Page MenuHomePhabricator
Create Task
Maniphest T291425

Rebuild CI images affected by OpenSSL compat issue with new Let's Encrypt issuance chain
Closed, ResolvedPublic
Actions

Description

See parent T283165, Let's Encrypt has changed their chain which affects:

  • OpenSSL < 1.1.0
  • LibreSSL < 3.2.0
  • GnuTLS < 3.6.14

It only affects Debian Stretch.

We need to find CI images in use that might be affected and trigger a rebuild. Should happen before October 1st 2021.

Details

ProjectBranchLines +/-Subject
integration/configmaster+99 -99jjb: update jobs having a Stretch related image
integration/configmaster+8 -8dockerfiles: update apt repo for java8-scala-spark
integration/configmaster+5 -3dockerfiles: fix more java based images
integration/configmaster+5 -1dockerfiles: fix update-alternatives for java8
integration/configmaster+412 -0dockerfiles: update Stretch images for Let'sEncrypt
Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.Sep 20 2021, 7:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 20 2021, 7:04 PM
MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.Sep 21 2021, 8:13 AM

The expected version numbers are
openssl1.0: 1.0.2u-1~deb9u5
gnutls28: 3.5.8-5+deb9u6

thcipriani edited projects, added Release-Engineering-Team (Done by Wed 06 Oct); removed Release-Engineering-Team.Sep 22 2021, 4:08 PM
gerritbot added a comment.Sep 27 2021, 8:35 AM

Change 723993 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] dockerfiles: update Stretch images for Let'sEncrypt

https://gerrit.wikimedia.org/r/723993

gerritbot added a project: Patch-For-Review.Sep 27 2021, 8:35 AM
gerritbot added a comment.Sep 27 2021, 8:42 AM

Change 723993 merged by jenkins-bot:

[integration/config@master] dockerfiles: update Stretch images for Let'sEncrypt

https://gerrit.wikimedia.org/r/723993

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2021, 9:10 AM
hashar added a comment.Sep 27 2021, 1:26 PM

The java package refuses to install. It fails when updating the debian alternatives for man page:

Setting up openjdk-8-jre-headless:amd64 (8u302-b08-1~deb9u1) ... (image.py:210)
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode (image.py:210)
update-alternatives: error: error creating symbolic link '/usr/share/man/man1/rmid.1.gz.dpkg-tmp': No such file or directory (image.py:210)
dpkg: error processing package openjdk-8-jre-headless:amd64 (--configure):
urned error exit status 2 (image.py:210)
dpkg: dependency problems prevent configuration of default-jre-headless:
 default-jre-headless depends on openjdk-8-jre-headless; however:
  Package openjdk-8-jre-headless:amd64 is not configured yet.

But we have dpkg configured to not install any man page in the images.

Reproducible with:

Dockerfile
FROM docker-registry.wikimedia.org/stretch:latest
RUN apt update
RUN apt install -y openjdk-8-jre-headless

Package has version 8u302-b08-1~deb9u1

gerritbot added a comment.Sep 27 2021, 1:39 PM

Change 724065 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] dockerfiles: fix update-alternatives for java8

https://gerrit.wikimedia.org/r/724065

gerritbot added a project: Patch-For-Review.Sep 27 2021, 1:39 PM
gerritbot added a comment.Sep 27 2021, 1:41 PM

Change 724065 merged by jenkins-bot:

[integration/config@master] dockerfiles: fix update-alternatives for java8

https://gerrit.wikimedia.org/r/724065

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2021, 2:10 PM
gerritbot added a comment.Sep 27 2021, 2:23 PM

Change 724076 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] dockerfiles: fix more java based images

https://gerrit.wikimedia.org/r/724076

gerritbot added a project: Patch-For-Review.Sep 27 2021, 2:23 PM

Change 724076 merged by Hashar:

[integration/config@master] dockerfiles: fix more java based images

https://gerrit.wikimedia.org/r/724076

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2021, 3:10 PM
gerritbot added a comment.Sep 27 2021, 5:16 PM

Change 724132 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] dockerfiles: update apt repo for java8-scala-spark

https://gerrit.wikimedia.org/r/724132

gerritbot added a project: Patch-For-Review.Sep 27 2021, 5:16 PM
gerritbot added a comment.Sep 27 2021, 5:21 PM

Change 724132 merged by jenkins-bot:

[integration/config@master] dockerfiles: update apt repo for java8-scala-spark

https://gerrit.wikimedia.org/r/724132

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2021, 6:11 PM
hashar added a comment.Sep 27 2021, 6:48 PM

That was a not so fun trip but all images should have been updated. Gotta switch the Jenkins jobs to the new versions now which is yet another endeavor.

gerritbot added a comment.Sep 27 2021, 7:14 PM

Change 724156 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] jjb: update jobs having a Stretch related image

https://gerrit.wikimedia.org/r/724156

gerritbot added a project: Patch-For-Review.Sep 27 2021, 7:14 PM
hashar mentioned this in T276417: CI should validate that the pecl tarball contains all the necessary files to build the extension.Sep 27 2021, 7:22 PM
Stashbot added a comment.Sep 27 2021, 7:24 PM

Mentioned in SAL (#wikimedia-releng) [2021-09-27T19:24:45Z] <hashar> Updating Jenkins jobs using a Stretch related image to latest version of the image. https://gerrit.wikimedia.org/r/c/integration/config/+/724156/ # T291425

hashar closed this task as Resolved.Sep 27 2021, 7:25 PM
hashar claimed this task.

Should be good. We shall see whether something ends up being broken on October 1st UTC.

gerritbot added a comment.Sep 27 2021, 7:26 PM

Change 724156 merged by jenkins-bot:

[integration/config@master] jjb: update jobs having a Stretch related image

https://gerrit.wikimedia.org/r/724156

brennen moved this task from Backlog to Done on the Release-Engineering-Team (Done by Wed 06 Oct) board.Oct 4 2021, 11:28 PM
MoritzMuehlenhoff mentioned this in T283165: OpenSSL < 1.1.0 compatibility issues with new LE issuance chain.Oct 5 2021, 4:30 PM
hashar mentioned this in T292485: docker-reporter-releng-images => docker registry: status=3/NOTIMPLEMENTED.Oct 5 2021, 7:56 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL