Environment
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
-
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
-
CloudBees Jenkins Enterprise - Managed controller
Resolution
This message indicates that the build tried to use a Controlled Agent and wasn’t allowed to because it is not in an approved folder.
This message can appear even if your build is not specifically asking for a Controlled Agent.
For instance, if you are making a pipeline specifying agent any
and that all the agents that Jenkins can find are
Controlled Agents, then the message will be displayed.
Debugging
First thing you need to do is to execute the following script, to list all the folders and their associated grants:
import com.cloudbees.hudson.plugins.folder.Folder import com.cloudbees.jenkins.plugins.foldersplus.SecurityGrantsFolderProperty Jenkins.instance.getAllItems(Folder.class).each { println "Folder name: ${it.fullName}" def sg = ((Folder)it).getProperties().get(SecurityGrantsFolderProperty.class).getSecurityGrants() if (sg.isEmpty()) { println format('No security Grant') } else { sg.each { println format("Security Grant: ${it}") } } } return def format(str) { def padding = ' ' * 4 return "${padding}${str}" }
You should then make sure that at least one security grant exists for one of the folders in the job ancestors.
Next step is to add an additional logger to Jenkins to have a better understanding of the order in which Jenkins explored the folders to find one having rights for a given controlled agent.
The logger should have the following properties:
-
logger:
com.cloudbees.jenkins.plugins.foldersplus
-
log level:
FINEST
Here is an example of log you will get, showing how Jenkins is starting from the most nested folder and going up the hierarchy to find a folder that would be approved for the controlled agent.
[Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Looking for owner Apr 02, 2019 6:37:59 AM FINEST com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake [Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Found owner - Jenkins/Folder1/Folder2/Folder3/job Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake [Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1/Folder2/Folder3 Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake [Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1/Folder2 Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake [Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins/Folder1 Apr 02, 2019 6:37:59 AM FINER com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake [Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: Searching for tokens within Jenkins Apr 02, 2019 6:37:59 AM FINE com.cloudbees.jenkins.plugins.foldersplus.SecurityTokensNodeProperty$QueueTaskDispatcherImpl canTake [Node Controlled-slave] Task Jenkins part of Folder1/Folder2/Folder3/job #150: No valid token found => REJECT
You can find additional troubleshooting steps in the documentation for the feature.