Unix

Jenkins agent from behind firewall

ForceCore 2025. 1. 22. 16:15

Jenkins agent를 동원해서 jenkins test를 진행하려 한다. Jenkins server에서 SSH로 접속 가능한 곳이면 이야기가 아주 쉽지만 그렇지 않은 경우 조금 복잡함.

 

Jenkins server쪽은 AWS같이 방화벽 뒤의 agent쪽에서 접속이 매우 쉬운 곳이라고 가정.

curl -sO https://DOMAIN/jenkins/jnlpJars/agent.jar

java -jar agent.jar -url https://DOMAIN/jenkins/ -secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -name "jenkins-ci.host" -webSocket -workDir "/home/jenkins-ci/usr/jenkins"

이런 명령어를 쳐서 jenkins agent를 실행하라고 할텐데...

 

첫번째 curl 명령어부터 실패할 수 있다. 이건 방화벽을 열든지 알아서 하면 될 듯 (??) nginx reverse proxy를 동원하든 서버에서 적절히 처리를 해야 됨.

 

두번째 java명령어.

 

Jan 22, 2025 7:05:05 AM hudson.remoting.Engine$1HeaderHandler afterResponse
WARNING: Did not receive X-Remoting-Capability header
Jan 22, 2025 7:05:05 AM hudson.remoting.Launcher$CuiListener error
SEVERE: Handshake error.
io.jenkins.remoting.shaded.org.glassfish.tyrus.client.exception.DeploymentHandshakeException: Handshake error.
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.exception.Exceptions.deploymentException(Exceptions.java:38)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager$3$1.run(ClientManager.java:622)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager$3.run(ClientManager.java:657)
       at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
       at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager$SameThreadExecutorService.execute(ClientManager.java:810)
       at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager.connectToServer(ClientManager.java:460)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager.lambda$connectToServer$2(ClientManager.java:313)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager.tryCatchInterruptedExecutionEx(ClientManager.java:324)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.ClientManager.connectToServer(ClientManager.java:313)
       at hudson.remoting.Engine.runWebSocket(Engine.java:788)
       at hudson.remoting.Engine.run(Engine.java:543)
Caused by: io.jenkins.remoting.shaded.org.glassfish.tyrus.core.HandshakeException: Response code was not 101: 200.
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.client.TyrusClientEngine.processResponse(TyrusClientEngine.java:308)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.ClientFilter.processRead(ClientFilter.java:167)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.Filter.onRead(Filter.java:111)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.Filter.onRead(Filter.java:113)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.SslFilter.handleRead(SslFilter.java:402)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.SslFilter.processRead(SslFilter.java:365)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.Filter.onRead(Filter.java:111)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.Filter.onRead(Filter.java:113)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.TransportFilter$4.completed(TransportFilter.java:295)
       at io.jenkins.remoting.shaded.org.glassfish.tyrus.container.jdk.client.TransportFilter$4.completed(TransportFilter.java:279)
       at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:129)
       at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:221)
       at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:113)
       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
       at java.base/java.lang.Thread.run(Thread.java:840)

 

이런 에러가 좀 까다로움.

 

https://www.jenkins.io/blog/2020/02/02/web-socket/

 

WebSocket

Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software

www.jenkins.io

https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/

 

Reverse proxy configuration

Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software

www.jenkins.io

 

 

    # Allow download of jenkins agent, without any auth
    location ~* /jenkins/(jnlpJars|computer|tcpSlaveAgentListener)/ {
        #
        # Jenkins reverse proxy part
        #
        proxy_pass http://localhost:11111; # do NOT put trailing slash!
        proxy_buffering off;
        proxy_request_buffering    off; # Required for HTTP CLI commands
        proxy_redirect     default;

        # Required for Jenkins websocket agents
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_max_temp_file_size 0;
    }

    # Jenkins web UI
    location /jenkins/ {
        #
        # OAuth part
        #
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # requires running with --set-xauthrequest flag
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        #
        # Jenkins reverse proxy part
        #
        proxy_pass http://localhost:11111; # do NOT put trailing slash!
        proxy_buffering off;
        proxy_request_buffering    off; # Required for HTTP CLI commands
        proxy_redirect     default;

        # Required for Jenkins websocket agents
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_max_temp_file_size 0;
    }

 

Nginx reverse proxy에서 websocket지원도 하도록 만들어야 됨. 유저들은 OAuth2를 거쳐야하는데 agent들은 면제시켜줘야 해서 reverse proxy 설정이 까다로움.

 

디버그? -webSocket 옵션을 빼고 agent 실행을 하면 접속이 되나 보자. 필자의 경우 webSocket이 있는 경우만 문제임.

 

전엔 웹소켓으로 성공했었는데 ㄱ-;;; 모르겠다. 웹소켓 빼고 해야겠다. agent 따위가 중요한게 아니니까.

'Unix'의 다른글

  • 현재글Jenkins agent from behind firewall

관련글

티스토리툴바