Protocol/3 (deprecated, basic encryption) | ||
JnlpSlaveAgentProtocol4.displayName=Inbound TCP Agent Protocol/4 (TLS encryption) | ||
DeprecatedAgentProtocolMonitor.displayName=Deprecated Agent Protocol Monitor |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/label ready-for-merge This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback. Thanks! |
There may be automated tests in the plugin BOM that depend on the agent protocols configuration. Run the tests to confirm that they are unaffected by: * jenkinsci/jenkins#9903
This causes test failures in the plugin BOM. The configuration as code plugin shows several test failures with this change. Other plugins may also show failures. I've started a plugin BOM run to check other plugins: Pull requests that need to be included in the plugin BOM run are: |
Thanks @jglick ! The incremental builds of those plugins passed the plugin BOM tests in I would love to have a release of those two plugins at about the same time as 2.483 releases tomorrow so that the plugin BOM can include those new releases. |
Well jenkinsci/configuration-as-code-plugin#2580 is outside my control. jenkinsci/support-core-plugin#592 I could merge myself but would prefer to wait for a review from somebody. |
Could this be breaking additional protocols defined by proprietary software (I know at least of one custom protocol defined by CloudBees for network diagnosis). |
No, I do not think so. |
I ran into a case where a CloudBees CI customer was missing a proprietary agent protocol (see #8621). It seems that this was quite inadvertent: they had in the past exported a JCasC bundle that included something like
despite never having touched this configuration section, and without paying attention to this line had committed it to SCM, where it prevented new protocols from appearing! (You can find lots of similar examples, some outdated, by searching.)
The history here is long and tortured (#2010, #2950, #3188, #4387, #7451, etc.) but essentially there was a period of Jenkins development in which new TCP (agent) protocols were being actively developed, and a rather complex opt-in-and-out system was devised to allow administrators to pick which protocol(s) to allow and have that choice be partially preserved across upgrades. But for years now, there has only been
JNLP4-connect
, and there is no meaningful choice: if you do not wish to allow inbound TCP agents, just disable the port.The entire protocol selection system seems like technical debt now. This PR just deletes it all and treats
AgentProtocol
like any other headless extension: whichever protocols are registered by core or plugins are allowed. If a plugin developer wishes to conditionally roll out a protocol behind a feature flag, they can conditionally returnnull
fromgetName
. If an administrator has some weird reason to disable one protocol (but allow others) they could filter it out, but this is not something we would advertise as a supported controller customization.Testing done
The protocols section in Configure Security is gone.
Proposed changelog entries
Proposed upgrade guidelines
The list of agent protocols is no longer configurable, either through the GUI or JCasC. (Normally there will be two protocols, one for inbound TCP agents, and a ping protocol used to test connectivity.) The
agentProtocols
section of a JCasC bundle will now be ignored and should be deleted. If you do not wish to allow inbound TCP agents, disable the port rather than the protocol.Submitter checklist
Desired reviewers
@mention
Before the changes are marked as
ready-for-merge
:Maintainer checklist