Jenkins master agent cannot connect to Windows slave agent using EC2 plugin - jenkins

I'm currently trying to configure Jenkins in order to launch my Windows slave using EC2 plugin. However, my slave agent enters an infinite loop with the message:
Connecting to ip-10-180-10-223.ap-southeast-2.compute.internal(10.180.10.223) with WinRM as Waiting for WinRM to come up. Sleeping 10s.
I followed this post How to run Windows instance on EC2 from Jenkins? to troubleshoot my issue but to no avail. I configured for both the client and the server and used this command on the remote machine:
winrm identify -r:http://winrm_server:5985 -auth:basic -u:user_name -p:password -encoding:utf-8
as stated in this link http://www.gabrielmatteson.com/index.php/howto-configure-windows-remote-management-service-to-allow-http-and-basic-authentication/ but I got this message:
The WinRM client cannot process the request. If the authentication scheme is
different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure
TrustedHosts. Note that computers in the TrustedHosts list might not be
authenticated. You can get more information about that by running the
following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
I followed this post here Connecting to remote server failed using WinRM from PowerShell to troubleshoot again but I still got the same message as above. For the EC2 instance, I modified the Security Group to allow all inbound and outbound traffic but it has not worked.
I don't know why the issue occurs, but my WinRM on the virtual server is up and running.

WinRM needs to be configured to allow remote server management.
Two ways to do this:
1. Start your instance from AWS and run these WinRM commands via the command line.
winrm quickconfig
winrm set winrm/config/client '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/client/Auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
Then save the image of this instance (AWS UI -> EC2 -> select the instance -> Actions -> Images and templates -> Create an image) and use it for your Jenkins slave.
2. Put these commands in the "User Data" section that you will find in the configuration of your Jenkins agent (Jenkins UI -> Build Executor Status -> Configure Clouds).
<powershell>
winrm quickconfig
winrm set winrm/config/client '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/client/Auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
</powershell>
NOTE that 1024 is an example; you can allocate more memory if needed. In my case my Jenkins job needed more memory, and because I have a t3.xlarge instance type (16 GiB memory) I've allocated 8 GiB (8192) to WinRM.
Sources:
Jenkins Amazon EC2 plugin WinRM infinite loop
https://issues.jenkins.io/browse/JENKINS-34610
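
The same user-data approach with WinRM exposed over HTTPS, so that Basic credentials travel inside TLS rather than over plain HTTP. This is an added example, not part of the original answer: it assumes the Jenkins side is set to connect with WinRM over HTTPS on port 5986 and to accept a self-signed certificate, and the CIDR value is a placeholder.

```powershell
# Added example (not from the original answer): WinRM over HTTPS for an EC2 agent.
# For the "User Data" field, wrap the script in <powershell> ... </powershell>.
$ErrorActionPreference = 'Stop'

# Placeholder (assumption): subnet the Jenkins controller connects from.
$ControllerCidr = '10.0.0.0/24'

# The WSMan: drive is only usable while the WinRM service is running.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Self-signed certificate for the listener, named after this host.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -CertStoreLocation Cert:\LocalMachine\My

# Drop plain-HTTP listeners (port 5985), then create an HTTPS listener (port 5986).
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Basic authentication stays enabled as in the answer; unencrypted traffic is refused.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false -Force
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true -Force
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 1024 -Force

# Open port 5986 to the controller's subnet only.
New-NetFirewallRule -DisplayName 'WinRM HTTPS from Jenkins controller' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $ControllerCidr -Action Allow | Out-Null
```

The EC2 security group then only needs inbound TCP 5986 from the controller, not all traffic.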

Related

JNLP port is missing from Configure Global Security in Jenkins

I'm creating a windows slave in Jenkins and for that, I need to use the Java Web Start as a launch method in slave configuration.
I'm aware that to view this option in slave configuration, we need to change the setting in Manage Jenkins>Configure global security>Agents>TCP JNLP Agents to Random from disabled.
But in my case, I'm not able to see the JNLP port agent, the option visible is "TCP port for inbound agents" instead of "TCP port for JNLP agents".
I've installed JDK in Manage Jenkins>Global tool Configuration, but after this as well it's not giving an option for JNLP agents.
Can someone please help with this, where I can view the "TCP port for JNLP agents" option under Jenkins>Configure global security>Agents?
The 'TCP port for JNLP agents' setting seems to be not available anymore in the 'Configure Global Security' settings. Instead of that modify your agent's settings and set Launch method as 'Launch agent by connecting it to master'. It works similarly to the option that you are looking for:
Agents communicate through each other over TCP. In my case I couldn't find "TCP port for JNLP agents". The solution for it is, before creating an agent, go to Configure global security -> section labeled "Agents" and the line that says "TCP port for inbound agents". Insert a valid port value for the TCP port for inbound agents. Apply that change.
Then go to Configure Jenkins -> Manage Nodes -> create new node or configure node
Choose the setting "Launch agent by connecting it to the controller" under Launch Method.
The phrasing has been improved significantly in the user interface by removing the references to "JNLP". The key difference between the agent protocols is not the underlying transport, but rather which end initiates the connection. The agent launch method that was formerly called "JNLP" is a launch method that initiates the agent connection from the agent to the master. The launch method called "ssh" initiates the connection from the master to the agent.

TFS releasing management deployment issue with WinRM

I am using TFS (2015 Update 3) and implemented CI build. I created two environments for release: one is staging and the other is production, hosted in an AWS Windows VM. I am using the IIS Deploy WinRM extension (https://marketplace.visualstudio.com/items?itemName=ms-vscs-rm.iiswebapp) in the release task to deploy the package to the remote server.
Staging IIS is hosted on the same build machine and the deployment task is working fine. When I deploy to the production environment I am getting the following error.
Deployment failed on machine xx.xx.xx.xx with following message: System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server xx.xx.xx.xx failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
I believe WinRM is not able to communicate with target server hence it is not working. I tried to follow instructions in this link (https://learn.microsoft.com/en-us/vsts/build-release/apps/cd/deploy-webdeploy-iis-winrm).
I configured winRM in both machines and even added build machine (where I initiate release) to trusted hosts on the target server. In both machines, winRM service is listening to ports 5985,5986.
I tried to test the WinRM connection and tried the following command on the build machine.
test-wsman -ComputerName -UseSSL
I got the following error:
test-wsman : WinRM cannot complete the operation. Verify that the specified
computer name is valid, that the WinRM
service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles
limits access to remote computers within the same local subnet.
I am sure the issue is WinRM not being able to communicate with the target server. One of the requirements of this TFS WinRM deployment extension is that both servers should be domain joined or workgroup joined (mentioned in https://learn.microsoft.com/en-us/vsts/build-release/apps/cd/deploy-webdeploy-iis-winrm). Is this why deployment is not working, and how can I join both domains? As the target server is hosted in AWS (it is a Windows VM machine), we connect through VPN.
Build machine's name is like MachineName.uk.companyname.com and target servers name is MachineName.abc.risk.cloud (both in different domains)
Any thoughts on debugging this and get this deployment working in target server?
WinRM configuration
Windows Remote Management (WinRM) requires target servers to be:
Domain-joined or workgroup-joined
Able to communicate using the HTTP or HTTPS protocol
Addressed by using a fully-qualified domain name (FQDN) or an IP address
Just as the document described, you need to follow the requirements of WinRM configuration. Since using test-wsman -ComputerName -UseSSL also shows communicate with the target server, this is why the deployment is not working.
For AWS related, you could try to use AWS Tools for Microsoft Visual Studio Team Services. The AWS Tools for Microsoft Visual Studio Team Services (VSTS) is an extension for Microsoft VSTS and on-premises Microsoft Team Foundation Server (TFS) that makes it easy to deploy .NET applications to AWS.

TFS2015: Test agents deployment through HTTPS fails: Access Denied

I'm getting a bit of a strange situation with a 'Visual Studio Test Agent Deployment' in TFS2015 Update 2.1. When in Machine Group the protocol is set to HTTP everything is OK, the test agent deploys successfully. But when I'm trying to do the same task with an HTTPS connection to the remote machine I'm getting an exception:
DistributedTests: Task 'DownloadTestAgent' on machine 'XYZ:5986' is being run
DistributedTests: Task 'DownloadTestAgent' on machine 'XYZ:5986' completed.
DistributedTests: Task 'DownloadTestAgent' for machine XYZ:5986's Error : System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server XYZ failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Machines are in the same domain. It's not a user/password problem because when I use HTTP it successfully finishes the deployment, but when I edit 'Machine Group' to use HTTPS it fails.
Thanks for any ideas!
I'm afraid you didn't configure HTTPS for WinRM on the host machine, you would need to follow the directions for domain-joined machines:
If you choose HTTPS, you can use either a FQDN or an IP address to access the target machine(s). To use a FQDN to access the target machine(s), execute the following in a Command window with Administrative permissions:
ConfigureWinRM.ps1 {FQDN} https
To use an IP address to access the target machine(s), execute the following in a Command window with Administrative permissions:
ConfigureWinRM.ps1 {ipaddress} https
These commands create a test certificate by using MakeCert.exe, use
the certificate to create an HTTPS WinRM listener, and open port 5986
inbound for WinRM over HTTPS. The script also increases the WinRM
MaxEnvelopeSizekb setting. By default on Windows Server this is 500
KB, which can result in a "Request size exceeded the configured
MaxEnvelopeSize quota" error.
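
A read-only check of the settings the quoted passage says ConfigureWinRM.ps1 changes (HTTPS listener, its certificate, port 5986, MaxEnvelopeSizekb), useful before debugging a failing HTTPS connection from the client side. This is an added example, not part of the answer or of ConfigureWinRM.ps1; the function name Get-WinRMHttpsStatus is hypothetical.

```powershell
# Added example: report the WinRM HTTPS state on the target machine.
# Run in an elevated PowerShell session; Get-WinRMHttpsStatus is a hypothetical name.
function Get-WinRMHttpsStatus {
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    $https = $listeners |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Select-Object -First 1

    # Resolve the certificate bound to the HTTPS listener, if there is one.
    $thumb = $null
    $cert = $null
    if ($https) {
        $thumb = (Get-ChildItem "WSMan:\localhost\Listener\$($https.Name)" |
            Where-Object Name -eq 'CertificateThumbprint').Value
        if ($thumb) {
            $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        }
    }

    # Enabled inbound firewall rules that cover TCP 5986.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -contains '5986' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    [pscustomobject]@{
        HttpsListener     = [bool]$https
        HttpListener      = [bool]($listeners |
            Where-Object { $_.Keys -contains 'Transport=HTTP' })
        CertThumbprint    = $thumb
        CertSubject       = $cert.Subject
        CertExpired       = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        AllowUnencrypted  = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth         = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        MaxEnvelopeSizeKb = (Get-Item WSMan:\localhost\MaxEnvelopeSizekb).Value
        Inbound5986Rules  = @($rules).Count
    }
}

Get-WinRMHttpsStatus | Format-List
```

A missing HTTPS listener, an empty CertSubject, or zero inbound rules for 5986 each point to the listener setup described above not having been applied on that host.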

There is no "Launch agent via Java Web Start" option in my Jenkins when I am adding a Windows slave node

I have already configured the Java environment and installation path
This is a duplicate question from Server Fault: Answer Here
Java Web Start utilizes TCP so it has to be enabled and configured in Jenkins...
Login to Jenkins as admin
Manage Jenkins > Configure Global Security > TCP port for JNLP agents
Do yourself a favor and pick a static port assignment...
As of Jenkins version 2.176.3, there is option enabled when "Launch agent by connecting it to the master" which is same as "launch agent via java web start" once you enable the "Manage Jenkins => Configure Global Security => Agents => TCP port for inbound agents" as mentioned above.
e.g. Fixed: 50000
Make sure that you've enabled a JNLP port in Manage Jenkins -> Configure Global Security. If no JNLP port is specified, then the JNLP slave option will not appear.
I had a similar issue after updating my Jenkins. I then used the "Launch agent by connecting it to the master" method to launch, and my port "TCP port for inbound agents" under Manage Jenkins => Configure Global Security => Agents => TCP port for inbound agents got changed to 8888. I have updated it back to 50000 and that resolved the issue. Hope it helps.
On some systems I used to get a button to download the agent's JNLP. On my new Linux Mint system, I instead get the "JNLP not available" message. So I was lost as to where to get the JNLP file. However, looking in the command below I saw the URL for downloading it, e.g.:
http://127.0.0.1:8080/computer/build_slave/jenkins-agent.jnlp
Go to the slave machine, paste the URL in the browser to download it!
This might also be due to missing permissions for the user trying to setup the agent via java web start, at least that was the case in my scenario;
To verify this, try to download the jnlp directly; URL would be of the form [jenkins url]/computer/[agent name]/slave-agent.jnlp, if there is a permissions issue you will get something along the lines of:
Access Denied
xxxx is missing the Agent/Connect permission

Jenkins Build Slave - Connection not possible

I would like to connect via JNLP to the master Jenkins server and am always getting the following error:
Failing to obtain https://<master-server>/buildserver/computer/CaptainBrowser/slave-agent.jnlp?encrypt=true
java.io.IOException: https://<master-server>/buildserver/computer/CaptainBrowser/slave-agent.jnlp?encrypt=true doesn't look like a JNLP file; content type was text/html; charset=iso-8859-1
at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:306)
at hudson.remoting.Launcher.run(Launcher.java:219)
at hudson.remoting.Launcher.main(Launcher.java:192)
I had a similar problem. For me the issue was that the Jenkins URL in 'Configure System' was set to 'http://...' instead of 'https://...'. This meant that when I set up a node, it showed the java command to run as also using http. E.g. it said
java -jar slave.jar -jnlpUrl http:///computer//slave-agent.jnlp -secret
Running it yielded
'Failing to obtain http:///computer//slave-agent.jnlp?encrypt=true'
Changing the server URL to 'https' enabled it to work for me. It changed the command for a Jenkins node to be a 'https' URL and running that worked.
Go to Jenkins --> Manage Jenkins --> Configure System --> http://yoursystem ip:8080/. Make sure it will be http, not https. Manage Jenkins --> Global Security --> Agent -->
TCP port: select Fixed 50000 and Inbound TCP Agent Protocol/4 (TLS encryption) under agent protocol.
Create the agent node again and it will work.
In my case, it started working after adding the HTTPS protocol to my security group for EC2 machines. Then run the JNLP command again in the Jenkins slave terminal and it will be connected.
