[JENKINS-75011] Use Apache Mina as ssh transport layer, remove trilead

[jmdesprez]

PR for JENKINS-75011

Mainly, the changes consist of:

• Create a SshClient where a connection is needed
• Replace Connection by ClientSession
• Replace SCPClient by CloseableScpClient
• use try-with-resource for Closeable resources
• Add ProxyCONNECTListener for the http proxy CONNECT
• Add PEMParser because Mina requires a KeyPair instead of a char[]

Implementation note

I focused on migrating from trilead to mina. I didn't refactor because I didn't want to mix too many things up.

Testing done

I create this in draft mode because I'm still doing manual tests.
Manual testing has been done with the help of @Priya-CB and @mikecirioli.

What is tested:

• Connect to an Unix AMI
  • Using external SSH process
  • Using Mina
    • With a proxy
    • Without a proxy

What is not tested:

• Connect to an Mac AMI
• Connect to an Windows AMI

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[pankajy-dev]

Nit: make the constant all-caps

[pankajy-dev]

I didn't want to publish the comment until it was marked as ready for review, I am still learning GitHub.

[jmdesprez]

No problem 🙂
This should use the timeout from the node anyway: 7680d4e

[pankajy-dev]

Do we need to check the max delay time so that it is always a realistic value?

[jmdesprez]

Although this suggestion may be worth considering (I leave it to the discretion of the maintainer), I have kept the previous implementation: https://github.com/jmdesprez/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/ssh/EC2MacLauncher.java#L186
If requested, I can add this to this PR.

[pankajy-dev]

Suggested change

	if (initScript != null
	&& !initScript.trim().isEmpty()
	if (StringUtils.isEmpty(initScript)

Since the project already uses Apache Commons, we can utilize the utility method.

[PereBueno]

I guess you mean

Suggested change

	if (initScript != null
	&& !initScript.trim().isEmpty()
	if (StringUtils.isNotEmpty(initScript)

[jmdesprez]

This is not related to the trilead migration, but I have included it as it is a minor change: fe9a901

[pankajy-dev]

https://corretto.aws/downloads/latest/ Can we have this in constant as it is used in two places? Also, would allowing configuration using system properties be a good idea?

[jmdesprez]

This is not related to the trilead migration, but I have included it as it is a minor change: 9a4fc3b

[jmdesprez]

allowing configuration using system properties be a good idea

Although this suggestion may be worth considering (I leave it to the discretion of the maintainer), I have kept the previous implementation.
If requested, I can add this to this PR.

[pankajy-dev]

Ditto

[pankajy-dev]

Should we log an exception?

[jmdesprez]

Using trilead, there is no logging when the command fails. So I used the FINE level: 7ceaeea

[Priya-CB]

This function is used to execute the remote commands like directory creation, should we consider the warning level?

[jmdesprez]

As that will change the plugin behavior, I would prefer to change that in another PR. Again, if requested, I can add this to this PR.

[pankajy-dev]

Do we need to check the Key length? I assume not, but worth noting.

[PereBueno]

Not as part of apache mina migration, that could be part of some FIPS compatibility ticket.

[pankajy-dev]

Should we refactor the class name as it is no longer implementing the Interface?

[jmdesprez]

I kept the name as this is a public class.

[pankajy-dev]

Same. Should we make a check so that it doesn't wait indefinitely?

[jmdesprez]

Although this suggestion may be worth considering (I leave it to the discretion of the maintainer), I have kept the previous implementation: https://github.com/jmdesprez/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java#L188
If requested, I can add this to this PR.

[pankajy-dev]

Are we only supporting two algorithms?

[jmdesprez]

I rewrote it in a more robust way. Anyway, I think that this is not used because we get a PrivateKeyInfo.
4e9d26d

[PereBueno]

nit: how about using non thread blocking

jenkins.util.Timer.get().schedule(() -> {}, bootDelay, TimeUnit.SECONDS);

instead?

[jmdesprez]

Although this suggestion may be worth considering (I leave it to the discretion of the maintainer), I have kept the previous implementation: https://github.com/jmdesprez/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/ssh/EC2MacLauncher.java#L186
If requested, I can add this to this PR.

[PereBueno]

I guess you mean

Suggested change

	if (initScript != null
	&& !initScript.trim().isEmpty()
	if (StringUtils.isNotEmpty(initScript)

[PereBueno]

Can we only have unencrypted key pairs? This won't work if we find a PEMEncryptedKeyPair

[jmdesprez]

Why won't this work? If it's related to the empty password, I kept the previous implementation: https://github.com/jmdesprez/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/ssh/EC2MacLauncher.java#L410-L411

[PereBueno]

Lack of knowledge from my side about how AWS keys work.

IIUTC computer.getCloud().getKeyPair() is returning a KeyPair and then we're adding the public key to the client session with KeyHelper.decodeKeyPair(key.getKeyMaterial(), "").
KeyHelper is checking if the key is encrypted or not https://github.com/jenkinsci/ec2-plugin/pull/1022/files#diff-0a41b9e9dd813646b5762bea12e95c9aca2f70c8387366b1e6e9870add0d0c2aR58 but we're calling this method is always called with empty / null password, so we'll only handle unencrypted keys.

