Access Denied Issue - maven-3

Trying to use Maven from the command line. Have setup the setting.xml proxy -
<proxy>
<id>optional</id>
<active>true</active>
<protocol>http</protocol>
<username></username>
<password></password>
<host>access.lb.xxx.org</host>
<port>80</port>
<nonProxyHosts>local.net|some.host.com</nonProxyHosts>
</proxy>
From cmd screen tried running the command - mvn archetype:generate -X
Getting errors like -
...
Caused by: org.sonatype.aether.transfer.ArtifactTransferException:
Could not transfer artifact org.apache.maven.plugins:maven-release-plugin:pom:2.0
from/to central (http://repo.maven.apache.org/maven2): Access denied to:
http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-release
plugin/2.0/maven-release-plugin-2.0.pom, ReasonPhrase:Forbidden.
at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$4.wrap
(WagonRepositoryConnector.java:951) ...
Can't figure out if the proxy setting is correct? Is there a workaround to go pass the proxy? Or any other way to get me going to create a simple maven project at the least?
Thanks

Related

jib-maven-plugin I/O error for image [registry-1.docker.io/library/adoptopenjdk]

I have developed a Dockerized Spring Boot Application using as base image AdoptOpenJDK and using jib-maven-plugin.
My plugin configuration is:
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>${jib-maven-plugin.version}</version>
<configuration>
<from>
<image>adoptopenjdk:11-jre-hotspot</image>
</from>
<to>
<image>public/my-app</image>
<tags>
<tag>latest</tag>
<tag>${project.version}</tag>
</tags>
</to>
<container>
<entrypoint>
<shell>bash</shell>
<option>-c</option>
<arg>/entrypoint.sh</arg>
</entrypoint>
<ports>
<port>8080</port>
</ports>
<environment>
<SPRING_OUTPUT_ANSI_ENABLED>ALWAYS</SPRING_OUTPUT_ANSI_ENABLED>
<JHIPSTER_SLEEP>0</JHIPSTER_SLEEP>
</environment>
<creationTime>USE_CURRENT_TIMESTAMP</creationTime>
</container>
<extraDirectories>
<paths>src/main/jib</paths>
<permissions>
<permission>
<file>/entrypoint.sh</file>
<mode>755</mode>
</permission>
</permissions>
</extraDirectories>
</configuration>
</plugin>
Everything is OK, and the app is builded correctly when launch ./mvnw package -Pprod -DskipTests jib:build -T16.0C. Now I'm integrating my app in a CI/CD Jenkins Pipeline and I'm creating a command like the first but passing Auth data using variables:
./mvnw -ntp -T2.0C jib:build -Djib.from.auth.username=myUserName -Djib.from.auth.password=mygitlabtoken01 -Dimage=registry.gitlab.com/myapp -X
When I run it i get:
[INFO] Using credentials from Docker config (/Users/myUser/.docker/config.json) for registry.gitlab.com/neoris-emea-internal/ianthe/ianthe-app/ianthe
[DEBUG] attempting bearer auth for registry.gitlab.com/app...
[INFO] The base image requires auth. Trying again for adoptopenjdk:11-jre-hotspot...
[INFO] Using credentials from <from><auth> for adoptopenjdk:11-jre-hotspot
[DEBUG] Trying basic auth for adoptopenjdk:11-jre-hotspot...
[DEBUG] configured basic auth for registry-1.docker.io/library/adoptopenjdk
[DEBUG] TIMED Authenticating push to registry.gitlab.com : 1091.927 ms
[DEBUG] TIMED Building and pushing image : 1122.522 ms
[ERROR] I/O error for image [registry-1.docker.io/library/adoptopenjdk]:
[ERROR] javax.net.ssl.SSLHandshakeException
[ERROR] Remote host terminated the handshake
I do not understand anything:
Why jib plugin is using my .docker/config.json if I have indicated the auth info with -Djib.from.auth.username=myUserName?
Why am I getting SSLHandshakeException? Although the build is using my credentials, these are correct.
If you look at the log messages carefully, Jib did use your credentials you specified via from.auth.username|password for adoptopenjdk (which is hosted on Docker Hub).
Using credentials from <from><auth> for adoptopenjdk:11-jre-hotspot
Note the following line says the Docker config is used for registry.gitlab.com (the target registry).
Using credentials from Docker config (/Users/myUser/.docker/config.json) for registry.gitlab.com/neoris-emea-internal/ianthe/ianthe-app/ianthe
About the SSLHandshakeException, it has nothing to do with any Docker credentials. The error is from a much lower network layer (TLS protocol), so the failure is fundamentally unrelated to Jib or any application running in the JVM on Jenkins. It is basically telling you that any Java app on the JVM just cannot make a secure TLS connection to some hosts. There is no simple answer or solution to a TLS handshake failure, so get some help from a network and TLS expert if possible. Also check out other SO questions like this one.

