[JIRA] (JENKINS-61212) CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11


fred.vogt@gmail.com (JIRA)

Feb 25, 2020, 3:14:02 PM
to jenkinsc...@googlegroups.com
Fred Vogt commented on Bug JENKINS-61212
 
Re: CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11

Jesse Glick - I retested with jdk8 and the web-socket inbound cli/agent are working.

I'll update later today when I have more info.

 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

fred.vogt@gmail.com (JIRA)

Feb 25, 2020, 3:14:03 PM
to jenkinsc...@googlegroups.com
Fred Vogt updated an issue
 
Jenkins / Bug JENKINS-61212
Change By: Fred Vogt
Summary:
CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11

jglick@cloudbees.com (JIRA)

Feb 25, 2020, 3:21:04 PM
to jenkinsc...@googlegroups.com
Jesse Glick commented on Bug JENKINS-61212
 
Re: CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11

Interesting. Is it the client or the server that matters? There are smoke tests of WebSocket modes in the Jenkins core tree which get run on JDK 11 in CI, but this is not using Jetty-terminated TLS or custom certificates.

fred.vogt@gmail.com (JIRA)

Feb 25, 2020, 3:22:02 PM
to jenkinsc...@googlegroups.com
Fred Vogt edited a comment on Bug JENKINS-61212
[~jglick] - I retested with jdk8 and the web-socket inbound cli/agent are working.

I'll update with more findings later today when I have more info - and you can decide if this is a bug or a jdk-11 compat issue to be addressed as described at [jenkins-on-java-11|https://jenkins.io/doc/administration/requirements/jenkins-on-java-11/]

BTW - I was https with jdk-8 also.

fred.vogt@gmail.com (JIRA)

Feb 25, 2020, 3:25:03 PM
to jenkinsc...@googlegroups.com

Jesse Glick - I'll try to distill it down to the simplest reproducible jdk-11 setup (without TLS), and test it with your smoke test and websocat.

fred.vogt@gmail.com (JIRA)

Feb 25, 2020, 3:45:03 PM
to jenkinsc...@googlegroups.com

Jesse Glick -  hm... you are correct.

jdk-11 with HTTP is working.

TLS+websocket inbound cli/agent works with jdk-8, but NOT jdk-11.

 

fred.vogt@gmail.com (JIRA)

Feb 25, 2020, 4:07:03 PM
to jenkinsc...@googlegroups.com

fred.vogt@gmail.com (JIRA)

Feb 26, 2020, 3:02:02 PM
to jenkinsc...@googlegroups.com
 
Re: CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11

Very nice.  Using jdk-8 server / agent I can now use an AWS ALB for all Jenkins server ingress server-UI / CLI / Agents.

 

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

jglick@cloudbees.com (JIRA)

Mar 2, 2020, 9:28:02 AM
to jenkinsc...@googlegroups.com

Still unclear from comments whether the issue is caused by using Java 11 for the client or the server (or both).

jglick@cloudbees.com (JIRA)

Mar 2, 2020, 9:31:03 AM
to jenkinsc...@googlegroups.com

fred.vogt@gmail.com (JIRA)

Mar 2, 2020, 12:28:03 PM
to jenkinsc...@googlegroups.com
Fred Vogt commented on Bug JENKINS-61212
 
Re: CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11

Jesse Glick just tested a bunch of combinations, results below.

https+websockets

  • jdk-11 server - the CLI/agent hang (jdk-8 and jdk-11 agent).
  • jdk-8 server - the CLI/agent connect as expected (jdk-8 and jdk-11 agent)

http+websockets

  • all combinations of server / CLI/agent jdk work as expected.

TLDR - only jdk-11 server w/HTTPS port SERVER_URL hangs (client jdk doesn't matter in this case).

fred.vogt@gmail.com (JIRA)

Mar 2, 2020, 12:33:03 PM
to jenkinsc...@googlegroups.com
Fred Vogt edited a comment on Bug JENKINS-61212
[~jglick] just tested a bunch of combinations, results below.

https+websockets
* jdk-11 server - the CLI/agent hang (jdk-8 and jdk-11 agent).
* jdk-8 server - the CLI/agent connect as expected (jdk-8 and jdk-11 agent)

http+websockets
* all combinations of server / CLI/agent jdk work as expected.

TLDR - _only_ *jdk-11* server w/*HTTPS* port SERVER_URL hangs (client jdk doesn't matter in this case).


 

To get a self-signed cert that google chrome likes, while using docker for mac, and being limited to the 1 server url is a bit tricky.

!image-2020-03-02-09-30-13-234.png!

When I can I'll try and extract out the simplest setup to reproduce the behavior. 

egutierrez@cloudbees.com (JIRA)

Mar 4, 2020, 4:31:03 AM
to jenkinsc...@googlegroups.com

dbeck@cloudbees.com (JIRA)

Mar 11, 2020, 2:26:03 AM
to jenkinsc...@googlegroups.com

peterl@standingwave.org (JIRA)

May 1, 2020, 3:34:02 PM
to jenkinsc...@googlegroups.com
Peter Loron commented on Bug JENKINS-61212
 
Re: CLI, Agent -websockets DeploymentException: Handshake response not received on jdk-11

Has there been any movement on this? We can't run JDK-8 and must use TLS for the traffic between agent and server. Forcing people to use an old JDK or NOT use encryption doesn't seem like a minor bug. It's a security issue. It's a hard blocker for us.

fred.vogt@gmail.com (JIRA)

May 1, 2020, 3:45:05 PM
to jenkinsc...@googlegroups.com

Peter Loron - I haven't gotten around to creating a github repo with a small reproducible case yet.

Once we have that - the Jenkins core contributors devs are fairly responsive.

I can take a stab at this later today.

jglick@cloudbees.com (JIRA)

May 1, 2020, 3:55:02 PM
to jenkinsc...@googlegroups.com

I have no immediate plans to work on this—Java 11 support in Jenkins remains more or less experimental. I would recommend running on Java 8 unless you have a particular reason you must run on 11. (In which case you can continue to use TCP inbound agents.)

dbeck@cloudbees.com (JIRA)

May 2, 2020, 3:13:02 PM
to jenkinsc...@googlegroups.com

> Java 11 support in Jenkins remains more or less experimental

More or less experimental than remoting over websocket?

FWIW we announced full Java 11 support more than a year ago, so even if there are some kinks due to very low usage numbers relative to Java 8, admins have a reasonable expectation of it working.

fred.vogt@gmail.com (JIRA)

May 2, 2020, 8:28:04 PM
to jenkinsc...@googlegroups.com

Jesse Glick, Daniel Beck, Peter Loron - Ok, I did put together a "minimal" Github repo to help reproduce the issue.

https://github.com/fred-vogt/jenkins-websockets-tester

However it doesn't exhibit the hanging issue. Hmm.

This setup uses local HTTPS, with default host browser.
Jenkins server, agent running in docker.

NOTE:

I didn't test this setup on a Mac yet.

Docker for Mac and single Jenkins server URL required for websockets don't mix well.

The agent container CANNOT use the same URL to access the server as the host browser in that case
due to the Mac running a docker host xhyve VM.

fred.vogt@gmail.com (JIRA)

May 2, 2020, 8:41:04 PM
to jenkinsc...@googlegroups.com
Fred Vogt edited a comment on Bug JENKINS-61212
[~jglick], [~danielbeck], [~peterloron] - Ok, I did put together a "minimal" Github repo to help reproduce the issue.


https://github.com/fred-vogt/jenkins-websockets-tester

However it doesn't exhibit the hanging issue.  Hmm.

This setup uses local HTTPS, with default host web browser.

Jenkins server, agent running in docker.

NOTE:
{code}

I didn't test this setup on a Mac yet.

Single Jenkins server URL (required for websockets) doesn't mix well
with the Docker for Mac docker host VM.
{code}

fred.vogt@gmail.com (JIRA)

May 3, 2020, 2:17:04 PM
to jenkinsc...@googlegroups.com
Fred Vogt edited a comment on Bug JENKINS-61212
[~jglick], [~danielbeck], [~peterloron] - Ok, I did put together a "minimal" Github repo to help reproduce the issue.

https://github.com/fred-vogt/jenkins-websockets-tester

However it doesn't exhibit the hanging issue.  Hmm.
One config item missing in the sample here is global security.
I'll add that in and retest when I get a chance and report back.

This setup uses local HTTPS, with default host web browser.
Jenkins server, agent running in docker.

NOTE:
{code}
I didn't test this setup on a Mac yet.

Single Jenkins server URL (required for websockets) doesn't mix well
with the Docker for Mac docker host VM.
{code}

jglick@cloudbees.com (JIRA)

May 4, 2020, 8:06:05 AM
to jenkinsc...@googlegroups.com

I should add that the motivating use case for JEP-222 is Jenkins running behind a reverse proxy (such as Kubernetes ingress), in which case TLS is typically terminated at the proxy. If the problem involves some sort of incompatibility between the TLS implementation in Tyrus (or whatever library it is using for that) on the client side vs. the TLS implementation in Jetty running on Java 11 on the server side, then it would presumably not affect this environment.
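
Added example (not from the thread or the Jenkins project): a small probe that sends one WebSocket upgrade request over plain HTTP or TLS and reports whether a handshake response came back, so a TLS-layer failure can be told apart from an unanswered handshake like the one reported here. Host, port and path are caller-supplied, nothing in it is Jenkins-specific, and the result labels are this example's own.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept value a compliant server must send back for `key`."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def classify_response(raw, key):
    """Classify the bytes read after the upgrade request was sent."""
    if not raw:
        return "no-response"  # connection accepted, handshake never answered
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/"):
        return "not-http"
    if status[1] != "101":
        return "http-" + status[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"
    return "upgraded"

def probe(host, port, path, context=None, timeout=10.0):
    """One upgrade request; pass an ssl.SSLContext for TLS, None for plain HTTP."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    raw = b""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if context is not None:
            try:
                sock = context.wrap_socket(sock, server_hostname=host)
            except (ssl.SSLError, socket.timeout):
                return "tls-failed"  # failure below the WebSocket layer
        sock.sendall(request.encode())
        while b"\r\n\r\n" not in raw and (chunk := sock.recv(4096)):
            raw += chunk
    except socket.timeout:
        pass  # keep whatever arrived; empty means the handshake hung
    finally:
        sock.close()
    return classify_response(raw, key)
```

Run it once with `context=None` against the HTTP port and once against the HTTPS port with an `ssl.SSLContext` that trusts the server's certificate; for a self-signed setup, load that certificate into the context rather than turning verification off.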
