[JIRA] [workflow-plugin] (JENKINS-31701) workflow-multibranch Jenkinsfile: "Sleep 60" causes "RejectedAccessException: Scripts not permitted to use"


cleclerc@cloudbees.com (JIRA)

Nov 23, 2015, 4:51:02 AM
to jenkinsc...@googlegroups.com
Cyrille Le Clerc created an issue
 
Jenkins / Bug JENKINS-31701
workflow-multibranch Jenkinsfile: "Sleep 60" causes "RejectedAccessException: Scripts not permitted to use"
Issue Type: Bug
Assignee: Jesse Glick
Attachments: about.md, config-workflow-multibranch.xml
Components: workflow-plugin
Created: 23/Nov/15 9:50 AM
Environment: Jenkins ver. 1.609.14.1 (CloudBees Jenkins Enterprise 15.05)
Labels: plugin
Priority: Minor
Reporter: Cyrille Le Clerc
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.jenkinsci.plugins.workflow.cps.CpsClosure2 sleep java.lang.Integer)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:155)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:68)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
	at WorkflowScript.run(WorkflowScript:27)
	at Unknown.Unknown(Unknown)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
	at sun.reflect.GeneratedMethodAccessor312.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
	at com.cloudbees.groovy.cps.Next.step(Next.java:58)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:274)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:74)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:183)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:181)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

https://github.com/cyrille-leclerc/game-of-life/blob/53f279a48de561e3ff95beb10d433c3875a2ad07/Jenkinsfile

docker.withRegistry('', 'dockerhub-credentials-cleclerc') {

    checkout scm
    def mavenSettingsFile = "${pwd()}/.m2/settings.xml"
    writeFile file: mavenSettingsFile, text: "<settings><localRepository>${pwd()}/.m2/repo</localRepository></settings>"
    echo "1. PWD: ${pwd()}"

    stage 'Build Web App'
    docker.image('cloudbees/java-build-tools:0.0.5').inside {
        echo "2. PWD: ${pwd()}"
        sh "mvn -B -V -s ${mavenSettingsFile} clean package"
    }

    // build docker image 'cleclerc/game-of-life' and push it to docker hub
    stage 'Build & Push Docker Image'

    echo 'Build docker image cleclerc/game-of-life...'
    def gameOfLifeImage = docker.build('cleclerc/game-of-life', 'gameoflife-web')

    echo 'Push docker image cleclerc/game-of-life to Docker Hub...'
    gameOfLifeImage.push()

    stage 'Redeploy ECS Service'
    wrap([$class: 'AmazonAwsCliBuildWrapper', credentialsId: 'aws-cleclerc-admin', defaultRegion: 'us-east-1']) {
        // TODO THESE ARE PROBABLY NOT THE BEST ECS CALLS
        sh "aws ecs update-service --service game-of-life --desired-count 0"
        sleep 60
        sh "aws ecs update-service --service game-of-life --desired-count 1"
        sleep 20
    }

    stage 'Web Browser tests'
    mail body: "Start web browser tests on http://gameoflife-ecs.beesshop.org/ ?",subject: "Start web browser tests on http://gameoflife-ecs.beesshop.org/ ?", to: 'clec...@cloudbees.com'

    input "Start web browser tests on http://gameoflife-ecs.beesshop.org/ ?"

    // web browser tests are fragile, test up to 3 times
    retry(3) {
        docker.image('cloudbees/java-build-tools:0.0.5').inside {
            echo "3. PWD: ${pwd()}"
            sh """
               curl http://gameoflife-ecs.beesshop.org/
               cd gameoflife-acceptance-tests
               mvn -B -V -s ${mavenSettingsFile} verify -Dwebdriver.driver=remote -Dwebdriver.base.url=http://gameoflife-ecs.beesshop.org/
            """
        }
    }
}
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

jglick@cloudbees.com (JIRA)

Nov 23, 2015, 11:04:02 AM
to jenkinsc...@googlegroups.com
Jesse Glick resolved as Incomplete
 

Can you reproduce from scratch on a clean installation? Typically this kind of error means that you failed to update some of the relevant plugins, such as Script Security, to the versions required by some downstream plugins. (And Jenkins core does not yet enforce plugin dependencies consistently.)

Change By: Jesse Glick
Status: Open → Resolved
Resolution: Incomplete

cleclerc@cloudbees.com (JIRA)

Nov 23, 2015, 1:14:01 PM
to jenkinsc...@googlegroups.com
Cyrille Le Clerc commented on Bug JENKINS-31701
 
Re: workflow-multibranch Jenkinsfile: "Sleep 60" causes "RejectedAccessException: Scripts not permitted to use"

Can I use:

  • fresh 1.609.14.1 through the Debian package
  • upgrade all plugins to latest
  • install "CloudBees GitHub Branch Source Plugin"
  • install "Workflow: Multibranch" plugin

then restart

jglick@cloudbees.com (JIRA)

Nov 23, 2015, 1:16:01 PM
to jenkinsc...@googlegroups.com

Just check Script Security and Workflow: Etc. specifically. Should be at 1.15 and 1.11 respectively.

cleclerc@cloudbees.com (JIRA)

Nov 23, 2015, 1:22:01 PM
to jenkinsc...@googlegroups.com

Script security is currently script-security:1.15 and no upgrade is available
Workflow is currently workflow-aggregator:1.10 and would be upgraded by update manager to workflow-aggregator:1.11

Is this ok for you?

Active Plugins
--------------

  * active-directory:1.41 'Jenkins Active Directory plugin'
  * ant:1.2 'Ant Plugin'
  * antisamy-markup-formatter:1.3 'OWASP Markup Formatter Plugin'
  * async-http-client:1.7.8 'Async Http Client'
  * authentication-tokens:1.1 *(update available)* 'Authentication Tokens API Plugin'
  * build-timeout:1.14.1 *(update available)* 'Jenkins build timeout plugin'
  * build-view-column:0.2 'Build View Column Plugin'
  * cloudbees-aws-cli:1.4 *(update available)* 'CloudBees Amazon AWS CLI Plugin'
  * cloudbees-aws-credentials:1.7 *(update available)* 'CloudBees Amazon Web Services Credentials Plugin'
  * cloudbees-aws-deployer:1.13 *(update available)* 'CloudBees Amazon Web Services Deploy Engine Plugin'
  * cloudbees-folder:4.9 *(update available)* 'CloudBees Folders Plugin'
  * cloudbees-folders-plus:2.12 *(update available)* 'CloudBees Folders Plus Plugin'
  * cloudbees-license:7.12.1 'CloudBees License Manager'
  * cloudbees-monitoring:1.7 *(update available)* 'CloudBees Monitoring Plugin'
  * cloudbees-support:3.4 *(update available)* 'CloudBees Support Plugin'
  * cloudbees-wasted-minutes-tracker:3.7 *(update available)* 'CloudBees Wasted Minutes Tracker Plugin'
  * copyartifact:1.35.1 *(update available)* 'Copy Artifact Plugin'
  * credentials:1.22 *(update available)* 'Credentials Plugin'
  * dashboard-view:2.9.4 *(update available)* 'Dashboard View'
  * deployed-on-column:1.7 'Deployed On Column Plugin'
  * deployer-framework:1.1 'Deployer Framework Plugin'
  * docker-build-publish:1.0 *(update available)* 'CloudBees Docker Build and Publish plugin'
  * docker-commons:1.2 'Docker Commons Plugin'
  * docker-traceability:1.1 'CloudBees Docker Traceability'
  * docker-workflow:1.2 'CloudBees Docker Workflow'
  * dockerhub-notification:1.0.2 'CloudBees Docker Hub Notification'
  * durable-task:1.6 'Durable Task Plugin'
  * external-monitor-job:1.4 'External Monitor Job Type Plugin'
  * git:2.3.5 *(update available)* 'Jenkins GIT plugin'
  * git-client:1.17.1 *(update available)* 'Jenkins GIT client plugin'
  * git-server:1.6 'Git server plugin'
  * git-validated-merge:3.19 *(update available)* 'CloudBees Git Validated Merge Plugin'
  * github:1.11.3 *(update available)* 'GitHub plugin'
  * github-api:1.68 *(update available)* 'GitHub API Plugin'
  * github-pull-request-build:1.6 *(update available)* 'CloudBees Pull Request Builder for GitHub'
  * infradna-backup:3.21 *(update available)* 'CloudBees Back-up Plugin'
  * jackson2-api:2.5.4 'Jackson 2 API Plugin'
  * javadoc:1.3 'Javadoc Plugin'
  * junit:1.6 *(update available)* 'JUnit Plugin'
  * ldap:1.11 'LDAP Plugin'
  * mailer:1.15 *(update available)* 'Jenkins Mailer Plugin'
  * mapdb-api:1.0.6.0 'MapDB API Plugin'
  * matrix-auth:1.2 'Matrix Authorization Strategy Plugin'
  * matrix-project:1.5 *(update available)* 'Matrix Project Plugin'
  * maven-plugin:2.10 *(update available)* 'Maven Integration plugin'
  * mercurial:1.52 *(update available)* 'Jenkins Mercurial plugin'
  * metrics:3.1.2.1 'Metrics Plugin'
  * monitoring:1.56.0 *(update available)* 'Monitoring'
  * nectar-license:7.2 'CloudBees Jenkins Enterprise License Entitlement Check'
  * nectar-rbac:4.16 *(update available)* 'CloudBees Role-Based Access Control Plugin'
  * node-iterator-api:1.5 'Node Iterator API Plugin'
  * openid:2.1.1 'openid'
  * openid4java:0.9.8.0 'OpenID4Java API'
  * operations-center-agent:1.7.2 *(update available)* 'Operations Center Agent'
  * operations-center-analytics-config:1.7.4 *(update available)* 'Operations Center Analytics Configuration'
  * operations-center-analytics-reporter:1.7.4 *(update available)* 'Operations Center Analytics Reporter'
  * operations-center-client:1.7.2 *(update available)* 'Operations Center Client Plugin'
  * operations-center-cloud:1.7.2 *(update available)* 'Operations Center Cloud'
  * operations-center-context:1.7.11 *(update available)* 'Operations Center Context'
  * operations-center-openid-cse:1.7.0 *(update available)* 'Operations Center OpenID Cluster Session Extension'
  * pam-auth:1.2 'PAM Authentication plugin'
  * parameterized-trigger:2.26 *(update available)* 'Jenkins Parameterized Trigger plugin'
  * promoted-builds:2.21 *(update available)* 'Jenkins promoted builds plugin'
  * scm-api:0.2 *(update available)* 'SCM API Plugin'
  * script-security:1.15 'Script Security Plugin'
  * skip-plugin:3.6 *(update available)* 'CloudBees Skip Next Build Plugin'
  * ssh-agent:1.8 'SSH Agent Plugin'
  * ssh-credentials:1.11 'SSH Credentials Plugin'
  * ssh-slaves:1.10 'Jenkins SSH Slaves plugin'
  * support-core:2.27 *(update available)* 'Support Core Plugin'
  * suppress-stack-trace:1.4 'Stack Trace Suppression Plugin'
  * token-macro:1.10 *(update available)* 'Token Macro Plugin'
  * translation:1.12 'Jenkins Translation Assistance plugin'
  * unique-id:2.1.0 *(update available)* 'Unique ID Library Plugin'
  * wikitext:3.6 *(update available)* 'CloudBees WikiText Security Plugin'
  * windows-slaves:1.0 *(update available)* 'Windows Slaves Plugin'
  * workflow-aggregator:1.10 *(update available)* 'Workflow: Aggregator'
  * workflow-api:1.10 *(update available)* 'Workflow: API'
  * workflow-basic-steps:1.10 *(update available)* 'Workflow: Basic Steps'
  * workflow-cps:1.10 *(update available)* 'Workflow: Groovy CPS Execution'
  * workflow-cps-global-lib:1.10 *(update available)* 'Workflow: Global Shared Library for CPS workflow'
  * workflow-durable-task-step:1.10 *(update available)* 'Workflow: Durable Task Step'
  * workflow-job:1.10 *(update available)* 'Workflow: Job'
  * workflow-scm-step:1.10 *(update available)* 'Workflow: SCM Step'
  * workflow-step-api:1.10 *(update available)* 'Workflow: Step API'
  * workflow-support:1.10 *(update available)* 'Workflow: Execution Support'
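
The version check requested in the thread (Script Security at 1.15, Workflow at 1.11), run over an "Active Plugins" list in the format posted above. This is an added example, not part of the original messages or of any Jenkins plugin; the function names and the rule that every `workflow-*` plugin id belongs to the Workflow suite are assumptions.

```python
import re

# Minimum versions named in the thread: Script Security 1.15, Workflow 1.11.
# Treating every "workflow-*" plugin id as part of the Workflow suite is an
# assumption made for this example.
MINIMUMS = {"script-security": "1.15", "workflow-*": "1.11"}

# One entry of the "Active Plugins" list:  * plugin-id:version ... 'Name'
ENTRY = re.compile(r"^\s*\*\s+([A-Za-z0-9_.-]+):(\S+)")

# Excerpt of the plugin list posted in the thread.
SAMPLE = """\
  * docker-workflow:1.2 'CloudBees Docker Workflow'
  * script-security:1.15 'Script Security Plugin'
  * workflow-aggregator:1.10 *(update available)* 'Workflow: Aggregator'
  * workflow-basic-steps:1.10 *(update available)* 'Workflow: Basic Steps'
  * workflow-cps:1.10 *(update available)* 'Workflow: Groovy CPS Execution'
"""

def version_key(version):
    """'1.10' -> (1, 10), so 1.10 sorts above 1.9 (numeric parts only)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_plugins(text):
    """Map plugin id -> version for every list entry found in text."""
    return {m.group(1): m.group(2)
            for m in map(ENTRY.match, text.splitlines()) if m}

def required_version(plugin_id):
    """Return the minimum version for plugin_id, or None if unconstrained."""
    for pattern, minimum in MINIMUMS.items():
        if pattern.endswith("*"):
            if plugin_id.startswith(pattern[:-1]):
                return minimum
        elif plugin_id == pattern:
            return minimum
    return None

def audit(text):
    """Return sorted (id, installed, required) tuples below the minimum."""
    findings = []
    for plugin_id, installed in parse_plugins(text).items():
        minimum = required_version(plugin_id)
        if minimum and version_key(installed) < version_key(minimum):
            findings.append((plugin_id, installed, minimum))
    return sorted(findings)

if __name__ == "__main__":
    for plugin_id, installed, minimum in audit(SAMPLE):
        print(f"{plugin_id}: {installed} installed, {minimum} required")
```

On the excerpt it flags the three `workflow-*` entries at 1.10 and passes `script-security:1.15`; `docker-workflow` is not matched because its id does not start with `workflow-`.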

cleclerc@cloudbees.com (JIRA)

Nov 23, 2015, 1:23:01 PM
to jenkinsc...@googlegroups.com
Cyrille Le Clerc edited a comment on Bug JENKINS-31701
Script security is currently script-security:1.15 and no upgrade is available
Workflow is currently workflow-aggregator:1.10 and would be upgraded by update manager to workflow-aggregator:1.11

Is this ok for you?



cleclerc@cloudbees.com (JIRA)

Nov 23, 2015, 2:07:02 PM
to jenkinsc...@googlegroups.com

jglick@cloudbees.com (JIRA)

Nov 23, 2015, 2:19:01 PM
to jenkinsc...@googlegroups.com
Jesse Glick started work on Bug JENKINS-31701
 
Change By: Jesse Glick
Status: Open → In Progress

jglick@cloudbees.com (JIRA)

Nov 23, 2015, 2:19:01 PM
to jenkinsc...@googlegroups.com

jglick@cloudbees.com (JIRA)

Nov 23, 2015, 2:20:02 PM
to jenkinsc...@googlegroups.com

jglick@cloudbees.com (JIRA)

Nov 23, 2015, 2:20:02 PM
to jenkinsc...@googlegroups.com