Jenkins - No valid crumb was included in request

Jenkins - 2.263.1(LTS) deployed through tomcat on CentOS-8.2and have Nginx reverse proxy running in-front of Jenkins.
Under Manage Jenkins > Configure Systems - Apply and Save not working, Due to this error, i cannot Apply (or) Save any of my configurations, It always shows below error on browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize
it. Apache Tomcat/9.0.30
Also Jenkins > Manage Jenkins > Configure Global Security - Apply works. But Save not working this too results same above given error.
Systems log error message.
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter
doFilter No valid crumb was included in request for
/jenkins/configSubmit by ankit.sahu. Returning 403.
Workaround tried:-
1) Under Configure Global security > CSRF Protection > Enable proxy compatibility( Tick marked Enabled). - Didn't work so disabled with below command.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin.
Enabled this plugin and unchecked Check the session ID from its configuration (Under Jenkins Configure Global Security).
4) Restated the Jenkins.
Even tried by adding below in /apache-tomcat-9.0.30/conf/tomcat-users.xml file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However still experiencing same problem. I don't know how to fix it, Can someone help me?
You can (temporarily) disable CSRF with below groovy script. Go to Manage Jenkins >> Script Console, then execute the below groovy script.
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure that Tomcat valve is in place to expose those header values in the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)

get jmx attributes with jolokia telegraf

I have a JAVA application which I want to monitor its JMX attributes using telegraf tool.
The tool provides jolikia plugin to monitor JMX attributes. I have added following dependencies to my app's pom.xml file regarding Maven section of Jolokia documentation:
<dependency>
<groupId>org.jolokia</groupId>
<artifactId>jolokia-core</artifactId>
<version>1.3.7</version>
</dependency>
<dependency>
<groupId>org.jolokia</groupId>
<artifactId>jolokia-client-java</artifactId>
<version>1.3.7</version>
</dependency>
This is my /etc/telegraf/telegraf.conf file:
[[inputs.jolokia]]
context = "/jolokia/"
[[inputs.jolokia.servers]]
name = "wr-core"
host = "192.168.100.175"
port = "1998"
[[inputs.jolokia.metrics]]
name = "send_success"
mbean = "wr-core:type=monitor,name=execution"
attribute = "MessageSendSuccessCount"
The application is up in the provided IP/port (I can connect to it with jconsole). The application has a monitoring section which its object name (as shown in jconsole) is wr-core:type=monitor,name=execution and has the attribute MessageSendSuccessCount. But when I start telegraf service, following error occurs:
Jan 14 14:30:32 ZiZi telegraf[17258]: 2018-01-14T11:00:32Z E! Error in plugin [inputs.jolokia]: error performing request: Error decoding JSON response: invalid character '\x00' looking for beginning of value:
Note that 1998 is my app's jmx port. I also tried using 8778 which is jolokia-agent port; got:
Jan 14 14:40:03 ZiZi telegraf[9150]: 2018-01-14T11:10:03Z E! Error in plugin [inputs.jolokia]: error performing request: Post http://192.168.100.175:8778/jolokia/: dial tcp 192.168.100.175:8778: getsockopt: connection refused
EDIT 1:
I have checked my CLASSPATH and both jolokia-client and jolokia-core were listed: ../lib/jolokia-client-java-1.3.7.jar:../lib/jolokia-core-1.3.7.jar.
EDIT 2:
I have put following lines into my app's execution file:
JOLOKIA_OPTS=-javaagent:$LIB_PATH/jolokia-core-java-1.3.7.jar=port=8778,host=0.0.0.0
JAVA_OPTS="-mx4096M $JAVA_OPTS $JACOCO_OPTS $JOLOKIA_OPTS"
But when I run the file, I get this error (even though ../lib/jolokia-core-java-1.3.7.jar has been listed in the CLASSPATH):
Error opening zip file or JAR manifest missing : ../lib/jolokia-core-java-1.3.7.jar
Error occurred during initialization of VM
agent library failed to init: instrument
Found the solution.
I have skipped maven solution and tried the javaagent approach, but I had misunderstood the usage of javaagent previously; I should address jolokia jvm agent (this helped):
JOLOKIA_OPTS=-javaagent:/root/jolokia-jvm-1.3.7-agent.jar=port=8778,host=0.0.0.0
JAVA_OPTS="-mx4096M $JAVA_OPTS $JACOCO_OPTS $JOLOKIA_OPTS"
Now, my app starts with this log (successfully):
I> No access restrictor found, access to any MBean is allowed
Jolokia: Agent started with URL http://192.168.100.175:8778/jolokia/
In the other side there is no error in the telegraf console for jolokia anymore.
All the observation are implying the jolokia jvm library has been started and works successfully.
I have also found jolokia jmx documentation for using it as dependencies in the project; but since I'm not a JAVA expert (I'm testing the app), I prefer to currently use the javaagent approach and leave it for future study/experience. BTW, it may help the others.
EDIT 1:
I have found and deployed jolokia jvm agent using its spring support.
Configuring it in the spring XML file, I can now have jolokia jvm agent start listening at my app's startup.

