Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Jenkins / Infrastructure Project / 11 May 2021
Jenkins / Infrastructure Project / 11 May 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: 2021 05 11 Jenkins Infra Meeting

Description

Jenkins infrastructure meeting May 11, 2021. Meeting notes at https://hackmd.io/DwlxD9ljRsCY8RxRg88HXA .

Topics included
* LFX Security scanning project
* JEP-229 to increase the security of the Jenkins delivery pipeline

A

Hi everybody welcome for this new jenkins infrastructure meeting. We we have quite a lot of topics to cover this meeting, especially considering that we had um to stop the meeting last week a little bit earlier. So the first one topic that I want to bring here. We started discussing briefly last week, which was: is it the right time to bring by confluence on the jenkins project?

A

I really invite you so we started the discussion on the mailing list, jenkins infrastructure meeting list. I really invite you to join the discussion and to provide inputs.

A

I think here we are trying to solve different things. um So, yes, I'm really looking forward to have your feedback on that topic. The next topic that I also want to talk to cover. Now we had a discussion with, like with the linux foundation, for an opportunity to use a tool named lfx.

A

So lfx is an interface in front of sneak, and so it's a tool that we can use to analyze security issues on the project. So, by default it's enabled on the jenkins ci organization and we have a small group of people who are testing that and we could also enable that on the jenkins infra organization, so we have to approach here either we enable it on every teach repositories that we have on the jenkins infrastructure.

A

Are we identify a small group of repositories that we want to analyze and based on that? um If, if everything goes well, um maybe we could, I mean, extend the usage. I don't know if you have any expectation on this topic, I would be really interested to also hear about them. So oleg started also a discussion on the mailing lists quite recently, so I would be really interested to have your feedback there as well.

A

From my point of view, the next step I will just enable I was maybe thinking to take small kit repositories, maybe just on a docker images or something like that. The.

B

Idea.

A

Is really to try to see? I just don't want to put too much pressure on the on the infra team in the coming weeks. An expectation on this.

B

So so this is the lfx security and what it does is it provides scanning of images so scanning of docker images. Does it also scan source code.

A

Or is it it scan the source code, but my understanding is that we can also use it to scan the docker images published on the github.

A

So I I still have basic knowledge because it does not provide all the features from sneak because it's a layer on top of sneak. So maybe all I can provide more information on that topic.

C

Yeah, I'm here just a second stephen ideal- is also joining uh because.

C

So we were in the hangouts meeting because apparently it has been added to the calendar again.

D

Just.

C

Ignored it, though, okay, so the question is about the effect security right.

A

Yeah, the question was: how can we integrate at fx security with the jenkins infrastructure project? So the idea here is: we have around 100 page repositories. We have different kind of application, we also have docker images, and so the idea here would be to identify a small group of projects that we could use just to understand how the process work and how we use that tool efficiently.

E

Yeah yeah, would you um do you need a overview of kind of what I'm hoping to do to integrate it or if you have, if you could do a quick.

F

Overview here that would be really.

A

Great.

F

Yeah.

A

Yeah.

F

Okay, sure, let me uh is it possible that I could screen share with so you should. Let me just stop share my.

E

Okay sounds good. I will uh do a quick thing here so um yeah I sent uh I've been sort of reaching out to the community members um to discuss kind of what's involved with uh integrating lfx security version. Two uh you guys may have um seen the lfx security um oops should have came up right security here we go. You've probably maybe seen uh the v1 system that we have.

E

This is um our interface for this, and um if we look for you know just the jenkins or other projects they happen to be here, it provides sort of just a roll up of only vulnerability. So this is snick.

E

Data. Snick is one of the two vendors that we're working with this one just looks at dependencies and stuff like that for version two we're actually bringing in a new vendor.

E

This is a tool called blue bracket which does uh uh code secrets. So if I were to log in this is their interface, it's a bit clunky. So please bear with me and it's a bit slow, um but we're going to bring all the data that they collect, as well as the snick data into uh our new portal.

E

So if I go back to snick one of the things that we're gonna inherit we're re-architecting it where previously we were scanning all the repositories, we were collecting all the data and then presenting it for version two we're actually going to have uh snick do the scans um that allows us to yeah their their website's kind of bad. So sorry about that, but uh what we're actually going to do is snick is going to be responsible for scanning the repositories.

E

That means that we're going to inherit all of their new capabilities that they've added recently, which does include the docker images. It includes net projects, things that we haven't um brought in uh to our platform. Yet so we're gonna, let them sort of do all the scanning on their side in their infrastructure and then we're gonna, actually just aggregate those results and present it to everyone in our portal.

