Platform SIG May 21, 2024

Containers, Java 17, other Java, Spring Security 6.x

Attending:

Agenda:

  • Container image updates for the Jenkins controller
    • New LTS (2.452.1)
      • Switch from Temurin base images to Temurin JDK binaries
      • Bump Debian Bookworm Linux Version to 20240513
      • Bump ubi8/ubi 8.9-1160.1715068735
      • Bump ubi9/ubi to 9.4-947
      • Oracle CPU (critical patch update) led to:
        • Bump JDK11 version to 11.0.23_9
        • Bump JDK17 version to 17.0.11_9
        • Bump JDK21 version to 21.0.3_9
      • Bump plugin manager to 2.13.0 in #1874
      • Adoptium updates
        • Check the validity of releases thanks to the Adoptium API
        • Adapt manifests to unique Dockerfile per Linux variant
        • Use correct Dockerfiles in dependabot
        • chore: keep only one Dockerfile per Linux image variant
        • Check for Windows JDK releases, same as Linux
        • Set jlink compression arg to zip-6 for Windows jdk21 image
        • Track Java versions for Windows with updatecli
      • :boom: Breaking change: Remove deprecated install-plugin.sh script from Linux jdk11 images
      • Verify SHA256 checksum of plugin installation manager tool
      • Remove unused .ci/common-functions.sh script
    • Weeklies (2.458 and 2.459)
      • Adapt manifests to unique Dockerfile per Linux variant
      • Use correct Dockerfiles in dependabot
      • Bump updatecli/updatecli-action from 2.57.0 to 2.58.0
      • Bump Debian Bookworm Linux Version to 20240513
  • Container image updates for Jenkins agents
    • Three new releases for ssh-agent (5.35.0, 5.36.0, and 5.37.0)
    • Three new releases for docker-agent (3206.vb_15dcf73f6a_9-12, 3248.v65ecb_254c298-1, and 248.v65ecb_254c298-2)
    • Introduce REMOTING_OPTS to pass arbitrary options to remoting on startup via an environment variable (#809)
    • Bump the Jenkins remoting version to 3248.v65ecb_254c298
    • Rename jdk scripts and add updatecli manifest
    • Update adoptium-install-jdk.sh script content
    • Update adoptium-get-jdk-link.sh script content
    • Bump Git version on Windows to 2.45.1.windows.1
    • Bump Debian Bookworm Linux version to bookworm-20240513
    • Bump updatecli/updatecli-action from 2.57.0 to 2.58.0
  • Docker-based quickstart tutorials
    • Switched to the latest LTS version last week
    • Now also using the latest agent image
    • Back to working on the main Jenkins installation thanks to Docker.
      • Blocked because of a stupid problem, but user longkang solved it for me
      • Now we’re unblocked, I have to switch the two sections to get the one using the wizard first
  • Work in progress on images:
  • Adoptium Summit will take place online next September
  • Java 21 support - 2+2+2 Java Support Plan
    • Jenkins enhancement proposal by Mark Waite submitted and being reviewed
      • Needs more details before it is merged
      • Mark needs to do more research
      • Will transition to Java 17 on June 18 for the weekly, less than one month from now
      • Need a list of tasks to do before that change happens
  • The Spring project made an end of life announcement - JENKINS-68698
    • Key milestones in the Spring Security 6.x upgrade
      • File upload 2.x in Jenkins weekly today
      • Require Java 17 in Jenkins weekly June 18, 2024 (see dev list)
      • Jetty 12 + EE 8 in Jenkins weekly June 26 or July 3
      • Jetty 12 + EE 9 + Spring Security 6.x in Jenkins weekly - TBD
    • The last public build of Spring Security framework 5.8.x is August 2024
      • Spring Security 6.x requires Jetty 11 with Jakarta EE 9 (jakarta.servlet), not Jetty 10 with Jakarta EE 8 (javax.servlet)
      • August 31, 2024 date seems likely to stick
    • The last public build of Spring Framework 5.3.x is August 21, 2024
      • Spring Framework 6.1 and later require Java 17
    • Special thanks to Basil Crow and Adrien Lecharpentier for their involvement.
      • They’re working on the first steps to get this done (FileUpload, then JDK 17, and then 1 to 2 weeks later Jetty 10 with EE8 to Jetty 12 with EE9).
    • Alternatives:
      • Accept that if there is a security vulnerability reported in Spring Security 5.8.x between August 2024 and the end of October 2024, we may need to fork Spring Security and fix it ourselves
      • Mark to start discussions in the mailing list to find alternatives
    • We’ll choose the next LTS baseline Jun 26, 2024. The baseline release for the next LTS will be something prior to the requirement of JDK17.
    • 12 weeks from June 26 (18th September 2024), we’ll choose an LTS baseline that requires Java 17. Most of the work prior to the switch to Spring 6.x should be ready by then.
    • There are 4 tasks in Jira that anyone could take on to help us with the June 18th and 25th dates.