41

We use Jenkins 1.504 on Windows.

We need to have Master and Slave in different sub-networks with firewall in between.
We can't have ANY to ANY port firewall rules, we must specify exact port numbers.

I know the port Master is listening on.

I also see that the Slave opens a connection to the Master from an arbitrary port dynamically assigned every run, and the port on the Master side is also arbitrary.
I can fix the Master's port by specifying it in Manage Jenkins > Configure Global Security > TCP port for JNLP slave agents.

How do I fix the Slave port?


UPDATE: Found Connection Mechanism described here: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI#JenkinsCLI-Connectionmechanism

I think it might work for us, but it would still be better to have a fixed-to-fixed port connection.

Ivan

3 Answers

41

We had a similar situation, but in our case Infosec agreed to allow any-to-1, so we didn't have to fix the slave port; rather, fixing the master to the high JNLP port 49187 worked ("Configure Global Security" -> "TCP port for JNLP slave agents").

TCP
  • 49187 - fixed JNLP port
  • 8080 - Jenkins HTTP port

Other ports needed to launch the slave as a Windows service:

TCP
  • 135
  • 139
  • 445

UDP
  • 137
  • 138
DonBecker
Ganga
  • I've found that launching the JNLP agent from the node defaults to port 50724. – DonBecker Dec 30 '13 at 21:56
  • @DonBecker it appears to randomize the port. – Highway of Life Jul 18 '14 at 19:25
  • I have not found those other ports necessary. Just the JNLP and HTTP port. – metaforge Sep 24 '14 at 17:28
  • @metaforge, were you able to install the Jenkins agent as a Windows service with just the JNLP port open? I remember I couldn't, and that's why I had to figure out the necessary UDP ports. – Ganga Dec 26 '14 at 18:37
  • @user6930 I confirm there is no need for ports other than the fixed JNLP and the Jenkins HTTP port (tested with a CentOS 6.8 master and Windows 7 slaves). – giuspen Aug 10 '16 at 16:08
12

A slave isn't a server, it's a client type application. Network clients (almost) never use a specific port. Instead, they ask the OS for a random free port. This works much better since you usually run clients on many machines where the current configuration isn't known in advance. This prevents thousands of "client wouldn't start because port is already in use" bug reports every day.

You need to tell the security department that the slave isn't a server but a client which connects to the server and you absolutely need to have a rule which says client:ANY -> server:FIXED. The client port number should be >= 1024 (ports 1 to 1023 need special permissions) but I'm not sure if you actually gain anything by adding a rule for this - if an attacker can open privileged ports, they basically already own the machine.

If they argue, then ask them why they don't require the same rule for all the web browsers which people use in your company.

Aaron Digulla
    Good point, Aaron! Also clients could have arbitrary ports above 1024 as they can be running without admin rights. – Ivan Nov 05 '14 at 11:22
  • You're right, but I'm not sure it's worth to enforce this limit. If an attacker can open privileged ports, they already own the machine. – Aaron Digulla Nov 05 '14 at 14:17
1

I have a similar scenario, and had no problem connecting after setting the JNLP port as you describe and adding a single firewall rule allowing a connection to the server on that port. Granted, it is a randomly selected client port going to a known server port (a host:ANY -> server:1 rule is needed).

From my reading of the source code, I don't see a way to set the local port to use when making the request from the slave. It's unfortunate; it would be a nice feature to have.

Alternatives:

  • Use a simple proxy on your client that listens on port N and then forwards all data to the actual Jenkins server on the remote host using a constant local port. Connect your slave to this local proxy instead of the real Jenkins server.
  • Create a custom Jenkins slave build that allows an option to specify the local port to use.

Remember also if you are using HTTPS via a self-signed certificate, you must alter the configuration jenkins-slave.xml file on the slave to specify the -noCertificateCheck option on the command line.

metaforge
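As an added illustration of metaforge's first alternative, and of Aaron's point that a client normally gets an OS-assigned ephemeral source port, here is a small local proxy written for this page; it is not code from the thread, from Jenkins, or from any of the posters. It listens on loopback for the slave and, for every accepted connection, opens its own connection to the master after binding a fixed source port, so the only flow that crosses the firewall is slave:FIXED -> master:JNLP and a fixed-to-fixed rule can match it. The master address, the fixed source port and the local listen port are assumptions (use whatever your firewall rule names); `start_echo_master` is a constructed stand-in for the master that only records which source port it saw, so the whole thing runs offline.

```python
import socket
import threading

def connect_from_fixed_port(remote_host, remote_port, local_port, timeout=10.0):
    """Outbound TCP connection with a pinned source port: bind() before connect()
    replaces the OS-chosen ephemeral port (Aaron's point). Only one live
    connection per (source port, destination) is possible, which suits the
    single persistent JNLP channel. SO_REUSEADDR lets a reconnect reuse the
    port while the old connection sits in TIME_WAIT (differs on Windows)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", local_port))
    s.settimeout(timeout)
    s.connect((remote_host, remote_port))
    s.settimeout(None)
    return s

def pump(src, dst):
    """Copy src -> dst until EOF or error, then half-close dst so it sees EOF."""
    try:
        for data in iter(lambda: src.recv(65536), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, remote_host, remote_port, local_port):
    """Bridge one accepted slave connection to the master from the fixed port."""
    try:
        upstream = connect_from_fixed_port(remote_host, remote_port, local_port)
    except OSError:
        client.close()
        return
    t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    t.start()
    pump(upstream, client)
    t.join()
    client.close()
    upstream.close()

def _listen(port, on_conn):
    """Loopback listener; on_conn(sock, addr) runs for every accepted connection.
    The accept loop is a daemon thread, so it simply dies with the process."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", port))
    ls.listen(5)

    def loop():
        while True:
            try:
                conn, addr = ls.accept()
            except OSError:  # listener closed
                return
            on_conn(conn, addr)

    threading.Thread(target=loop, daemon=True).start()
    return ls

def start_proxy(listen_port, remote_host, remote_port, local_port):
    """The proxy from the answer: the slave connects here, we connect onward."""
    return _listen(listen_port, lambda conn, _a: threading.Thread(
        target=handle, args=(conn, remote_host, remote_port, local_port),
        daemon=True).start())

def start_echo_master():
    """Constructed stand-in for the master: echoes bytes and records the source
    port of each accepted connection (what the firewall in between sees)."""
    seen_ports = []

    def on_conn(conn, addr):
        seen_ports.append(addr[1])
        threading.Thread(target=pump, args=(conn, conn), daemon=True).start()

    return _listen(0, on_conn), seen_ports

def demo(payload=b"hello master"):
    """Loopback end-to-end run. Returns (echoed bytes, source port the master saw
    through the proxy, the fixed port used, source port of a direct connect)."""
    master, seen = start_echo_master()
    master_port = master.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        fixed_port = tmp.getsockname()[1]  # a port that is free right now
    proxy = start_proxy(0, "127.0.0.1", master_port, fixed_port)
    slave = socket.create_connection(("127.0.0.1", proxy.getsockname()[1]), timeout=5)
    slave.sendall(payload)
    slave.shutdown(socket.SHUT_WR)
    echoed = b"".join(iter(lambda: slave.recv(65536), b""))
    slave.close()
    direct = socket.create_connection(("127.0.0.1", master_port), timeout=5)
    direct_port = direct.getsockname()[1]  # OS-chosen ephemeral port, for contrast
    direct.close()
    proxy.close()
    master.close()
    return echoed, seen[0], fixed_port, direct_port
```

For real use the slave host would run `start_proxy(5000, "jenkins.example.internal", 49187, 50000)` (all four values hypothetical) and keep the process alive, with the slave pointed at localhost:5000 in place of the master's JNLP port; the HTTP port the slave also talks to would need a second instance with its own fixed source port. Because a fixed source port can carry only one connection at a time, a reconnect right after a drop may have to wait out TIME_WAIT, particularly on Windows where SO_REUSEADDR does not have the Unix meaning and is better left out.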