E

Blue bracket again is the second vendor that we're going to do we're working to pull in information from here. What we're going to get in blue bracket is things like passwords tokens, jwt secrets things like that, so this tool is designed just to identify.

E

You know any mistakes the developers have added to the repository. That includes, like things that are a little suspicious, it might be, might be an aws id might be an aws token. Maybe not maybe it's a you know, credentials for a test environment, so those are going to be uh brought into the console so that the community members and maintainers can review that and then they can make a hard decision. Whether or not you know this information is uh suspect.

E

You know one of the things we're gonna have to work with this vendor is like okay, the zoom password. Is that really like a secret? Is it okay if we share it with the community in a lot of cases like this case here like yeah? It's fine, yeah, just click it and you can come into the zoom other cases where it'll help identify as like.

E

If a developer accidentally included like a terraform state file, which has happened, a lot which happens to have you know aws credentials, so those types of things will be brought in with this tool, um so we're hoping that we get some feedback from. You know our pilot pilot uh projects, so you can kind of see if this tool is useful, is it is it too noisy? Can we maybe tweak how we filter the data such that it brings awareness?

E

um The other thing I want to mention really briefly, and I can pause it ask questions. Is um this tool here goes to the entire get history, so if you you may uncover or unearth a token that was committed like six months ago, perhaps by a developer, who has left the project or left the community.

E

So this will go through all the git history and do that one thing: we're also hoping to get access to for the v2 platform on snick we're going to add sort of a remediation link or a mechanism such that the community members.

E

You can see the vulnerability, uh you can click which will take you and do an sso log in all the way to the slit, the snick console and then from there you can decide if you want to create a pull request to fix it right. So maybe a lot of times the vulnerabilities will have a just diversion bump. That would resolve it. Maybe it's a node.js problem, or you know some javascript library or a java.

E

um You know logger problem or something, and maybe you just need to bump the library so we're going to take you um through the through our console over to snick through sso, so you don't have to log in again and then you can decide uh how to fix it for blue bracket. We're going to work with them on how to fixing like uh passwords that were committed six months ago is a bit of a problem.

E

You have to actually go and rewrite a bunch of uh get history if any of you guys are super familiar with that. That's a pain in the butt. um The last point I want to bring up about lfx security version. 2 is um given that we're um we're sort of pushing a new strategy for uh managing access to your repositories.

E

So, instead of me creating a personal access token, and then me cloning, your project and then me scanning your project with my personal access token and getting details and querying the languages, and you know the commit details and all that stuff we're actually going to be using a github app, which some of you may be familiar with, and if we part of this is to allow us to get do this at scale. So what happens is with the github app approach?

E

We can install a bot into your organization which essentially gives us a finite set of permissions, and I've enumerated the permissions here.

E

These are examples of some of the details that we can access in your org and what we get is like 5, 000 requests per org so that for each of the lf community I can have you know multiple instances of the bots all over the place and it scales a little better and I've enumerated on this one confluence page that we have uh the minimum set of restrictions that we think we need in order for the vendors blue bracket and snick to be able to scan your repositories.

E

um Yeah, so that's this. A big whirlwind of updates on the differences between v1 and v2 security sounds like the jenkins infra project is a smaller subset might be a good candidate. We can choose one or two repos to sort of evaluate this, but we are looking for feedback and early adopters to see if it's. uh If this whole flow works.

C

Are there any particular technologist texts, you're focusing on uh because yeah the infrared repository has so many different technologies due to various historical reasons? So you, if there's something you can feedback for particularly.

E

um What was your question specifically yeah, so.

A

Okay, so the question: let me explain that in different ways, so we have quite a lot of different git repositories. We have a lot of different application, custom application. We have terraform, we have helm, we have communities, we have puppet, we have. I mean we have quite a lot of stuff in the guild repositories, and so the question was: is there a specific project that we should start with.

E

Yeah good great point, good point. um So, let's, let's talk about each uh of our vendors, so one snick is mostly focused on you know software projects not not a lot of ci cd like terraform and puppet and chef.

E

They can probably look at like chef and look at the dependencies. It pulls in and then report. If there's some known vulnerabilities and maybe some network tools or whatever. So it's just going to look for dependencies of those tools. So if they're in a manifest file, then those are good candidates that snick can easily scan for for blue bracket the code secrets.

