Page MenuHomePhabricator

Upgrade jenkins to 2.73.1 (new lts release)
Closed, ResolvedPublic

Description

Now that jenkins 2.60.1 has been released, it includes improvements to security including support for hmac-sha2-256 and even edca :) T103351

This also bumps the required java version to 8. All slaves and the master server have to have at least java 8+ now. You can't have the master server as java 8 and the slaves as java 7. So this is blocked on T162828 (only the trusty instances need updating to java 8 which will require either a ppa or we back port it from xenial (if that will work). Jessie+ can be upgraded when ever as java 8 is in the debian repo.

Also a new lts release was released 2.73.1

Changelog at https://jenkins.io/changelog-stable/

We use the upstream Debian package, which can be updated using reprepro as described on https://wikitech.wikimedia.org/wiki/Jenkins#Updating

Event Timeline

Paladox created this task.Jun 22 2017, 3:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 22 2017, 3:06 PM
Paladox updated the task description. (Show Details)Jun 22 2017, 5:26 PM

Change 361482 had a related patch set (by Paladox) published:
[integration/config@master] Migrate analytics tests from java 7 to java 8

https://gerrit.wikimedia.org/r/361482

Paladox renamed this task from Upgrade jenkins to 2.60.1 (new lts release) to Upgrade jenkins to 2.73.1 (new lts release).Sep 19 2017, 3:44 PM
Paladox updated the task description. (Show Details)

We have to upgrade Jenkins. It is overdue. There is no more any Trusty instances floating around so we can switch to Java 8 and then upgrade.

Change 382188 had a related patch set (by Paladox) published:
[operations/puppet@production] Jenkins: Install java 8 on debian jessie

https://gerrit.wikimedia.org/r/382188

hashar triaged this task as High priority.Oct 4 2017, 8:41 PM
hashar updated the task description. (Show Details)Oct 5 2017, 9:47 AM
hashar edited projects, added SRE; removed Patch-For-Review.Oct 5 2017, 2:59 PM

For SRE , we would need the Jenkins 2.73.1 Debian package to be made available on apt.wikimedia.org via reprepro

Some doc https://wikitech.wikimedia.org/wiki/Jenkins#Updating

Package http://pkg.jenkins-ci.org/debian-stable/binary/jenkins_2.73.1_all.deb

Should be added to jessie-wikimedia/thirdparty

There is a security update coming on Wednesday 11st October. I would like to have Jenkins upgraded to the latest LTS on Monday morning.

@hashar: I need to finish some other tasks today, but I can help with that tomorrow morning, ping me when you're around

hashar added a comment.Oct 5 2017, 3:08 PM

@MoritzMuehlenhoff definitely. I was planning to poke you about it tomorrow :] The aim is just to have the package around. I will not upgrade on a friday. Danke!

apt.wikimedia.org has been updated to 2.73.1. Let me know if I can help with anything for the update on Monday.

Change 382188 abandoned by Paladox:
Jenkins: Install java 8 on debian jessie

https://gerrit.wikimedia.org/r/382188

For SRE , we would need the Jenkins 2.73.1 Debian package to be made available on apt.wikimedia.org via reprepro

Some doc https://wikitech.wikimedia.org/wiki/Jenkins#Updating

Package http://pkg.jenkins-ci.org/debian-stable/binary/jenkins_2.73.1_all.deb

Should be added to jessie-wikimedia/thirdparty

There is a security update coming on Wednesday 11st October. I would like to have Jenkins upgraded to the latest LTS on Monday morning.

I wonder is the slaves using dsa to connect or rsa? And using hmac 256 may improve some things :).

Mentioned in SAL (#wikimedia-operations) [2017-10-09T11:42:40Z] <hashar> Upgrading Jenkins - T168644

Got a bunch of:

WARNING: [hudson.plugins.sshslaves.verifiers.TrileadVersionSupportManager getTrileadSupport]
Could not create Trilead support class. Using legacy Trilead features

So I guess the SSH plugin still uses some old Trilead version that lacks the latest SSH algos.

hashar closed this task as Resolved.Oct 9 2017, 11:49 AM
hashar claimed this task.