Page MenuHomePhabricator
Create Task
Maniphest T168644

Upgrade jenkins to 2.73.1 (new lts release)
Closed, ResolvedPublic
Actions

Description

Now that jenkins 2.60.1 has been released, it includes improvements to security including support for hmac-sha2-256 and even edca :) T103351

This also bumps the required java version to 8. All slaves and the master server have to have at least java 8+ now. You can't have the master server as java 8 and the slaves as java 7. So this is blocked on T162828 (only the trusty instances need updating to java 8 which will require either a ppa or we back port it from xenial (if that will work). Jessie+ can be upgraded when ever as java 8 is in the debian repo.

Also a new lts release was released 2.73.1

Changelog at https://jenkins.io/changelog-stable/

We use the upstream Debian package, which can be updated using reprepro as described on https://wikitech.wikimedia.org/wiki/Jenkins#Updating

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -8Jenkins: Install java 8 on debian jessie
Customize query in gerrit

Related Objects
Search...

Event Timeline

Paladox created this task.Jun 22 2017, 3:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 22 2017, 3:06 PM
Paladox added parent tasks: T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms, T100518: Reenable ssh MAC/KEX hardening on beta cluster and integration labs project.Jun 22 2017, 3:07 PM
Paladox added a subtask: T162828: Upgrade jenkins server and jenkins slaves to java 8.
Paladox updated the task description. (Show Details)Jun 22 2017, 5:26 PM
Paladox added a subtask: T166248: Upgrade Analytics Cluster to Java 8.Jun 26 2017, 3:41 PM
Nuria removed a subtask: T166248: Upgrade Analytics Cluster to Java 8.Jun 26 2017, 4:26 PM
gerritbot added a subscriber: gerritbot.Jun 26 2017, 4:32 PM

Change 361482 had a related patch set (by Paladox) published:
[integration/config@master] Migrate analytics tests from java 7 to java 8

https://gerrit.wikimedia.org/r/361482

gerritbot added a project: Patch-For-Review.Jun 26 2017, 4:32 PM
greg edited projects, added Continuous-Integration-Infrastructure; removed Release-Engineering-Team.Jul 6 2017, 6:58 PM
Paladox renamed this task from Upgrade jenkins to 2.60.1 (new lts release) to Upgrade jenkins to 2.73.1 (new lts release).Sep 19 2017, 3:44 PM
Paladox updated the task description. (Show Details)
hashar mentioned this in T166415: Update jenkins to 2.46.3.Oct 4 2017, 4:37 PM
hashar edited projects, added Release-Engineering-Team (Kanban); removed Patch-For-Review.

We have to upgrade Jenkins. It is overdue. There is no more any Trusty instances floating around so we can switch to Java 8 and then upgrade.

Paladox added a comment.Oct 4 2017, 4:38 PM

:)

gerritbot added a comment.Oct 4 2017, 5:14 PM

Change 382188 had a related patch set (by Paladox) published:
[operations/puppet@production] Jenkins: Install java 8 on debian jessie

https://gerrit.wikimedia.org/r/382188

gerritbot added a project: Patch-For-Review.Oct 4 2017, 5:14 PM
hashar triaged this task as High priority.Oct 4 2017, 8:41 PM
hashar updated the task description. (Show Details)Oct 5 2017, 9:47 AM
hashar moved this task from Backlog to In-progress on the Release-Engineering-Team (Kanban) board.Oct 5 2017, 2:56 PM
hashar edited projects, added SRE; removed Patch-For-Review.Oct 5 2017, 2:59 PM

For SRE , we would need the Jenkins 2.73.1 Debian package to be made available on apt.wikimedia.org via reprepro

Some doc https://wikitech.wikimedia.org/wiki/Jenkins#Updating

Package http://pkg.jenkins-ci.org/debian-stable/binary/jenkins_2.73.1_all.deb

Should be added to jessie-wikimedia/thirdparty

There is a security update coming on Wednesday 11st October. I would like to have Jenkins upgraded to the latest LTS on Monday morning.

MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.Oct 5 2017, 3:00 PM

@hashar: I need to finish some other tasks today, but I can help with that tomorrow morning, ping me when you're around

hashar added a comment.Oct 5 2017, 3:08 PM

@MoritzMuehlenhoff definitely. I was planning to poke you about it tomorrow :] The aim is just to have the package around. I will not upgrade on a friday. Danke!

hashar closed subtask T162828: Upgrade jenkins server and jenkins slaves to java 8 as Resolved.Oct 5 2017, 8:48 PM
MoritzMuehlenhoff added a comment.Oct 6 2017, 2:27 PM

apt.wikimedia.org has been updated to 2.73.1. Let me know if I can help with anything for the update on Monday.

gerritbot added a comment.Oct 7 2017, 10:36 AM

Change 382188 abandoned by Paladox:
Jenkins: Install java 8 on debian jessie

https://gerrit.wikimedia.org/r/382188

Paladox added a comment.Oct 9 2017, 11:20 AM
In T168644#3660984, @hashar wrote:

For SRE , we would need the Jenkins 2.73.1 Debian package to be made available on apt.wikimedia.org via reprepro

Some doc https://wikitech.wikimedia.org/wiki/Jenkins#Updating

Package http://pkg.jenkins-ci.org/debian-stable/binary/jenkins_2.73.1_all.deb

Should be added to jessie-wikimedia/thirdparty

There is a security update coming on Wednesday 11st October. I would like to have Jenkins upgraded to the latest LTS on Monday morning.

I wonder is the slaves using dsa to connect or rsa? And using hmac 256 may improve some things :).

Stashbot added a subscriber: Stashbot.Oct 9 2017, 11:42 AM

Mentioned in SAL (#wikimedia-operations) [2017-10-09T11:42:40Z] <hashar> Upgrading Jenkins - T168644

hashar added a comment.Oct 9 2017, 11:45 AM

Got a bunch of:

WARNING: [hudson.plugins.sshslaves.verifiers.TrileadVersionSupportManager getTrileadSupport]
Could not create Trilead support class. Using legacy Trilead features

So I guess the SSH plugin still uses some old Trilead version that lacks the latest SSH algos.

hashar closed this task as Resolved.Oct 9 2017, 11:49 AM
hashar claimed this task.
Phabricator_maintenance edited projects, added RelEng-Archive-FY201718-Q2; removed Release-Engineering-Team (Kanban).Dec 21 2017, 6:56 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL