-
-
Notifications
You must be signed in to change notification settings - Fork 102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure the public Jenkins server #2108
Comments
I'd personally like to see this bootstrapped via ansible and that we also build a staging server to test out any major pipeline changes, jenkins upgrades, and so forth. |
re: #2108 (comment) - added to the requirements section |
@karianna Since you've been pushing for this and suggesting requirements, are you able to take ownership of this item and progress it? |
I can own it, but I'll be pulling in folks who actually know how to ansible :-). Typical Engineering manager eh ;-) |
https://github.com/jenkins-x/jx is something to explore |
I also think that for security we should disallow jobs from running on the master node unless there's a clear and explicit need for it. |
In addition to Shelley's requirements, I'm also going to add VPN security - this Jenkins should no longer be accessible on the public internet. |
To be absoltely clear here - that statement is about non-HTTPS ports right? |
After further investigation jenkins-x is not a great option as its pipeline implementation and syntax is not compatible with regular Jenkins, forcing us to have a massive rewrite (and forcing jenkins x on other vendors using our scripts). |
By using Ansible we can be fairly hosting provider agnostic. But we do need a provider that hosts a VPN easily and has sufficient disk storage (3-4TB) at a decent price point. |
We'll prototype:
|
As discussed elsewhere while the full set of items descried in the prototype comment above has now been put on pause we should as a priority look at upgrading the OS underneath the jenkins server (ideally to 20.04) after taking a Hetzner snapshot to avoid any problems with the OS upgrade. |
Eclipse WorkGroup finance approval acquired for the snapshot costs |
Jenkins now upgraded to the latest LTS version (2.387.1) and all plugins updated to latest other than |
This has now been installed alongside last week's jenkins upgrade. |
Now all removed other than bethgriggs on the release notes job, and an explicit entry for anonymous on build-pipeline-generator. |
@karianna Are you still planning to own / interesting in persuing looking at moving the jenkins server setup/config to configuration-as-code with ansible as per the earlier comment? |
@karianna I'm also going to suggest we schedule a maintenance window on the first Tuesday of each month to perform jenkins plugin updates and Jenkins LTS updates that are required (and also use that day for patching other infrastructure servers, although jenkins should always be the priority). This should generally us two clear weeks after the upstream openjdk releases. If more time is required due to release issues we can move out to the following Tuesday. Jenkins patch levels for LTS releases will come out every four weeks so we may have a delay in picking up new ones. We should monitor the types of fixes going in and see if delays caused by doing it on the first Tuesday are likely to be problematic from a security perspective. We currently have quarterly listed in the infra readme (although we haven't been adhering to that) but I think that doc should be revised to be monthly. How does that sound? Security updates to the OS are performed via a cron job on Sunday at 5am and recorded in /var/log/apt-security-updates. We should look at storing the |
I ungracefully remove myself from owning that - I'll never get to it I'm afraid. |
Thinbackup plugin has been adjusted to do a full backup on the first of the month and incrementals for the rest of the days as per #1295 (comment) |
On the basis that the original concerns about stability appear to no longer be valid, and this issue is titled as a security one I'm going to revisit the criteria for closing this issue. A backup server would be desirable (or even a way to spin up a docker container with a comparable configuration for local testing) although we would generally not want it be identical as we wouldn't want it to interfere with all of the production machines. I will create a separate issue from this one to determine feasibility and implementation decisions relating to that for the future.
|
Backup verification is going to take a little longer. There are some issues with the restore not quite recovering everything - possibly because the thinbackups are aborting part way through. Will continue to progress it, but the thinbackup does contain enough to recover (re-download) the plugins, although when recovering to another server the GitHub authentication plugin won't work (and actively prevents the server from restarting so you have to remove it from the |
With a successful backup taken ( Alternatively:
[*] - For step 5, nNote: while you can click the "restore plugins" that will download them all again from the internet, which isn't needed if they are included in your backup. If you do make it download and you have them in your backup, then the log will get Note that during the final startup I got a lot of |
The creation of the backups appears to be failing when using the (NFS mounted) backup file system on the server. After about 8 minutes it gives this message: So in order to fix this and produce useful backups we'll need to resolve the performance issue on the backup drive, or backup locally and have something else move them onto the backup drive separately. FYI @karianna |
Hmm,, annoying that we don't see the true underlying cause. I wonder if we can test writing a large file from the O/S |
The (NFS IIRC) filesystem is noticeably slow so that can definitely be reproduced outside Jenkins. It's writing the individual files directly to the filesystem as opposed to a zip file so a lot of individual random wires to open lots of files which won't be helping |
I'm going to close this now. Remaining action items that are explicitly planned can be done in the separate items mentioned elsewhere in this issue but we now have policies in place for keeping the server up to date. |
This issue is to encapsulate the requirements and work needed to replace our existing Jenkins server with a new one:
Existing Jenkins server is suffering from some instability. Recent difficult updates have shown that we need a better disaster recovery plan (this is also related to: #1295) It is also a ubuntu-16.04 machine. For all of these reasons, and likely reasons not yet listed, we should begin the work to replace the existing Jenkins server with a new one.
Requirements:
Please explain what this machine is needed for:
Considerations:
The text was updated successfully, but these errors were encountered: