Details
-
Type:
Story
-
Status: Done
-
Resolution: Done
-
Fix Version/s: None
-
Component/s: Continuous Integration, Developer Infrastructure
-
Labels:None
-
Story Points:6.75
-
Epic Link:
-
Team:SQuaRE
Description
Jenkins LTS 2.32.2 has been released which includes fixes for a number of security issues that are present in 2.19.4 (current production release) https://jenkins.io/security/advisory/2017-02-01/
We were unable to upgrade past 2.19.4 due to the swarm plugin not being forward compatible. However, a new release of the swarm plugin (3.3) was made last Friday, that should be compatible with the current LTS release.
Updating the swarm client made resolve/improve the the segv's in DM-8915.
Attachments
Issue Links
Activity
Jenkins 2.60.3 |
===
|
|
|
Plugins
|
---
|
|
|
### General tightening down on plugins are execute groovy:
|
|
|
https://jenkins.io/security/advisory/2017-04-10/ |
|
|
|
|
### slack job-dsl autogenerated bindings have changed
|
|
|
Atleast this accessor is gone: |
|
|
buildServerUrl(null) |
|
|
|
|
### warning about Scriptler being insecure
|
|
|
Stuck with this plugin until ActiveChoices can be removed. |
|
|
|
|
### warning about ssh slaves not checking host key
|
|
|
Ignoring this for now as we can live with "KnownHosts" verification. |
|
|
|
|
### warning about post-build plugin allowing groovy script to run with elevated persmissions
|
|
|
This is used by:
|
|
|
* validate_drp.groovy
|
* stack_os_matrix.groovy
|
|
|
The plugin can be dropped after these jobs are migrated to pipeline.
|
|
|
### slack plugin can now credenitals for its auth token |
|
|
Configuration migrated from injected plain-text to using the credentials facility.
|
|
|
|
|
### job-dsl groovy sandbox
|
|
|
Now enabled by default -- breaks libraries completely by disabling classpath |
and requires all scripts to be approved by admin without configuring the per
|
project auth plugin.
|
|
|
In configureSecurity -- uncheck
|
|
|
Enable script security for Job DSL scripts |
|
|
```
|
import jenkins.model.* |
|
|
Jenkins.getInstance().getDescriptor("javaposse.jobdsl.plugin.GlobalJobDslSecurityConfiguration").setUseScriptSecurity(false) |
println Jenkins.getInstance().getDescriptor("javaposse.jobdsl.plugin.GlobalJobDslSecurityConfiguration").getUseScriptSecurity() |
```
|
|
|
|
|
### swarm 3.4 is broken |
|
|
swarm 3.3 appears to be functional |
|
|
|
|
### workflow-job not compatilble with 2.60 (current LTS) |
|
|
2.14.1 causes the jenkins startup process to fail with a cascade of plugin loading failures |
|
|
|
|
SEVERE: Failed Loading plugin Pipeline v2.5 (workflow-aggregator) |
java.io.IOException: Pipeline v2.5 failed to load. |
- Pipeline: Job v2.14.1 failed to load. Fix this plugin first. |
at hudson.PluginWrapper.resolvePluginDependencies(PluginWrap
|
|
|
|
|
### activeChoice warning
|
|
|
https://wiki.jenkins.io/display/JENKINS/Active+Choices+Plugin |
|
|
Warning: (stack.groovy, line 15) activeChoiceParam is deprecated |
|
|
|
|
Puppet
|
---
|
|
|
* update to puppet-jenkins to handle changes with the CLI.jar
|
* multiplate bug fixes including properly handling plugin version upgrades
|
|
The Jenkins master + swarm clients were updated and the service appears to be functioning normally.
Remaining tasks on this issue:
verify that ssh "agent" plugin is workingverify that the new version of the swarm agent is working on el6update openjdkAdd a summary of significant changes to this ticket