  1. Data Management
  2. DM-15866

jenkins 2018-09-25 2018-12-05 security vulnerabilities (DM)

    Details

      Description

      A laundry list of jenkins plugin security issues were announced today:

      https://jenkins.io/security/advisory/2018-09-25/

      It looks like most of them aren't applicable for us due to restrictive permissions, not in use, etc.

      The junit plugin issue does appear relevant:

      [another round of security issues, which appear more urgent]
      https://jenkins.io/security/advisory/2018-12-05/

            Activity

            jhoblitt Joshua Hoblitt added a comment -

            The sw.lsstcorp.org cert issue has been "resolved" in the sense that the NCSA provider cert, instead of *.lsst.codes, is in place. However, this cert has now been rejected by most browsers because of the CA. At some point this needs to either be replaced with a letsencrypt cert or the redirect service simply required, but that is beyond the scope of this ticket.

            jhoblitt Joshua Hoblitt added a comment -

            The s3 sync completed around 2155 UTC. I'm re-triggering the nightly release.

            jhoblitt Joshua Hoblitt added a comment -

            The nightly is still running: https://ci.lsst.codes/blue/organizations/jenkins/release%2Fnightly-release/detail/nightly-release/544/pipeline

            jhoblitt Joshua Hoblitt added a comment -

            The re-build of d.2019.01.14 succeeded and last night's build of d.2019.01.15 completed without incident.

            jhoblitt Joshua Hoblitt added a comment -

            Summary of work:

            • jenkins core updated to 2.150.1
            • bulk update of jenkins plugins including updated blueocean to 1.10.1
            • bulk of jenkins deployment puppet modules
            • updated swarm to 3.15
            • updated docker to 18.09.1
            • updated kernel to 3.10.0-957.1.3
            • updated nginx to 1.14.2-1
            • resolved recent centos openjdk 1.8 versions breaking jenkins; attempted to get jenkins experimental java 11 support to work (failed with odd exceptions in jenkins log); resorted to using the yum versionlock plugin, enabling the old/removed from mirrors centos 7.5.1804 updates repo from the centos yum vault, and explicitly pinning the java-1.8.0-openjdk-*-1.8.0.181-3.b13.el7_5.x86_64 java package versions.
            • added a new "group" layer to the hiera hierarchy (prep-work for DM-17230)
            • resolved versiondb base url being incorrect in jenkins test envs using a fork of versiondb (issue was non-prod only)
            • resolved suppression of slack notification related groovy security sandbox exceptions
            • update of various travis CI driven linters across multiple jenkins/tf associated repos
            • partial modernization of jenkins deployment tf code
            • renamed lsst-sqre/deploy-publish-release -> lsst-sqre/terraform-scipipe-publish and did a partial tf modernization
            • modified terraform-scipipe-publish to be easily usable under terragrunt
            • redeployed deploy-publish-release-prod as scipipe-publish-prod, now driven by terragrunt (per comments on this ticket, this went poorly for still unknown reasons)
            • partial modernization of lsst-sqre/terraform-pkgroot-redirect
            • made lsst-sqre/terraform-gke-std less aggressive about recreating gke clusters.
            • revised nagios configuration to make notification behavior consistent 24x7

              People

              • Assignee:
                jhoblitt Joshua Hoblitt
                Reporter:
                jhoblitt Joshua Hoblitt
                Watchers:
                Andy Clements, Gabriele Comoretto, Joshua Hoblitt, Kian-Tat Lim