Issue
- One of my builds is getting stuck with the message ‘No valid security token’
Environment
- CloudBees Core on modern cloud platforms - Managed Master
- CloudBees Core on traditional platforms - Client Master
- CloudBees Jenkins Enterprise - Managed Master
- CloudBees Jenkins Platform - Client Master
- CloudBees Jenkins Distribution
- Jenkins LTS
Resolution
This message indicates that the build tried to use a Controlled Slave and wasn’t allowed to because it is not in an
approved folder.
This message can appear even if your build is not specifically asking for a Controlled Slave.
For instance, if you are making a pipeline specifying agent any and that all the agents that Jenkins can find are
Controlled Slaves, then the message will be displayed.
Debugging
First thing you need to do is to execute the following script, to list all the folders and their associated grants:
import com.cloudbees.hudson.plugins.folder.Folder
import com.cloudbees.jenkins.plugins.foldersplus.SecurityGrantsFolderProperty
Jenkins.instance.getAllItems(Folder.class).each {
println "Folder name: ${it.fullName}"
def sg = ((Folder)it).getProperties().get(SecurityGrantsFolderProperty.class).getSecurityGrants()
if (sg.isEmpty()) {
println format('No security Grant')
} else {
sg.each {
println format("Security Grant: ${it}")
}
}
}
return
def format(str) {
def padding = ' ' * 4
return "${padding}${str}"
}
You should then make sure that at least one security grant exists for one of the folders in the job ancestors.
Next step is to add an additional logger to Jenkins
to have a better understanding of the order in which Jenkins explored the folders to find one having rights for a given controlled slave.
The logger should have the following properties:
- logger:
com.cloudbees.jenkins.plugins.foldersplus - log level:
FINEST
Here is an example of log you will get, showing how Jenkins is starting from the most nested folder and going up the hierarchy to find a folder that would be approved for the slave Controlled-slave.
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Looking for owner
Apr 02, 2019 6:37:59 AM FINEST com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Found owner - Jenkins/Folder1/Folder2/Folder3/job
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1/Folder2/Folder3
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1/Folder2
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1
Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins
Apr 02, 2019 6:37:59 AM FINE com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: No valid token found => REJECT
You can find additional troubleshooting steps in the documentation for the feature.
Opening a support case
In case you open a support case, make sure to attach the output of the previous groovy script, as well as a support bundle generated after the additional logger has been activated.
0 Comments