search

jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose
16 stars 10 forks source link

Remove `jcenter`, and `oss.sonatype.org-releases` repositories from `public` virtual repository; reconfigure Atlassian remote repositories #3842

Closed MarkEWaite closed 8 months ago

MarkEWaite commented 9 months ago

Service(s)

Artifactory

Summary

The data transfer volume from https://repo.jenkins-ci.org is still unexpectedly high. Log file analysis for a recent 5 day period shows that the top repositories based on the sum of the sizes of the requested files are:

Repository Sum of GB requested
releases 2380
jcenter-cache 1787
incrementals 298
jcenter 98
nodejs-dist-cache 78
public 26
jgit-cache 14
oss.sonatype.org-releases-cache 8
snapshots 8
npm-dist-cache 5

JFrog has explained that even though we removed Apache Maven Central from the public repository, the contents of Apache Maven Central still exist as copies in the jcenter repository. We need to also remove the jcenter repository and the jcenter-cache repository from the definition of the public repository so that binaries from Apache Maven Central will be resolved from Apache Maven Central instead of being resolved from our repository.

When I had tried some initial experiments removing jcenter, several months ago, there were some cases where it appeared that we depend on artifacts that are only in jcenter and possibly only in our cache of jcenter. Unfortunately, my memory is weak and I cannot find any notes that reference that experiment.

I think that we should take the following steps:

Reproduction steps

Steps that I took to analyze the requests:

  1. Request Artifactory log files from JFrog
  2. Update my artfiactory-sql fork to handle the new format of Artifactory log files
  3. Upload the log files to a sqlite3 database
  4. Identity top repositories with the SQL query select repo,sum(size_bytes)/1024/1024/1024 as SUM_GB from logs group by repo order by SUM_GB desc limit 10;
MarkEWaite commented 9 months ago

I built over 240 of the top 250 plugins with the settings.xml file listed later (using repo.jenkins-ci.org for the releases repository, the jgit repository, and the netbeans repository).

I had to download the jbcrypt library separately but other than that, I was able to build without running tests.

The repositories that did not build with those settings are:

One plugin (gradle-plugin) does not build with Maven, so I can't check it.

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <pluginGroups>
    <pluginGroup>org.jenkins-ci.tools</pluginGroup>
  </pluginGroups>
  <profiles>
    <profile>
      <id>jenkins</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <repositories>
        <repository>
          <id>repo.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/releases/</url>
        </repository>
        <repository>
          <id>jgit.repo.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/jgit/</url>
        </repository>
        <repository>
          <id>netbeans.repo.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/netbeans/</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>repo.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/releases/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
MarkEWaite commented 9 months ago

@daniel-beck do you have a recommendation or a preference for the location where the org.connectbot.jbcrypt:jbcrypt:1.0.0 artifact from jcenter-cache should be placed? My first thought was to place it in the Jenkins releases repository because it is required for a Jenkins release and not available in our other repositories.

According to mvnrepository.com, that library is available from the Spring plugins repository and the Spring Lib M repository. The 1.0.1 and 1.0.2 versions of that library are available from repo.maven.apache.org, but the 1.0.0 version is not.

timja commented 9 months ago

or update whatever is using 1.0.0 to a newer version?

daniel-beck commented 9 months ago

My first thought was to place it in the Jenkins releases repository because it is required for a Jenkins release and not available in our other repositories.

That's an approach we've used in the past but would consider it mostly legacy from when just everything went into releases (there are issues complaining about differences in artifacts in releases vs. elsewhere, for example). Consider a new repo also added to the public virtual repo (populate exclusively by copying from cache to that new repo as admin).

MarkEWaite commented 9 months ago

or update whatever is using 1.0.0 to a newer version?

That would break builds of previous versions of Jenkins core, since it requires jbcrypt 1.0.0. I failed the last time that I tried to update the jbcrypt 1.0.0 dependency to a newer version. I don't have notes on the failure, but I remember that the attempt did not succeed.

I think it is a good idea to update the version of jbcrypt to a newer release if possible, but I think that should be handled separately from this effort.

