[INFRA-3100] Migrate updates.jenkins.io to another Cloud

[jenkins-infra-bot]

Why

Read the EPIC (aws cost decrease: https://github.com/jenkins-infra/helpdesk/issues/2646)

What

• updates.jenkins.io serves the JSON of the update center, but it is not behind a CDN (need to be updated regularly) causing a lot of outbound data transfer (2.4 Mb for a JSON download, esitmation around 300 Gb of data sent daily, estimation around 10 Tb per month which costs some $$$.

• The VM pkg.origin.jenkins.io is managing multiple services and separting them could be a great help.

How

Different paths can be taken here: to be discussed in infra meeting + validated by the board as it's an important service.

• Migrating the service to Oracle Cloud:
  • the first 10 Tb of outbound data is free, and if the worst case, 50 Tb of outbound would cost less than 3k $ per month - https://www.oracle.com/be/cloud/networking/networking-pricing.html
  • ARM machines: cheaper and better performance for a simple webserver + SSH + data
  • Block storage: close to archives.jenkins.io
  • Risk: Oracle sponsoring program is only 1 year, and is not easily secured for paiment as other account

• Migrating to Azure
  • Easily in AKS: easier management
  • Safer paiment process
  • Risk: cost of outbound to be evaluated

---

Originally reported by dduportal, imported from: Migrate updates.ci.jenkins.io to another Cloud

• status: Open
• priority: Major
• resolution: Unresolved
• imported: 2022/01/10

[note]

• Check that https://github.com/jenkins-infra/helpdesk/issues/3017 is not happening once migration is finished.
• The error curl: (16) Error in the HTTP2 framing layer should not happen anymore with the latest Apache versions

[dduportal]

Requires setting up the Oracle Terraform project, like #2682

Todo list:

• [x] Specify a new infra (VM + data storage of the same size as the actual pkg.origin.jenkins.io machine + any other Oracle infra requirements). Implies checking the pricing to get an overall idea
• [ ] Once VM is created, add it to puppet management: new node, with the role / profiles associated to "update.jenkins.io"
• [ ] Rsync the data one time
• [ ] Update the jenkins-infra/update-center2 's associated job in trusted.ci to update both "pkg.origin.jenkins.io" VM and the new one (⚠️ inline pipeline, don't search for a Jenkinsfile as code)
• [ ] Validate the new instance (including checking with Daniel, Tim and other contributors)
• [ ] Communicate about the upcoming change
• [ ] As proposed by Stephane, use a round-robin DNS record value to split traffic between old/new during some time and check for error

[dduportal]

Blocked by #2973

[smerle33]

actual machine size is : 32Gb RAM 8cpu 1,2Tb data disk (372Gb free)

about half of the power is used currently (checked with the local SAR probe)

[smerle33]

Infra to specify :

• 1 VM (similar to archive.jenkins.io)
• 1 network ("mirrors") + 1 subnet ("20210630-1531")
• 1 volume 1,2Tb
• 1 set of security groups to restrict network access
• 1 ssh key pair

[smerle33]

VM specifications :

• 4vCPU/16Gb RAM : half of actual machine
• proposal to use ARM like archive.jenkins.io --> 4ocpu (VM Type Standard A1 Flex)
• Image Ubuntu 20.04 (FULL [non minimal]) --> upgrade from ubuntu 18.04 for actual machine
  • option for 22.04 but need testing for puppet agent (+ openssl v3)

[dduportal]

Side note: once you'll be working on the terraform project for these resource, please note that the network and sub-network would have to be datasources while the other would be resources (at least until we work on #2682 that will manage the networks)

[timja]

https://github.com/jenkinsci/acceptance-test-harness/pull/973/checks?check_run_id=11028552907 failed because of the reported error Error in the HTTP2 framing layer

[ekohl]

The Foreman project is sponsored by Fastly, I believe via the Fast Forward program (though someone else arranged it, so not sure). Given Jenkins is an open source project, it may qualify as well. See https://www.fastly.com/fast-forward

[dduportal]

The Foreman project is sponsored by Fastly, I believe via the Fast Forward program (though someone else arranged it, so not sure). Given Jenkins is an open source project, it may qualify as well. See https://www.fastly.com/fast-forward

Thanks for sharing! Fastly is already sponsoring us and used for existing jenkins.io websites, including the package distribution (see our setup here: https://github.com/jenkins-infra/fastly).

At first sight (from memory: I could be wrong or missing something), the main issue to put the update center distribution in Fastly was the uncaching challenge (time and steps): am I correct @daniel-beck @olblak @timja ?

Seconde concern is the amount of data served could make our sponsored program to cross the allowed threshold. For this one, we could discuss with Fastly.

Anyway, we have both Oracle and DigitalOcean cloud which provides an outbound bandwidth really cheap. As DigitalOcean is already used, the partnership is really dynamic (see #3487 for instance), we are thinking moving the update center from AWS to DigitalOcean (better infra as code API, better support, and already used by the infra).

