sous-chefs / jenkins

Development repository for the jenkins cookbook
https://supermarket.chef.io/cookbooks/jenkins
Apache License 2.0

SSH plugin 1.16 requires a host verification strategy set. #589

Open chazzly opened 7 years ago

chazzly commented 7 years ago

Cookbook version

5.0.0

Chef-client version

12.18

Platform Details

Jenkins 2.32, ssh-slaves plugin 1.16

Scenario:

Adding ssh Slaves

Steps to Reproduce:

Create an SSH slave with version 1.15 or higher of the ssh-slaves plug-in

Expected Result:

Slave created with no errors or warnings

Actual Result:

Slave is created successfully, but Jenkins posts a Security warning saying:

SSH Host Key Verifiers are not configured for all SSH slaves on this Jenkins instance. This could leave these slaves open to man-in-the-middle attacks. Update your slave configuration to resolve this.

cheeseplus commented 7 years ago

Is there a link to the change in the upstream code we could reference?

jamesbjackson commented 7 years ago

I found the following links in case they would be useful.

Jenkins Bug Report

SSH Slave Plugin Update

josh-barker commented 7 years ago

There is a new method definition for new hudson.plugins.sshslaves.SSHLauncher https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L518-L520

I've been able to patch https://github.com/chef-cookbooks/jenkins/blob/master/libraries/slave_ssh.rb#L103-L120 to the below, which changes the default configuration for the agent.

```ruby
def launcher_groovy
  <<-EOH.gsub(/ ^{8}/, '')
    import hudson.plugins.sshslaves.verifiers.*

    #{credential_lookup_groovy('credentials')}
    launcher =
      new hudson.plugins.sshslaves.SSHLauncher(
        #{convert_to_groovy(new_resource.host)},
        #{convert_to_groovy(new_resource.port)},
        credentials,
        #{convert_to_groovy(new_resource.jvm_options)},
        #{convert_to_groovy(new_resource.java_path)},
        null, // jdkInstaller parameter
        #{convert_to_groovy(new_resource.command_prefix)},
        #{convert_to_groovy(new_resource.command_suffix)},
        #{convert_to_groovy(new_resource.launch_timeout)},
        #{convert_to_groovy(new_resource.ssh_retries)},
        #{convert_to_groovy(new_resource.ssh_wait_retries)},
        new KnownHostsFileKeyVerificationStrategy() // host key verifier, required by the plugin since 1.15
      )
  EOH
end
```

We could create a property for the Verification Strategy (and possibly jdkInstaller) and translate that into the class name, instead of the new KnownHostsFileKeyVerificationStrategy() line.
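One way to do what the comment above proposes, as an added example that is not code from the jenkins cookbook or the plugin: a strategy property is translated into the verifier constructor (defaulting to the known_hosts verifier, with the non-verifying one requiring an explicit opt-in) and dropped into the SSHLauncher call in the same argument order as the patch. `to_groovy` is a stand-in for the cookbook's `convert_to_groovy`; the `ManuallyTrusted`/`ManuallyProvided` class names and their constructor arguments are assumed from the ssh-slaves plugin rather than taken from this thread.

```ruby
# Added example, not cookbook code: derive the verifier constructor from a cookbook
# property. KnownHostsFile/NonVerifying names appear in this thread; ManuallyTrusted/
# ManuallyProvided and their constructor arguments are assumed from the plugin.
VERIFIER_CLASSES = {
  known_hosts:       'KnownHostsFileKeyVerificationStrategy',
  manually_trusted:  'ManuallyTrustedKeyVerificationStrategy',
  manually_provided: 'ManuallyProvidedKeyVerificationStrategy',
  non_verifying:     'NonVerifyingKeyVerificationStrategy',
}.freeze

# Stand-in for the cookbook's convert_to_groovy helper (assumed behaviour).
def to_groovy(value)
  case value
  when nil then 'null'
  when true, false, Integer then value.to_s
  else "'#{value.to_s.gsub("'") { "\\'" }}'"
  end
end

# Groovy `new ...Strategy(...)` for a strategy symbol. non_verifying needs an explicit
# opt-in so a typo in a property cannot silently disable host key checking.
def verifier_groovy(strategy = :known_hosts, options = {})
  klass = VERIFIER_CLASSES.fetch(strategy.to_sym) do
    raise ArgumentError, "unknown host_key_verification_strategy #{strategy.inspect}"
  end
  args =
    case strategy.to_sym
    when :manually_trusted
      [to_groovy(options.fetch(:require_initial_manual_trust, true))]
    when :manually_provided
      [to_groovy(options.fetch(:host_key) { raise ArgumentError, 'manually_provided needs :host_key' })]
    when :non_verifying
      raise ArgumentError, 'non_verifying must be enabled with allow_insecure: true' unless options[:allow_insecure]
      []
    else
      []
    end
  "new hudson.plugins.sshslaves.verifiers.#{klass}(#{args.join(', ')})"
end

# SSHLauncher constructor call in the argument order of the patch above, with the
# verifier last; the eight nulls stand for the optional arguments left at default.
def launcher_groovy(host, port, credentials_id, strategy = :known_hosts, options = {})
  "new hudson.plugins.sshslaves.SSHLauncher(#{to_groovy(host)}, #{to_groovy(port)}, " \
    "#{to_groovy(credentials_id)}, #{(['null'] * 8).join(', ')}, #{verifier_groovy(strategy, options)})"
end
```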

damnski commented 5 years ago

Howdy,

Is there any update on this? It would be helpful in my environment; I'd rather not keep around a local monkey-patched jenkins cookbook.

Thanks much, Best, -dkw

github-daniel-stoian commented 5 years ago

Hello,

This issue is still active, preventing creation of new Jenkins agents. We used the patching solution provided above by josh-barker, but the SSHLauncher constructor is not called correctly and we suspect that the credentialsId sent from https://github.com/chef-cookbooks/jenkins/blob/master/libraries/slave_ssh.rb#L110 is not a string as defined here https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L251

Can you please look into this problem? Thank you.

```
ERROR: Unexpected exception occurred while performing groovy command.
groovy.lang.GroovyRuntimeException: Could not find matching constructor for: hudson.plugins.sshslaves.SSHLauncher(java.lang.String, java.lang.Integer, com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl, null, null, null, null, null, null, null, hudson.plugins.sshslaves.verifiers.NonVerifyingKeyVerificationStrategy)
	at groovy.lang.MetaClassImpl.invokeConstructor(MetaClassImpl.java:1732)
	at groovy.lang.MetaClassImpl.invokeConstructor(MetaClassImpl.java:1532)
	at org.codehaus.groovy.runtime.callsite.MetaClassConstructorSite.callConstructor(MetaClassConstructorSite.java:49)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
	at RemoteClass.run(RemoteClass:75)
	at groovy.lang.GroovyShell.runScriptOrMainOrTestOrRunnable(GroovyShell.java:263)
	at groovy.lang.GroovyShell.run(GroovyShell.java:518)
	at groovy.lang.GroovyShell.run(GroovyShell.java:497)
	at hudson.cli.GroovyCommand.run(GroovyCommand.java:71)
	at hudson.cli.CLICommand.main(CLICommand.java:251)
	at org.jenkinsci.main.modules.sshd.CLICommandAdapter$1.run(CLICommandAdapter.java:37)
	at org.jenkinsci.main.modules.sshd.AsynchronousCommand$1.run(AsynchronousCommand.java:112)
	at java.lang.Thread.run(Thread.java:745)
```

sekberg37 commented 4 years ago

As an FYI, I tried many things to get the example that Josh provided to work for me. Also, thank you Josh!

Posting this below in case it helps anyone. In my case it was failing because of the "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"; I just directly set the credId and that seemed to at least get me unblocked.

```ruby
def launcher_groovy
  <<-EOH.gsub(/ ^{8}/, '')
    import hudson.plugins.sshslaves.verifiers.*

    #{credential_lookup_groovy('credentials')}
    launcher =
      new hudson.plugins.sshslaves.SSHLauncher(
        #{convert_to_groovy(new_resource.host)},
        #{convert_to_groovy(new_resource.port)},
        '<YOUR CRED ID HERE>',
        #{convert_to_groovy(new_resource.jvm_options)},
        #{convert_to_groovy(new_resource.java_path)},
        #{convert_to_groovy(new_resource.command_prefix)},
        #{convert_to_groovy(new_resource.command_suffix)},
        #{convert_to_groovy(new_resource.launch_timeout)},
        #{convert_to_groovy(new_resource.ssh_retries)},
        #{convert_to_groovy(new_resource.ssh_wait_retries)},
        new KnownHostsFileKeyVerificationStrategy()
      )
  EOH
end
```