MarkEWaite commented 9 months ago

Consider a new repo also added to the public virtual repo (populate exclusively by copying from cache to that new repo as admin).

Thanks. I've updated the text of the issue to propose the creation of a new repository, addition of that new repository to the public virtual repository, and the move of the jbcrypt 1.0.0 artifact into the new repository.

dduportal commented 9 months ago

This plan looks good to me, I'm gonna proceed with the first step. proposal for the new repository name: orphans to convey the "status" of the hosted artifacts within this repo.

dduportal commented 9 months ago

Create a new repository on repo.jenkins-ci.org and copy the org.connectbot.jbcrypt:jbcrypt:1.0.0 artifact from jcenter-cache to the new repository (required for Jenkins core, appears to only be available from jcenter-cache). Add the new repository to the public virtual repository

See: https://repo.jenkins-ci.org/artifactory/orphans/org/connectbot/jbcrypt/jbcrypt/

cc @MarkEWaite so you can continue your tests.

MarkEWaite commented 9 months ago

Analyzing artifactory plugin build failure

The artifactory plugin has a dependency on the token macro plugin 2.12. The token macro plugin 2.12 has a dependency on com.jayway.jsonpath:json-path:2.4.0. Our cached copy of the JGit repository includes an outdated copy of the json-path 2.4.0 pom file for the 2.4.0 release of json-path.

Based on comments in https://github.com/openhab/openhab-addons/issues/10102#issuecomment-775779992 , we need to replace our outdated copy of 2.4.0 with an updated pom file and jar file.

If we don't want to replace the file in our cached copy of the JGit repository (because the outdated file still exists in the Eclipse JGit repository), we could place a fresh copy into the orphans repository and move the orphans repository before the JGit repository in our virtual repository search order.

Is there a way to safely remove or exclude the outdated / incorrect json-path 2.4.0 that we are getting from the Eclipse repository?

MarkEWaite commented 9 months ago

Analyzing configuration as code plugin build failure

The configuration as code plugin depends on the crowd2 plugin. The crowd2 plugin depends on the crowd-integration-client-common 5.1.5 library that appears to only be available from our jcenter-cache. Since crowd2 is an Atlassian product, I expected it to be in the atlassian-cache repository, but it does not seem to be there.

We could add the Atlassian repository to the configuration as code plugin like this:

diff --git a/pom.xml b/pom.xml
index f8c7d60e..9a1d5c37 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,6 +51,10 @@
       <id>repo.jenkins-ci.org</id>
       <url>https://repo.jenkins-ci.org/public/</url>
     </repository>
+    <repository>
+      <id>Atlassian</id>
+      <url>https://packages.atlassian.com/mvn/maven-atlassian-external/</url>
+    </repository>
   </repositories>

   <pluginRepositories>

That won't solve the case for other projects that depend on the Atlassian libraries. It also does not explain why the Atlassian libraries are not in our atlassian-cache repository but are in our jcenter-cache repository.

MarkEWaite commented 9 months ago

Analyzing Jira plugin build failure

The Jira plugin depends on Atlassian libraries that are available from our jcenter-cache but are not found unless jcenter-cache is included.

The build passed after I added the Atlassian repository to the jira-plugin pom file:

diff --git a/pom.xml b/pom.xml
index e3ca697..d56a0ff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -330,6 +330,10 @@
       <id>repo.jenkins-ci.org</id>
       <url>https://repo.jenkins-ci.org/public/</url>
     </repository>
+    <repository>
+      <id>Atlassian</id>
+      <url>https://packages.atlassian.com/mvn/maven-atlassian-external</url>
+    </repository>
   </repositories>

   <pluginRepositories>
MarkEWaite commented 9 months ago

Analyzing robot plugin build failure

The robot plugin requires Java 11. It won't build with Java 21.

The robot plugin has a dependency on com.jayway.jsonpath:json-path:2.4.0. Our cached copy of the JGit repository includes an outdated copy of the json-path 2.4.0 pom file for the 2.4.0 release of json-path.

Based on comments in https://github.com/openhab/openhab-addons/issues/10102#issuecomment-775779992 , we need to replace our outdated copy of 2.4.0 with an updated pom file and jar file.