[timja]

I think the issue is that fastly doesn’t sponsor the project enough credit to make it work although a CDN would be great.

[lemeurherveCB]

Another alternative could be https://www.cloudflare.com/en-gb/products/r2/

[dduportal]

Another alternative could be https://www.cloudflare.com/en-gb/products/r2/

Good point!

Only for the updates.jenkins.io / updates.jenkins-ci.org service (which serves the Update Center JSON files):

• https://developers.cloudflare.com/r2/buckets/public-buckets/ shows we can expose their buckets publicly with a custom domain
• Pricing is really appealing: https://developers.cloudflare.com/r2/pricing/ as no egress bandwidth costs, and 4,50 $ per millions requests => nice catch @lemeurherve !
• Fine tuning:
  • We can use CORS: https://developers.cloudflare.com/r2/buckets/cors/#use-cors-with-a-public-bucket
  • We might have to tune the lifecycle of the objects though: https://developers.cloudflare.com/r2/buckets/object-lifecycles/ (given we update the JSON once a week after a weekly release)
  • We should be able to manage partially or totally the service using Terraform (ref. https://developers.cloudflare.com/r2/examples/terraform-aws/)

For pkg.jenkins.io: already cached using fastly and pricing depends on amount of storage (ever growing) so not sure if it is that easy (but should be checked)

[dduportal]

Another alternative could be https://www.cloudflare.com/en-gb/products/r2/

Good point!

Only for the updates.jenkins.io / updates.jenkins-ci.org service (which serves the Update Center JSON files):

* https://developers.cloudflare.com/r2/buckets/public-buckets/ shows we can expose their buckets publicly with a custom domain

* Pricing is really appealing: https://developers.cloudflare.com/r2/pricing/ as no egress bandwidth costs, and 4,50 $ per millions requests => nice catch @lemeurherve !

* Fine tuning:

  * We can use CORS: https://developers.cloudflare.com/r2/buckets/cors/#use-cors-with-a-public-bucket
  * We might have to tune the lifecycle of the objects though: https://developers.cloudflare.com/r2/buckets/object-lifecycles/ (given we update the JSON once a week after a weekly release)
  * We should be able to manage partially or totally the service using Terraform (ref. https://developers.cloudflare.com/r2/examples/terraform-aws/)

For pkg.jenkins.io: already cached using fastly and pricing depends on amount of storage (ever growing) so not sure if it is that easy (but should be checked)

Ping @dbeck @olblak @Wadeck if you have thought on this (e.g. using a bucket storage system such as AWS, Azure or CloudFlare R2 in this case to host the Update Center site, instead of using a not highly-available VM with Apache)

[lemeurherve]

Here is what I've came with for updates.jenkins.io:

• Create a docker image of an HTTP redirector based on Apache2
• Deploy this on publick8s cluster with a PV for storing update-center2 htaccess files updated from trusted.ci.jenkins.io related builds, and with htdocs in read-only
• Add an HTTP redirect to the content uploaded by trusted.ci.jenkins.io in R2 bucket (HTML and miscellaneous update-center.json files)

Note: we can have R2 buckets in China with CloudFlare 🎉

we can expose their buckets publicly with a custom domain

Unfortunately this requires the custom domain to be registered by CloudFlare.

[lemeurherve]

We'll setup this HTTP redirector service using our mirrorbits chart to get the HTTP server and the mirrorring system included.

• [ ] Experimentation
  • [ ] Use mirrorbits as helm chart (Apache2 HTTP server + mirroring system): https://github.com/jenkins-infra/kubernetes-management/pull/4211
  • [x] Create a redis database: redis-uc-r2 (deleted in favor of https://github.com/jenkins-infra/azure/pull/445)
  • [x] Create a storage account: testhlmucr2helpdesk2649 (deleted in favor of https://github.com/jenkins-infra/azure
  • [x] Create azure.updates CNAME record in jenkins.io DNS zone: https://github.com/jenkins-infra/azure/pull/445
  • [x] Create a CloudFlare personal account
  • [x] Create a R2 bucket /pull/445)
  • [ ] Create an API token
  • [ ] Use aws-cli to interract with this test bucket
• [ ] Preparation
  • [ ] Create jenkins-infra-team account (need payment information, can be paypal)
  • [ ] Create repo jenkins-infra/cloudflare
  • [ ] Create terraform state
  • [ ] Create credentials
  • [ ] Ensure aws-cli is installed on trusted permanent agent
• [ ] Implementation
  • [ ] Use aws-cli instead/in parallel of rsync in publish.sh
  • [ ] Use a credentials
  • [ ] Specify the cloudflare endpoint as flag
  • [ ] Serve the bucket content (only the updates.jenkins.io part)
  • [ ] mirrorbits
  • [ ] public bucket
  • [ ] CORS?
  • [ ] Location hint (bonus)
  • [ ] Lifecycle policies

[lemeurherve]

Good news, we can use delegated domains for public R2 buckets 🎉 (I didn't wait long enough in my initial tests with a delegated personal domain)

I'll create a sub DNS zone cloudflare.jenkins.io then delegate this sub zone to CloudFlare so we could use it for R2.

