Team or Managed controllers show Unlock Jenkins or Registration screen on first startup


Issue

  • A new team / managed controller does not come up on start up and is stuck on the "Registration" screen

  • A new team / managed controller does not come up on start up and is stuck on the "Unlock Jenkins" screen

Environment

Explanation

There are 2 potential causes:

  • Operations Center Single Sign-on is not enabled for the controller: In that case, the "Unlock Jenkins" screen appears, as it does on the startup of any fresh, unsecured Jenkins instance. This is the expected behavior.

  • Operations Center is not responding to the controller’s request in time: If Operations Center is unresponsive or slow to respond to the controller on its first startup, the controller may be stuck on registration or asking for the admin password. This is a timing issue caused by the unresponsiveness of the CJOC over the network.

Depending on how far the startup went, you may see the "Registration" screen or the "Unlock Jenkins" screen.

Solution

Single Sign-on

In Operations Center, ensure that a "Single Sign-on" option is selected under Manage Jenkins -> Configure Global Security -> Client controller security -> Security Setting Enforcement:

[Image: oc global security enforcement]

In Operations Center, if client controllers are allowed to opt out of the security enforcement, check that Security Setting Enforcement -> Opt-out is disabled in the configuration of the Managed controller item.

[Image: controller security enforcement]

Timing issue

The 10-second timeout is actually generous. The CJOC should not take 10 seconds to respond to an HTTP request from the controllers. If the workaround fixes this, then it is most likely a performance problem on the CJOC or the network. In that case, open a ticket with CloudBees Support and attach a support bundle of the controller and the CJOC.

Workaround

The registration state uses two timeouts to register a controller on first startup. Each of them defaults to 10s. The workaround is to raise those timeouts by adding the following system properties to the configuration of the controller:

hudson.license.RegistrationState.CJOCConnectionTimeoutSeconds=<value in seconds>
hudson.license.RegistrationState.CJOCLicensePushTiemoutSeconds=<value in seconds>

The properties must be added to the Provisioning -> System Properties section of the controller’s item configuration. For example, replace <value in seconds> with 60 for a 60-second timeout.

The properties may also be added to Manage Jenkins -> Configure System -> Kubernetes controller Provisioning -> Advanced -> Global System Properties to apply to any new controller (including a team controller).