If we don't want to replace the file in our cached copy of the JGit repository (because the outdated file still exists in the Eclipse JGit repository), we could place a fresh copy into the orphans repository and move the orphans repository before the JGit repository in our virtual repository search order.

Is there a way to safely remove or exclude the outdated / incorrect json-path 2.4.0 that we are getting from the Eclipse repository?

MarkEWaite commented 9 months ago

Analyzing promoted builds plugin build failure

The promoted builds plugin has an optional dependency on the project inheritance plugin 21.04.03. The project inheritance plugin 21.04.03 pom file uses http instead of https in its repository URL references. Maven rejects attempts to from an http repository.

There are hints like this on several pages that http blocking can be bypassed with a mirrorOf definition, but I've not been able to make it work.

daniel-beck commented 9 months ago

The artifact org.connectbot.jbcrypt:jbcrypt:1.0.0 has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's

Any particular reason why?

MarkEWaite commented 9 months ago

The artifact org.connectbot.jbcrypt:jbcrypt:1.0.0 has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's

Any particular reason why?

I could not find the artifact org.connectbot.jbcrypt:jbcrypt:1.0.0 on repo.jenkins-ci.org in any repository other than jcenter-cache. Since the goal is to remove jcenter-cache from the definition of the public virtual repository, it seemed like we need to copy that artifact to a new repository that can be included in the public virtual repository without including all of jcenter-cache.

Did that address your question or is there something more that I'm not understanding in the question?

daniel-beck commented 9 months ago

Did that address your question or is there something more that I'm not understanding in the question?

From my proposal of the new repo holding these dependencies:

populate exclusively by copying from cache to that new repo as admin

That trivially ensures identical artifacts. Per Damien,

has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's

That looks very manual and results in differences. For example, we don't have *.asc files now. No idea whether they're needed, but any difference seems unnecessary.

If my proposed approach is not possible, or has drawbacks I'm unaware of, and that's the reason for the different approach, I'd like to know.

basil commented 9 months ago

Is there a way to safely remove or exclude the outdated / incorrect json-path 2.4.0 that we are getting from the Eclipse repository?

Googling brings up https://jfrog.com/help/r/jfrog-artifactory-documentation/basic-settings-for-remote-repositories which shows that you can configure exclude patterns on a remote repository (i.e., a cache). Based on this documentation I think we should delete the json-path dependency from our Eclipse remote repository (i.e., our cache) and add an exclude pattern so that it won't be downloaded again. Then requests for it from the JGit remote repository should 404 and the lookup should proceed to the (valid) version on Central.

basil commented 9 months ago

~See this page for more information on the Atlassian repositories. https://packages.atlassian.com/maven-public/ contains just the core Atlassian libraries (sort of like our releases) while https://packages.atlassian.com/maven-external/ contains a lot of other stuff, including third-party libraries (sort of like our public). That is, the former could be cached by us, but the latter couldn't (otherwise we'd have the same bandwidth issue as with JCenter). Unfortunately, the Jira library is present in maven-public but the Crowd library is only available in maven-external. So I don't see a way around https://github.com/jenkinsci/crowd2-plugin depending directly on https://packages.atlassian.com/maven-external/ (including all its dependencies, which thankfully is only https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/integrations which is not published in any releases). For the Jira plugin, https://packages.atlassian.com/maven-public/ could be added to the build as in https://github.com/jenkinsci/jira-plugin/pull/578 (including downstream consumers, of which the only significant one is https://github.com/jenkinsci/blueocean-plugin/pull/2531), or we could start caching https://packages.atlassian.com/maven-public/ and include that in our public virtual repository, in which case we wouldn't need https://github.com/jenkinsci/jira-plugin/pull/578 or the <repository> portion of https://github.com/jenkinsci/blueocean-plugin/pull/2531.~

Edit: This already exists: https://repo.jenkins-ci.org/ui/repos/tree/General/atlassian which is part of public.

basil commented 9 months ago

promoted-builds can only be fixed by adopting and re-releasing project-inheritance I think.

basil commented 9 months ago

promoted-builds can only be fixed by adopting and re-releasing project-inheritance I think.