E

It doesn't matter right, it's just looking for you know, keywords and passwords and and things that may have been committed in your git history, so it'll work regardless of the technology I wanted to mention. Also that we are reaching out. uh We got a demo last week. I think there was a a company or a vendor that specifically um was looking at terraform data, so it was like uh forget the vendor name. It was like tariff terraform state or something, but they actually um were focused on applying policies to terraform to see.

E

If you are complying with best practices, so they had like a list of you know, policies that you could apply to a repository and it would evaluate to see if you're in compliance and of course you can tweak the compliance uh stuff, but it actually had a lot of intelligence on you know. How are you using um ec2, you know and and all the other aws resources and ours is sort of the best way of going, so it make recommendations so longer term.

E

That's what we're also hoping to bring in more ci cd infrastructure tools uh within this platform.

A

Okay, that sounds great, but we also have custom applications. Let's say um you know the accounts app and stuff like that, so we definitely I mean we definitely have um places where we can. We could test and learn a little bit pizza too.

A

um Regarding the gita app app, I think what we can do with for the next step would just be to allow a specific key repository. So not the whole organization, but just let's say five, absolutely yeah. In that case, would it be possible to have access to the documentation that you just show about the permission that you need.

E

Yeah, I have um um so when you, when you click on the app, so what I would probably do is just agree with you like how many repos you want to bring on board um step. One for me is to uh just set it in my. I basically on board it and add some entries in my database step two is: I will give you a link to the github bot. You click on it. You decide if you want all the reposes, like you said, or just a subset.

E

You can review the permissions at that point. I can also give you or share with this group here.

E

I don't know if the links will carry over, but I can drop this in the zoom chat or maybe share it on slack somewhere. uh Those.

A

Are conditions yeah? Otherwise I think where I can have your email address, so maybe that would be fine.

E

Yeah.

A

Yeah exactly exactly so that yeah, I would be really happy to test that in our current workflow.

E

And then um so I I've I've reached out to the vendors and it's like, I think this is the minimum set, so I'm sort of also negotiating with them was like. Can you confirm, like the links I'll share with you, an email? If you give, if we do that I've hyperlinked the exact api calls that are going to be invoked for like reading the email or doing a web hook, there's actually a very specific list of api calls that are. uh Are there so yeah?

E

You can review that and decide if it's uh something that you're comfortable with or not.

A

Okay, but if we can do it, that per repository, that would be okay.

E

Yeah, so you just choose like when you uh set it up, you can just you, can select or do all yeah.

A

Yeah, that's awesome any other question for the other folks on the call, if I mean otherwise thanks thanks david for the presentation and yeah.

E

We're obviously looking for feedback um on the security tool and the experience ideally, um instead of me and you talking you could we would direct you to our console and then you could. uh We would give you permission, you could review it all point. Click point click and just do it yourself, but it's a little early phases we're trying to get the admin console going um yeah for now, we'll just do it this way.

A

And if my understanding is correct, the v2 is not yet available the what's not yet the the the via the v2 version, lfx v2. So.

E

We have our um developers are working on the, for example, the blue bracket uh representation. So all the data that's coming back, uh he's drawn he's taken that api from the blue bracket and displaying it. um So I think in the next coming weeks we're going to be adding that and so for you guys who have onboarded. I want to show that to you at some point and get you to start looking at it and then that's where I think uh you guys can come back and say: oh, this is this is good.

E

This is bad! I don't like this. Maybe you should change it. So you guys being early, you can help influence what it looks like and maybe we need to add filters and that sort of thing. So you can tell me.

A

Okay, thanks thanks a lot for your time.

E

Yeah, so should I uh drop now or should I.

A

Mainly, I think if we don't have another question, you can drop if you like, um otherwise you can stay with us as you wish. um We can. We we just talked about specific topics for the jinkins infrastructure, so um feel free to drop off. If you prefer. Okay, thanks.

C

Bye, thank you so yeah regarding the infrastructure actually wanted to ask what additional permissions agreements we need to start today. I'm understanding that olivier prefers to go ahead and try out uh some repositories and as long as we uh protect confidential content within the jenkins central organization, I think we could do that.

A

So I think yeah definitely. I would like to move forward with that tool. I would just decide on what we want to analyze first and just select a small set of heat repositories. I just don't want to introduce too much noise um because yeah otherwise we'll be just near those.

A

So now the question is what, because my understanding is, the v2 is not really yet um so we only have access to the sneak um yeah, so sneak, and so in that case it sounds to me that uh analyzing docker images is maybe better.

C

So document is a bit complicated because of our architecture.

