Page MenuHomePhabricator
Create Task
Maniphest T151642

Change notification email from jenkins-bot@wikimedia.org to releng internal list
Open, LowPublic
Actions

Description

Cron jobs should send notifications directly to Release-Engineering-Team instead of using the alias jenkins-bot@wikimedia.org which only reach a few people. From our internal discussion:

If it's from a @wikimedia.org email address, [greg has] whitelisted those (for people [outside of releng]).

The list Jenkins sends email to are:

ListStatus of releng@lists.wikimedia.org
betacluster-alerts@lists.wikimedia.orgNon-member, Held for moderation
discovery-alerts@lists.wikimedia.orgDone by @Gehel Non-member, Held for moderation
portals@lists.wikimedia.org?? No bounce and list is private
qa-alerts@lists.wikimedia.orgOK, Non-member, set per user moderation to Accept immediately
releng@lists.wikimedia.orgOK
security-admin-feed@lists.wikimedia.orgNon-member, Held for moderation
wdqs-gui-build@lists.wikimedia.org?? No bounce and list is private

Details

SubjectRepoBranchLines +/-
zuul: use releng list rather than jenkins-bot for emailoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

hashar created this task.Nov 25 2016, 3:51 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 25 2016, 3:51 PM
hashar added a comment.Nov 25 2016, 3:55 PM

For jenkins@contint1001.wikimedia.org the emails will have the header:

From: "Jenkins,,," <jenkins@contint1001.wikimedia.org>

Zppix subscribed.Dec 20 2016, 6:44 PM

Is everything done here or are changes still being made?

hashar added a comment.Dec 21 2016, 3:12 PM

Nothing has been done. It is a random idea I had a couple months ago which I filled as a task to make sure it is not forgotten. I haven't even looked at all places using the jenkins-bot email address.

greg moved this task from INBOX to Backlog on the Release-Engineering-Team board.May 20 2017, 12:10 PM
greg edited projects, added Release-Engineering-Team (Backlog); removed Release-Engineering-Team.
hashar triaged this task as Low priority.Jun 16 2017, 10:47 AM
Phabricator_maintenance edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team (Backlog).Jun 12 2019, 11:53 PM
Phabricator_maintenance moved this task from Should be empty (use Release-Engineering-Team) to Later / Need volunteer on the Release-Engineering-Team-TODO board.Jun 12 2019, 11:55 PM
greg added a project: Release-Engineering-Team.Jun 21 2019, 10:35 PM
greg edited projects, added Release-Engineering-Team (CI & Testing services); removed Release-Engineering-Team.Jul 11 2019, 4:54 PM
thcipriani removed a project: Release-Engineering-Team (CI & Testing services).Apr 20 2021, 1:09 AM
thcipriani edited projects, added Release-Engineering-Team (thcipriani-workboard-fiddling); removed Release-Engineering-Team-TODO.Apr 20 2021, 3:42 AM
thcipriani moved this task from thcipriani-workboard-fiddling to Seen (ARCHIVE) on the Release-Engineering-Team board.Apr 20 2021, 3:58 AM
thcipriani edited projects, added Release-Engineering-Team; removed Release-Engineering-Team (thcipriani-workboard-fiddling).
thcipriani edited projects, added Release-Engineering-Team (Seen); removed Release-Engineering-Team.Apr 20 2021, 3:24 PM
greg added subscribers: Jdforrester-WMF, greg.Jun 4 2021, 11:12 PM

I've recently been getting a few of these (mostly from @Jdforrester-WMF cleaning up portalsbuild?). It's not a major problem, but looking at the list of who's on jenkins-bot@ (https://groups.google.com/a/wikimedia.org/g/jenkins-bot/members ) this seems like an odd setup indeed.

Anyway, still Low priority, just keeping logs for next time this happens and I search phab again :)

Jdforrester-WMF added a comment.Jun 10 2021, 10:06 PM
In T151642#7135831, @greg wrote:

I've recently been getting a few of these (mostly from @Jdforrester-WMF cleaning up portalsbuild?).

Sorry! ;-)

gerritbot added a comment.Oct 22 2021, 1:07 PM

Change 732968 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] zuul: use releng list rather than jenkins-bot for email

https://gerrit.wikimedia.org/r/732968

gerritbot added a project: Patch-For-Review.Oct 22 2021, 1:07 PM
hashar claimed this task.Oct 22 2021, 1:17 PM

Found a few in Puppet though they don't trigger any email.

Icinga got done a couple years ago by https://gerrit.wikimedia.org/r/c/operations/puppet/+/559858

There is no trace of jenkins-bot email in the JJB config

I have updated CI and release Jenkins admin email address to releng@lists.wikimedia.org

Puppet patch https://gerrit.wikimedia.org/r/732968 is the one left to mark this resolved.

hashar updated the task description. (Show Details)Oct 22 2021, 1:18 PM
hashar updated the task description. (Show Details)
hashar edited projects, added Release-Engineering-Team (Doing); removed Release-Engineering-Team (Seen).
gerritbot added a comment.Oct 22 2021, 11:43 PM

Change 732968 merged by Dzahn:

[operations/puppet@production] zuul: use releng list rather than jenkins-bot for email

https://gerrit.wikimedia.org/r/732968

Maintenance_bot removed a project: Patch-For-Review.Oct 23 2021, 12:10 AM
hashar updated the task description. (Show Details)Oct 23 2021, 7:12 AM
hashar added a comment.EditedOct 23 2021, 7:15 AM

After I have updated the CI Jenkins admin address from jenkins-bot to releng, email notifications sent to qa-alerts@lists.wikimedia.org would bounce back:

Your message to the QA-Alerts mailing-list was rejected for the following reasons:

The message is not from a list member

Before changing the system admin email, we should audit all the lists being recipients, make sure releng is a member (and disable mail notification to it).