@MarkEWaite Would you like to do this or shall I?

MarkEWaite commented 9 months ago

promoted-builds can only be fixed by adopting and re-releasing project-inheritance I think.

@MarkEWaite Would you like to do this or shall I?

I'd prefer that you do it. Thanks for the analysis that there really isn't another way except to adopt and release a new version.

basil commented 9 months ago

https://plugins.jenkins.io/scp/ hasn't been released in 13 years and has an open security vulnerability, so I think we should be deprecating this plugin rather than getting it to build.

@MarkEWaite I'd prefer that you do it.

basil commented 9 months ago

project-inheritance can't actually be adopted because it isn't in our GitHub organization. Rather I have filed https://github.com/jenkinsci/promoted-builds-plugin/pull/272 to remove promoted-builds's (optional) integration with it.

basil commented 9 months ago

Open action items from my perspective:

basil commented 9 months ago

I just discovered that we already have https://repo.jenkins-ci.org/ui/repos/tree/General/atlassian (which we are not being asked to disable), and it is already part of https://repo.jenkins-ci.org/artifactory/public. In any case, I confirmed that Jira plugin builds correctly with nothing but https://repo.jenkins-ci.org/releases/, https://repo.jenkins-ci.org/orphans/, https://repo.jenkins-ci.org/atlassian/, and Central (in that order), and I confirmed that Crowd2 plugin builds correctly with nothing but https://repo.jenkins-ci.org/releases, https://repo.jenkins-ci.org/atlassian, and Central (in that order). Based on these results I have closed the PRs in jira-plugin and crowd2-plugin (as well as the downstream PRs in blueocean-plugin and configuration-as-code-plugin).

I do not know why this was not included in https://github.com/jenkins-infra/helpdesk/issues/3842#issuecomment-1837820356. For the experiment to have scientific rigor, it should have included everything that is part of https://repo.jenkins-ci.org/artifactory/public, in the same order (minus JCenter, of course). If the experiment had been done this way, I do not think these false positives would have turned up.

basil commented 9 months ago

In my opinion it would be valuable to re-run the experiment from https://github.com/jenkins-infra/helpdesk/issues/3842#issuecomment-1837820356 but with the exact list of remote repositories that are in public (in the same order), minus JCenter, and with the addition of orphans (in the same position that we expect to add it to public), preferably also after implementing https://github.com/jenkins-infra/helpdesk/issues/3842#issuecomment-1839521681, but before the brownout. The expected results of this experiment re-run would be the disappearance of Jira-related problems, and the (potential!) appearance of new problems that we could not see before due to an unrealistic test environment.

dduportal commented 9 months ago

Did that address your question or is there something more that I'm not understanding in the question?

From my proposal of the new repo holding these dependencies:

populate exclusively by copying from cache to that new repo as admin

That trivially ensures identical artifacts. Per Damien,

has been deployed to this new repository, along with its POM, sources and javadoc. A Maven metadat file has been autogenerated and looks the same as jcenter's

That looks very manual and results in differences. For example, we don't have *.asc files now. No idea whether they're needed, but any difference seems unnecessary.

If my proposed approach is not possible, or has drawbacks I'm unaware of, and that's the reason for the different approach, I'd like to know.

I failed to find a way to copy only selected dependency from the cache, so I did a manual "deploy" through the UI.

Thanks for pointing this out, I misunderstood your first message. Currently trying to copy from the cache repo following https://jfrog.com/help/r/jfrog-artifactory-documentation/move-and-copy-artifacts to see if it adds the .asc files.

MarkEWaite commented 9 months ago

The recommendation from @basil was exactly right. I've redefined my settings.xml to include exactly the repositories that are included in the search order of the Jenkins repository and I believe I've found an additional issue that we should test during the brownout tomorrow.

