[Ci-users] Jenkins SafeRestart to add extra CSRF Protection 19-Apr-2016 14h30 UTC (09h30 EDT) - Full Restart 00h UTC (20h EDT)
trown at redhat.com
Wed Apr 20 12:01:44 UTC 2016
On 04/20/2016 07:39 AM, John Trowbridge wrote:
> On 04/19/2016 10:56 PM, Brian Stinson wrote:
>> Hi All,
>> This is finally finished up. We had a long quiet period while a few jobs
>> finished up and it looks like everything got queued up for re-execution
>> once we restarted.
>> We'll be checking in with the JJB folks and others using the Jenkins
>> REST API to see how they're affected by the new CSRF settings.
> I tested a JJB push for RDO, and it worked fine. However, I have a very
> odd issue that correlates timing wise with this restart.
> The image building jobs in the RDO promotion pipelines are all
> failing the first time they try to get an image via a 'file://' URL. The
> first occurrence of this was in the middle of the night last night,
> and there have been no code or CI changes in that time frame. I don't
> have a good explanation of how this could be related to the Jenkins
> restart, as that image building is happening on a duffy node. On the
> other hand, it seems suspicious timing given that no code or CI changes
Sorry for the noise. Correlation != causation. Looks like Ansible released
2.0.2 last night as well, which makes much more sense as a root cause.
>  https://ci.centos.org/view/rdo/view/promotion-pipeline/
>> On Apr 19 10:03, Brian Stinson wrote:
>>> The first part of this maintenance has been done. We will need to
>>> schedule a full restart for tonight (00h UTC). We'll be monitoring
>>> running jobs throughout the day.
>>> On Apr 19 08:54, Brian Stinson wrote:
>>>> Hi Folks,
>>>> In response to news of directed attacks against public Jenkins
>>>> instances, we are enabling some of the CSRF protections in ci.centos.org
>>>> To do this we will issue a SafeRestart at 14:30 UTC Today! Running jobs
>>>> will be given a chance to clear and new jobs should be queued up and
>>>> will execute as soon as the restart finishes.
>>>> Potential Impact:
>>>> - If you are using the Jenkins REST interface you may need to modify
>>>> your scripts to send the appropriate headers
>>>> - Jenkins Job Builder is tracking an issue to enable CSRF support.
>>>> Some basic tests were performed on our side, and simple jobs were
>>>> configured correctly, but you may notice strange behavior if you are
>>>> using JJB.
>>>> : https://groups.google.com/d/topic/jenkinsci-advisories/lJfvDs5s6bk
>>>> : https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API#RemoteaccessAPI-CSRFProtection
>>>> : https://storyboard.openstack.org/#!/story/2000556
>>>> If you have any questions or comments, let us know here or find one of
>>>> us in #centos-devel on Freenode.
>>>> Brian Stinson
>>>> CentOS CI Infrastructure Team
>>>> Ci-users mailing list
>>>> Ci-users at centos.org
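Added example, not part of the original thread: one way a script using the Jenkins REST interface can send the CSRF header the announcement refers to, by requesting a crumb from `/crumbIssuer/api/json` (the mechanism described on the Remote access API page linked above) and attaching it to each POST. The host, job name and credentials are hypothetical placeholders, and the `urlopen` parameter is an assumption added so the logic can be exercised offline.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError


def basic_auth(user, api_token):
    """Build the HTTP Basic Authorization value for a Jenkins user and API token."""
    raw = f"{user}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def crumb_header(base_url, auth, urlopen=urllib.request.urlopen):
    """Ask the crumb issuer for a crumb; return it as a {header-name: value} dict.

    Returns {} when the issuer answers 404 (CSRF protection not enabled), so the
    same script keeps working before and after the setting is switched on.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/crumbIssuer/api/json",
                                 headers={"Authorization": auth})
    try:
        with urlopen(req) as resp:
            issued = json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return {}
        raise  # 401/403 and similar are real failures: surface them
    # The header name is chosen by the server; read it instead of hard-coding it.
    return {issued["crumbRequestField"]: issued["crumb"]}


def post_with_crumb(base_url, path, auth, urlopen=urllib.request.urlopen):
    """POST to a Jenkins endpoint, attaching the crumb header when one is issued."""
    headers = {"Authorization": auth}
    headers.update(crumb_header(base_url, auth, urlopen))
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"",
                                 headers=headers, method="POST")
    with urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values: hypothetical host, job name and credentials.
    auth = basic_auth("ci-user", "API_TOKEN_PLACEHOLDER")
    print(post_with_crumb("https://jenkins.example.org", "/job/sample-job/build", auth))
```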