in-house mirrored update center is not working as expected...

[Jan Seidel]

Hi all,

our build systems are not allowed to connect to the internet.
This gives me always a quite hard time when I have to update Jenkins.

For this reason do I now mirror the update center and adapt the json file in order to customize the plugin manager.
So the sync works and I can access the repository via browser.

The json file attached to this thread is adapted and is originally named update-center.json

I changed the settings in the plugin manager like this:

• First update did not help at all.
• Just to mention I did open the web interface on the machines isolated from Internet just to be sure that I get the in-house stuff instead of referring to jenkins-ci.org
  
• I deleted the proxy.xml as everything now should be in the intranet just to be sure that nothing intervenes and restarted.
  After restart did I let Jenkins check for updates but nothing happened.
• So I deleted default.json in the updates folder and re-ran the check for updates.
• The file did not re-appear as I expected.
• So I made a copy of update-center.json and renamed it to default and placed it into the update folder.
• Even after another restart did no joy occur...
• Every list except of installed plugins is empty.
  

Any ideas what might be going on?

I must have missed something.

Any help is highly appreciated :)

Jan

[Jan Seidel]

I have found one thing that differs...

The json file has a new wrapping length. The lines do not match exactly anymore even if the content still is ok.
But Jenkins log says:

SEVERE: Failed to parse C:\Jenkins_mount_point\Jenkins\updates\default.json
net.sf.json.JSONException: A JSONObject text must begin with '{' at character 1 of updateCenter.post(
{"connectionCheckUrl":"http://www.google.com/","core":

The entry does not give a straight answer but I assume that a special formatting like a fix line length or the like is the cause here

[Jan Seidel]

OK, i figured out that this is connected to the signature check which I want to get rid of anyways.
As I learned was one nifty solution to add a file named init.groovy to JENKINS_HOME with the content:

try
{
  // disable verification of signature of JSON file from update center
  hudson.model.UpdateSite.signatureCheck = false;
  print "Disabled signature check for update site\n";
}
catch (MissingPropertyException e)
{
  // ignore as is if no signature check flag is present, no signature check is done anyway
  print "No flag for signature check present\n";
}

That worked at least until 1.509 but not anymore :(
I'm trying to figure out if there is a new implementation which allows to turn of signature check via boolean value. But no luck so far.
Well, I am no skilled programmer.

Has someone eventually a hint?

Cheers
Jan

[Jonathan Li]

Resurrecting this thread as I'm stuck in a similar situation of running Jenkins in an environment without access to the internet.  I'm using https://github.com/jenkinsci/backend-update-center2 to generate and retrieve the data for the update center, but validation of the json files is causing a bit of a headache.  A minor issue that I'll tackle later (and am scripting around for now) is that the url's for the plugins are wrong for my environment (the json blob that's created for each plugin is pointing at the default update site http://updates.jenkins-ci.org/download/).

It looks like the signatureCheck variable was removed as of 1.502 by this commit.

1.501 https://github.com/jenkinsci/jenkins/blob/jenkins-1.501/core/src/main/java/hudson/model/UpdateSite.java#L736

1.502 https://github.com/jenkinsci/jenkins/blob/jenkins-1.502/core/src/main/java/hudson/model/UpdateSite.java

The tests were updated to use the new updateDirectly() method and are able to bypass signature validation of the update center json file, but it looks like there's no longer an easy way to disable the validation when running Jenkins "normally".  Is there a recommended way to disable signature validation?

I realize the correct approach is to set up the trust chain, but I haven't had a chance to look in detail at how it's built.  At first glance, it seems like it includes the certs distributed in the war and any certs in the update-center-rootCAs directory under JENKINS_HOME.

[jhermann]

See https://github.com/ikedam/backend-update-center2/wiki/How-to-create-your-own-Jenkins-Update-Center for the only method I found so far, which still seems way too complicated.

What would be most useful is a simple tool that just signs a given JSON with a given key.

[Stephen Connolly]

You can just drop the public key you are signing with into a directory in the jenkins home and it should then be seen as a valid bundle... 

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Stephen Connolly]

should say "into a magic directory in the jenkins home" and not "into a directory in the jenkins home"