If I have followed the code correctly, this ssh credentials are configured for the cloud, and the should be a username + SSH private key (I gues obtained with aws sts get-access-key-info).

So, the question is, is this ssh key always unencrypted? AFAIK it is, but I wanted to confirm this.

[jmdesprez]

Lack of knowledge from my side about how AWS keys work.

Same here

So, the question is, is this ssh key always unencrypted?

Based on previous implementation, the password is hard coded to ""

[PereBueno]

ditto

[PereBueno]

Not as part of apache mina migration, that could be part of some FIPS compatibility ticket.

[PereBueno]

Might throw a NPE when password is null (e.g.: https://github.com/jenkinsci/ec2-plugin/pull/1022/files#diff-1d5f872d1bd42e798ad1690b14df1b4a4f79926b27a7be424148228e9073ac5aR76) let's add a @NonNull annotation or perform a null check

[jmdesprez]

Added: 9abf818

[Priya-CB]

since the password can be null, it would be better to remove the @NonNull annotation and add a null check?

[Priya-CB]

It would be cleaner to move the initialization of timeout after the null check for node

[jmdesprez]

Moved: abea87f

[Priya-CB]

This function is used to execute the remote commands like directory creation, should we consider the warning level?

[Priya-CB]

since the password can be null, it would be better to remove the @NonNull annotation and add a null check?

[PereBueno]

LGTM

[fcojfernandez]

Hi @res0nance ! We are working on being able to install and use the plugin in a FIPS environment, following https://github.com/jenkinsci/jep/blob/bdc28d03ed3202be3f343a927a247341a64b9156/jep/237/README.adoc

The problem is that trilead is not FIPS compliant, and as external library, we are not confident on making it FIPS compliant, therefore we are proposing to move from trilead to apache-mina as other plugins such as git-client did some time ago. jenkinsci/git-client-plugin#1127 as reference.

It'd be great if you could make a review! Thanks in advance

PS: There's another incoming PR adding some minor validations, but this change is big enough and with enough entity to consider the two of them as separated changes.

[mwebber]

@jmdesprez just a quick note before I open a ticket somewhere appropriate: updating to the release with this change resulted in Agents failing to start.
The error seen in the log was

$ ssh -o StrictHostKeyChecking=accept-new -o "UserKnownHostsFile=/tmp/ec2_3385777490670375639_known_hosts" -o "HostKeyAlgorithms=ecdsa-sha2-nistp256" -i /tmp/ec2_5246766630689733252.pem [email protected] -p 22 /opt/oup/shared/docker_clean.sh &>> /tmp/docker_clean && mv -f /tmp/docker_clean /tmp/docker_clean_old && tail -n 1000 /tmp/docker_clean_old > /tmp/docker_clean;  java  -jar /tmp/remoting.jar -workDir /var/jenkins
Failed to add the host to the list of known hosts (/tmp/ec2_3385777490670375639_known_hosts).
Error: Unable to access jarfile /tmp/remoting.jar
ERROR: Unable to launch the agent for EC2 (TS-DEV_v2) - Standard(x86_64) (i-007c9432e2c2e3b17)
java.io.EOFException: unexpected stream termination
	at hudson.remoting.ChannelBuilder.negotiate(ChannelBuilder.java:478)
	at hudson.remoting.ChannelBuilder.build(ChannelBuilder.java:422)
	at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:440)
	at PluginClassLoader for command-launcher//hudson.slaves.CommandLauncher.launch(CommandLauncher.java:188)
	at PluginClassLoader for ec2//hudson.plugins.ec2.ssh.EC2UnixLauncher.launchScript(EC2UnixLauncher.java:392)
	at PluginClassLoader for ec2//hudson.plugins.ec2.EC2ComputerLauncher.launch(EC2ComputerLauncher.java:55)
	at hudson.slaves.SlaveComputer.lambda$_connect$0(SlaveComputer.java:297)
	at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
	at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:80)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)

For comparison, without this change the output looks like this:

$ ssh -o StrictHostKeyChecking=accept-new -o "UserKnownHostsFile=/tmp/ec2_529420978841221409_known_hosts" -o "HostKeyAlgorithms=ssh-ed25519" -i /tmp/ec2_12788628894650662551.pem [email protected] -p 22 /opt/oup/shared/docker_clean.sh &>> /tmp/docker_clean && mv -f /tmp/docker_clean /tmp/docker_clean_old && tail -n 1000 /tmp/docker_clean_old > /tmp/docker_clean;  java  -jar /tmp/remoting.jar -workDir /var/jenkins
Jan 22, 2025 12:34:44 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir

Note: in our Cloud Config, we specify "Connect by SSH Process" (I don't think that is the default).

[jmdesprez]

@mwebber Thanks. I'm investigating the issue.