C

Again, I'm not sure you will be able to use a standard github integration there, because we mesh multiple docker images within the same repository particular manager that are using our pipelines.

C

So I'm not sure whether it will work uh same for the most of them jenkins organization. We are waiting for way to specify, allow lists and analysis for cvs before that uh it doesn't make sense to adopt security in the main organization and we are waiting for sneak to deliver the future protesting.

C

So that's why we talked about infrastructure, because it seems to be one of the most straightforward ways to evaluate something. If you want to start now,.

B

Oh, like to be sure, did you, I think you said that they're, assuming that we don't have more than a single single docker file, for instance, in a repository that it's repository per so our docker docker, our docker repository, but.

C

Yeah in sync, there are two ways: one is github integration, which is relatively simple, and you can also use apis for any each case you may have, and the specific software effects security in the current state that you have no access to this apis and until they expose that full of execute to, for example, here what we're gonna do is, for example, submitting a plugin urgent is called bill of materials for analysis instead of standard maximal.

G

And what do you think about doing that in two times that first trying with the github integration on the.

A

Simple.

G

Docker image we have a bunch of docker dash something on the ntc which repository are public, so.

C

Will be try.

G

One and see the output from the tool before jumping ahead and integrating.

A

Yeah.

G

Maybe.

C

It's.

G

Misunderstood.

C

Because I already interpreted this junk.

B

You interpreted exactly what I was asking, so you you understood my question, but I think damian's got a very good insight that that there may be narrow, narrowly focused repositories. We could use first before we use the broad repositories.

G

For instance, this one this is the image we use internally, so that would be the first step, the the final target to be on the jenkins score and agent image is clear, but as a first step, I propose that we try, like the one. I've put that's an image that we use to run terraform on the ci.

G

It's one image, one repo one docker file.

A

And if we want to go one step further, we could also analyze the jenkins cell test or the jenkins weekly docker image, because it's a simple docker file and we have a double advantage there, because we may catch a horse from the jenkins upstream that we maintain as well. So I think, by carefully taking uh selecting the right hip repositories, um we could also have that could also benefit to the jki organization.

G

I can take the that task that initial tasks on the both to repository targeting the github integration. If someone can just point me the instruction or credential or whatever requirement on the helix edit fix stuff, if it's a cafe, unless someone else wants to take it.

C

Yeah david is ready to create a new organization for us because of the specifics of standard integration that you can have one github integration to one single organization, and basically it means just having one uh hot work. Of course, I do not think that it's any kind of concern, because there will be little to no overlap between central engineering ti in terms of configurations, so I think that we could start drinking some translucents and then figure out the rest later.

A

And something that I'm wondering, if it would benefit is to analyze um repositories like the plugin site, api or jenkins website, because in those git repositories my understanding is. We are more interested by our credentials that we would like, or something like that.

A

I'm just wondering the benefit of using such a tools.

C

Well, hypothetically, for example, pluginsight there might be xss somewhere in a component. We use yeah. I know that it's a long shot, but in theory it could be, and for us again it's evaluation for now.

C

So for me, it would be useful to just to get as many projects as we can relatively safely and get some results to see whether it produces complete crop or whether it produces something potentially feasible for this type of repositories and then iterate based on that, because, for example, if uh it produces, let's say uh five warnings for plug inside and this warnings are reasonable. Just for dependable to pick up. Okay, great, this tool works, let's keep it if it produces. Ten thousand uh fails positives so like for junkies plugins.

C

So then probably we shouldn't keep that doing, but it was trying.

A

So it sounds like we have kind of an agreement that we are all interested to move forward. Another question is: who will drive that project? We don't have to take a decision right now, but I think that would be a nice opportunity if someone is interested to know it a bit more. Obviously because of the topic, I would prefer to have someone familiar with the jenkins project, but I think that would be a great opportunity to delegate a little bit.

C

Tim, what do you think about this project? Euro, silent uh using the discussion? It's important.

D

I know I've just been burnt by snack multiple times before that, I'm interested to see how this goes, but I don't want to be too involved. I've had one very.

G

Painful interaction.

D

Recently and tried evaluating before and it just didn't fit for us, I logged into it basically and it opened 200 pull requests under my account and just completely spammed my inbox. I had to write a script to close them all it was. It was horrible. Well, I didn't literally write java code to do it, so I couldn't find any bulk way. There's no bulk way to close pull requests and getting notifications constantly.

C

Have a t-shirt about false positive stock, I believe from sneak or maybe from somebody else so next meeting I will be wearing this t-shirt. There guys.

A

On that, on that, on that noise topic, where I'm really afraid, I'm really afraid that um it analyzed the old history of the jenkins infrastructure to detect passwords that were leaked and stuff. Like that, I mean we modified that yeah. We.

D

Have had tools find stuff in ours before because of that, like that, wasn't in the current history, so we we opened up one get repo and it had like an old slack token in it and um get heart detected. It yeah tends to be really good for these things.

C

Request me to install git secrets on my laptop so that my chicken takes 100 times longer to complete I'm fine yeah. There are no finger pointing at all.

A

Yeah, okay,.

D

For.

A

Us, but no one wants to do. It sounds like we we still have. I mean the meeting is over in two minutes. Basically, so we won't have the time to cover the other topic. So is there a specific one that you want to briefly cover now.

C

So brief update on aws sponsorship, we might have good news on aws sponsorship, but it still needs to be concluded.

A

Okay, I was keeping that news for uh once we have more information. You.

C

Asked for a really quick update and it's exactly what.

A

I can say: okay thanks thanks alec um for starting, so alex oleg contacted amazon to see if we could renew the sponsoring program and um it seems to be um good but yeah we still have to to solve and to to fill some paper.

D

On the one note on the egypt 229, I've got a progress on jenkins.io documenting and recommending the jet 229 process for automating the plugin releases, moving away from people releasing from their laptops. um I think daniel raised a concern that it's more pressure on infrastructure um and I kind of documented two processes where, if different levels of infrastructure are down, you can work around it see any concerns about the recommendation.

C

I do have concerns. We still have a problem with releasing jenkins components, not from jenkins. So basically we say that if you use want to do continuous delivery for components, we would rather use github actions than jenkins. I understand that it's not exactly what we say, but it can be perceived that way and before we recommend the job 229 process. I think that we need to explicitly agree on that. So we had discussions at the contributor summit, but I believe they were inconclusive so far.

A

My understanding is that would be difficult to use jenkins instead of getting action, so I definitely share your concern. um I would also prefer to jenkins instead of get action.

C

Okay,.

A

But we have.

C

Multiple ways we can keep, let's say, jump to 9 in preview for now, until we totally upgrade that it's something we want to wider the adult. In this case, we keep this topic down the road. At the same time, we don't get quite adoption of the process for now or we do opposite. We say that now. Github actions is the future for continuous delivery of jenkins components and and yeah. Probably it gets a wider adoption but yeah. It sounds a bit weird to be honest,.

A

What I find weird is, I don't think, that's a topic that we should cover um in the jenkins super meeting, because it I mean it.

C

Was a governance making.

A

Decision yeah, I agree, definitely because what we can do in the jenkins enforcer infrastructure meeting is to identify ways to improve and to help. So if you want to move forward and implement a reuse, chep 209 and we have dependencies on infrastructure, maybe we can improve it in the monitoring house, I mean those are kind of things that we should discuss on the jenkins infra. um I definitely not about to definitely get the documentation.

C

From him merged uh to put a work in progress, preview notice for now um to have it listed from the navigation as preview, but not to switch it to the default recommendation for now until we reach the agreement. Thank you.

D

I don't know, um I don't think it's a government support thing. It's a part of the jet process and mailing in the mailing list, thing um yeah. So it's not governance.

C

Board this idea it's jenkins community deciding we have pending update to jab one uh but uh yeah. I think that we should explicitly reach a consensus in the community on this topic and once we reach that, then it can be applied.

D

um Did you want to erase that since you're the one raising the concern or.

C

I'm happy to be a little bit cooperate if needed.

D

Yeah I mean for me, the process is there and it is so much better than the process that we currently have. It's so much easier. um Nobody argues.

C

With that and whatever we do, we need to keep this automation.

C

The question is whether you want to keep it in github actions as a final implementation or whether we just use it as a prototype and then applying some magic passes and get it running. Conjunctions.

A

Again again, I don't think that we should take. I mean discuss much about that here, because it's definitely the best place, um so I just proposed to ibm.

A

So I just purpose that we continue that specific discussion on the mailing lists, so we have more people.

C

Yeah just trying to explain that I am not trying to say track job two to nine uh but yeah. I would like to ensure that we have consensus before we make it a default recommendation for users.

A

So yeah um on my side, I just prefer to move step by step. So if we already have something working, we could also improve the situation later, um but yeah again, I propose that we because we are forming over the meeting. So I propose, as you stop the meeting here and that we continue the discussion on the mailing list.

A

Thanks everybody for your time and see you on rc, bye,.