Platform SIG March 28, 2023

Attending:

Agenda:

  • Open Action Items:
    • Ppc64le: Bruno Verachten will get in touch with the security team to discuss getting ppc64le back to the Jenkins docker controller image => done, no feedback for the time being
      • Wadeck and Damien will have a discussion about images and security tomorrow
    • Docker Images
      • Container image deprecation for the blue ocean container (jenkinsci:blueocean)
        • https://hub.docker.com/r/jenkins/blueocean - no tags
        • Docker - has
        • Need to announce the deprecation of the image
          • Update the page on Dockerhub
          • Add to a Jenkins LTS changelog or upgrade guide?
          • Add a disclaimer to one or more pages on www.jenkins.io?
        • Find a way to communicate the deprecation to users and admins
          • Jenkins administrative monitor that checks for specific container content?
        • Report on it regularly in Platform SIG meetings
        • Create an issue that proposes the deprecation and the needed steps => Mark Waite?
  • Ongoing:
    • Jenkins 2.397 and 2.387.2: new Linux repository signing keys
      • Why? The PGP key was intentionally configured to expire, because it’s dangerous to keep it forever. Damien Duportal then created a new key.
      • Great article by Mark Waite
      • Anything to do for Jenkins Docker installation? I guess not? Will we see new versions of the controller with the right key installed?
        • Key not required for container installations
        • We manage the service ourselves in container, no systemd
    • Docker end of OSS images (Docker announcement with later changes)
      • Old jenkinsci handle may go away as not protected by OSS organization
      • Jenkins4Eval may go, as it is dangerous and not really needed
        • Very niche use
      • See the Jenkins infra ticket for details
    • Ppc64le: nice progress. Thank you so much for your contribution Kenneth!
      • docker-agent: PR reviewed, checks have passed.
      • docker-ssh-agent: PR reviewed, checks have passed too.
      • Nothing on inbound-agent yet, because it is derived from Kenneth’s own docker-agent
      • Controller PR done too
    • Alpine aarch64 images issue
      • Temurin needs help
    • Informally asked Scaleway for arm32 & aarch64 machines
    • Digicert code signing for MSI installer and jar file
      • Windows users expect their installers to be signed/secured (because of malware and so on). The certificate expires a few days from now. Next week’s LTS may not be signed because we did not get the certificate yet. Hope is a good thing to have; it may still work out in time.
  • What’s done?
    • Latest updates on the agent images:
      • Ssh-agent release 4.13.0
        • chore(deps): bump debian from bullseye-20230227 to bullseye-20230320 in /8/11/17bullseye (#222) @dependabot
      • Docker-agent release 3107.v665000b_51092-6
        • chore(deps): bump archlinux from base-20230226 to base-20230319.0.135218 in /11/archlinux (#393) @dependabot
        • chore(deps): bump debian from bullseye-20230227 to bullseye-20230320 in /11/17/bullseye (#394) @dependabot
      • Releases · jenkinsci/docker · GitHub
        • It has been like that forever, but the process is a script that checks 3 versions, parses the docker bake, and, if it’s not published, builds and publishes all the images.
        • 10% fewer cases will lead to rebuilding all the images of the 3 past versions
        • Shell script that does not work for Windows
        • A JEP (and help) would be welcome: defining a new versioning scheme that would use a package number