Jenkins Swarm plugin authentication

2
votes

I have a jenkins master and a separate slave server. I using swarm plugin to connect the slaves to the master. Everything works fine before I configured LDAP authetication and revoke the grants from the anonymous user.

enter image description here Obviously now I have to autheticate swarm client but I cannot able to do this. If anyone has experience with swarm plugin please let me know.

Console from slave machine:

$ java -jar swarm-client-2-0.jar -master http://x.x.x.x:8080/ -username 'exxxx' -password common.pwd
Discovering Jenkins master
Oct 01, 2015 2:14:51 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: basic authentication scheme selected
Oct 01, 2015 2:14:51 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
INFO: Failure authenticating with BASIC 'Jenkins'@x.x.x.x:8080
Failed to fetch slave info from Jenkins CODE: 401
Retrying in 10 seconds

Br,

2
jenkinsjenkins-plugins
What version of Jenkins are you using? It turned out that swarm-client requires password to be single quoted. tried -disableSslVerification : Disables SSL verification in the HttpClient.?AKS
You need the pass the user in Jenkins who has Create Slave access. Look Manage Users/Roles in Jenkins OR try creating a user in Jenkins and assign him create slave access and use command.AKS

2 Answers

11
votes

You need at least Create Slave permission or higher to create the slave using Swarm plugin.

You have the following options:

  1. Open a request and have your network team create a new LDAP/service account (generic) so that you don't have to worry about it's password getting changed within next N no. of days.

  2. Assign that user or grant it Create Slave permission or all access that see within (Slave section as per your image snapshot).

  3. Use that user's userid/password. You can create a global variable / use manage credential section in Jenkins to define the user/password and it'll be available to use an ENV variable or for doing credential based authentication.

  4. Run your command to create the slave and it'll work, something like:

$ java -jar swarm-client-2.0-jar-with-dependencies.jar \
    -name "$(hostname -a)_01" \
    -fsroot "$(pwd)/$(hostname -a)_01" \
    -master http://my_jenkins_server.my.company.com:8081 \
    -disableSslVerification \
    -username c123456_or_slaveSpecialUser \
    -password $p \
    -description "$(hostname -a) " \
    -executors 5 \
    -labels "Linux CentOS ANSIBLE" \
    -mode 'normal' \
    -retry 3 \
    -showHostName \
    -t java=~/tools/jdk1.8.0_45 \
    -t gradle=~/tools/gradle-2.9 \
    -t Maven=~/tools/apache-maven-3.3.3 \
    -t Groovy2=~/tools/groovy-2.4.5 \
    --showHostName \
    -disableClientsUniqueId

Note:
Mode can be -mode 'exclusive'
Using -disableClientsUniqueId option will create slave with the name as per your -name parameter (instead of suffixing it with a unique/alphanumeric ID).

Addition: To create Tool locations within the slave's configuration, I initially used -t **Java=~/tools/jdk1.8.0_45 -t Gradle=~/tools/gradle-2.9** and the command gave me an error No tool 'Java' is defined on Jenkins.

javax.servlet.ServletException: java.lang.RuntimeException: No tool 'Java' is defined on Jenkins.

After researching, I found this is because in my Jenkins Master (that I used), it's JDK Installations section in Jenkins global settings had this tool Name value set as "java" (all lower).

Trying -t java=~/tools/jdk1.8.0_45 resolved the issue and now I can see (JDK) java tool with value ~/tools/jdk1.8.0_45 in the slave's configuration.

NOTE:
If you are connecting or want to connect your slave to your Jenkins master using "Anonymous" user (i.e. then you don't have to provide -username c123456_or_slaveSpecialUser -password $p parameters), then in Jenkins Master's (with admin level permission do this one time only setup) > Under Manage Roles and Users > Under GLOBAL Roles section, create a role (or change existing Viewer role) and assign "Overall + Read" and "Slave + Create" access.

Then, on the same page, under "Slave Roles", create a Role for ex: autoslave or something like that and assign all access (Connect, Configure, ..., Delete) and MAKE sure assign a pattern(regex) for ex: "swarm_slave.*" in it. What this will do is, from now onwards, you can run java -jar slave-client-...depedencies.jar without using -username and -password paramters and if you are creating swarm slaves with name starting with "swarm_slave...." then, they will auto-create/connect/delete (as long as the swarm slave java process will run/exist on the slave server).

Following a standard name pattern for slaves will also give you more control if you'd use Jenkins Rest/API (groovy) scripts to maintain the swarm slaves.

Also look here for more (how to add ENVIRONMENT variables to the newly created node): Jenkins Slave - How to add or update ENVIRONMENT variables

Using Docker for creating containers on slave nodes is the next step. Don't forget to read more about these here:

http://dockins.github.io/ and https://wiki.jenkins.io/display/JENKINS/Docker+Slaves+Plugin https://github.com/jenkinsci/docker-slaves-plugin

1
votes

After we failed implementing the solution by Arun Sangal we found a way to allow everything to everyone when being logged in while still being able to use SWARM nodes.

We managed to do this by assinging Anonymous all "agent" rights, plus Read and Discover for jobs as well as Read for views and in general.

Then we created an additional role "admin" which has all rights (both in "Manage Roles").

In "Assign Roles" we assigned the admin role to the build-in group "authenticated" and "Anonymous" to "Anonymous".