Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Jenkins / Platform SIG / 23 Sep 2022
Jenkins / Platform SIG / 23 Sep 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: 2022 09 23 Platform SIG

Description

Jenkins Platform special interest group 23 Sep 2022

A

Welcome this is the Jenkins platform segmenting September 23 2022, that is Right today uh welcome everyone. Thank you for being here Mark. Today we have quite a long list of items to have a look at in the agenda, so we have open action item four Mark, of course, uh a little subject about whisk risk, 5 and Jenkins agents, container image, duplication for the blue, wish him container management for Jenkins agents. We have to talk about that.

A

Of course, we also talk about Java, 11 or newer for Jenkins core, of course, Java 17 support in Jenkins and also Java's 19, which has been released this week next week. We're gonna have uh devops world and Mark and I will be there. So we of course have to talk about that, and the last subject will be the supply and change security. I want to know more about that, because that's something I don't know yet. Mark will address the subject of course. First of all open Action items, Mark agent of CI Jenkins io on ppc64le.

B

So still still, the I saw that the ci.jenkins.io agent actually is still running there, so that part is still functional, but I still have not shared the credentials and I've I've got on my own setup. I've got a problem with it that I need to investigate that I'm, not sure what's going on, so that will that will need further investigation after devops world. So.

A

You have your own ppc64le, actually.

B

I just use the same computer I just have a different user account borrowed the same computer and and.

A

That way, I know when.

B

It's behaving or not: okay,.

A

That's a platform I don't own, yet.

A

We see some of them are difficult to have like so s 390, that's something I will have with me in the office anytime soon um speaking of platform.

A

Next one is a short subject, but um the other day Michael hurt organized a giveaway uh to get a mq pro so that a small, very small SBC, with a risk 5 just one core one gigabyte of ram, but it's a nice board anyhow and believe it or not I put an entry and say that oh I would like to try a Jenkins agent on that and I won, so I should receive by next week.

A

Maybe um at devops wall uh I will maybe get it there or when I come back so that I could, with lots of quotes. You know, uh try along the way to get Jenkins work on that and, of course, to get Jenkins agent working on that. We have to be sure that Java works. There are some GDK available for risk. 5. I will take some time to evaluate if that works or not, and I'd also love to run a Jenkins agent with Docker, so Docker is also available.

A

All of that is very early stage, so don't expect that something will be available in the next week also no way, but anyhow I would be glad if we could have another platform. Another architecture available for Jenkins agents.

A

uh Next topic mark this one will be for you a container image deprecation for the blue ocean container. I know you did a wonderful work with Kevin, um letting everyone know on the Jenkins IO website just about everywhere. You know uh you, maybe you should get rid of blue ocean because it's not it um I mean bugs will be fixed, but that's all you don't. You shouldn't, expect new features or anything like that and, of course, blues and containers will have the same fate one day or the other. So.

B

Well and the containers, it's even a worse story, right we've, whereas blue ocean is being actively maintained, at least for bug, fixes the the blue ocean containers we're lucky that the automation is working that gets them new versions, uh because none of us are doing active work to to care for those the the operating system image underneath it is not being updated. There are all sorts of sort of Legacy problems hiding there and we stopped over a year ago, referencing those so this. This is very valuable.

B

However, it's going to have to wait till after devops world before I make any progress on it, we'll just keep it on the list and continue reminding ourselves.

A

Yes, we definitely have to um so. Yes, we will have to write some documentation on lots of different places and find a way to communicate to users and admin, but this will be a work in progress. It hasn't started yet. But yes, that's something we'll address in the coming platform. Seek meetings now container repository management for Jenkins agent? Yes, I can testify. This is not the simplest process ever I.

A

Remember making some proposals a pull request to change something in the Jenkins agents and well I think we missed a version of a version for specific agents. So it's not easy even for the pros. So yes, definitely we have to do something to simplify the release process right, yeah. Anything.

B

You would add the market just that we'll we we want to discuss it at the contributor Summit or at devops world, because this is one that Tim Jacob has some insights. Damian de portal has some insights and they may have have Notions of how we should do this.

B

That would be better and if we discuss them around a whiteboard in 15 or 20 minutes, things will go well, so we may, for instance, host that discussion in the Jenkins booth at devops world or those kind of places just find a time when we can get together and say, hey. Let's, let's talk about this to see where we think it should go.

A

Yes, that definitely the place in the moment where we should discuss that, because it's difficult to find uh right time to discuss that with the right person and the contributor submit and Devil's World 2020 will be the time and the moment and the place anyhow. Cool next subject uh is required. Java 11 have seen some news uh this week, not really news, but you know amazing that some people were still working on getting rid of the GDK 8 links somehow, because some things are still referencing gdk8. So there are still minor tasks ongoing.

A

So it's written that it's not it's merged, but not yet released for the docker agents am I right actually.

B

And I think I think it's still in progress I'm, not even sure. Oh no, it has it has merged yeah. So so your your Note is correct. I'm impressed I thought that it was yeah. It was actually merged to the review. Yeah. Okay,.

A

Good work- and it's also not um plugins beginning to require Java 11.. Yes, there are so many plugins. We can't require Java 11 for all of them, so, of course, this will take some time depending on the time maintainers have and the emergency or not. Is it monetary to do it as soon as possible? Or can we still wait, but anyway, it's not a good idea to keep working with you yeah eight. Now that GDK 11 is at our door.

A

Okay, yep.

A

Thank you uh now time to talk about GDK 17 support in Jenkins. It's been quite a few weeks or months even now that we are working more and more, with GK 17, even from the infra CI, and for the time being, nothing alarming. Everything seems to be okay, ish.

