Platform SIG February 14, 2023

Attending:

Agenda:

  • Open action items:

    • Damien Duportal:
      • Check Docker image download statistics per platform/version => move it to the backlog, no more open action items
      • Open issue for “merging” docker agent repositories into a single one
  • Docker Images

    • Container image deprecation for the Blue Ocean container (jenkinsci:blueocean)
      • Damien proposed three meetings ago to update the image one very last time, with a 10-second sleep at the very beginning of the entrypoint, then a very informative message giving the status, and then another 10-second wait
      • Need to announce the deprecation of the image
        • Update the page on Dockerhub
        • Add to a Jenkins LTS changelog or upgrade guide?
        • Add a disclaimer to one or more pages on www.jenkins.io?
          • Update the 2017 Blue Ocean blog post with deprecation notice?
          • content/blog/2017/01/2017-01-13-blueocean-dev-log-jan.adoc
      • Find a way to communicate the deprecation to users and admins
        • Jenkins administrative monitor that checks for specific container content?
      • Report on it regularly in Platform SIG meetings
      • Create an issue that proposes the deprecation and the needed steps => who?
      • Not likely to make progress until …
      • Repository: blueocean-plugin/Dockerfile at master · jenkinsci/blueocean-plugin · GitHub
  • Ongoing Work and discussions

    • CentOS 7 Jenkins Controller Docker Image
      • While searching for information about this image, Damien found the following important information:
        • :warning: However, the centos official Docker image (all tags) is deprecated by Docker as per "Add deprecation notice for CentOS by tianon · Pull Request #2205 · docker-library/docs · GitHub" since 30 September 2022 (quite recent). The rationale is that there is no committed maintainer and no proper monthly update (like all base OSes).
        • That is a serious and strong argument to deprecate the jenkins/jenkins:centos7 image because it is a dangerous one.
      • Data points: as per DockerHub’s raw data for January 2023:
        • This image received ~830.000 pulls. It’s ~5% of the pulls.
        • The unmaintained (since Jenkins 2.306) centos alias received ~100.000 pulls.
        • AlmaLinux8 and UBI8-JDK11 have the same order of magnitude of pulls.
      • Proposal: deprecate the CentOS images. Needs an announcement.
      • Need a JEP: proposal to end the CentOS 7 image earlier than June 2024. The Docker container is already not supported anymore.
        • Let’s (re)build one last time, after the LTS, with an echo “IMPORTANT: deprecated image please see… and move to ubi…” && sleep 30 command in the entrypoint.
      • We would need another JEP before using an administrative monitor:
        • Consider adding a Jenkins administrative monitor that would inform the user that they are running a deprecated container image. We could use the presence of a flag file in the container image to indicate deprecation, then display the alert in Jenkins in the same way that “you have a new version” or “this plugin is deprecated” messages are shown.

  • Done

    • IBM s390x agent maintenance Friday Feb 3, 2023
      • All went fine, downtime (if any) went unnoticed
  • Latest CVE for containers was not fun.

    • Windows controller image is not updated as often as the rest. It’s been more than one year without any update.
      • Should we drop it? Mark thinks so. Makes no sense to keep it as is. Nice for agents, not for controllers. Nobody is complaining, so not many people use that.
    • Wadeck Follonier would prefer to kill everything but one :wink: Just kidding
      • 20 images to check, that’s a lot!
      • Why do we have multiple versions of each image, and why so many OSes?
        • Mark Waite thinks there are two types of users
          • I want something that looks very close to the system I already use (Debian, UBI9, …). It behaves the way they expect. What about Debian Slim then, asks Daniel?
          • Alpine image for the rest of them, because they want something small and efficient
      • AlmaLinux PR: Daniel would like to see a better justification for a new image. What is the advantage compared to UBI8 and UBI9? => topic for discussion
      • Wolfie: Wadeck thinks the approach is interesting
      • What are the images that are used these days?
        • Data is available. Wadeck had a look at it: lots of tags are used, and usage is very much distributed
        • Wadeck proposes to discuss the supply of just one image supported by security, and let Jenkins users build their own images if they want to use another OS base.