Infrastructure Team Meeting - January 28, 2025

Attendees

• @dduportal (Damien Duportal)
• @MarkEWaite (Mark Waite)
• @smerle33 (Stéphane Merle)
• @poddingue (Bruno Verachten)
• @kmartens27 (Kevin Martens)

Announcements

1. Jenkins Weekly Releases
   • Last week: 2.494 released with no issues
   • This Week: 2.495 started on time today
2. Reminder: no weekly team meeting next week (Feburary 4, 2025). Next one is the 11.
3. Azure Outages impacting Container Instances
   • The Infra/“homemade” ATH has not reported errors on the maven-8-windows since a few days
   • Proposal: revert label to use ACI and close the issue
4. We had a security advisory (plugins only) last week
   • Minor issue with the new UC: the JenSec script was assuming all files have the same “Last-Modified” header which changed.
     • Daniel issued a fix in Generate `timestamp.txt` by daniel-beck · Pull Request #835 · jenkins-infra/update-center2 · GitHub
   • Our runbooks need updates (post mortem with Kevin):
     • Runbook “trusted.ci”:
       • Clarify how to choose why putting the SSH public key in a hieradata or the other
       • Clarify if the group “sudo” is needed or not
       • Clarify that an RSA 4096 or ECDSA key is needed
       • Describe the Windows + WSL “hosts” file to change (both Windows and WSL)
     • Runbook “updates.jenkins.io”
       • Remove SSH access (and any “legacy”) element
     • Runbook “pkg.origin.jenkins.io”
       • Create it!
       • Define the SSH access with “pkg.origin.jenkins.io” as entrypoint
       • Add a note that it “used” to host updates.jio
     • Runbook “Security”:
       • Make it point to the runbook “ci.jenkins.io” to avoid duplicating information
       • Make it point to the new pkg.origin (instead of updates.jio)
       • Use “ci.jenkins.io” for both SSH and HTTP endpoints (instead of private hostnames) to anticipater for AWS migration
5. Artifactory Storage: Jfrog asked us to decrease disk space used
   • Goal: from ~9.8Tb to <5Tb
   • We have only 2 Artifactory admins. We’re going to temporarily grant admin permissions to Darin Pope if JenSec team is ok,so he can lead this process
     • Led by Mark, and executed by Darin
   • 2 phases:
     • Incrementals artifacts (e.g. builds from PR or branches used for early testing) are never deleted today. If we start deleting all of them older than 4 weeks, we should save more than 1Tb of storage.
     • Reducing the “mirror” cache size
       • Deletion of unused cached (e.g. not in “public”)
       • Some of the mirrors (mainly atlassian public mirror) should be shrinked to decrease the usage
   • Mark meets with JFrog tomorrow and will report during the Contributor summit

Upcoming Calendar

• Next Weekly: 2.496, February 4.
• Next LTS: 2.492.1 - (5 Feb 2025) - Jeremie Playout + Mark Waite as release leads
  • Both Damien and Stephane will be available, we can start early (EU timezone)
• Next Security Release as per jenkinsci-advisories: N.A.
• Upcoming credentials expirations (~3 weeks):
  • 2 Feb.: SSL certificate for repo.jenkins-ci.org (see SSL certificate for repo.jenkins-ci.org expires 2 Feb 2025 · Issue #4477 · jenkins-infra/helpdesk · GitHub)
  • 6 Feb.: Artifactory Admin Token for RPU expires (Need an issue => @dduportal)
  • 16 Feb.:
    • Azure SP used to access the Azure Vault when signing a Jenkins release - https://github.com/jenkins-infra/terraform-states/pull/46
      • Issue to create => @dduportal
    • Azure SP used by trusted.ci to spin up VM agents - Azure AD Application password for Azure VM agents in `trusted.ci.jenkins.io` expires on `2025-02-16T00:00:00Z` by jenkins-infra-updatecli[bot] · Pull Request #924 · jenkins-infra/azure · GitHub
      • Issue to create => @smerle
      • Instance identity?
  • 18 Feb.: Digital Ocean PAT used by Terraform
    • Issue to create => @smerle
  • 22 Feb.: VPN CRL expires
    • Issue to create => @smerle
• Next major event:
  • Contributor Summit and FOSDEM, in Brussels, 31 Jan. and 1/2 Feb. 2025

Cloud Budgets

• Azure CDF:
  • October: $4,0k (invoice)
  • November: $4,3k (invoice)
  • December: $4,4k
  • January: $3,816 (forecast at $4.3k)
• Azure Sponsorship (Microsoft Credits) - Remaining: $20,869 until May 2025
  • October: $12,9k consumed
  • November: $13k
  • December: $9,5k
  • January: $11,2k (forecast at $11,8k)
    • Bom, bom, bom
• DigitalOcean - Remaining ~$15k until January 02, 2026
  • October: $195.67 (invoice)
  • November: $146 (invoice)
  • December: $192 (invoice)
  • January: $200 (forecast at $216)
• AWS:
  • CloudBees:
    • October: $6,4k
    • November: $3,9k
    • December: $540
    • January: $465 (forecast at $536)
  • Sponsored account (~$57k credits lefts)
    • October: $178
    • November: $482
    • December: $595
    • January: $1,077 (forecast at $1,212)
      • Bom bom bom

Notes

• Done:

  • Support
    • Spammer ibra blocked for Jira issue spam
    • jenkins.io SPF fail
    • Email, SPF, jenkins.io for Jenkins CERT bot
    • Add Jeremie Playout as a Jenkins LTS release lead
    • Downgrading a stats.jenkins.io maintainer to having no rights
    • Instability of artifact-caching-proxy
  • Keep platform up to date
    • [usage.jenkins.io] TLS Certificate expires on 2025-01-28
    • [terraform-aws-sponsorship] updatecli manifest for ami_release_version used by eks_managed_node_groups
  • ci.jenkins.io to AWS
    • [ci.jenkins.io] Move ephemeral Linux containers to AWS

• Closed as not planned:

  • Custom Tools Plugin fails to load due to missing Extended Choice Parameter Plugin

• Work in Progress:

  • [AWS] Move ci.jenkins.io from Azure (sponsorship) to AWS (sponsorship)
    • [ci.jenkins.io] Move ephemeral VM agents to AWS
      • Wip: ACP, ATH test and performances
      • EC2 plugin suffers from regression on its last version (trilead → mina)
    • [ci.jenkins.io] Move controller (VM) to AWS
    • ci.jenkins.io: upgrade datadog plugin from 8.x to 9.x
  • Support
    • [Incident] Windows build of plugins don’t start on ci.jenkins.io
      • Let’s retry using ACI for now (no more errors)
    • [trusted.ci.jenkins.io] Crawler fails to publish new tools metadata due to an S3 ↔ Cloudflare R2 error s3:PutObject NotImplemented: STREAMING-UNSIGNED-PAYLOAD-TRAILER not implemented
      • 2 distinct aws CLI installed (latest and 2.22.x for cloudflare) in the upcoming agent template
      • Then we can upgrade crawler
    • Support [skip ci] on default branch
      • There are more plugin doing this: might need exploration?
      • Request is legit and can be done, but not blocking
    • Issues with Gatsby deployment after dependency upgrades via PR for jenkins-infra/stories
      • Kris got infos. from Gavin
      • No action required on infra team for now
    • Infra stats missing since October 2024 data for stats.jenkins.io Plugin Installation Trend feature
      • Kohsuke did upload stats from 28 oct. up to 25 Jan. and fixed his VPN
      • We are now waiting from Andrew
      • We need to find how to retrieve both processes into the infra.
  • Keep platform up to date
    • SSL certificate for repo.jenkins-ci.org expires 2 Feb 2025
      • Waiting from Jfrog support to have Damien’s account allowed to change certificate
    • JDK patch upgrade campaign (January 2025)
      • JDK updated in the agent template (release in coming)
      • Next steps: release and then tools
      • Note: s390x is late on some JDKs. We should track it separately from the others.
    • [terraform-aws-sponsorship] updatecli manifest to track karpenter helm_release version
      • We raised an updatecli issue due to helm in OCI requiring logging out
      • Jay found a trick on short term which works
      • WiP on cleaning up manifest
    • [terraform-aws-sponsorship] updatecli manifest to track AWS Load Balancer helm_release version
      • Same as above
    • Monitor builds on our private instances (trusted.ci.jenkins.io / infra.ci.jenkins.io / release.ci.jenkins.io)
      • Learning Groovy Pipelines and Libraries
  • Artifactory
    • Artifactory outdated maven-metadata.xml for public/com/github/jnr/jnr-posix/
      • atlassian-public mirror
    • Foreign releases in public repository
      • atlassian-public mirror
  • Update Center
    • [INFRA-3100] Migrate updates.jenkins.io to another Cloud
      • Decommission of Apache vhost
    • Monitoring still catch some HTTP/404
      • Looks like it’s in archives.jenkins.io. Need to check datadog integration as no logs
    • Plan TLS enforcement after next LTS (means: clean up of “HTTP-only” yiiiiiah!)

• Stale Issues:

  • [Update Center] HTTP/404 on /current/updates/*.json* links

  • External user struggling to submit story to stories.jenkins.io

  • Add monitoring for CD secrets updates

  • dnf5 update fails with gpgcheck=1

  • build failure with useArtifactCachingProxy=true and dependency with version range

  • Switch agent (java home) to JDK21 default

  • Switch default JDK to 21 for pipeline libraries

  • Switch default JDK to 21 for build tools

  • Move controllers to JDK21 (runtime)

  • Move agents to JDK21 (runtime)

  • [INFRA-2651] Replace accountapp with (keycloak? Go-authentik? Something Else?)

• ToDo (next milestone) (infra-team-sync-2025-02-11 Milestone · GitHub)

  • Move collection of stats out from Kohsuke’s home
    • to be discussed at FOSDEM
  • Deploy jenkins-prototype on Netlify
    • to be discussed at FOSDEM
  • Maven Central artifacts are being downloaded from repo.jenkins-ci.org
    • to Darin and Mark
  • [ci.jenkins.io] Set up an ECR pull through cache
  • [ci.jenkins.io] Move ACI agents to ephemeral Windows containers to AWS
  • Create build for jenkinsci/winp on release ci server
    • to be discussed at FOSDEM (CD in GH? or release.ci.jenkins.io)
  • New repo scoop-bucket for app manifest distribution
    • to be discussed at FOSDEM