We use Jenkins 1.504 on Windows.
We need to have Master and Slave in different sub-networks with firewall in between.
We can't have ANY to ANY port firewall rules, we must specify exact port numbers.
I know the port Master is listening on.
I also see that Slave opens connection to the Master from the arbitrary port dynamically assigned every run, and port on the Master side is also arbitrary.
I can fix Master's port by specifying it in Manage Jenkins > Configure Global Security > TCP port for JNLP slave agents).
How to fix Slave port?
UPDATE: Found Connection Mechanism described here: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI#JenkinsCLI-Connectionmechanism
I think it might work for us, but still would be better to have fixed-2-fixed ports connection.
We had a similar situation, but in our case Infosec agreed to allow any to 1, so we didnt had to fix the slave port, rather fixing the master to high level JNLP port 49187 worked ("Configure Global Security" -> "TCP port for JNLP slave agents").
TCP
49187 - Fixed jnlp port
8080 - jenkins http port
Other ports needed to launch slave as a windows service
TCP
135
139
445
UDP
137
138
A slave isn't a server, it's a client type application. Network clients (almost) never use a specific port. Instead, they ask the OS for a random free port. This works much better since you usually run clients on many machines where the current configuration isn't known in advance. This prevents thousands of "client wouldn't start because port is already in use" bug reports every day.
You need to tell the security department that the slave isn't a server but a client which connects to the server and you absolutely need to have a rule which says client:ANY -> server:FIXED. The client port number should be >= 1024 (ports 1 to 1023 need special permissions) but I'm not sure if you actually gain anything by adding a rule for this - if an attacker can open privileged ports, they basically already own the machine.
If they argue, then ask them why they don't require the same rule for all the web browsers which people use in your company.
I have a similar scenario, and had no problem connecting after setting the JNLP port as you describe, and adding a single firewall rule allowing a connection on the server using that port. Granted it is a randomly selected client port going to a known server port (a host:ANY -> server:1 rule is needed).
From my reading of the source code, I don't see a way to set the local port to use when making the request from the slave. It's unfortunate, it would be a nice feature to have.
Alternatives:
Use a simple proxy on your client that listens on port N and then does forward all data to the actual Jenkins server on the remote host using a constant local port. Connect your slave to this local proxy instead of the real Jenkins server.
Create a custom Jenkins slave build that allows an option to specify the local port to use.
Remember also if you are using HTTPS via a self-signed certificate, you must alter the configuration jenkins-slave.xml file on the slave to specify the -noCertificateCheck option on the command line.
Related
I've got a Weblogic server environment setup that all works fine on my server - I've set up a Windows firewall inbound rule to expose ports 7001 & 7002, but all attempts to access the server (e.g. using curl commands) are still blocked by the firewall. When the firewall is disabled, everything (curl, Webserver console etc) works fine, so it looks like something else in my firewall that I need to configure but I can't figure out what else I need to do, any pointers? (Wireshark confirms correct ports are being specified in my calls)
There was a 'block' firewall rule on the Java exe - disabling this higher priority 'block' rule has sorted it by allowing the 7001/7002 'permit' rule to kick in.
I have installed Jenkins in Windows server 2012 64-bit machine and want to make it available in internal network.
I have added --httpListenAddress to 0.0.0.0 and restarted Jenkins and tried to access it with http://hostname:8080 but no page shows up(though It showing Jenkins icon in URL bar). However http://localhost:8080 works fine.
Further I checked the firewall inbound rule for the Jenkins but seems it has no issues.
I tried to catch the listening ports with "netstat -aon | find /i "8080" and found <host ip address>:8080 FIN_WAIT_2 which sign towards that the request is stuck(May be I am wrong).
I am clueless what exactly is blocking to use hostname with jenkins. Please share your solution if you already fixed this issue.
You might try adding a Windows Firewall rule. Go to Windows Firewall, Advanced Configuration, Inbound Rules rule and create an Allow rule for the specific version of java.exe you have installed.
This worked for us with the drawback that every time you upgrade Java, you must also modify the firewall rule. This is because Java creates a new subfolder for every version. We've tried using %JAVA_HOME% in firewall rules but it doesn't seem to work. We were on Windows Server 2012R2 at the time.
Similar answer here: https://stackoverflow.com/a/17479566/7752
On the server open a new command prompt and type
ipconfig
You should get a list of ips. Open a browser and type each up followed by 8080 for e.g.
http://202.123.2.1:8080
If Jenkins opens up, from another computer ping the ip and see if you can get a ping reply
ping 202.123.2.1
If you get a ping reply, you can access jenkins from any pc on the network by typing in the ip and port number.
