Page MenuHomePhabricator
Create Task
Maniphest T291458

Rebuild production Stretch images with GNUTLS/OpenSSL updates for LE issue chain update
Closed, ResolvedPublic
Actions

Description

T283165 updated the production servers, but if we still run production images on Stretch we need to rebuild/redeploy them with latest Stretch:

The expected version numbers are
openssl1.0: 1.0.2u-1~deb9u5
gnutls28: 3.5.8-5+deb9u6

Details

ProjectBranchLines +/-Subject
wikimedia/portalsmaster+1 -1pipeline: switch to newer, buster-based image
wikimedia/portalsmaster+2 -2Update blubberfile to avoid specific versions of parent images
operations/docker-images/production-imagesmaster+4 -3Fix openjdk8 images build
operations/docker-images/production-imagesmaster+24 -0Update a few stretch-based images for openssl / gnutls updates
Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Sep 21 2021, 8:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 21 2021, 8:12 AM
Joe changed the task status from Open to In Progress.Sep 21 2021, 9:01 AM
Joe claimed this task.
Joe added a comment.Sep 21 2021, 9:25 AM

The debmonitor query for libssl 1.0.2 tells us it's mostly images under the /releng prefix.

In addition, we have the following images:

  • graphoid Decommissioned
  • fluentd Decommissioned
  • nodejs-slim old stretch-based nodejs image, needs updating
  • ruby which is still stretch-based, should probably be bumped at least to use buster, and is apparently unused by releng or anything else.
  • wikimedia-portals just needs to have its blubberfile to be updated not to pin specific versions of the images.
Joe added a comment.EditedSep 21 2021, 9:36 AM

The debmonitor query for | libgnutls30 tells us again it's mostly releng images, plus:

gerritbot added a comment.Sep 21 2021, 9:42 AM

Change 722565 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/docker-images/production-images@master] Update a few stretch-based images for openssl / gnutls updates

https://gerrit.wikimedia.org/r/722565

gerritbot added a project: Patch-For-Review.Sep 21 2021, 9:42 AM
Stashbot added a comment.Sep 21 2021, 9:44 AM

Mentioned in SAL (#wikimedia-operations) [2021-09-21T09:44:58Z] <_joe_> deleting images for graphoid, T291458

Stashbot added a comment.Sep 21 2021, 9:46 AM

Mentioned in SAL (#wikimedia-operations) [2021-09-21T09:46:08Z] <_joe_> deneb:~# docker-registryctl delete-tags docker-registry.wikimedia.org/fluentd T291458

gerritbot added a comment.Sep 21 2021, 9:58 AM

Change 722565 merged by Giuseppe Lavagetto:

[operations/docker-images/production-images@master] Update a few stretch-based images for openssl / gnutls updates

https://gerrit.wikimedia.org/r/722565

Stashbot added a comment.Sep 21 2021, 9:59 AM

Mentioned in SAL (#wikimedia-operations) [2021-09-21T09:59:27Z] <_joe_> rebuilding openjdk8* image, ruby, nodejs-slim for T291458

Maintenance_bot removed a project: Patch-For-Review.Sep 21 2021, 10:10 AM
gerritbot added a comment.Sep 21 2021, 10:11 AM

Change 722572 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/docker-images/production-images@master] Fix openjdk8 images build

https://gerrit.wikimedia.org/r/722572

gerritbot added a project: Patch-For-Review.Sep 21 2021, 10:11 AM
gerritbot added a comment.Sep 21 2021, 10:20 AM

Change 722572 merged by Giuseppe Lavagetto:

[operations/docker-images/production-images@master] Fix openjdk8 images build

https://gerrit.wikimedia.org/r/722572

Maintenance_bot removed a project: Patch-For-Review.Sep 21 2021, 11:10 AM
gerritbot added a comment.Sep 21 2021, 12:59 PM

Change 722606 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[wikimedia/portals@master] Update blubberfile to avoid specific versions of parent images

https://gerrit.wikimedia.org/r/722606

gerritbot added a project: Patch-For-Review.Sep 21 2021, 12:59 PM
gerritbot added a comment.Sep 28 2021, 4:25 PM

Change 722606 merged by jenkins-bot:

[wikimedia/portals@master] Update blubberfile to avoid specific versions of parent images

https://gerrit.wikimedia.org/r/722606

Maintenance_bot removed a project: Patch-For-Review.Sep 28 2021, 5:10 PM
gerritbot added a comment.Oct 4 2021, 10:01 AM

Change 725765 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[wikimedia/portals@master] pipeline: switch to newer, buster-based image

https://gerrit.wikimedia.org/r/725765

gerritbot added a project: Patch-For-Review.Oct 4 2021, 10:01 AM
gerritbot added a comment.Oct 4 2021, 10:05 AM

Change 725765 merged by jenkins-bot:

[wikimedia/portals@master] pipeline: switch to newer, buster-based image

https://gerrit.wikimedia.org/r/725765

Joe closed this task as Resolved.Oct 5 2021, 6:45 AM
akosiaris mentioned this in T283165: OpenSSL < 1.1.0 compatibility issues with new LE issuance chain.Oct 5 2021, 4:23 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL