Cannot Start Jenkins Service due to Firewall

[Forest Handford]

Hello,

This may be a dumb question.  I can't get a Jenkins Windows service to start because of our corporate firewall.  I've had no luck finding a resource to indicate what ports and web addresses are needed for Jenkins to start the service.  Could somebody point me in the right direction so I can tell our networking group how to update the firewall?

Here are things I have reviewed thus far:

• Turning Off Updates - Even with updates disabled I cannot get Jenkins to start with the firewall in place.
• Use a proxy - We currently have no proxy servers and the hardware group rejected the request.
• Google Firewall Search - All the hits were related to slave jobs on other machines, I only have one Jenkins machine so the issue is unrelated.
• Code Review - I don't code in Java, but I found getConnectionCheckUrl() in UpdateCenter.java.  The comment says it has been deprecated in favor of update-center.json.  
• json Files - I know even less about json than I do about Java.  I looked at the the files in the update folder and they appear to contain a list of update web addresses.
• I tried deleting these files hoping the code would not try to check the internet, but the service still did not start.
• I replaced all of the URLs in the default file with "", but the service did not start.
• If I give this giant list of URLs to our system administrators to add exceptions I imagine they will not be happy and I don't even know if adding exceptions for all of those URLs will work (temporarily or permanently)
• Wireshark - I ran a trace with the firewall in place but did not see any activity between the machine with Jenkins and computers beyond the network.  I can get a temporary exception to have internet access for the server and then run a trace but I'm afraid that Jenkins isn't always using the same internet addresses.

My options appear to be:

• Get a range of addresses and ports for firewall exceptions (but I'm worried this changes and will cause problems with our system administrators).
  
• Find a way to get Jenkins to truly ignore the internet.
• Find a replacement for Jenkins (possibly Apache Continuum).

My group has invested a lot of time into our use of Jenkins, and we have been able to get it to work once started, but we cannot be asking the system administrators to open access to the firewall anytime the machine or service is restarted.  Any ideas?

Thanks,

Forest  

[Baptiste MATHUS]

Hi,

Jenkins can run without accessing Internet. You want to double check your server. 

What's actually the error displayed in the logs?

Maybe the port is already used by some other service?

Cheers

2012/10/18 Forest Handford <fhan...@meditech.com>

--
Baptiste <Batmat> MATHUS - http://batmat.net
Sauvez un arbre,
Mangez un castor !

[Forest Handford]

Hi,

Thank you for replying.  The event viewer says:

The Jenkins service failed to start due to the following error: 

The service did not respond to the start or control request in a timely fashion.

Jenkins.exe has been getting stuck here:

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a89de19fa6975d25 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

Thanks,

Forest

--
Forest Handford, Supervisor Development, 781-774-5148
Medical Information Technology, Inc.
Mailstop: S4W186W, MEDITECH Circle, Westwood, MA 02090

[Forest Handford]

Hello Again,

I found out that I can also launch it from the command line:

java -jar jenkins.war

This is still not an ideal approach though.  

Thanks,

Forest

[Paul]

We had the same problem starting Jenkins as a windows service. The
following link describes how to stop Jenkins accessing the internet on
startup - its to do with it being a signed executable.

http://groups.google.com/group/jenkinsci-dev/browse_thread/thread/227ff66141d85438/02c004b9704dc5a4?show_docid=02c004b9704dc5a4

Cheers,
Paul

On Oct 18, 10:05 pm, Forest Handford <fhandf...@meditech.com> wrote:
> Hello Again,
>
> I found out that I can also launch it from the command line:
>
> java -jar jenkins.war
>
> This is still not an ideal approach though.
>
> Thanks,
>
> Forest
>

> On Thu, Oct 18, 2012 at 4:02 PM, Forest Handford <fhandf...@meditech.com>wrote:
>
>
>
>
>
>
>
>
>
> > Hi,
>
> > Thank you for replying.  The event viewer says:
>
> > The Jenkins service failed to start due to the following error:
> > The service did not respond to the start or control request in a timely
> > fashion.
>
> > Jenkins.exe has been getting stuck here:
>
> > GET
> > /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a89de19fa6975d25
> > HTTP/1.1
>
> > Connection: Keep-Alive
>
> > Accept: */*
>
> > User-Agent: Microsoft-CryptoAPI/6.1
>
> > Host: ctldl.windowsupdate.com
>
> > Thanks,
> > Forest
>

> > On Thu, Oct 18, 2012 at 3:11 PM, Baptiste MATHUS <bmat...@batmat.net>wrote:
>
> >> Hi,
>
> >> Jenkins can run without accessing Internet. You want to double check your
> >> server.
> >> What's actually the error displayed in the logs?
>
> >> Maybe the port is already used by some other service?
>
> >> Cheers
>

> >> 2012/10/18 Forest Handford <fhandf...@meditech.com>

>
> >>> Hello,
>
> >>> This may be a dumb question.  I can't get a Jenkins Windows service to
> >>> start because of our corporate firewall.  I've had no luck finding a
> >>> resource to indicate what ports and web addresses are needed for Jenkins to
> >>> start the service.  Could somebody point me in the right direction so I can
> >>> tell our networking group how to update the firewall?
>
> >>> Here are things I have reviewed thus far:
>

> >>>    - Turning Off Updates - Even with updates disabled I cannot get

> >>>    Jenkins to start with the firewall in place.

> >>>    - Use a proxy - We currently have no proxy servers and the hardware
> >>>    group rejected the request.
> >>>    - Google Firewall Search - All the hits were related to slave jobs

> >>>    on other machines, I only have one Jenkins machine so the issue is
> >>>    unrelated.

> >>>    - Code Review - I don't code in Java, but I

> >>>    found getConnectionCheckUrl() in UpdateCenter.java.  The comment says it
> >>>    has been deprecated in favor of update-center.json.

> >>>    - json Files - I know even less about json than I do about Java.  I

> >>>    looked at the the files in the update folder and they appear to contain a
> >>>    list of update web addresses.

> >>>       - I tried deleting these files hoping the code would not try to

> >>>       check the internet, but the service still did not start.

> >>>       - I replaced all of the URLs in the default file with "", but the
> >>>       service did not start.
> >>>       - If I give this giant list of URLs to our system administrators

> >>>       to add exceptions I imagine they will not be happy and I don't even know if
> >>>       adding exceptions for all of those URLs will work (temporarily or
> >>>       permanently)

> >>>    - Wireshark - I ran a trace with the firewall in place but did not

> >>>    see any activity between the machine with Jenkins and computers beyond the
> >>>    network.  I can get a temporary exception to have internet access for the
> >>>    server and then run a trace but I'm afraid that Jenkins isn't always using
> >>>    the same internet addresses.
>
> >>> My options appear to be:
>

> >>>    - Get a range of addresses and ports for firewall exceptions (but

> >>>    I'm worried this changes and will cause problems with our system
> >>>    administrators).

> >>>    - Find a way to get Jenkins to truly ignore the internet.
> >>>    - Find a replacement for Jenkins (possibly Apache Continuum).

>
> >>> My group has invested a lot of time into our use of Jenkins, and we have
> >>> been able to get it to work once started, but we cannot be asking the
> >>> system administrators to open access to the firewall anytime the machine or
> >>> service is restarted.  Any ideas?
>
> >>> Thanks,
> >>> Forest
>
> >> --

> >> Baptiste <Batmat> MATHUS -http://batmat.net

[Baptiste MATHUS]

OK, so that's a Windows thing. We don't use the jenkins.exe wrapper, even on our windows slaves.

Cheers

2012/10/19 Paul <paulj...@gmail.com>

--
Baptiste <Batmat> MATHUS - http://batmat.net

[Forest Handford]

That worked (creating jenkins.exe.config)!  Thank you both so much for the help, I really appreciate it!