[lemeurherve]

Too bad we can't use a sub domain for CloudFlare delegation:

At least we'll be able to register a new domain name with the same provider we're already using instead of registering it with another provider.

[lemeurherve]

Update: the base of the service has been deployed to publick8s cluster: https://github.com/jenkins-infra/kubernetes-management/pull/4211, I've tested adding a mirror with success.

Currently working on adding R2 bucket as mirror, then on .htacess redirections.

[lemeurherve]

The R2 dev bucket address has been added as a mirror, with the same files and folder as the ones on the azure file share.

Currently mirrorbits has a lot of errors in its logs:

UTC [r2dev] parsing trace file failed: "<!DOCTYPE" is not a valid timestamp

[lemeurherve]

Currently mirrorbits has a lot of errors in its logs:

UTC [r2dev] parsing trace file failed: "<!DOCTYPE" is not a valid timestamp

Found the culprit, mirrors need to be able to respond either to FTP or RSYNC requests: https://github.com/etix/mirrorbits//blob/24df0bc7ca40d397290f7713254973a04bb48d99/rpc/rpc.go#L550-L569

See also the corresponding error variable at https://github.com/etix/mirrorbits/blob/master/scan/scan.go#L31

Hopping mirrorbits accepts different domains for mirror URL and mirror rsync address, I'm currently transplanting the rsyncd part of the deleted mirror chart which was used for azure.mirror.jenkins.io decomissionned mirror service (https://github.com/jenkins-infra/helm-charts/pull/607) in the mirrorbits chart, see https://github.com/jenkins-infra/helm-charts/pull/609

With this rsyncd service using the same local reference volume of mirrorbits, we should then be able to add the R2 bucket mirror, associated with this rsyncd service address.

It implies updating both the azure storage account and the R2 bucket content.

FTR, I've also tried to find a way to mount the R2 bucket content as volume for a rsyncd service running in EKS, hopping there would be a CSI driver for that by AWS. Unfortunately, their FSx file system solution seems to require permission access to the bucket, forbidding the use of S3 compatible buckets from other providers: https://docs.aws.amazon.com/fsx/latest/LustreGuide/setting-up.html#fsx-adding-permissions-s3 Every other solution seems to resolve around s3fs solution or equivalent, which are a no-go as their required privileged context execution, too risky.

[lemeurherve]

After splitting mirrorbits helm chart into 3 distinct charts (mirrorbits-lite, httpd and rsyncd) regrouped as subchart in mirrorbits-parent for greater velocity and configurability, our updates.jenkins.io POC has been deployed on publick8s with this new chart in https://github.com/jenkins-infra/kubernetes-management/pull/4320

Adding a mirror with (for example) the R2 bucket URL with the local kubernetes service URL of the rsyncd service is working, the next steps are:

• Get another updates.jenkins.io mirror in DigitalOcean (read only). As DO Space product isn't POSIX, we'll need a block storage.
• Ensure a synchronized copy of updates.jenkins.io content (the JSON files) into the different storages
• Copy generated .htaccess files into the storages. At first they'll be present everywhere but will be used only on the "main" updates.jenkins.io entry point, which will redirect requests to other *.updates.jenkins.io

[lemeurherve]

Excellent news, CloudFlare is sponsoring us 🎉 🥳

Refocusing on R2 buckets and the availability of a new updates.jenkins.io as soon as possible, we'll work on mirrors in parallel.

I've created a cloudflare.jenkins.io NS record, allowing us to delegate it to CloudFlare ✅

The next steps are the last two points of my previous comment.

[daniel-beck]

Copy generated .htaccess files into the storages

Do these support mod_rewrite rules? I would expect only Apache to support this enough…

[dduportal]

Copy generated .htaccess files into the storages

Do these support mod_rewrite rules? I would expect only Apache to support this enough…

In the new architecture, the Apache rewrite rules are handled by the Apache in Azure which receives all requests by default. Only the exact requests to JSON files will be sent to the mirror redirector.

The storage mentionned by @lemeurherve is the storage shared by both mirror redirector and Apache in azure.

[lemeurherve]

I've created a (for now empty) terraform state dedicated to CloudFlare, stored in Azure: https://github.com/jenkins-infra/terraform-states/tree/main/cloudflare (private repository)

I've also initialized the https://github.com/jenkins-infra/cloudflare repository, and before merging https://github.com/jenkins-infra/cloudflare/pull/1 we need to:

• Create staging (read-only) an prod (write) API tokens from the jenkins-infra-team member via CloudFlare UI
• Add these tokens and the terraform backend config to infra.ci.jenkins.io credentials
• Create a corresponding job in infra.ci.jenkins.io
• Configure repository team and branch protection

Then we'll start an initial job on empty state from the main branch.

