Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Jenkins / Platform SIG / 4 Dec 2020
Jenkins / Platform SIG / 4 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: 2020 12 04 Platform SIG

Description

JEP, Windows, Docker, Bugs, and PRs

A

All right welcome everyone. This is the jenkins platform special interest group. uh It's the 4th of december thanks for joining us. So here's what I've got as agenda topics, open action items.

A

And simplified labeling of docker images proposed by jim crowley, then windows, docker, images for ltsc, 2019, gareth, docker image, support idea, official versus unofficial, alex a proposal for me to add gareth as an image maintainer on the docker repository and setting a goal to set get the brand the master branch working on ci.jenkins.io.

A

Any other topics you'd like to.

A

Add.

A

Okay, then, let's go through action items. So, yes, I still have the action item. Yes, I think it's shaping now uh started the process this morning.

A

Last last evaluation checked various images for problems, and we have plenty of them that plenty of examples to use to highlight.

A

Plenty of examples to use as test cases.

A

In the in the jab, like dr debian 9, not end of life,.

A

Open j9, I need some maintainer etc. So I'll include those in that jet and I hope to get it done quickly. I'll send everyone. What I'll do is send everyone a draft privately likely so that we or would you alex, maybe you and gareth can give me insight. Should I submit it as a pull request in draft to the to the jab repository and we just do it in the in the jeff repository or the user. Worry that hey. This is going to be so controversial that we should review it as a group. First.

B

Repository and then like very few people like monitor that um repository, I think so until you send out the jet on like the dev mailing list or something like that, I don't think it's gonna have a lot of um like a lot of people are gonna, have an issue with it.

A

Okay, so you're, okay, with it being a draft pr- and we admit it's draft it it will- it may need radical changes, because I may propose something that is so controversial that we say: that's not acceptable. We've got to throw that idea out. Yeah great okay,.

A

All right next, one was centos option for adopt open, jdk alex anything you want to share there. Yes,.

B

I I have a. I should have a pr soon that um uses the yam repository from adopt adoptium, um so I'll, create the pr, and then we can have discussion on that pr just to see if people really care or not.

A

So- and that was a question I had there, I'm not I'm not confident that I detect signs of life on centos operating system. Docker images. Do we have active maintainers there that you feel like people, other people are interested in it.

B

Well, I know that there is recently some discussion that the centos images are the most secure. They have the they have zero cves when scanned in terms of the image. um So I don't know if that's going to cause more people to start using them or not, I'm not sure, but um it's it's possible that that that more people might use them. Since they have.

B

um You know less security, vulnerability, supposedly.

A

Okay, all right, so I I just haven't seen indications of a maintainer. You were a me who cares about and watches over them, but that's good to know all right.

A

Okay, just so discuss within the in the context of the pr great excellent anything else on adopt. Then.

B

No not right now, I think that's all.

A

Okay, I had a flag on a prepare, a blog post. I think I'm just gonna drop this. The the window of opportunity for me has passed or- or is your feeling that we should do this and use it as the way a chance to announce the deprecation of of install plugins.sh.

B

um

B

I don't know um I mean the other thing we could do is create a shim it like replace the contents of install plugins.sh and shim it to the plugin installation manager, and then people will be using plug-in simulation manager just without knowing it um there. There are some um differences between arguments between install plugins.sh and the plug-in the cli tool, but I think it could be used as a there could be a shim implemented instead of doing any sort of upkeep on that script um and just replace it with the shim.

B

Just just a one option.

A

I like that, I think, that's very attractive. Instead of removing it, we we leave it, but it becomes a simple call to a call directly to the plugin installation manager.

A

Bring people into the new world into the new tool without requiring that they change their scripts.

B

Yeah, so that's just one option: I don't know if it's uh we have a separate script right now, the um that is used as a wrapper around the tool it just. It just passes the options directly though, so it's it's slightly different, so this would be. I don't, and I I don't know if we want to put the effort into doing anything with install plugins.sh instead of just saying, hey move over. So those are just some options.

B

I think if we do decide to completely remove install plugins.sh at some point, I think I don't know if it necessitates a full blog post, maybe a post on the mailing list, the developer's main list or the user's mailing list. um I don't know if it needs a blog post. Okay,.

A

All right good, so that one I'm going to leave it sitting there and we may not need a blog post.

C

Is using a shim with that? Is that likely to introduce any um differences? I could could sort of downstream users of that er.

B

Yeah.

C

Oh.

B

Sorry there are some behavior between the cli tool and the script, um but I think that some effort has been put in to reduce that so we'd have to see if it was, and that's why I was saying: do we really want to put the effort in there to have some sort of translation layer, implement a translation layer and test it and stuff like that, so that that's kind of the trade-off? I would think.

A

Yeah and that isn't the trade for me, there seems like we're choosing.

A

If we, if we delete it entirely, there will be some portion of the users who the first they see of it is when they attempt to do a docker build and it falls over dead, whereas if we do a replacement with with known incompatibilities, they won't realize that they won't necessarily even detect the change unless they were using one of the incompatible setups.

A

Okay, great right, so that's a that's a decide. If a contributor wants to it is welcome to work on that and decide. Then right. You me whoever, if, if you feel like it'd, be valuable to assume that's a good idea.

A

Okay, anything else on that plug-in installation manager and install plugins.sh topic, no okay great. So we had one topic on jim submitting refinements for parallelization alex. I'm not aware. I haven't been following his his work there anything you want to report there or gareth anything. You've got.

B

I started looking at the pr I I need to um the the it looks pretty good I'll say that the the only question I have is how it fits in with the jenkins file, because that's kind of important how we actually invoke it. So I need that's kind of the part that jim says he doesn't have a lot of experience with, and so um so I need that's kind of what he wanted me to look at. So I that's kind of what I'm going to be looking at to see you know, is it easy?

B

Is it going to be easy to call from the jenkins file in a parallel way and and stuff like that, so that I I have started looking at it? I just haven't had a ton of time to dig deep into it.

D

All right super.

C

It's this because there's the other pr to introduce the declarative pipeline as well.

B

Yeah I was concerned about the declarative, just because we are introducing more of this parallel stuff that may need to be um scripted, um but we can definitely look at that too.

B

There there is the capability of doing parallel in declarative, so we just have to figure out if, if it's going to work with what we need to do.

A

Well, and the parallelism in gyms for multi-arch must be a multi-platform parallel right. It's got to do parallel, arm, 64, parallel z, series, mainframe, parallel powered pc and parallel amd64 or intel.

B

Right, okay- and I have a pr that um that adds those in the the multi-arc stuff, but it would need to be reworked once jim's stuff is integrated, okay got it and we need to have a stable power pc agent.

A

Oh, is it it's, it's not. It's not been holding stable. Well, I.

B

Haven't I haven't, looked and see if it's back up.

A

It is definitely online now inside jenkins., it's it's been been running quite well.

B

Okay, does it still have issues when you know, there's like a kernel upgrade.

A

I don't know that's a good question. I don't know that I've I've done a kernel upgrade since then. Okay,.

B

That's right, that was what I was wondering is is: does the kernel upgrade somehow cause problems every time, so that was just a that was what I.

A

Meant by.

B

Stability.

A

Right and that one I I don't know that I've done an operating system upgrade on it recently. So it's a good question.

A

All right, simplified labeling of docker images. I proposed we'd put that one at the bottom uh since jim's, not here we'll. Let him talk to it when he gets here, if he's here and if he doesn't make it we'll leave it off. The topics. Topic was docker images for ltsc 2019. gareth. You want to give us an overview there.

C

I mean no update really on that. We were holding off merging the pr until after the lts had gone out, um which so I believe um we can merge that one now, um which should give us the windows of coil, ltsc, 2019 jenkins image.

B

That's awesome.

C

I just rebased that with the latest um plugin manager update this morning, so that it should be consistent. I think it's two to zero. It's using across all of the images now.