Now to get to the hostname,you need to edit your host file
c:\Windows\System32\Drivers\etc\hosts
Type in the ip followed by the hostname
202.123.2.1 jenkins
If you can't get through, you need to open port 8080. See https://www.vultr.com/docs/how-to-open-a-port-in-windows-firewall-on-windows-server-2012
You cannot access from outside the machine because Jenkins Service does not have credentials to use that machine, only from localhost is accessible.
This is how to enter the credentials in Jenkins service.
In the Windows search bar, type services then enter.
Then scroll down to Jenkins and double-click on it.
In Jenkins Properties, select the tab "Log On".
Select Check box "This account"
Update your username and password.
Voila! Now Jenkins web can connect to the Jenkins machine via Jenkins service.
I have installed jenkins as windows service but every time after starting the machine i have to execute it through command line using $ java -jar jenkins.war
I am not able to directly open it into web browser at http://localhost:8080/
Am i missing something? Any help will be really appreciated.
Copy original 'jenkins.war' into 'jenkins' directory and restart service
Clear the Windows event viewer logs for Application and System
Please ensure your services are running and up
Firewall Issue:The easiest way to track down firewall issues is to use tcpdump. Just run the following command on the Jenkins server, which is trying to connect to the slave.
More Info on firewall part:
By default, Windows Firewall prevents the TCP connections necessary to make this mechanism work. The firewall on the slave must allow the following exceptions (see List of TCP&UDP port numbers):
TCP Port 135 (DCE/RPC Locator service)
TCP Port 139 (NetBIOS Session Service)
TCP Port 445 (Windows shares)
C:\WINDOWS\system32\dllhost.exe (dllhost.exe seems to use a random port number)
C:\WINDOWS\system32\javaw.exe (Jenkins also uses a random port number)
File and Printer sharing (TCP 139, TCP 445, UDP 137, UDP 138 (possibly only a subset of these is required))
The issue is fixed now. I have changed the service properties. In service properties -> Log On->Select Local system account and select the checkbox for allow the service to interact with desktop
I just set up JIRA on my ec2 instance after installing it via .bin installer file. But when I hit the ec2 url:
ec2-xxxxx.xxxxx.amazonaws.com
It is hitting the test success page for apache2 which I installed after JIRA installation.
How do I get to determine the correct URL for JIRA and hit the JIRA app?
Thanks
JIRA defaut http port is 8080. So you need access it via
ec2-xxxxx.xxxxx.amazonaws.com:8080
if you are not following the detault setting, then you need make sure which port are set by this document Changing JIRA's TCP Ports
You may need open the firewall port 8080 and set in one security group which you assign port 22 to be opened. Otherwise, you can't directly access that port.
Apart from the previous answer you may wish to ensure the following:
Your AWS EC2 Instance security group have the port opened
Your AWS VPC ACL allows TCP traffic on this port
Your VPC have an internet gateway
Your VPC have the routes configured
Your Apache proxy is configured to point to the Tomcat port
Your Tomcat is configured
You have enabled port allocation using setcap utility
Your local machine firewall enables the connection (in Red Hat ipconfig is enabled by default and blocks the connections)
As you can see it may be tricky to install Jira on AWS. It may be a good idea to use a deployment service like Deploy4Me to do this quickly.
Can someone explain why using a port is necessary when running things locally?
I assume the reason is because the same software could be run remotely and in that case specifying a port would be necessary.
When a database or server is running locally, do requests from a locally running web browser really "go through the port" specified?
Good question. In fact, there are local-only communication protocols, such as pipes and UNIX domain sockets that do not actually require port numbers to operate. This is because they refer to files or other identifiers that are only valid on the computer itself.
However, most servers are designed for TCP/IP connections. TCP/IP itself specifies a port number in the protocol. It is normally intended for remote use, but when a server that is used to TCP/IP runs "on local host", it must supply a port number to satisfy the TCP protocol.
Port numbers also enable multiple servers to coexist on a single computer, all running on different ports. For a protocol without port numbers, this is achieved by using different identifiers (e.g. a filesystem file) for each server.
Some servers can operate on both TCP/IP and local sockets. For example, MySQL can accept connections both through the usual TCP port, and also through a local socket (mysql.sock). Connecting through the local socket is reserved for local users only, and may be faster on some systems.
Sometimes You may have some other software installed in your computer that may use the same port. For instance Apache and IIS: imagine you set port 8080 to IIS as default, what about if you had previously installed Apache set port 8080 ?
Another example will be if you installed Mysql Workbench and days later install XAMPP you may have trouble with the ports if you don't change one instance's port different from 3306
This is why it is necessary to specify ports even though is locally.