We'll finally be able to add CloudFlare resources via terraform to continue our work on updates.jenkins.io:

• R2 buckets in several regions (Western North America, Eastern North America, Western Europe, Eastern Europe & Asia-Pacific)
• The corresponding (CloudFlare) "zones" (ie NS records for each of these regions, ex: westeurope.cloudflare.jenkins.io)

[lemeurherve]

[...] we need to:

* Create staging (read-only) an prod (write) API tokens from the jenkins-infra-team member via CloudFlare UI
* Add these tokens and the terraform backend config to infra.ci.jenkins.io credentials
* Create a corresponding job in infra.ci.jenkins.io
* Configure repository team and branch protection

Then we'll start an initial job on empty state from the main branch.

We'll finally be able to add CloudFlare resources via terraform to continue our work on updates.jenkins.io:

* R2 buckets in several regions (Western North America, Eastern North America, Western Europe, Eastern Europe & Asia-Pacific)
* The corresponding (CloudFlare) "zones" (ie NS records for each of these regions, ex: `westeurope.cloudflare.jenkins.io`)

All of this has been done, currently recreating the westeurope zone as its edge SSL certificate seems stuck in "pending validation", probably due to a collusion with cloudflare.jenkins.io own certificate validation for *.cloudflare.jenkins.io.

This cloudflare.jenkins.io has been since deleted, and we'll store westeurope.cloudflare.jenkins.io NS records inside Azure instead of CloudFlare.

[smerle33]

to have a better view on the impact of the code (aka parallelization) here is a graph of the cpu and memory as for now (with hervé PR tries during those last 24h on a specific folder on the current VM pkg.origin.jenkins.io):

[dduportal]

to have a better view on the impact of the code (aka parallelization) here is a graph of the cpu and memory as for now (with hervé PR tries during those last 24h on a specific folder on the current VM pkg.origin.jenkins.io):

thanks! do you mind also checking the other CPU usages (I/O, sys and free)? CPU contention is not always at the user process level so better be safe than sorry ;)

[smerle33]

[dduportal]

Update after pairing session (and async work) with @smerle33 and @lemeurherve during the past 10 days:

• Parallelization of the update-center2 script can be achieved with GNU parallel installed in the trusted agent for update-center generation (Ref. https://github.com/jenkins-infra/jenkins-infra/pull/3121)

  • Verified the timing in https://github.com/jenkins-infra/update-center2/blob/pr-745/site/publish.sh and associated manual tests are valid
  • Most notable probable was around the performance when dereferencing symlinks and to ignore the json files produced by jenkins-infra/crawler (which are duplicated when dereferenced...). Problem solved by a rsync preparation step

• Work around the "trigger mirrorbits scan once files are copied everywhere":

  • kubectl is installed in the agent to allow update center script to reach the mirrorbits instance: https://github.com/jenkins-infra/jenkins-infra/pull/3137
  • mirrorbits is now having and SVC account with the minimalistic set of permission to run an exec command on the instance:
  • https://github.com/jenkins-infra/helm-charts/pull/897
  • https://github.com/jenkins-infra/kubernetes-management/pull/4596

• The issue with the mirrorbits-parent ingress not working as expected is fixed by https://github.com/jenkins-infra/kubernetes-management/pull/4598

TODO:

• Ensure that the .htaccess files are not copied to R2 cloudflare mirrors (aws s3 sync exclude flag for this) as it is only needed by Apache
  • warning: we might need to tell mirrorbits to ignore these when scanning through rsync
• Setup the command to trigger mirrorbits scan -all through kubernetes on the trusted agent
  • Manual test with the token of the svcaccount and check connectivity
  • insert token in trusted.ci credentials
  • update the publish.sh script and check the timings
• Remove aws cedentials and config from puppet and switch to full env vars from credentials (cleanup)
• Run an end to end test : if the timing is good: then go back to update-center2 PR

[dduportal]

Update:

• Ingress initial fix for updates.jenkins.io mirrorbit deployment: https://github.com/jenkins-infra/kubernetes-management/pull/4598

TODO:

• (new) Adapt the ingress path pattern list to UC content (I mean .deb is a copy and paste from get.jenkins.io)
• Ensure that the .htaccess files are not copied to R2 cloudflare mirrors (aws s3 sync exclude flag for this) as it is only needed by Apache
  • warning: we might need to tell mirrorbits to ignore these when scanning through rsync
• Setup the command to trigger mirrorbits scan -all through kubernetes on the trusted agent
  • Manual test with the token of the svcaccount and check connectivity
  • insert token in trusted.ci credentials
  • update the publish.sh script and check the timings
• Remove aws cedentials and config from puppet and switch to full env vars from credentials (cleanup)
• Run an end to end test : if the timing is good: then go back to update-center2 PR

[dduportal]

Update:

• WiP on "Setup the command to trigger mirrorbits scan -all through kubernetes on the trusted agent":
  • kubeconfig with the svcaccount token tested on my machine (authentication ✅ ). Protip: kubectl -n updates-jenkins-io get secret mirrorbits-token -o jsonpath={.data.token} | base64 -d is our friend.
  • Authorization needs a patch: the get permission on pod is missing (and required). Tested manually and work: incoming chart PR fix
  • TODO:
  • test the same setup from agent VM to verify connectivity (will need to add IP to allow-list for control plane)
  • then, test the setup from the freestyle job (with kube config as a credential)

[dduportal]

Update on the "Setup the command to trigger mirrorbits scan -all through kubernetes on the trusted agent":

• Authorization patched by https://github.com/jenkins-infra/helm-charts/pull/906 (deployed in https://github.com/jenkins-infra/kubernetes-management/pull/4614)
• Connectivity from the trusted agent needs https://github.com/jenkins-infra/azure/pull/503 to be deployed (allows network access through AKS control plane IP allow-list). Verified manually with success
• Added the kubeconfig as a trusted.ci.jenkins.io credentials which ID is kubeconfig-publick8s-updatesjenkinsio

# With $HOME/.kube/config setup with the same content as the credential
$ dduportal@agent:~$ kubectl --namespace=updates-jenkins-io exec updates-jenkins-io-mirrorbits-lite-67577f5bd4-fffwt --container=mirrorbits-lite -- echo OK
OK

TODO:

• Test the setup from the freestyle job (with kube config as a credential)

[dduportal]

Update:

• Ensure that the .htaccess files are not copied to R2 cloudflare mirrors (aws s3 sync exclude flag for this) as it is only needed by Apache => done by @smerle33 last week
• "Setup the command to trigger mirrorbits scan -all through kubernetes on the trusted agent"
  • mirrorbits scan works very well from the script using the embeded credential
  • Script publish.sh updated and working (tested end to end). The scan takes from 20s to 1m45s. It was timeboxed to 120s as a "top-level" time (and then will fail).
  • Please note that, the script fails if another scan is already in progress: not a nominal case for now though

TODO:

• Fix Apache HTTP/500 errors on https://azure.updates.jenkins.io/
• Fine tune ingress
• Remove aws credentials and config from puppet and switch to full env vars from credentials (cleanup)

[dduportal]

Update:

• HTTP/500 errors are fixed (https://github.com/jenkins-infra/kubernetes-management/pull/4632). https://azure.updates.jenkins.io/ shows the HTML page 🥳
• Another test of the update-center JSON "sync" (without generation) ran in 1min50, with the current production data (e.g. a diff of 4 days since last attempt).

TODO:

• Fine tune ingress (Nginx)
• Crawler
• Remove aws credentials and config from puppet and switch to full env vars from credentials (cleanup)
• Test "end to end" (generation + copy)

[dduportal]

Update:

• Added 2 new credentials on trusted.ci: aws-access-key-id-updatesjenkinsio and aws-secret-access-key-updatesjenkinsio with the proper values
• Moved /home/jenkins/.aws to /home/jenkins/aws-to-delete on the trusted agent
• Changed the update_center_test_lemeurherve_helpdesk2649 job to specify AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from credentials
• Updated the publish.sh script to set AWS_DEFAULT_REGION to auto

Result: AWS S3 sync work: we can proceed to remove it from puppet (along with rclone)

Note: New error to investigate: Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:updates-jenkins-io:mirrorbits" cannot list resource "pods" in API group "" in the namespace "updates-jenkins-io" (on the helm chart size I believe)

[dduportal]

Update:

• Cleaned up and pinned tooling versions on the trusted agent - https://github.com/jenkins-infra/jenkins-infra/pull/3172, https://github.com/jenkins-infra/jenkins-infra/pull/3173, https://github.com/jenkins-infra/jenkins-infra/pull/3174
  • aws CLI is now in v2
• Fixed the (new) error message related to permissions for mirrorbits in https://github.com/jenkins-infra/helm-charts/pull/936
• Last build of the update-center2 "test" is 1min 32: still success and no time changes \o/

[dduportal]

WiP:

• crawler update by @lemeurherve
• Fine tune ingress by @dduportal

TODO:

• Test azure.updates.jenkins with a controller in Docker (@lemeurherve @dduportal)
• PR update-center2 to update and set to review

Then

• JEP
• Performance testing

[dduportal]

Update:

• crawler: requires azcopy and aws CLIs to be installed in our VM templates as the job uses ephemeral agent (different behavior than jenkins-infra/update-center2)

  • Released https://github.com/jenkins-infra/packer-images/releases/tag/1.39.0 with https://github.com/jenkins-infra/packer-images/pull/898 to install azcopy (as aws is already present)
  • Deployment to trusted.ci.jenkins.io: https://github.com/jenkins-infra/jenkins-infra/pull/3177

• Fine tune ingress:

  • The current update center site (updates.jenkins.io on the PKG VM) has the following file extensions:

$ for f in $(find /var/www/updates.jenkins.io -type f); do filename="$(basename "$f")"; echo "${filename##*.}" ;done  | sort -u
htaccess
html
json
txt

