Infrastructure Team Meeting - August 22, 2023

Attendees

• @dduportal (Damien Duportal)
• @MarkEWaite (Mark Waite)
• @smerle33 (Stéphane Merle)
• @kmartens27 (Kevin Martens)
• @hlemeur (Hervé Le Meur)

Announcements

1. Weekly 2.419 - last week
2. Weekly 2.420 - today

• Failure during test phase
• Gotta check if it is infra issue (JDK17/resource limits) or maybe it’s timeout
• Let’s restart the build and see

3. Rebuild the container images of jenkins for all Linux version on 2.401.1, 2.401.2, 2.401.3 and 2.419

• A given tag is atomic (either all OS and platform) and must be rebuilt in the proper order (or at least ensure latest weekly is rebuilt last)
• we can delete tags, but that would create other troubles
• Ideally, weekly in bad shape would be solved by either using 2.419 or upcoming 2.420, or wait for the new LTS 2.414.1
• Filtering by tag is not available in trusted.ci.jenkins.io

4. Java 21 support in Jenkins container image as “early access” lands today for weekly (2.420) and tomorrow for LTS (2.414.1)

• Jenkins Infra will wait for official JDK21 release in Sept. before trying on controllers

Upcoming Calendar

• Next Weekly: 2.421 29 of August
• Next LTS: 2.414.1, the 23 of August
• Next Security Release as per jenkinsci-advisories: N.A.
• Next major event:
  • Jenkins elections start in September
    • Nomination of candidates (September 18 - October 27)
    • Voter registration (September 18 - November 05)
    • Voting (November 06 - December 1)
    • Results announcement (December 11)

Notes

• Done:

  • Unable to release plugin 401
    • Proposal from Hervé: Add a comment on merged PRs to explain what’s next and the time window
  • Switch to JDK17 for Jenkins controllers and agents
  • Archive the azure-dev-spaces-plugin repository
  • Unable to run mvn incrementals command
    • Might be worth a minor doc update
  • Add JDK21 support for developers to pre-built and try
    • As pointed by Tim (for the jenkinsci/docker) we can use weekly with fixed tag name (allowing tracking with updatecli)
  • Not able to login to artifactory
  • CD releases failing (invalid token on trusted.ci.jenkins.io)
  • Kubernetes clusters: define infraciadmin SVC account as code

• Closed as not planned:

  • Account creation mail was not sent
  • username issue
  • The upload to the Maven repository fails with “401 Unauthorized”

• Work In Progress:

  • Assess Artifactory bandwidth reduction options
    • Agreement from Jfrog that if can stop mirroring Maven Central, then their expectations will be meet
    • Next meeting friday with JFrog
    • Need to prepare around the Maven issues
  • [publick8s] Ensure high availability of replicated services
    • Each of the HA services runs 2 or more pods BUT in some cases these pods are scheduled on the same VM
    • ARM64 as higher probability of this, because only 1 node today
    • We can run more nodes: not a problem. But need to specify the anti-affinity rule to pods definitions
    • @smerle Less priority than ARM64 Docker build, but more important than Intel → ARM workload migration
  • [HTTP/401 on repo.jenkins-ci.org] Fix LDAP user configurations in Artifactory to avoid unexpected HTTP/401 when logging in
    • Meeting with the support went well: new users now have proper configuration
    • need to batch-fix existing users once
  • plugin-site build commonly fails on infra.ci when accessing https://plugins.jenkins.io resulting in a 502
    • We did not dive more on the topic except the errors peaking every 3 hours
    • @lemeurherve proposed a retry on the pipeline on short term
  • [INFRA-3100] Migrate updates.jenkins.io to another Cloud
    • azure.updates.jenkins.io is live in publick8s (mirrorbits + apache + empty data storage)
    • this mirrorbits instances fails to scan the mirrors we are adding: rsync or ftp is needed on mirrors today (mirrorbits constraint)
    • As our R2 Cloudflare mirror is only available with S3 or HTTP protocols, we need to setup a rsync server
    • We used to have a “demo mirror” with its rsync server: re-commissioning it somehow to have rsync
    • Challenge: is the rsync reference mandatory to serves the mirror data?
      • Mounting R2 S3 with any s3*fuse is tricky or dangerous
      • Or maybe we can use rsync on reference data (as we control mirror updates)
    • Once solved: let’s update and sync our mirrors + set up htaccess
    • RFE for mirrorbits to support S3 for scanning mirrors
  • plugin-aws-global-configuration permission
  • Migrate cert.ci.jenkins.io from prod-public to the private network
    • TF module OK
    • Gotta spawn a new instance for cert.ci
  • Remove IP restriction on bounce or migrate to VPN
    • Blocked by below issue (cerT.ci)
  • [pkg.jenkins.io] migrate the pkg.origin.jenkins.io service from AWS VM to Azure publick8s
    • Back to backlog (time + UC blocking)
  • VMs: improve command prompts to avoid confusion between services
    • Nothing done (holidays + ARM64) but @smerle still working on it
  • ATH builds commonly become unresponsive
    • @smerle ideas to build ATH on spot on 1st try, and fall back on ondemand if spot error
    • @dduportal takes over but will pair with @smerle
  • LF status page redirect may be cached for too long
    • No request sent to LF yet. Not critical item.
  • Proposal for application in publick8s to migrate to arm64
    • All “easy” workloads already migrated
    • WiP on the pipeline library to allow building container arm64 and x86
    • Docker Bake for Linux to allow arm64
    • Status: working on naming convention (e.g. almost there!)
  • Matomo github/docker repos
    • Nothing done. @dduportal need to set up the MySQL instance
  • Migrate Blue Ocean remaining jobs from ci.blueocean.io to the OSS Infra
    • Back to backlog (Hervé is in holidays)

• New topics/issues: N.A.

• ToDo (next milestone) (infra-team-sync-2023-08-29 Milestone · GitHub)