Jenkins in non internet connected environment


John Gornowich

Jan 7, 2014, 9:26:06 PM
to jenkins...@googlegroups.com
I am currently trying to deploy Jenkins in an environment that will never have a connection to the internet. We have a DNS server on the network that handles all the internal traffic. After installing Jenkins I have noticed that this DNS server is bombarded with requests for resolving things like wiki.jenkins-ci.org and updates.jenkins-ci.org. Additionally I have to manually install plugins which each add another layer of requests seen. These requests happen whenever an action is performed in the web application or upon page refresh. And from what I can tell they are all being received by the DNS server on port 53.

I don't think that configuring an HTTP Proxy is the solution in this case, as the internet will never be accessible. Is there some way to stop these requests from Jenkins internally? Or should I be looking at some other solution, like adding a rule to the firewall somewhere? All the machines on the network are running various versions of CentOS. I am using Jenkins version 1.545.

I have to admit that I am a newbie to Jenkins and if this answer exists somewhere else I have not seen it.  Any help would be greatly appreciated.  If I need to provide more information please let me know.

John

JonathanRRogers

Jan 8, 2014, 1:11:05 PM
to jenkins...@googlegroups.com

What exactly is the problem you're trying to solve? Is something in Jenkins not working as expected? Is the DNS server dying because it's overloaded? If the problem is just that logs are noisy, it doesn't seem worth a lot of effort to change.

John G

Jan 8, 2014, 3:32:28 PM
to jenkins...@googlegroups.com
Jenkins does perform as expected as far as I can tell, but I have not been using it that long. The DNS is certainly getting bursts of requests, which appear to overload it but not to the point of it dying. I can't pinpoint an exact problem elsewhere on the network that is having problems, but my fear is that if we do use it full scale it will start to cause problems with other services on the network.

So as of right now it's mostly just a logging issue. We have a requirement to maintain log information on the network for administrative purposes and I see the logging daemon reporting that imuxsock is dropping hundreds of messages while Jenkins is being operated. Maybe the answer is nothing can be done about it, but I want to be able to say I tried.

Daniel Beck

Jan 8, 2014, 3:48:21 PM
to jenkins...@googlegroups.com
On 08.01.2014, at 03:26, John Gornowich <softwa...@gmail.com> wrote:

> updates.jenkins-ci.org.

For a start, try setting -Dhudson.model.UpdateCenter.never=true
Documentation: https://wiki.jenkins-ci.org/display/JENKINS/Features+controlled+by+system+properties

If it's only these two hosts accessed from Jenkins, I'd consider looking into creating a custom SocketImplFactory like described here:
http://stackoverflow.com/questions/4893129/disable-network-connection
(Of course, there's the question of cost/benefit ratio…)

But, AFAICT, at least some of the requests are sent by the client (update center populates even when the necessary proxy is not configured in Jenkins, for example), so it'd be interesting to investigate which requests are sent by the Jenkins server, and which are sent by client web browsers. Maybe it's as simple as defining custom Adblock rules...
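
An added example, not part of the original thread, of the investigation suggested above: split DNS queries for the Jenkins-related names by whether they come from the Jenkins host or from other machines such as browsers. The BIND 9 style query log format, the sample lines and all IP addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Attribute DNS queries for Jenkins-related names to the Jenkins server or to
# other clients (browsers). Log format and addresses are assumptions.

JENKINS_IP="10.0.0.5"   # hypothetical address of the Jenkins host

# Constructed sample lines in BIND 9 querylog style (not from the thread).
sample_log() {
cat <<'EOF'
08-Jan-2014 15:32:28.101 client 10.0.0.5#41022: query: updates.jenkins-ci.org IN A + (10.0.0.2)
08-Jan-2014 15:32:28.102 client 10.0.0.5#41023: query: updates.jenkins-ci.org IN AAAA + (10.0.0.2)
08-Jan-2014 15:32:29.250 client 10.0.0.21#53110: query: wiki.jenkins-ci.org IN A + (10.0.0.2)
08-Jan-2014 15:32:29.400 client 10.0.0.21#53111: query: updates.jenkins-ci.org IN A + (10.0.0.2)
08-Jan-2014 15:32:30.007 client 10.0.0.22#60001: query: buildhost.internal.example IN A + (10.0.0.2)
EOF
}

# Print "source name count" for every queried name under the given domain.
# source is "server" when the client IP equals $2, otherwise "client".
attribute_queries() {
    domain=$1; server_ip=$2
    awk -v dom="$domain" -v srv="$server_ip" '
        {
            ip = ""; name = ""
            for (i = 1; i < NF; i++) {
                if ($i == "client") { ip = $(i + 1); sub(/#.*/, "", ip) }
                if ($i == "query:") { name = tolower($(i + 1)) }
            }
            if (name == "") next
            sub(/\.$/, "", name)
            # match the domain itself or a subdomain, not a suffix lookalike
            if (name != dom && substr(name, length(name) - length(dom)) != "." dom) next
            src = (ip == srv) ? "server" : "client"
            count[src " " name]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

sample_log | attribute_queries "jenkins-ci.org" "$JENKINS_IP"
```

To use it on a real log, pipe the query log file into `attribute_queries` in place of `sample_log`. Names that show up only with source `client` are not affected by system properties set on the Jenkins JVM.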

John Gornowich

Jan 9, 2014, 12:45:36 PM
to jenkins...@googlegroups.com
I must have missed that system property when I was looking through the list.  Turning off this update center has alleviated a good portion but not all of the log issues I am seeing.

As far as creating a custom SocketImplFactory, I think you are right in terms of cost/benefit. It's a good idea, but I am going to look into the AdBlock suggestion or even modifying the setting on the DNS server somehow.

If I ever stumble upon the perfect solution for our case, I will be sure to share, but until then I am just going to run it and hope there are no issues. 

Thanks Dan for the response and great information.


Les Mikesell

Jan 9, 2014, 12:51:49 PM
to jenkinsci-users
On Thu, Jan 9, 2014 at 11:45 AM, John Gornowich <softwa...@gmail.com> wrote:
> I must have missed that system property when I was looking through the list.
> Turning off this update center has alleviated a good portion but not all of
> the log issues I am seeing.
>
> As far as creating a custom SocketImplFactory, I think you are right in
> terms of cost/benefit. It's a good idea, but I am going to look into the
> AdBlock suggestion or even modifying the setting on the DNS server somehow.
>
> If I ever stumble upon the perfect solution for our case, I will be sure to
> share, but until then I am just going to run it and hope there are no
> issues.

You should be able to eliminate DNS lookups for a few specific names
by adding /etc/hosts entries for them. Or more drastically, run your
own DNS server with authoritative but dummy zones for the domains you
want to short-circuit, forwarding other queries to your upstream
resolvers.

--
Les Mikesell
lesmi...@gmail.com
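
An added example, not part of the original thread, of the /etc/hosts approach for the two names mentioned earlier in the discussion. The loopback sink address and the helper names `add_hosts_entries` and `hosts_lookup` are assumptions; the demonstration works on a scratch file rather than the live /etc/hosts.

```shell
#!/bin/sh
# Idempotently pin names to an address in a hosts file, so the resolver answers
# locally instead of querying the DNS server. Target address is an assumption.

SINK_ADDR="127.0.0.1"   # assumption: loopback, so connection attempts fail fast

# add_hosts_entries FILE NAME...  -> adds one line per name not already present
add_hosts_entries() {
    file=$1; shift
    for name in "$@"; do
        # skip if any non-comment line already lists this exact name
        if awk -v n="$name" '
               { sub(/#.*/, "") }
               { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
               END { exit !found }' "$file"; then
            continue
        fi
        printf '%s\t%s\n' "$SINK_ADDR" "$name" >> "$file"
    done
}

# hosts_lookup FILE NAME -> prints the address the file maps NAME to (first match)
hosts_lookup() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) { print $1; exit } }
    ' "$1"
}

# Demonstration on a scratch copy rather than the live /etc/hosts.
demo_file=$(mktemp)
printf '127.0.0.1\tlocalhost\n# updates.jenkins-ci.org used to be here\n' > "$demo_file"
add_hosts_entries "$demo_file" wiki.jenkins-ci.org updates.jenkins-ci.org
add_hosts_entries "$demo_file" wiki.jenkins-ci.org updates.jenkins-ci.org   # no-op
cat "$demo_file"
rm -f "$demo_file"
```

On a real host, `getent hosts updates.jenkins-ci.org` shows whether the entry is being used. The entries only affect the machine whose hosts file is edited, so lookups that originate from browser machines need the same entries there.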