
[ci.jenkins.io] ATH builds failing due to denied outbound requests during tests #3664

Closed
dduportal opened this issue Jul 12, 2023 · 1 comment

Comments

@dduportal (Contributor)

Service(s)

ci.jenkins.io

Summary

As pointed out by @timja in jenkinsci/acceptance-test-harness#1278 (comment), since #3535 (and the change of subnets for agents), only outbound HTTP and HTTPS (to the internet) is allowed for builds.

The goal is to apply the principle of least privilege: there is no need to keep everything open and instead have an exhaustive list of destinations outside HTTP/HTTPS. It's not an absolute but more an additional layer ("defence in depth").

We (infra team) have to allow the legit requests mentioned in jenkinsci/acceptance-test-harness#1278 (comment) to unblock the ATH runs.

The failing command is apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5. The PR's change forces the use of the hkp protocol over port 80/TCP (ref. https://github.com/jenkinsci/acceptance-test-harness/pull/1278/files#diff-9a88da89c38917d277edaa43cfa6cf511136d6b33a597f88ff290197c33b6bbcR13).

But we should allow the hkp protocol to the APT keyservers of the ATH (ref. http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=hkp).

Reproduction steps

No response
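Added example, not code from this issue, from jenkins-infra or from the ATH: a small Python model of the egress rule discussed above. It resolves a keyserver URI the way gpg does (a bare hostname means hkp; hkp defaults to the IANA port 11371, hkps to 443), builds the HKP lookup request the fetch would issue, and checks the destination against an allowlist. The two allowlists are constructed for illustration and are not the real ci.jenkins.io rules.

```python
"""Egress check for apt-key / gpg keyserver URIs (added example).

Models the rule from this issue: the agent allowlist is a set of
(host, port) pairs, and a keyserver fetch only succeeds when the
destination it resolves to is on the list. Allowlists below are
constructed for illustration, not the real ci.jenkins.io rules.
"""
from urllib.parse import urlsplit

# Default ports as GnuPG's dirmngr applies them; hkp is IANA 11371.
DEFAULT_PORTS = {"hkp": 11371, "hkps": 443, "http": 80, "https": 443}

# Constructed: post-#3535 policy, any host on 80/443 only.
HTTP_HTTPS_ONLY = [("*", 80), ("*", 443)]
# Constructed: the same policy plus HKP to one named keyserver.
HKP_ALLOWLIST = HTTP_HTTPS_ONLY + [("keyserver.ubuntu.com", 11371)]


def keyserver_endpoint(uri):
    """Return (scheme, host, port) for a keyserver URI or bare hostname."""
    if "://" not in uri:
        uri = "hkp://" + uri  # gpg treats a bare hostname as hkp
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported keyserver scheme: {scheme}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def hkp_lookup_url(uri, key_id):
    """HKP rides on HTTP: GET /pks/lookup?op=get&search=0x<keyid>."""
    scheme, host, port = keyserver_endpoint(uri)
    http_scheme = "https" if scheme in ("hkps", "https") else "http"
    return f"{http_scheme}://{host}:{port}/pks/lookup?op=get&search=0x{key_id}"


def is_allowed(uri, allowlist):
    """True when some (host, port) rule matches; host '*' is a wildcard."""
    _, host, port = keyserver_endpoint(uri)
    return any(h in ("*", host) and p == port for h, p in allowlist)


if __name__ == "__main__":
    for uri in ("keyserver.ubuntu.com", "hkp://keyserver.ubuntu.com:80"):
        print(uri, "->", keyserver_endpoint(uri),
              "| 80/443 only:", is_allowed(uri, HTTP_HTTPS_ONLY),
              "| with HKP rule:", is_allowed(uri, HKP_ALLOWLIST))
```

Running it shows why the bare `keyserver.ubuntu.com` fetch was blocked under the 80/443-only policy, why the PR's `:80` workaround passes, and that a single named HKP rule fixes the original command without opening port 11371 to every host.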

@dduportal dduportal added the triage Incoming issues that need review label Jul 12, 2023
@dduportal dduportal added this to the infra-team-sync-2023-07-25 milestone Jul 12, 2023
@dduportal dduportal removed the triage Incoming issues that need review label Jul 12, 2023
dduportal added a commit to jenkins-infra/azure that referenced this issue Jul 12, 2023
This PR allows ci.jenkins.io agents to reach OpenPGP keyserver using the
[HKP](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=hkp)
protocol.

The destination servers are restricted to the known usages:

- Ideally we should embed GPG keys in the repositories such as
https://github.com/jenkins-infra/packer-images/tree/main/gpg-keys
- We want an exhaustive list of destinations to limit attempts to
retrieve bad keys

It's used by some containers in the jenkinsci/acceptance-test-harness
(ATH) builds.

Related to jenkins-infra/helpdesk#3664

---------

Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
Co-authored-by: Hervé Le Meur <lemeurherve.jenkins@gmail.com>
@dduportal (Contributor, Author)

Builds are back in order since jenkins-infra/azure#436 is merged