• Per type analysis for the ingress rules:
  • htaccess => Do not map to an URL, served by httpd, no mirror
  • html => Map to an URL (such as index pages). Either the ingress send to httpd (outbound bandwidth on Azure but reference) or we copy HTML files to mirror
  • txt => same as HTML. Either httpd or we copy to mirrors
  • json => always send to mirrorbits

[dduportal]

Update:

  * Deployment to trusted.ci.jenkins.io: [Bump Packer Agent Templates (All-In-One) Version to 1.39.0 jenkins-infra#3177](https://github.com/jenkins-infra/jenkins-infra/pull/3177)

* Fine tune ingress:

  * The current update center site (updates.jenkins.io on the PKG VM) has the following file extensions:

$ for f in $(find /var/www/updates.jenkins.io -type f); do filename="$(basename "$f")"; echo "${filename##*.}" ;done  | sort -u
htaccess
html
json
txt

* Per type analysis for the ingress rules:

  * `htaccess` => Do not map to an URL, served by httpd, no mirror
  * `html` => Map to an URL (such as index pages). Either the ingress send to httpd (outbound bandwidth on Azure but reference) or we copy HTML files to mirror
  * `txt` => same as HTML. Either httpd or we copy to mirrors
  * `json` => **always** send to mirrorbits

Opened https://github.com/jenkins-infra/kubernetes-management/pull/4672 to fine tune the ingress. All requests ending in .html, .json and .txt are sent to mirrorbits

[lemeurherve]

WiP:

• crawler update by @lemeurherve

The crawler is now uploading the update/ folder content to the file share and R2 buckets from trusted.ci.jenkins.io: https://github.com/jenkins-infra/crawler/blob/5b0906afe4850efe8ab3f7d9b5562829ba74d6ef/Jenkinsfile#L71-L93

As this job is using a linux agent and not the permanent agent like the update-center2 job, we had to add azcopy to the provisioning of the Linux packer images used by these agents. (aws-cli was already provisioned)

• https://github.com/jenkins-infra/packer-images/pull/898

[lemeurherve]

Update:

The content on azure.updates.jenkins.io has been restored from a copy of updates.jenkins.io content.

We had to ensure that the content was synchronized in the correct destination folder, extracting the SAS token query string from the existing credentials to its own credentials so we can set the destination folder in the R2 bucket URL:

• https://github.com/jenkins-infra/crawler/pull/130

I've updated UC2 publish.sh script in the pull request and in the test branch pr-745 accordingly. As the updates-jenkins-io-file-share-url-with-sas-token credentials is still set on update-center2 job on trusted.ci.jenkins.io, I haven't deleted it yet.

As noted by @daniel-beck in https://github.com/jenkins-infra/crawler/pull/130#issuecomment-1812350610 (thanks btw, we totally missed that!):

Some crawlers don't work, but the existing files will ensure continued operation of the plugins relying of them. They'll just slowly become outdated.

The content from the FlywayInstaller and PerlInstaller crawlers isn't generated and thus synchronized anymore. We have to ensure we copy their JSONs from from pkg.origin.jenkins.io into the File Share and the R2 bucket.

Note: I've experimentally replaced updates.jenkins.io by azure.updates.jenkins.io in every .htaccess and *.html files of this copy with sed so all links and htaccess redirections point to azure.updates.jenkins.io This won't have any use in production as there won't be any azure.updates.jenkins.io anymore so it won't be carried over.

I'm now testing azure.updates.jenkins with a controller and https://github.com/jenkinsci/plugin-installation-manager-tool/ in Docker.

[lemeurherve]

We'll have to ensure .hpi links on plugin download pages like https://updates.jenkins.io/download/plugins/zos-connector/ are correctly redirected by Apache to get.jenkins.io:

$ curl --silent --show-error --output /dev/null --fail --write-out '%{redirect_url}' https://updates.jenkins.io/download/plugins/zos-connector/3.257.v41e144167971/zos-connector.hpi 
https://get.jenkins.io/plugins/zos-connector/3.257.v41e144167971/zos-connector.hpi

We should add/adapt datadog monitor on this kind of redirection.

[lemeurherve]

Local testing of azure.updates.jenkins.io with Docker and plugin-installation-manager-tool:

Running plugin-installation-manager-tool with default settings (updates.jenkins.io)

```console $ docker run -it jenkins/jenkins jenkins-plugin-cli --verbose -p ansicolor No .txt or .yaml file containing list of plugins to be downloaded entered. No directory to download plugins entered. Will use default of /usr/share/jenkins/ref/plugins Using update center https://updates.jenkins.io/update-center.json from JENKINS_UC environment variable Using experimental update center https://updates.jenkins.io/experimental/update-center.json from JENKINS_UC_EXPERIMENTAL environment variable Using incrementals mirror https://repo.jenkins-ci.org/incrementals from JENKINS_INCREMENTALS_REPO_MIRROR environment variable No CLI option or environment variable set for plugin info, using default of https://updates.jenkins.io/plugin-versions.json No war entered. Will use default of /usr/share/jenkins/jenkins.war Retrieving update center information Created cache at: /var/jenkins_home/.cache/jenkins-plugin-management-cli Update center URL: https://updates.jenkins.io/update-center.json?version=2.432 Cache miss for: update-center-2.432 Downloaded update-center-2.432 from https://updates.jenkins.io/dynamic-2.427/update-center.json (attempt 1 of 3) Cache miss for: experimental-update-center-2.432 Cache miss for: plugin-versions Downloaded plugin-versions from https://updates.jenkins.io/current/plugin-versions.json (attempt 1 of 3) Couldn't find checksum for ansicolor at version: latest ansicolor depends on: workflow-api 1215.v2b_ee3e1b_dd39 workflow-step-api 639.v6eca_cd8c04a_a_ Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8= Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8= Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8= Will install new plugin ansicolor 1.0.4 Will use url: https://updates.jenkins.io/download/plugins/ansicolor/1.0.4/ansicolor.hpi to download ansicolor plugin Downloaded ansicolor from https://ftp.belnet.be/mirror/jenkins/plugins/ansicolor/1.0.4/ansicolor.hpi (attempt 1 of 3) Downloaded and validated plugin ansicolor Checksum valid for: ansicolor Done ```

Running plugin-installation-manager-tool with custom settings (azure.updates.jenkins.io)

```console $ docker run -it \ --env JENKINS_UC="https://azure.updates.jenkins.io" \ --env JENKINS_UC_EXPERIMENTAL="https://azure.updates.jenkins.io/experimental" \ --env JENKINS_PLUGIN_INFO="https://azure.updates.jenkins.io/update-center.json" \ jenkins/jenkins jenkins-plugin-cli --verbose -p ansicolor No .txt or .yaml file containing list of plugins to be downloaded entered. No directory to download plugins entered. Will use default of /usr/share/jenkins/ref/plugins Using update center https://azure.updates.jenkins.io/update-center.json from JENKINS_UC environment variable Using experimental update center https://azure.updates.jenkins.io/experimental/update-center.json from JENKINS_UC_EXPERIMENTAL environment variable Using incrementals mirror https://repo.jenkins-ci.org/incrementals from JENKINS_INCREMENTALS_REPO_MIRROR environment variable Using plugin info https://azure.updates.jenkins.io/update-center.json from JENKINS_PLUGIN_INFO environment variable No war entered. Will use default of /usr/share/jenkins/jenkins.war Retrieving update center information Created cache at: /var/jenkins_home/.cache/jenkins-plugin-management-cli Update center URL: https://azure.updates.jenkins.io/update-center.json?version=2.432 Cache miss for: update-center-2.432 Downloaded update-center-2.432 from https://westeurope.cloudflare.jenkins.io/update-center.json (attempt 1 of 3) Cache miss for: experimental-update-center-2.432 Downloaded experimental-update-center-2.432 from https://westeurope.cloudflare.jenkins.io/experimental/update-center.json (attempt 1 of 3) Cache miss for: plugin-versions Downloaded plugin-versions from https://westeurope.cloudflare.jenkins.io/update-center.json (attempt 1 of 3) Couldn't find checksum for ansicolor at version: latest ansicolor depends on: workflow-api 1215.v2b_ee3e1b_dd39 workflow-step-api 639.v6eca_cd8c04a_a_ Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8= Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8= Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8= Will install new plugin ansicolor 1.0.4 Will use url: https://azure.updates.jenkins.io/download/plugins/ansicolor/1.0.4/ansicolor.hpi to download ansicolor plugin Downloaded ansicolor from https://ftp.belnet.be/mirror/jenkins/plugins/ansicolor/1.0.4/ansicolor.hpi (attempt 1 of 3) Downloaded and validated plugin ansicolor Checksum valid for: ansicolor Done ```

Diff

--- default settings (updates.jenkins.io)
+++ custom settings (azure.updates.jenkins.io)
@@ -1,19 +1,20 @@
 No .txt or .yaml file containing list of plugins to be downloaded entered.
 No directory to download plugins entered. Will use default of /usr/share/jenkins/ref/plugins
-Using update center https://updates.jenkins.io/update-center.json from JENKINS_UC environment variable
+Using update center https://azure.updates.jenkins.io/update-center.json from JENKINS_UC environment variable
-Using experimental update center https://updates.jenkins.io/experimental/update-center.json from JENKINS_UC_EXPERIMENTAL environment variable
+Using experimental update center https://azure.updates.jenkins.io/experimental/update-center.json from JENKINS_UC_EXPERIMENTAL environment variable
 Using incrementals mirror https://repo.jenkins-ci.org/incrementals from JENKINS_INCREMENTALS_REPO_MIRROR environment variable
-No CLI option or environment variable set for plugin info, using default of https://updates.jenkins.io/plugin-versions.json
+Using plugin info https://azure.updates.jenkins.io/update-center.json from JENKINS_PLUGIN_INFO environment variable
 No war entered. Will use default of /usr/share/jenkins/jenkins.war