(I have rolled back the change on CI Jenkins which is now back to using the jenkins-bot email)

hashar added a comment.Oct 25 2021, 1:26 PM

I have created a jenkins-bot account on lists.wikimedia.org and stored its credentials in releng secrets store.

Whenever Jenkins emits an email from jenkins-bot@lists.wikimedia.org it might get bounced by the recipient mailing list, over time the email has been added to the target lists and we would need to do the same for releng@lists.wikimedia.org.

From integration/config.git we can retrieve all the emails Jenkins jobs send email too with git grep -hoP '[\w-]+@lists.wikimedia.org'|sort|uniq.

In a job?List member ?ListDescription
YESYESbetacluster-alerts@lists.wikimedia.org
YESYESdiscovery-alerts@lists.wikimedia.orgAutomated notifications to search platform team
NOYESmultimedia-alerts@lists.wikimedia.orgAutomated Multimedia Alerts
YESYESportals@lists.wikimedia.orgWMF Portal Updates
YESYESqa-alerts@lists.wikimedia.orgMailing list for Quality Assurance alerts
YESNOreleng@lists.wikimedia.orgRelease engineering list
YESYESsecurity-admin-feed@lists.wikimedia.orgAutomated messages from security related tooling.
YESNOwdqs-gui-build@lists.wikimedia.org

The jobs sending to multimedia-alerts have been removed a while back.

hashar added a comment.EditedOct 25 2021, 1:30 PM

I tried to create an account on mailman for releng@lists.wikimedia.org and that results in a server side error, I guess cause it is a list.

hashar added a comment.Oct 25 2021, 2:12 PM

So in the end, we need releng@lists.wikimedia.org to be allowed to post on the list, which in mailman 3 can be granted even if the email is not an account nor a member of the list. But that requires each list owners to set the preference.

Example for qa-alerts for which I am a owner. Looking at https://lists.wikimedia.org/postorius/lists/qa-alerts.lists.wikimedia.org/members/nonmember/?q=releng gives:

releng_non-member_qa-alerts.png (412×819 px, 38 KB)

Since I am a list owner, I have access Non-members Options for that email which let me change the Delivery Status (none for a non member) or more importantly how the list react when it receives an email from that email:

qa-alerts-releng-moderation.png (227×947 px, 42 KB)

And it shows List default which depends on the list. I could not find the default setting for the list, but I guess that for each recipient list we can set it this non member to either Accept or Default Processing (which does "additional checks" whatever it can mean).

The list Jenkins sends email to are:

List
betacluster-alerts@lists.wikimedia.org
discovery-alerts@lists.wikimedia.org
portals@lists.wikimedia.org
qa-alerts@lists.wikimedia.org
releng@lists.wikimedia.org
security-admin-feed@lists.wikimedia.org
wdqs-gui-build@lists.wikimedia.org
zeljkofilipin subscribed.Oct 25 2021, 2:22 PM
hashar updated the task description. (Show Details)Oct 25 2021, 2:50 PM
Legoktm subscribed.Oct 25 2021, 4:15 PM
In T151642#7454987, @hashar wrote:

So in the end, we need releng@lists.wikimedia.org to be allowed to post on the list, which in mailman 3 can be granted even if the email is not an account nor a member of the list. But that requires each list owners to set the preference.
<snip>

List
betacluster-alerts@lists.wikimedia.org
discovery-alerts@lists.wikimedia.org
portals@lists.wikimedia.org
qa-alerts@lists.wikimedia.org
releng@lists.wikimedia.org
security-admin-feed@lists.wikimedia.org
wdqs-gui-build@lists.wikimedia.org

Done for all of these lists.

hashar added a comment.Oct 25 2021, 4:19 PM

Thank you so much @Legoktm for proposing your help and fixing the rights. I will switch Jenkins to emit emails from releng@ tomorrow \o/

hashar mentioned this in T294270: Delete "releng" mailman account.Oct 25 2021, 4:24 PM
Gehel subscribed.Oct 28 2021, 1:52 PM

discovery-alerts@lists.wikimedia.org is now accepting emails from releng@

hashar updated the task description. (Show Details)Nov 12 2021, 9:39 AM
hashar added a comment.Nov 12 2021, 10:01 AM

Thank you @Gehel.

I have send an email to each mailing lists owners with the detailed instructions.

hashar added a project: Continuous-Integration-Infrastructure.Nov 12 2021, 10:01 AM
Lucas_Werkmeister_WMDE subscribed.Nov 12 2021, 11:01 AM

I received the email, but it doesn’t look like there’s anything left to be done for wdqs-gui-build, releng@ is already set to “accept immediately” there. (I guess that’s what @Legoktm did, but then I’m not sure why the email was sent.)

thcipriani edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team (Doing).Sep 7 2022, 3:51 PM
Aklapper removed hashar as the assignee of this task.May 16 2024, 5:06 PM

@hashar: Removing task assignee as this open task has been assigned for more than two years - see the email sent to all task assignees on 2024-04-15.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome! :)
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits