Service(s)
ci.jenkins.io
Summary
As pointed out by @timja in jenkinsci/acceptance-test-harness#1278 (comment), since #3535 (and the change of subnets for agents), only outbound HTTP and HTTPS (to the internet) is allowed for builds.
The goal is to apply the principle of least privilege: there is no need to keep everything open and instead have an exhaustive list of destinations outside HTTP/HTTPS. It's not an absolute but more an additional layer ("defence in depth").
We (infra team) have to allow the legit requests mentioned in jenkinsci/acceptance-test-harness#1278 (comment) to unblock the ATH runs.
The failing command is:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
The PR's change forces the use of the hkp protocol over the 80/TCP port (ref. https://github.com/jenkinsci/acceptance-test-harness/pull/1278/files#diff-9a88da89c38917d277edaa43cfa6cf511136d6b33a597f88ff290197c33b6bbcR13). But we should allow the hkp protocol to the APT keyservers of the ATH (ref. http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=hkp).
Reproduction steps
No response
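Added example (not part of the original issue or of the jenkins-infra code): a pre-flight check that works out which TCP port a --keyserver value will use and whether an HTTP/HTTPS-only egress policy lets it through. The function names, the ALLOWED_PORTS variable and the exact hkp://...:80 and hkps:// strings are assumptions made for illustration.

```shell
#!/bin/sh
# Egress policy described in the issue: builds may only reach 80/TCP and 443/TCP.
ALLOWED_PORTS="80 443"   # assumed variable name, values from the issue

# Print the TCP port a --keyserver value resolves to.
# Defaults: hkp=11371 (IANA), hkps=443, http=80, https=443; a bare host means hkp.
keyserver_port() {
    case $1 in
        *://*) scheme=${1%%://*}; rest=${1#*://} ;;
        *)     scheme=hkp;        rest=$1 ;;
    esac
    hostport=${rest%%/*}                       # strip any path
    case $hostport in
        \[*\]:*) port=${hostport##*\]:} ;;     # [IPv6]:port
        \[*\])   port= ;;                      # [IPv6] without a port
        *:*)     port=${hostport##*:} ;;       # host:port, explicit port wins
        *)       port= ;;
    esac
    if [ -z "$port" ]; then
        case $scheme in
            hkp)        port=11371 ;;
            hkps|https) port=443 ;;
            http)       port=80 ;;
            *) echo "unknown scheme: $scheme" >&2; return 2 ;;
        esac
    fi
    case $port in
        *[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    echo "$port"
}

# Return 0 when the keyserver's port is in the allowlist, 1 when it is blocked.
egress_allowed() {
    port=$(keyserver_port "$1") || return 2
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$port" ] && return 0
    done
    return 1
}

# Constructed inputs: the value from the failing command, then two alternatives.
for ks in keyserver.ubuntu.com hkp://keyserver.ubuntu.com:80 hkps://keyserver.ubuntu.com; do
    if egress_allowed "$ks"; then verdict=allowed; else verdict=blocked; fi
    echo "$ks -> tcp/$(keyserver_port "$ks") $verdict"
done
```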