 Retrieving update center information
 Created cache at: /var/jenkins_home/.cache/jenkins-plugin-management-cli
-Update center URL: https://updates.jenkins.io/update-center.json?version=2.432
+Update center URL: https://azure.updates.jenkins.io/update-center.json?version=2.432
 Cache miss for: update-center-2.432
-Downloaded update-center-2.432 from https://updates.jenkins.io/dynamic-2.427/update-center.json (attempt 1 of 3)
+Downloaded update-center-2.432 from https://westeurope.cloudflare.jenkins.io/update-center.json (attempt 1 of 3)
 Cache miss for: experimental-update-center-2.432
+Downloaded experimental-update-center-2.432 from https://westeurope.cloudflare.jenkins.io/experimental/update-center.json (attempt 1 of 3)
 Cache miss for: plugin-versions
-Downloaded plugin-versions from https://updates.jenkins.io/current/plugin-versions.json (attempt 1 of 3)
+Downloaded plugin-versions from https://westeurope.cloudflare.jenkins.io/update-center.json (attempt 1 of 3)
 Couldn't find checksum for ansicolor at version: latest

 ansicolor depends on: 
@@ -23,10 +24,9 @@
 Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8=
 Setting checksum for: ansicolor to bUHwcLjm/CLLqmHVugbg3zT6xyG6XvRVzBSN9wKUal8=
 Will install new plugin ansicolor 1.0.4
-Will use url: https://updates.jenkins.io/download/plugins/ansicolor/1.0.4/ansicolor.hpi to download ansicolor plugin
+Will use url: https://azure.updates.jenkins.io/download/plugins/ansicolor/1.0.4/ansicolor.hpi to download ansicolor plugin
 Downloaded ansicolor from https://ftp.belnet.be/mirror/jenkins/plugins/ansicolor/1.0.4/ansicolor.hpi (attempt 1 of 3)
 Downloaded and validated plugin ansicolor
 Checksum valid for: ansicolor
 Done

[lemeurherve]

To check Jenkins itself with azure.jenkins.io, I've blackholed updates.jenkins.io by adding 127.0.0.1 updates.jenkins.io to my /etc/host.

I then ran the controller image with docker run -it jenkins/jenkins.

Note that env vars like the ones I've passed to plugin-installation-manager-tool aren't taken in account by Jenkins.

Next, I've set https://azure.updates.jenkins.io in "Manage Jenkins > Plugins > Advanced settings > Update Site > URL"

Then, I've went to "Manage Jenkins > Plugins > Updates" and clicked on the refresh button to retrieve the update-center.json from azure.jenkins.io.

I've finally confirmed that the list of plugins was available at "Manage Jenkins > Plugins > Available plugins".

What I've also understood by getting an (expected) error when trying to install a plugin from there is that Jenkins doesn't use the same mechanism as plugin-installation-manager-tool to retrieve the plugin download URL:

• Jenkins is using the URL specified in the update-center.json file, which contains generated links pointing to updates.jenkins.io
• The plugin-installation-manager-tool is assembling its own download URL pointing to azure.updates.jenkins.io from its configuration parameter and the plugin info (name & version): https://github.com/jenkinsci/plugin-installation-manager-tool/blob/7bdb98b9ce907c1b70eaaaf37a279db6e23e8eef/plugin-management-library/src/main/java/io/jenkins/tools/pluginmanager/impl/PluginManager.java#L1226-L1244

[lemeurherve]

From these elements local tests of azure.updates.jenkins.io seems conclusive.

It also means that we'll probably have to plan a brownout to test our prototype in situ.

[lemeurherve]

• "Setup the command to trigger mirrorbits scan -all through kubernetes on the trusted agent"
  • mirrorbits scan works very well from the script using the embeded credential
  • [...]
  • Please note that, the script fails if another scan is already in progress: not a nominal case for now though

Coming back to this initial hypothesis: as the update-center2 job will run every few minutes and trigger a scan, we don't need and have to disable the 5 min cron scan configured by default on mirrorbits via its secrets (RepositoryScanInterval: 5) to avoid failing the synchronization job.

[lemeurherve]

Note: we can have R2 buckets in China with CloudFlare 🎉

Related open help desk issue that could be resolved with it in the future:

• https://github.com/jenkins-infra/helpdesk/issues/2787

[dduportal]

Update:

• As shown by https://github.com/jenkins-infra/helpdesk/issues/3875, the SAS token reached expiry the 22 December 2023. - While fixing, deleted the former updates-jenkins-io Azure File Share URL with its SAS token credential (in trusted.ci) in favor of the updates-jenkins-io Azure File Share SAS token query string used by the crawler
  • Note: https://github.com/jenkins-infra/update-center2/pull/745/files#diff-374d21adf718a5a7d618cdcd0312a9787d272f3ccc1d0e9d080986df665cec32R50 is already using the new credential. Only had to update the main udpate_center2 freestyle job configuration

[dduportal]

Todo:

• Restrict the SAS to only trusted agent networks