[Discourse.ros.org] [Buildfarm] Jenkins 2.60.1 and Script Security plugin


Florian Friesdorf via ros-users


I'd like to avoid having to deploy this farm again, so just to make sure: my Jenkins 'got upgraded' to 2.60.1, which runs fine after making sure a Java 8 JRE/JDK is present on the VM(s).

But just about every job I have now fails with a `org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException` stating that such-and-so method is not approved yet, which then requires me to approve that specific method, re-run the job, repeat, ad infinitum (it seems).

Is this expected with Jenkins 2.60.x, and is this karma for trying to upgrade things, or is this 'fixable' and am I missing a setting somewhere?





---
[Visit Topic](https://discourse.ros.org/t/jenkins-2-60-1-and-script-security-plugin/2094/1) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>

Florian Friesdorf via ros-users


Yeah, we've done the upgrade and had to click a lot of accepts too.

With the new security restrictions there are two levels of approvals. One for approving methods and the other for approving script content. In our testing we are most of the way to having all the methods explicitly scripted.

Talking with @nuclearsandwich we have a theoretical understanding of how we could use the Jenkins API to automatically whitelist the scripts that are generated, when they are generated. Our usage pattern is not well supported by the tighter security model. So how to do this will take some experimentation.

So in the short term unfortunately there's a lot of manual approvals. :-( The good news is that once you've gotten through the approvals not too many new ones jump up unless there's a change in the generators. And in the long term we definitely want to automate it.





---
[Visit Topic](https://discourse.ros.org/t/jenkins-2-60-1-and-script-security-plugin/2094/2) or reply to this email to respond.



Florian Friesdorf via ros-users
In reply to this post by Florian Friesdorf via ros-users


[quote="gavanderhoorn, post:1, topic:2094"]
Is this expected with Jenkins 2.60.x, and is this karma for trying to upgrade things, or is this 'fixable' and am I missing a setting somewhere?
[/quote]


The security advisory and updated versions that introduced the whitelist changes were announced [in April](https://jenkins.io/blog/2017/04/10/security-advisory/). The ROS 1 buildfarm hasn't updated as it's still based on Trusty which lacks Java 8. The buildfarm we're currently using for the next beta of ROS 2 has not upgraded to 2.60 because we're focused on getting the release shipped. From scanning the changelog, I don't believe there's anything new that's security related in this LTS release from the changes in April.

There's a [seed scriptApproval.xml](https://github.com/nuclearsandwich/buildfarm_deployment/blob/1dba10f358a91598aca43e2eb19e5214006503a8/modules/jenkins_files/files/var/lib/jenkins/scriptApproval.xml) that the new Xenial-based buildfarm masters will start with, but as far as I recall manual intervention will still be required for a few jobs. I didn't document which jobs specifically as thoroughly as I wish I had.





---
[Visit Topic](https://discourse.ros.org/t/jenkins-2-60-1-and-script-security-plugin/2094/3) or reply to this email to respond.



Florian Friesdorf via ros-users
In reply to this post by Florian Friesdorf via ros-users


Since the list of scripts / API to approve only populates incrementally (and some code paths are not utilized often or when no problems are happening) it might be better to start with a full list (copied from the ROS 1 buildfarm): https://gist.github.com/dirk-thomas/808a344462f83bd269f906af0e151b9d





---
[Visit Topic](https://discourse.ros.org/t/jenkins-2-60-1-and-script-security-plugin/2094/4) or reply to this email to respond.



Florian Friesdorf via ros-users
In reply to this post by Florian Friesdorf via ros-users


Thanks for the replies.

[quote="tfoote, post:2, topic:2094"]
So in the short term unfortunately there's a lot of manual approvals. :-( The good news is that once you've gotten through the approvals not too many new ones jump up unless there's a change in the generators. And in the long term we definitely want to automate it.
[/quote]

Argh, that must've been a lot of clicking. I was hoping to avoid that.

[quote="nuclearsandwich, post:3, topic:2094"]
The ROS 1 buildfarm [..] on Trusty which lacks Java 8
[/quote]

True. I deliberately installed an Oracle JDK as they seem to be more performant. That was already a version 8, so no problems with the new Jenkins. Or at least, until jobs started to fail ..

[quote="nuclearsandwich, post:3, topic:2094"]
There's a seed scriptApproval.xml that the new Xenial based buildfarm masters will start with but as far as I recall manual intervention will still be required for a few jobs. I didn't document which jobs specifically as thoroughly as I wish I had.
[/quote]

Oh nice. I'm going to see if that resolves some of the endless clicking.

[quote="dirk-thomas, post:4, topic:2094, full:true"]
Since the list of scripts / API to approve only populates incrementally (and some code paths are not utilized often or when no problems are happening) it might be better to start with a full list (copied from the ROS 1 buildfarm): https://gist.github.com/dirk-thomas/808a344462f83bd269f906af0e151b9d
[/quote]

Is that the same list as @nuclearsandwich linked to?





---
[Visit Topic](https://discourse.ros.org/t/jenkins-2-60-1-and-script-security-plugin/2094/5) or reply to this email to respond.



Florian Friesdorf via ros-users
In reply to this post by Florian Friesdorf via ros-users


[quote="gavanderhoorn, post:5, topic:2094"]
Is that the same list as @nuclearsandwich linked to?
[/quote]

I believe that Dirk's is slightly more comprehensive as it is based on a recent version of the current ROS 1 buildfarm.





---
[Visit Topic](https://discourse.ros.org/t/jenkins-2-60-1-and-script-security-plugin/2094/6) or reply to this email to respond.
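
Added example, not part of the thread or of the buildfarm's own code: one way to check whether two `scriptApproval.xml` lists are the same before seeding a master, covering both approval levels mentioned above (method signatures and script content). It assumes the layout Script Security writes, with `<string>` entries under `approvedSignatures` and `approvedScriptHashes`; the sample documents and their entries are constructed placeholders, not taken from either linked list.

```python
import xml.etree.ElementTree as ET
from collections import Counter
# Two approval levels: method signatures and script content (stored as hashes).
SECTIONS = ("approvedSignatures", "approvedScriptHashes")

# Constructed samples in the scriptApproval.xml layout (placeholder entries).
SEED_XML = """<scriptApproval>
  <approvedScriptHashes>
    <string>0000000000000000000000000000000000000001</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>method hudson.model.Run getNumber</string>
    <string>staticMethod jenkins.model.Jenkins getInstance</string>
  </approvedSignatures>
</scriptApproval>"""
FULL_XML = """<scriptApproval>
  <approvedScriptHashes>
    <string>0000000000000000000000000000000000000001</string>
    <string>0000000000000000000000000000000000000002</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>method hudson.model.Run getNumber</string>
    <string>method hudson.model.Job getLastBuild</string>
    <string>staticMethod jenkins.model.Jenkins getInstance</string>
  </approvedSignatures>
</scriptApproval>"""

def load_approvals(xml_text):
    """Return {section: set(entries)} for one scriptApproval.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "scriptApproval":
        raise ValueError("not a scriptApproval document: <%s>" % root.tag)
    return {name: {s.text.strip() for s in root.findall(name + "/string")
                   if s.text and s.text.strip()}
            for name in SECTIONS}

def compare(a, b):
    """Per section: entries only in a, only in b, and the shared count."""
    return {name: {"only_a": sorted(a[name] - b[name]),
                   "only_b": sorted(b[name] - a[name]),
                   "shared": len(a[name] & b[name])}
            for name in SECTIONS}

def signature_kinds(approvals):
    """Count approved signatures by kind (method, staticMethod, new, ...)."""
    return Counter(sig.split()[0] for sig in approvals["approvedSignatures"])

if __name__ == "__main__":
    seed, full = load_approvals(SEED_XML), load_approvals(FULL_XML)
    print(compare(seed, full), dict(signature_kinds(full)))
```

Entries listed under `only_b` are what the second file would pre-approve beyond the first, which is the part worth reading before copying a list onto a master.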

