Problems launching the slave agent via Java Web Start on Jenkins

Question

We have recently upgraded Jenkins to the latest verion.

and since then ive not been able to launch the slaves via Java WebStart through the command line everytime I try to launch it I get "Unable to Launch the application" error

with this in the details panel

CouldNotLoadArgumentException[ Could not load file/URL specified: http://MyServer:8080/computer/Slave1/slave-agent.jnlp]
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main.access$000(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

When try browsing to the Jenkins site and lunching it from there IT WORKS however if you then restart the box then the command line on the start up fails to do the job.

This is the command I am trying to run from the slave

cd "C:\Program Files (x86)\Java\jre7\bin"
javaws http://MyServer:8080/computer/Slave1/slave-agent.jnlp

The problem is that this used to work. I have also tried updating to the latest version of Java but no luck,

Any Idea anyone?

Answer 1

Supposedly, due in most part to posts on the Jenkins forums, this new behavior is due to a fix for a security issue: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

Two solutions seem to be coming up:

1. Download the JNLP file (via browser, wget, curl, whatever) then run locally - may require extra parameters.
2. Go to Manage Jenkins -> Configure Global Security, and under Project-based Matrix Authorization Strategy, enable “connect” in the “slave” section, for user “Anonymous”. This would leave you open to attack where someone emulates a slave (but in my case, on a private work network - that's not an issue.)

Answer 2

If you want to leave the JNLP file on the master, and you don't want to open the security hole for Anonymous users to connect as a slave, edit the jenkins-slave.xml file to add the -jnlpCredentials option along with the -jnlpUrl option:

-jnlpCredentials {user}:{apiKey}

where:
user is the username in Jenkins' account database
apiKey is the user's API key (note this is NOT the user's password)

To get the API key for the user, go into:

http://SERVER/user/USER/configure

and click the button to show that user's API key.

Answer 3

For me, I had to make sure I had the "anonymous" connect set in jenkins matrix permissions AND I had to hack the JNLP file that is sent down from master.

I would say this is bug in Jenkins in 2.19.2. Basically, in the JNLP file that is pulled down from the server the tunneling argument that contains the master's ip and port gets replaced with the slave ip-addr only.

See the code for the engine.java, [line #308] which is where the exception is thrown from:

https://searchcode.com/codesearch/view/65603521/

Exception looks like:

Originally my JNLP file looked like:

<jnlp codebase="http://jenkins-master-ip-addr:8080/computer/Node1/" spec="1.0+">
<information>
    <title>Agent for Node1</title>
    <vendor>Jenkins project</vendor>
    <homepage href="https://jenkins-ci.org/"/>
</information>
<security>
    <all-permissions/>
</security>
<resources>
    <j2se version="1.7+"/>
    <jar href="http://jenkins-master-ip-addr:8080/jnlpJars/remoting.jar"/>
    <property name="hudson.showWindowsServiceInstallLink" value="true"/>
</resources>
<application-desc main-class="hudson.remoting.jnlp.Main">

    <argument>b16fdf4388d98e4be6910218cfb5a9b5fa999bcd8dec90264e525171a3b02fce</argument>
    <argument>Node1</argument>

    <argument>-tunnel</argument>
    <argument>jenkins-slave-ip-addr</argument>

    <argument>-url</argument>
    <argument>http://jenkins-master-ip-addr:8080/</argument>

</application-desc>

The problem is the "-tunnel" arg above. It contains the SLAVE machine's ip-addr only. CHANGING this to the MASTER machine's ip-add AND PORT, fixed it! Below:

    <argument>-tunnel</argument>
    <argument>jenkins-master-ip-addr:9080</argument>

Answer 4

检查命令行中的Slave1名称和jenkins节点defenition是否相同。它应该是jenkins节点中的Slave1