A

Okay and- and I saw that oled has or that it has 2.3.0- has released, but we would do that consistently along all brands. All all platforms right now 2.2.0 is the the one we're delivering at the mall.

A

Yes, okay, great alex any objections from you on on that as a reasonable plan, and we look at the pr, I'm sure and finalize it ready to go.

B

Yeah, I think we're good okay, I'll I'll, actually I'll merge it, because I'm I'm happy with it.

C

One that one thing it passes first thing in the morning for me and then, if I run it in the afternoon, we get quite a lot of failures on that belt and we think that is down to docker hub rate, limiting.

B

Interesting.

B

Okay, oh because it can't pull or pull images.

C

Yeah, it doesn't give you a um a rate limiting error, but we think that we're doing the docker login too late in the process.

B

The so the it should be any docker command, though, should be using the docker config environment variable, which should have the credentials. That was my understanding. When I read through the information you shouldn't have to explicitly dock or log in. If you have the docker config set up, because it should use those credentials automatically.

B

But maybe we need to look at that in more in depth, because that's how we do it on ci dot jenkinson as we we have a with docker credentials or with credentials, and it provides a zip file that has the um the docker config information, the json file um that has a username and password and so forth or api token or whatever is needed. So my understanding of the docker config environment variable is, it should um do any sort of authentication needed.

B

So it may just be that we, our plan, is not uh we're not on the sponsored plan. Yet.

A

A well but olivier said that we definitely were.

B

Oh did it he. I thought he had said that we may need to change the creds.

A

Oh, oh, I had missed that.

B

But maybe maybe I I can go back and look at the mailing list, but I thought that was what he had said.

A

Interesting! Okay, so that that's certainly a a yeah, an interesting topic that I wasn't aware of. Okay, so.

A

Should already be should be already using the credits that we have because we've got them.

A

But but gareth you're you're absolutely seeing failures and and when we merge this pr, we may likely see another failure on.

C

Well, we'll we will see a failure on the master branch anyway, because that's that hasn't been working for a while, but so this morning, when I rebased the pr uh it it went through all the builds passed. um So I I seem to get more success.

C

I I haven't. I haven't, put this data into a spreadsheet or anything but anecdotally. I feel like I get more success in the morning, my time rather than in the afternoon, um so I'm yeah european time zone. So I wondered whether that was because changes come through a bit faster in the afternoon and yeah. We start hitting a rate limit or something like that.

A

So and what sorts of steps should we be taking there, then so, there's this this docker login pr gareth that you close now um is there something we should do instead or alex? Do you have a recommendation of what we should do? Instead, how should we approach this? Well.

B

The the failures are happening during the build right, not not direct, so so that wouldn't be the docker login stuff. I don't think um because that the the docker build there's, there's never a call to um docker login the make files, don't call that ever right. They just call docker build t whatever.

B

So, if it's failing during that time, then it's not. It has nothing to do with a docker login call.

A

Well, except that I thought that docker build would do a pull if it didn't have a portion of the image and that that that pull could be rate, limited or or blocked.

B

Right, what I'm saying is the the docker login pr that gareth had does not affect that right, because.

A

That.

B

Was that was part of the publishing to um like the experimental um that wasn't part of the build process, so what we need to do is we need to determine and see if there's a way we can figure out, if we're being rate limited via the docker api or something similar and put some debug statements in to figure out.

B

If that's what we're actually hitting, if that's what we're actually hitting, then we can determine how we can solve that problem, but we need to figure out why, if we are actually getting rate limited or if it's something where maybe the docker cleanup is not being um run successfully all the time, and so our the the images or the disks are getting filled up.

B

So we need to figure out why it's it's failing at that point, um I think gareth's uh information about it being related to rate limiting, would be great to investigate and to kind of zero in on that and determine. If that's the actual issue, we're running into.

C

What one of one of jim's prs had um he'd moved some of the some of these sort of docker login commands into like a common functions area, and so it may be worth pulling some of that into a smaller pr, so that we can start to. You know, use the same bits with some debugging in um throughout the scripts.

B

I know we went through kind of an effort previously when published experimental was failing with trying to add docker logins and things like that, and it actually caused problems because we had the docker config because it overwrote the docker config json file, um which.

C

Would make sense yeah.

B

So so that's kind of the reason that we haven't had the docker login in process, because the understanding was that docker config should take care of that. So we, but I think the rate limiting stuff is, would be good to look at and make sure we have the right credentials um that are being used so that it's a non-rate limited um the sponsored plan or whatever that olivier would know.

C

That's something I can invest. I can investigate how if we can pull that, um certainly like where we are, with a rate limiting backup.

B

You should be a trusted um account now on that repository, so you should be able to like make changes to the jenkins file in a par for debug purposes and stuff, like that. So.

A

Yes,.

B

Gareth is a maintainer.

A

Now.

B

On the not on the docker hub side, but he is on the he's been added to the um the github um docker packaging. I think it's docker packaging group.

C

Yeah, I can't merge, but I don't have mode rights, but I um I have noticed that if I change the jenkins file, I think I'm down as a contributor or something oh.

D

Okay, so.

C

So I can change the jenkins file and it does pick up my bills, but I don't have merge rights.

A

Got it? Okay? So so you so jenkins file changes are processed.

B

That's weird: you should be.

B

I'll look into that because mark you're able to merge, aren't you.

A

I am yes, I I definitely am yeah. Let me double.

B

Check gareth you're in the same group as mark on the team, docker packaging, so I'll we'll have to look into that more because that's um yeah! We should figure that out.

A

So here's here's what I definitely have merge permission right. I've got I've got the votes. Let's pick one, that's not got conflicts. uh How about this one? If I were going to merge this, I solemnly promise. I will not merge it, but let's look soon. It also has conflicts. Okay,.

B

uh The java ops, one uh 1025.

A

Oh, oh yeah, that's a good one right. I.

B

Think I don't think that one has any conflicts.

A

And there yes, so I definitely have merged permission. Okay, but but gareth you've confirmed you do not have merge permission.

C

I do now.

A

Oh good, okay, good all right question answered excellent.

C

I'm pretty certain I didn't this morning.

B

So that so that's true of the the github side mark he he does have permissions there. The docker hub side would be something we would need to um uh to look at more if he needs permissions there and.

A

I I haven't had a sense gareth that that you need that side as much right. The work thus far has been in the jenkins ci, slash, docker, github repository, hasn't it.

C

Yeah, so what would be the circumstances where I would need a permission? Would that just be when adding a new repository or something adding.

B

A new repository um deleting tags um stuff like that are you do you have access on the jenkins for eval? I notice there's some of the open, jdk images published there. Are you publishing those or is.

C

uh It's one of the one of the build scripts is publishing.

D

Those.

C

And olivier uh created the repositories for me.

A

Yeah so.

B

So go to um repositories, mark repositories; okay, oh sorry, up at the top, oh up here got it yeah and then there should be a drop down that you can change to the jenkins.

A

Jenkins or jenkins for eval.

B

It depends which one would he want? Would you need access to to these.

A

Well, I'm not sure that gareth do you need access to either of these on the docker hub side.

C

Probably not initially, maybe it's something that I'll request. If it comes to a point that I require access but yeah, I'm happy.

A

I'm happy.

C

Not to have access, you know.

B

I I know what you mean.

A

You have you have full support to that. That comment. Absolutely okay,.

A

All right so so we've got gareth the permission to merge, that's good, okay, anything else we need to discuss then on the windows. Docker images and the docker login topic help me out here. So it's still gareth will you'll. Do some investigation see if we can figure out why the failures are occurring on the on pr's and places. We know that it's failing on master, but this is a different class of failure, not the failure. That's causing the master branch to break.

D

Okay,.

A

Okay, all right next topic: docker image, support idea, official versus unofficial, alex.

B

Yeah, so um daniel beck is very concerned about the number of images that we publish as an official list, because it takes a significant amount of time when doing security releases and so forth that he has to wait until those images are ready before we before he can proceed with his process.

B

So what I wanted to unders to propose is that we adopt a similar method as to what the like adoptium project does, where they have an official set of images and an unofficial set of images, and the proposal would be that we determine which set of images we want to be official and those would be the only ones that daniel would have to worry about um in terms of waiting for a security release and then the unofficial ones.

B

We could add as many images as we want the unofficial list, but that would be a possibly separate build process for those unofficial ones such that daniel didn't need to wait for that right now. We have quite a number of images. We have sentos, we have debian, we have some ubuntu, we have open j9 versus hotspot.

B

uh We have multiple windows variants, uh although we actually reduced that number um jdk8 versus jdk 11.. So um you know, and that can only grow right as we. If people want specific other things like alpine or this or that right, then it just it causes that build to increase in time. So this proposal would be maybe part of your jet mark where we um have two tiers of of support. One is the official list and those are the ones that um that have all the security fixes and stuff like that.

B

The other ones maybe have a a later update for security issues, and things like that, um and you know the official ones may be reduced to just jdk 11 or something like that right, because it is a controller image rather than like an agent or or anything like that, um reducing that to maybe jdk 11 and then one linux variant and one windows variant or something similar, but just reducing that set for the official list versus unofficial and unofficial.

B

We could have amazon, linux and five different jdks and all that stuff, but that's not going to impact the um the security process for daniel.

C

Would you see them going into different docker orgs.

B

That would be a question adoptium does that um you they have the um the adopt open, jdk right now, anyway, that's the official one that has a specific set of tags that are quote unquote official and then they have sub repositories under that for like open, jdk, 8 and open jdk, 11 and other open, jdks and stuff like that, where they have lots of different tags available there. um So that is, that might be.

B

The best way to go is to have a jenkins official or or something like that, where those official images are published- and um you know that's the the stuff that the security fixes will always be in the other stuff will have a delayed um set of things.

B

We'd have to definitely pull in daniel on this, because if there are releases of jenkins docker images that don't have security fixes, is that going to be a problem or not? um But but this is just going to get the ball rolling on what we can, what we could possibly do. He.

A

He.

B

Did have some initial interest in that, when I put it on irc, but we'd have to pull him in to make sure it was um something that he he'd be okay with in the process.

A

And I think that's a very healthy thing to include in the gym, because, because we've we've got, we've got a a big challenge there. Right now, it feels like we've got far more doppler images than we have maintainers to support the images, and so I think, as in good conscience, I feel like we need to reduce the number of officially supported images just because we don't have enough bodies of us to maintain them adequately and and if, if people want want to maintain an image, they should become a maintainer, they should volunteer and come help.

A

Us.

B

Yeah I agree. I.

C

Need to drop off onto another. Thank you.

A

Super I'll.

C

Start I'll start that I'll start that one mark.

A

Say great, thank you all right, so alex anything else. With regard to the the idea on image support. Did I capture your ideas in the notes here adequately, yeah.

B

I think so.

A

Okay, good so, and I think I think this is a a good thing to feed into the our review of a and discussions about. Okay. How should this thing work and why? uh How do we get there? It's it's certainly going to be an interesting challenges.

A

Imagine I I my argument says we should drop sentos, because we should shift centos to unofficial because it doesn't have an active maintainer and I would expect an outcry from the community saying, but that's my preferred image and and they'd be right. Yeah.

B

Yeah and I.

D

Don't know the.

B

Other the other problem we have too is, I don't think, there's a way to for us to really understand which images are, how often images are being pulled meaning or is there.

A

Well, I I think maybe image pulls not I'm not aware of of any no data on which tags are the hottest tags right right, yeah, but I think there is data and I don't think it's publicly visible, but gareth has been granted access to the the stats data that andrew bayer maintains. Okay,.

D

And inside.

A

That stats data- I think there may be things which will hint to us, not not docker specific but just in general. Hey here are these operating system platforms and it really knows operating system.

B

Okay,.

A

Okay, so requesting stats data to confirm which uh configurations are most interesting.

A

Sorry, do you need to drop off no.

B

I don't I I'm good until whenever the meeting is done, I just had a text come in so.

A

Okay, all right.

A

Okay, I think the image support topic is settled. My topic on new docker image. Maintainer. I think we you we already proved. We got that gareth's got access.

A

The next one was that the jenkin, the master branch- has been broken for a number of months. Help me out alex. I don't remember what the break is right now. Is it? Is it something that is it's biased.

B

It's just the publish experimental and I think that jim's pr is supposed to help with that. So we merged in a previous pr from jim to do some parallelization stuff and um there was not a jenkins file update associated with it, and so the wrong thing is being called right now in the the jenkins file. I can look at that. uh You can assign an action item to me to look at that um and I'll I'll try and figure it out.

A

Okay, are you sure I mean I don't want to pile things on you in this exercise for me that that feels like we can. We can ask others to help out with that, if, if that would if that would be okay for you,.

B

Sure yeah, if someone else is available, I'm I'm happy to let them uh take a look at it. I'm also happy to help so either way. I'm good.

A

All right, great so for alex or gareth or mark investigate.

A

And submit the pr to fix the master branch.

B

And we may need to involve jim just to if there's any question about what we actually need to be calling right. Okay,.

A

And now, if, if we turned off publish experimental, would that be an acceptable condition there not really right? Because we're I mean, but this is not publishing.

B

Yeah I mean we could disable it for now and then just have a pr that has it enabled that um that we do the debug in that would make it pass you're not going to have images actually published to jenkins for eval, but they're not being published right now anyway. So it's kind of a six dozen one halftone is the other six of one half to the dozen of the other.

D

Right: okay, if.

B

We want the the good feelings of it being green or blue, whichever it is on seat.jacobs.org right, then you know just disabling it. For now is fine.

B

I don't know how many people are actually using those images and at some point we would want to make it so that the multi-arc images are not um experimental anyway.

A

Right and that's that's- that's a different in order to make the multi-arch images non-experimental. That means trusted will need to also have access to the to the to the multiple platforms right and right now, I'm pretty sure it does not so so that that would be an extra step for later.

A

Okay,.

A

All right last topic I had then was on simplified labeling of docker images. Jim's not here are there other. Is there anything you wanted to share there on that alex.

B

um No, I'm I'm that's kind of the part of the pr too um that we talked about earlier. So it's just something I need to review.

A

Okay, all right- and I think I understood from the mailing list that or from a comment that jim's proposal is reasonably well aligned with the labeling you're already using on windows for the jenkins free val windows images. That's.

B

Correct yeah, okay,.

B

I did have one other topic.

D

Oh go ahead.

B

um We should probably do a bug scrub on the various docker repositories like there are 96 issues on jenkins, ci docker.

B

Some of them are from like 2017, that's the oldest, so some of them are related directly to install plugins.sh. So we can, I think, close those as that script is deprecated.

B

um You use plugin manager, so we just need to do a bug scrub of of all the docker repos. I think okay.

A

And maybe that's worth another note of pull request scrub on the on the docker repositories as well, because there are a number of of those which are older and and may no longer be viable, correct.

B

And that's not a top priority, it's just kind of something we should probably look at.

A

Right yeah sure, well, one of the things that's helped me in the past is: should we show some graphs once a month from the linux foundation's uh tracking system, they've got a system that watches our repositories for us, we use it in the doc sig and it it it produces some interesting data to show hey. How are we doing or not doing to investigate bring it to the next? That's.

B

A good idea.

A

Just just it it doesn't give much hope because truthfully in the dark cig most of the time, it's oh geez, shame on me. That's not we're not removing things as often as we should, but at least it tells us the truth right.

A

All right, oh press f10, when I shouldn't have just what we need is a javascript debugger.

A

Okay, anything else.

B

No, that's! That's all for me.

A

All right, thank you very much, alex recording will be posted separately. Recording is now off.