Client master cannot connect to Operation Center

Symptoms

A Client master (CM) cannot connect to the Operation Center (OC) instance, either the first time or suddenly.

Diagnostic/Treatment

Pre-condition: CM and OC instances you wish to connect are up and running.

These are the steps you should follow to understand why your client master doesn’t connect correctly with the OC instance.

[OC] Ensure that Jenkins URL is correctly set-up

In the OC instance ensure that under Manage Jenkins -> Configure System the Jenkins URL is the right one. In case OC is accessed through an F5 or an ha-proxy, ensure that this is correctly configured to forward the packets to OC from an external machine.

[OC] Ensure that a JNLP port is configured

In the OC instance ensure that under Manage Jenkins -> Configure Global security a JNLP port is configured. If your OC instance is running behind an F5 or ha-proxy then a fixed port is required. In any case, a fixed JNLP port is recommended.

[CM] Ensure that the JNLP port is different

In the CM instance ensure that under Manage Jenkins -> Configure Global security if a JNLP port is configured, it is different from the one configured in OC. In any case, a fixed JNLP port is recommended.
Note: Use a different JNLP port for each of the CM instances connected to the OC.

[CM] Check the HTTP Proxy configuration

Go to $CM_URL > Manage Jenkins > Plugin Manager > Advanced tab > HTTP Proxy Configuration section and check if there is any Server and Port configured. If they have been set up, the FQN of the URL (without the port) must be included in the No Proxy Host field (e.g. cjoc.jenkins.example.com).

Note: Alternatively, No Proxy Host can be configured with the Java property -Dhttp.nonProxyHosts in the CM instance.

[CM] Check if OC instance is reachable through HTTP(S)

In case you have access to the Script Console, run the following script, replacing <OC_URL> (e.g. https://ops-center.example.com):

def url = new URL("<OC_URL>");
def connection = url.openConnection();
println("Response Headers");
println("================");
for (def e in connection.getHeaderFields()) {
  println("${e.key}: ${e.value}");
}
println("\nResponse status: HTTP/${connection.responseCode}\n");

Note: The expected response statuses are:

  • Response status: HTTP/200 (OK)
  • Response status: HTTP/403 (*Forbidden*), which is returned when the OC Security Option is enabled and is also expected.

That gives hints as to what the JVM proxy config is doing.

In case you don’t have access to the Script Console, the curl command is an alternative that also validates whether the JNLP port is exposed (header X-Jenkins-CLI-Port), as explained in the sub-sections below, replacing <OC_FQN> (e.g. ops-center.unicorn.beescloud.com).

CM is not a TLS end-point

From the CM instance perform curl -I -v http://<OC_FQN>/

CM is a TLS end-point

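From the CM instance perform curl -I -v --insecure https://<OC_FQN>/. The --insecure option skips certificate validation, so this only confirms reachability and the response headers, not that the CM trusts the OC certificate.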

[CM] Check if OC instance JNLP port is open for CM

From the CM instance perform telnet <OC_IP_ADDRESS> <OC_JNLP_PORT>, replacing <OC_IP_ADDRESS> (e.g. 10.0.0.209) and <OC_JNLP_PORT> with the port obtained by curl in the previous step (e.g. 10000).

Expected output would be similar to:

Trying 10.0.0.209…
Connected to 10.0.0.209.
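
The HTTP(S) check and the port check above can be combined into one script run from the CM. This is an added example, not part of the original article; the function names, the constructed sample headers and the use of nc -z in place of telnet are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): HTTP(S) check plus TCP port check.
# Assumptions: curl and nc are installed on the CM; nc -z replaces telnet.

# Constructed sample of `curl -I` output, for running the parsers offline.
sample_headers() {
  printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nx-jenkins-cli-port: 10000\r\n\r\n'
}

# Print the status code of the first response on stdin.
http_status() {
  tr -d '\r' | awk '/^HTTP\// { print $2; exit }'
}

# Print the port from X-Jenkins-CLI-Port (name matched case-insensitively).
# A missing, non-numeric or out-of-range value prints nothing.
cli_port() {
  tr -d '\r' | awk -F: 'tolower($1) == "x-jenkins-cli-port" {
    v = $2; gsub(/[ \t]/, "", v)
    if (v ~ /^[0-9]+$/ && v + 0 >= 1 && v + 0 <= 65535) print v
    exit
  }'
}

# The article lists 200 and 403 (OC security enabled) as expected statuses.
status_is_expected() {
  case "$1" in 200|403) return 0 ;; *) return 1 ;; esac
}

# check_oc <OC_URL> <OC_IP_ADDRESS>
# No --insecure: an untrusted OC certificate fails the check instead of being skipped.
check_oc() {
  headers=$(curl -sS -I --max-time 10 "$1") || { echo "FAIL: request to $1 failed"; return 1; }
  status=$(printf '%s\n' "$headers" | http_status)
  status_is_expected "$status" || { echo "FAIL: unexpected HTTP/$status"; return 1; }
  port=$(printf '%s\n' "$headers" | cli_port)
  [ -n "$port" ] || { echo "FAIL: no X-Jenkins-CLI-Port header"; return 1; }
  nc -z -w 5 "$2" "$port" || { echo "FAIL: $2:$port not reachable"; return 1; }
  echo "OK: HTTP/$status and $2:$port accepts TCP connections"
}

# With two arguments run the live check; otherwise parse the sample.
if [ "$#" -eq 2 ]; then
  check_oc "$1" "$2"
else
  sample_headers | cli_port
fi
```

Called with two arguments (the OC URL and the OC IP address) it performs the live check; with none it only parses the constructed sample.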

[CM] Check if OC can answer to CM instance through jenkins-cli

In the CM instance download <OC_URL>/jnlpJars/jenkins-cli.jar (as an example, for Linux OS: wget <OC_URL>/jnlpJars/jenkins-cli.jar). Then, on the client master, execute the command from the sub-section below that matches your setup to see if it is correctly executed.

For the following sections the expected output would be the same: a list and description of all the available commands for Jenkins CLI.

[CM] OC is not a TLS end-point

From client master execute:

java -jar jenkins-cli.jar -s http://<OC_FQN>/ help --username=<USERNAME> --password=<PASSWORD> 

[CM] OC is a TLS end-point

From client master execute:

java -Djavax.net.ssl.trustStore=<PATH_TO_CACERTS> -jar jenkins-cli.jar -s https://<OC_FQN>/ help --username=<USERNAME> --password=<PASSWORD> 

In case you are running behind an F5 or an ha-proxy

Ensure that:

  1. The F5 is using raw tcp mode for the CLI port
  2. The F5 is not doing any funky keep-alive stuff
  3. The F5 is not doing any round robin on the CLI port

[OC] In case your OC instance is a TLS end-point

If the OC instance is deployed on a TLS end-point, you must import the SSL certificate into the Java Keystore of the Client Master. In case the Client Master is deployed on a Tomcat web container, you might need to specify which keystore Jenkins is using. This should verify that Tomcat is using the correct keystore.

Check the following KB articles:

Tested product/plugin versions

The latest update of this article has been tested/validated with
