TeamCity Server - TeamCity Agent communication

Hi,

I followed the discussion in thread:
"How does an agent communicate with the TC server?"
http://www.intellij.net/forums/thread.jspa?threadID=277315

I followed those instructions. In general it worked. Thanks a lot.


But what about the reverse connection Server - Agent (on Agent host port 9090 (default)).
What is the protocol there, what is communicated there, who is triggering this communication, is this connection safe?
Can this connection be made safe and how?

Regards,
Dirk

5 comments

Dirk,

For the time being the connection from server to agent is plain HTTP and it cannot be easily secured. Please watch/vote for the corresponding feature request.

What is the protocol there

The same as Agent->Server. HTTP

What is communicated there

Commands from the server to agent to start/stop a build and some others. The settings of the build are traveling here, but the sources for the build are downloaded by the agent itself in Agent->Server requests.

who is triggering this communication

Server

is this connection safe?

It is plain HTTP, so no.

Can this connection be made safe and how?


For the time being you can try to configure a secured tunnel between agent and the server, thus organizing the security by the means external to TeamCity.

--
Best regards,

Yegor Yarko
Project Manager (TeamCity)
JetBrains, Inc
http://www.jetbrains.com
"Develop with pleasure!"


Since I am in the process of architecting a distributed model using TC, this is important to me. My question is, what type of information is being sent from the BS to the BAs? Is it something I need to worry about encrypting with stunnel? Or can I just not worry...


Schley Andrew Kutz wrote:

Since I am in the process of architecting a distributed model using TC, this is important to me. My question is, what type of information is being sent from the BS to the BAs? Is it something I need to worry about encrypting with stunnel? Or can I just not worry...

---
Original message URL: http://www.jetbrains.net/devnet/message/5228732#5228732


Well, everything used in build goes to agent, and all results are sent back.

Server sends the initial authorization token and build commands, and the whole
source code if server-side checkout is used.

Agent sends its status and properties, downloads build dependencies,
streams build log events to server and uploads artifacts.

Also please consider that the amount of this traffic can be VERY
significant. It may not be wise to have an agent farm outside of the
company intranet from the point of view of performance and/or cost.

--
Alexey Gopachenko
JetBrains Inc.
http://www.intellij.com
"Develop with pleasure!"


Thanks for the warning. In the meantime I've set up the build server as an OpenVPN client to the various locations the build agents are hosted and created a secure tunnel for them to communicate on. The annoying thing about the ownPort variable is that the build agent advertises it to the build server, and it isn't something that you can change on the server about the client. That is, I can't tell the build server that ba-win01's port is 9091 and then have port 9091 forward to 9090 over an SSH tunnel, because if I change the build agent's port to 9091 then it will change on the server in tandem.


You can submit this issue as a feature request to our tracker. Right now you probably could use an insecure connection for commands from the server to agent. These commands are:
- ping (nothing sensitive is sent to an agent)
- run build (some sensitive data can be sent, for example, a temporary access code to artifacts and VCS root passwords; however, in TC 4.0 passwords are sent in scrambled form)
- obtaining information about the agent, like its operating system and supported build runners

Obtaining the patch and sending build results are initiated by the agent itself and can be done over the HTTPS protocol (this protocol should be enabled on the server).

Hope this helps.

--
Pavel Sher
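The two directions described in this thread can be checked mechanically. The script below is an added example, not code from TeamCity or from anyone in this thread: it parses an agent's buildAgent.properties (the standard serverUrl and ownPort keys are assumed; the sample file content is constructed) and reports whether the Agent->Server URL uses HTTPS and whether the Server->Agent port is known to be reachable only through a tunnel or VPN.

```python
# Added example (not TeamCity's own code): audit a TeamCity buildAgent.properties
# file against the two points made in this thread.
#   Agent -> Server: can use HTTPS if the server has it enabled, so serverUrl
#                    should be https://.
#   Server -> Agent: plain HTTP on ownPort (9090 by default) that cannot be
#                    secured inside TeamCity, so the port must be reachable only
#                    over a tunnel/VPN or from a trusted network.
# serverUrl and ownPort are the standard buildAgent.properties keys (assumed);
# the file content below is constructed for the example.
from urllib.parse import urlparse

SAMPLE_PROPERTIES = """\
# constructed sample buildAgent.properties
serverUrl=http://teamcity.example.internal:8111/
name=ba-win01
ownPort=9090
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_agent_config(text, tunneled_ports=()):
    """Return a list of findings for one agent's properties file.

    tunneled_ports lists agent ports the operator knows are reachable only
    through a VPN/stunnel/SSH tunnel (e.g. the OpenVPN setup in this thread).
    """
    props = parse_properties(text)
    findings = []
    url = urlparse(props.get("serverUrl", ""))
    if url.scheme != "https":
        findings.append("agent->server: serverUrl uses %r; enable HTTPS on the server "
                        "and switch to https:// so patches and build results are "
                        "encrypted" % (url.scheme or "no scheme"))
    port = int(props.get("ownPort", "9090"))
    if port not in tunneled_ports:
        findings.append("server->agent: ownPort %d is plain HTTP (access tokens and "
                        "scrambled VCS passwords travel here); wrap it in a tunnel "
                        "or restrict it to the intranet" % port)
    return findings
```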
