Jenkins / JENKINS-49868

Disable tool installers entirely

Details

    • Evergreen - Milestone 1

    Description

      This feature is really problematic and requires a bunch of additional work to make it work, such as creating an Oracle account to get JDKs (lol).

      Disabling this feature, and strongly encouraging the use of containers, is the right path forward for new users.

        Activity

          rtyler R. Tyler Croy created issue -
          rtyler R. Tyler Croy made changes -
          Field Original Value New Value
          Epic Link JENKINS-49845 [ 188829 ]
          rtyler R. Tyler Croy made changes -
          Rank Ranked higher
          rtyler R. Tyler Croy made changes -
          Assignee R. Tyler Croy [ rtyler ]
          rtyler R. Tyler Croy made changes -
          Sprint Essentials - Milestone 2 [ 516 ]
          rtyler R. Tyler Croy made changes -
          Rank Ranked lower
          rtyler R. Tyler Croy made changes -
          Rank Ranked higher
          rtyler R. Tyler Croy added a comment -

          This came up in relation to JENKINS-53190 since rsandell was also unable to configure a Maven tool installer:

          09:13 ( rsandell ) So, how to build a maven project on evergreen? The tool installer breaks due to
          certificate validation and the default docker agent doesn't support docker in docker
          09:13 ( rsandell ) for the DinD the agent is basically missing the docker command, and probably some
          other stuff to make it work
          09:15 ( rsandell ) Tool installer: sun.security.provider.certpath.SunCertPathBuilderException: unable
          to find valid certification path to requested target

          This error is basically due to how the certificate store is locked down to prevent forgeries of evergreen.jenkins.io's trust chain. A mechanism I'm loath to change.

          I think the ideal solution is to encourage the heavy use of Pipeline and Docker in Evergreen rather than support half-baked features like Tool Installers.

          rtyler R. Tyler Croy made changes -
          Component/s evergreen-plugin [ 23546 ]
          Component/s evergreen [ 23457 ]
          Sprint Evergreen - Milestone 2 [ 516 ] Evergreen - Milestone 1 [ 511 ]
          Assignee Baptiste Mathus [ batmat ]
          jglick Jesse Glick added a comment -

          > creating an Oracle account to get JDKs

          jdk-tool should anyway be amended to use anonymous OpenJDK downloads by default. CC dnusbaum

          > the certificate store is locked down

          In the Jenkins JVM? I thought this was only used in the evergreen-client (client.js acc. to code search)? FWIW this seems like it is guaranteed to cause all kinds of mayhem, not just for tool downloads. Surely you can find some better mechanism, such as restricting certificate customizations to the actual code contacting this server.

          > encourage the heavy use of Pipeline and Docker in Evergreen rather than support half-baked features like Tool Installers

          Well, tools and tool installers are supported by Pipeline, and (writing as a principal author of it!) the Pipeline Docker plugin is one of the least baked features in Jenkins and IMO should not be included in Essentials^H^H^H^H^H^H^H^H^H^HEvergreen at all.

          At any rate, to the subject of the issue, I certainly agree with the notion that we should discourage use of tools.
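
One way to restrict a certificate customization to the code that contacts a single server, the alternative raised in the comment above. This is an added Java example, not Jenkins or Evergreen code; the class name, the CA bundle path argument and the per-host check are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class ScopedTrust {
    // Host taken from the thread; the CA bundle path is supplied by the caller.
    static final String PINNED_HOST = "evergreen.jenkins.io";

    /** Build a socket factory that trusts only the CA certificates in caPem. */
    static SSLSocketFactory pinnedFactory(Path caPem) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store, nothing inherited from cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(caPem)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("pinned-" + i++, c);
            }
        }
        if (ks.size() == 0) throw new IllegalStateException("no CA certificates in " + caPem);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // never SSLContext.setDefault(ctx)
        return ctx.getSocketFactory();
    }

    /** Apply the restricted factory to the pinned host only; other hosts keep JVM defaults. */
    static HttpsURLConnection open(URL url, SSLSocketFactory pinned) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (PINNED_HOST.equalsIgnoreCase(url.getHost())) {
            conn.setSSLSocketFactory(pinned);
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory pinned = pinnedFactory(Path.of(args[0]));
        System.out.println(open(new URL("https://" + PINNED_HOST + "/"), pinned).getURL());
    }
}
```

Because the JVM-wide default trust store and default `SSLContext` are left untouched, connections made by other code in the same JVM still validate against the public CA set.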

          dnusbaum Devin Nusbaum added a comment -

          > jdk-tool should anyway be amended to use anonymous OpenJDK downloads by default. CC Devin Nusbaum

          Yes, I think it would make sense to update https://github.com/jenkins-infra/crawler and jdk-tool to use anonymous downloads from http://jdk.java.net/archive/ for Java 9 and newer, and once Java 8 is officially EOL'd by Oracle (currently planned for January 2019) then I think we could totally remove the code that works with Oracle's website and requires an Oracle account to download old versions.


          People

            batmat Baptiste Mathus
            rtyler R. Tyler Croy