Platform SIG May 07, 2024

Containers, Java 17, other Java, Spring Security 6.x

Attending:

Agenda:

  • Container image updates for the Jenkins controller
    • :boom: Breaking change: remove deprecated install-plugin.sh script from Linux jdk11 images
    • Bump Debian Bookworm Linux Version to 20240423
    • Bump ubi9/ubi from 9.3-1610 to 9.4-947
    • Bump plugin manager to 2.13.0
    • Add to the changelog that we are providing a jlink JDK for Windows
      • Windows JDK now uses jlink to reduce the size
      • Mark added that note to the controller image changelog
      • Set jlink compression arg to zip-6 for Windows jdk21 image
    • Keep only one Dockerfile per Linux image variant
      • Reminder that almalinux:jdk11 end of life Oct 2024
    • Bump JDK11 version to 11.0.23_9
  • Container image updates for Jenkins agents
    • Two new releases for ssh-agent (5.33.0 and 5.34.0)
    • One new release for docker-agent (3206.vb_15dcf73f6a_9-11)
    • Switch from temurin base images to temurin installer
    • Bump Git version on Windows to 2.45.0.windows.1
    • jlink improvements from jenkinsci/docker
    • Updatecli: Fix Windows targets in jdk manifests
    • :package: Dependency updates
      • Bump JDK21 version to 21.0.3_9
      • Bump JDK17 version to 17.0.11_9
      • Bump JDK11 version to 11.0.23_9
      • Bump Debian Bookworm Linux version to bookworm-20240423
    • Proposed to continue forward, eventually remove duplication from images
  • Docker Hub used to send HTTP 429 errors.
    • Failures during deployment of agents (rate limits through their abuse defense)
      • We were building many platforms very rapidly in parallel on a single private subnet
      • Peaked at 2200 requests per minute from a single IP address
      • Spread our outbound requests across multiple IP addresses
        • Using 3 IP addresses instead of 1 IP address on trusted.ci
    • Replaced Eclipse Temurin base image with Eclipse Temurin installer
      • Avoids downloading many layers, decreasing layer downloads by ⅓
      • Reduced our requests per minute
    • Action items are done; the issue is solved for infrastructure, and completing the container image improvements is left to Platform SIG
    • Using Temurin binaries and not Temurin Docker images is done for the controller and agent images.
      • Confirmed working in Jenkins 2.455 23 Apr 2024
  • The Docker Hub jenkins/agent description was outdated
    • This was solved yesterday
  • Docker-based quickstart tutorials
    • Back to working on the main Jenkins installation thanks to Docker.
  • Work in progress on images:
  • Plugin with Java 17 minimum dependencies
  • Adoptium Summit will take place online next September
    • Would anyone like to submit a talk about Jenkins’ use of Temurin?
  • Java 21 support - 2+2+2 Java Support Plan
  • The Spring project made an end of life announcement - JENKINS-68698
    • The last public build of Spring Security framework 5.8.x is August 2024
      • Spring Security 6.x requires Jetty 11 with Jakarta EE 9 (jakarta.servlet), not Jetty 10 with Jakarta EE 8 (javax.servlet)
      • August 31, 2024 date seems likely to stick
    • The last public build of Spring Framework 5.3.x is August 2024
      • Spring Framework 6.1 and later require Java 17
    • Alternatives:
      • Accept that if there is a security vulnerability reported in Spring Security 5.8.x between August 2024 and the end of October 2024, we may need to fork Spring Security and fix it ourselves
      • Mark to start discussions in the mailing list to find alternatives