B

Yes, yeah as far as well so we've had specific reports about specific problems, uh one related to active directory and those problems are being investigated and worked. So it's not nearly as stable as Java 11 is across the whole Suite of plugins, but still making good progress.

A

That's good news. No uh 19 has read that should be good news, but if you like to work more, that's good news. uh I. Think you told me yesterday that The Groovy upgrade required to remove illegal access. Warnings will make Jenkins contributors quite a lot of work.

A

In fact, because that's a message we see more and more in lots of plugins even in Jenkins score, I, guess so, yeah I guess a lot of people will have some tightening to do with the screws in various places to get rid of these illegal access, which will now be errors and not just warnings, am I right.

B

Yeah and- and it at that I'm not sure so I'm going to change the phrasing it's the docker upgrade may be required. Oh okay, because I I don't have an answer to the first question. Is it now blocked and right now don't have time to investigate, to see.

A

We still have time. I was totally a drama queen. We got in that illegal access right, but okay, we'll see that maybe okay I prefer that, let's investigate before being so dramatic. Thank you anyhow. That's the subject. We have to work on uh in the coming months or years we'll see next week is devops world uh 2022 Orlando how how come so early so Tuesday uh we'll have the contributor Jenkins contributors Summit the whole day with lots of contributors.

A

I'm really excited when I saw the list of people who were coming to address and also the agenda, because the subjects are really really interesting and, as I said before in this meeting, uh that's a perfect place and time interviewer to discuss with the right people of the right subject for Jenkins. That would be amazing, I, guess, I'm sure.

A

um One other subject related to platform will be with AWS people talking about ec2 instances of Mac OS. They have published a blog post in jenkins.io last week, I guess regarding the subject that looks pretty.

A

Difficult for QB um for me, it has always been difficult to work with Mac OS in the cloud and it looks like they simplify the process, but it's still kind of complicated. It's not as simple as getting something running Linux you know, but we need that as iOS developers or Mac OS developers. Of course we need to have something exactly working and I hope that it won't be magic anymore after the talk and contributor Summit we'll see, and they will also be from time to time in the AWS Booth.

A

So if ever we still have some question, we will be able to ask them later on during the whole devops world, 2022 anyhow last subject that I know nothing about. Mark is supply chain security, so.

B

So would you tell us a few words about that, so the ins, the the prompting for this one, is that about a year or two ago the US government um issued a some instructions. That said hey. We expect things to improve with regard to software software Supply chains, so that people know with confidence the source of the of the software component, they're they're consuming and one of these.

B

These Concepts was a software bill of materials or s-bomb, and this s-bomb concept is now apparently getting even more attention, and so it's probable that we're going to need to add some Jenkins capabilities to be able to easily and smoothly generate software bills of materials.

A

And okay, hopefully we're not working with npm.

B

Well, you you make a you make a good point, because there are many different systems that manage dependencies right. There's, there's the maven dependency system, there's npm! There's the python pip dependency system, there's the ruby gems dependency system right. Each of them has interesting and useful things in a CI context that may need consideration as part of this kind of effort.

B

Our most immediate is probably the Java infrastructure or the Java Java world and Maven, because that's where the bulk of Jenkins, plugins and core are built, but but it needs more discussion, so software bill of materials is one piece of it.

B

Then there is an additional initiative from the Linux Foundation that is attempting to make it much easier for software for people who are delivering software to sign their components with a a verifiable signature, so that others can assure not just what the software bill of materials might say as to what are the components of this thing, but also here's evidence that the entity that said they were creating. It is actually the entity that did create it.

A

That's unfortunate, you know I'm supposed to give a talk next week, and one of the main thing I want to address is that mobile cicd is very different for other software, because you have to sign it. You know it's mandatory and okay.

A

Well,.

B

And.

A

And not.

B

Anymore, no well, but your point. Your point is very well taken because we've had to sign for many years. Windows installers and the Jenkins Windows installer has been signed for years, but it's managed as a very very carefully administered one-off process, because the signing signing certificate is secret right and we we can't expose it everywhere. This.

B

This signing of components technique, is attempting to make it much much more accessible to mere mortals like me, without requiring that I have to go pay extra money to buy a signing certificate and I have to go through a long credentialing process to prove that I am who I said. I am to the certificate. Authority, though there are all sorts of complexities in these signing experiences that this this Linux Foundation component is trying to remove or reduce the the friction between software developers and the signing process.

A

Okay, because when you someone say signing, you know most of the time, I've got my hair on the neck raising up, but if they remove all the pain points, I'm all for it. Well,.

B

And that's it's it for me, the it's analogous to the kind of initiative that the people who are behind, let's encrypt did when they made SSL security for websites much much more approachable there. It's still non-trivial, but it's very much more approachable and it's not costing thousands of dollars to SSL secure a website anymore, and this is the same kind of initiative. Initiative I, think, let's bring it to the individual developer, the ability that they can with confidence sign a component so that others know. Oh. This was signed by by my authorization.

B

Yeah, there's there's an awful lot to be learned there and I'm the wrong person to talk anymore about it. You we have exhausted my total knowledge up to this point. I've I've, shared everything I know thank.

A

You I, don't know anything about it. So now I know well.

B

And and it'll, that's part of the part of the power of discussing at the contributor Summit or in at devops World in the in the quiet hours is that we can learn from others because, for instance, is quite interested in this and he'll be there, and we can talk with him and see what he knows and I suspect that there are other players in the Jenkins Community, who are also already more aware of it and can guide us on what sorts of things should be considered.

A

I see that was interesting anyhow, any other topics you are thinking of Mark, none from me. Oh, it looks like we're done pretty efficient meeting once more. So if you don't have any other remark or question, let's um make it decide it's done. So the recording should be available from 24 to 48 hours and see you in the next platform, C ready to.