Jenkins - can't see "Manage Jenkins" option

I've just installed the latest version of Jenkins and enabled the so-called "Project-based Matrix Authorization Strategy".
I have added a few users with all privileges and some of them can see the "Manage Jenkins" option after logging into Jenkins, but there are people who can log in but can't see this option.
Really strange behavior. I have checked the configuration in jenkins.xml but it seems ok. Do you have any idea what can be an issue?
Thank you for any suggestions,
Foxrafi
Try using the link https://<JENKINS_URL>:8080/manage loaded the Manage Jenkins option on the UI.
OS: CentOS
Java Version: 1.8
It seems the permissions in config.xml are case-sensitive. So when there is such an entry :
<permission>hudson.model.Item.Build:mysuperuserlogin</permission>
and you log using LDAP authentication and this variant of password MySuperUserLogin, you will be able to log in successfully but you won't be able to use the permission.
Looks like your authorizationStrategy has been updated
Step 1: Go to your config.xml file and open this to any editor
sudo vim /var/lib/jenkins/config.xml
Step 2: Search authorizationStrategy tag inside xml file and change the value to
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
Step 3: Restart Jenkins:
sudo systemctl restart jenkins
Try to log in now!
Here is the default xml file of Jenkins you can crosscheck your other configurations
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
<disabledAdministrativeMonitors/>
<version>2.277.2</version>
<numExecutors>2</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>false</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
<disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
<buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
<markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
<jdks/>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
<myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
<clouds/>
<scmCheckoutRetryCount>0</scmCheckoutRetryCount>
<views>
<hudson.model.AllView>
<owner class="hudson" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
<primaryView>all</primaryView>
<slaveAgentPort>-1</slaveAgentPort>
<label></label>
<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
<excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
</crumbIssuer>
<nodeProperties/>
<globalNodeProperties/>
</hudson>

Tapestry getting started

All goes OK until mvn jetty:run which ends with [ERROR] Failed to execute goal org.mortbay.jetty:maven-jetty-plugin:6.1.16:run (default-cli) on project newapp: Failure: Address already in use: bind
That is no surprise as I have Tomcat running on 8080 with my own site (that can not be changed). Did mvn indeed install jetty and tries running it? May I configure Jetty to a different port or maybe use Tomcat instead?
You can configure Jetty to use another port by setting the system property jetty.port.
The jetty.port property can be set in the command line when running Maven:
mvn -Djetty.port=9090 jetty:run
Or it can be set in the project's pom.xml, as part of the maven-jetty-plugin configuration:
<plugin>
<groupId>org.mortbay.jetty</groupId>
<artifactId>maven-jetty-plugin</artifactId>
<version>6.1.16</version>
<configuration>
<systemProperties>
<systemProperty>
<name>tapestry.execution-mode</name>
<value>development</value>
</systemProperty>
<systemProperty>
<name>jetty.port</name>
<value>9090</value>
</systemProperty>
</systemProperties>
</configuration>
</plugin>
In both examples Jetty is configured to listen to port 9090.

Resources