@dduportal shared that the list of repositories included in the public virtual repository is available with the command:

curl https://repo.jenkins-ci.org/api/repositories/public

That provides the following output:

{
  "key": "public",
  "packageType": "maven",
  "description": "All public repositories aggregated for the purpose of building Jenkins and its plugins",
  "repositories": [
    "snapshots",
    "releases",
    "shibboleth",
    "maven.jenkins-ci.org",
    "maven.twttr.com",
    "javanet2",
    "tmate",
    "jcenter",
    "oss.sonatype.org-releases",
    "cloudbees.public.release",
    "jgit",
    "netbeans",
    "fusesource",
    "atlassian"
  ],
  "rclass": "virtual"
}

When I define my settings.xml based on that definition, many of the artifacts that I expected to be delivered by Apache Maven Central are instead delivered from the oss.sonatype.org-releases cache on repo.jenkins-ci.org.

I think that we need to disable jcenter, jcenter-cache, and oss.sonatype.org-releases during the brownout tomorrow. When I remove those from my settings file, I see that the expected artifacts are retrieved from Apache Maven Central.

The settings.xml file that I'm using is:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <pluginGroups>
    <pluginGroup>org.jenkins-ci.tools</pluginGroup>
  </pluginGroups>

  <profiles>
    <profile>
      <id>faster</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <forkCount>1C</forkCount>
      </properties>
    </profile>
    <profile>
      <id>jenkins</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <repositories>
        <repository>
          <id>snapshots</id>
          <url>https://repo.jenkins-ci.org/snapshots/</url>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
          <releases>
            <enabled>false</enabled>
          </releases>
        </repository>
        <repository>
          <!-- intentionally named repo.jenkins-ci.org to override public -->
          <id>repo.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/releases/</url>
        </repository>
        <repository>
          <id>shibboleth</id>
          <url>https://repo.jenkins-ci.org/shibboleth/</url>
        </repository>
        <repository>
          <id>maven.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/maven.jenkins-ci.org/</url>
        </repository>
        <repository>
          <id>maven.twttr.com</id>
          <url>https://repo.jenkins-ci.org/maven.twttr.com/</url>
        </repository>
        <repository>
          <id>javanet2</id>
          <url>https://repo.jenkins-ci.org/javanet2/</url>
        </repository>
        <repository>
          <id>tmate</id>
          <url>https://repo.jenkins-ci.org/tmate/</url>
        </repository>
        <!-- <repository> -->
        <!--   <id>jcenter</id> -->
        <!--   <url>https://repo.jenkins-ci.org/jcenter/</url> -->
        <!-- </repository> -->
        <!-- <repository> -->
        <!--   <id>oss.sonatype.org-releases</id> -->
        <!--   <url>https://repo.jenkins-ci.org/oss.sonatype.org-releases/</url> -->
        <!-- </repository> -->
        <repository>
          <id>cloudbees.public.release</id>
          <url>https://repo.jenkins-ci.org/cloudbees.public.release/</url>
        </repository>
        <repository>
          <id>jgit</id>
          <url>https://repo.jenkins-ci.org/jgit/</url>
        </repository>
        <repository>
          <id>netbeans</id>
          <url>https://repo.jenkins-ci.org/netbeans/</url>
        </repository>
        <repository>
          <id>fusesource</id>
          <url>https://repo.jenkins-ci.org/fusesource/</url>
        </repository>
        <repository>
          <id>atlassian</id>
          <url>https://repo.jenkins-ci.org/atlassian/</url>
        </repository>
        <repository>
          <id>orphans</id>
          <url>https://repo.jenkins-ci.org/orphans/</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>repo.jenkins-ci.org</id>
          <url>https://repo.jenkins-ci.org/releases/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
MarkEWaite commented 9 months ago

More details on configuration as code plugin build failure

With the settings.xml that includes orphans and replacing the https://repo.jenkins-ci.org/public/ with https://repo.jenkins-ci.org/releases/ in the pom.xml file of the configuration as code plugin, the plugin build fails because it cannot find crowd-integration-client-common-5.1.5.pom:

Downloading from repo.jenkins-ci.org: https://repo.jenkins-ci.org/releases/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from shibboleth: https://repo.jenkins-ci.org/shibboleth/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from maven.jenkins-ci.org: https://repo.jenkins-ci.org/maven.jenkins-ci.org/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from maven.twttr.com: https://repo.jenkins-ci.org/maven.twttr.com/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from javanet2: https://repo.jenkins-ci.org/javanet2/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from tmate: https://repo.jenkins-ci.org/tmate/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from cloudbees.public.release: https://repo.jenkins-ci.org/cloudbees.public.release/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from jgit: https://repo.jenkins-ci.org/jgit/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from netbeans: https://repo.jenkins-ci.org/netbeans/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from fusesource: https://repo.jenkins-ci.org/fusesource/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from atlassian: https://repo.jenkins-ci.org/atlassian/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from incrementals: https://repo.jenkins-ci.org/incrementals/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloading from central: https://repo.maven.apache.org/maven2/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
[WARNING] The POM for com.atlassian.crowd:crowd-integration-client-common:jar:5.1.5 is missing, no dependency information available

If I restore the https://repo.jenkins-ci.org/public/ in pom.xml, then that dependency is found in the "public" repository. The build output is:

Downloading from repo.jenkins-ci.org: https://repo.jenkins-ci.org/public/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom
Downloaded from repo.jenkins-ci.org: https://repo.jenkins-ci.org/public/com/atlassian/crowd/crowd-integration-client-common/5.1.5/crowd-integration-client-common-5.1.5.pom (3.4 kB at 8.5 kB/s)

I think that means that the atlassian crowd components needed by the configuration as code plugin integration test are only available from one of the repositories that I've excluded from the settings.xml file (either jcenter or oss.sonatype.org-releases). The atlassian repository that is included in the configuration does not currently include those components.

Based on that, I expect tomorrow's brownout to fail the build of the configuration as code plugin while public does not include the jcenter repository.

basil commented 9 months ago

I can reproduce the problem in crowd2-plugin and configuration-as-code's integrations module. Running

$ curl https://repo.jenkins-ci.org/api/repositories/atlassian      
{
  "key" : "atlassian",
  "packageType" : "maven",
  "description" : "",
  "url" : "https://maven.atlassian.com/content/repositories/atlassian-public/",
  "rclass" : "remote"

I see the remote repository is for https://maven.atlassian.com/content/repositories/atlassian-public/ but note from this page that

We are in the process of deprecating all maven.atlassian.com URLs. If you are using any of those, please change them to a URL mentioned above as soon as practical. We will advise the developer community more widely when we expect to permanently decommission the maven.atlassian.com URLs.

That page (which itself is about three years old) mentions https://packages.atlassian.com/maven-external/ which is a virtual repository for (at least) https://packages.atlassian.com/maven-3rdparty/, https://packages.atlassian.com/maven-public/, and https://packages.atlassian.com/maven-public-snapshot/. It seems that https://maven.atlassian.com/content/repositories/atlassian-public/ maps to https://packages.atlassian.com/maven-public/ which contains the Jira libraries but not the Crowd libraries.

Unfortunately https://packages.atlassian.com/maven-external/ contains 3rd-party libraries, so we cannot easily mirror it without introducing similar bandwidth problems as with JCenter. And after doing some Googling I can't find any other repository that contains the Crowd libraries. So I would suggest adding https://packages.atlassian.com/maven-external/ to the <repositories> section of crowd2-plugin and any downstream consumers (currently just configuration-as-code's integrations module). If a repository is identified that contains Crowd libraries but not other 3rd party libraries, then we could mirror it and add it to the public virtual repository.

The public virtual repository should also be updated to use https://packages.atlassian.com/maven-public/ in favor of the deprecated https://maven.atlassian.com/content/repositories/atlassian-public/.

basil commented 9 months ago

After scouring the Internet a little further, I think I have found where it lives:

https://packages.atlassian.com/mvn/maven-atlassian-external/

I confirmed that between https://packages.atlassian.com/maven-public/ and https://packages.atlassian.com/mvn/maven-atlassian-external/ Crowd 2 can be built successfully.

My new recommendation is to create two new remote repositories corresponding to https://packages.atlassian.com/maven-public/ and https://packages.atlassian.com/mvn/maven-atlassian-external/ and replace the existing atlassian entry with these two new ones during the brownout. This should be equivalent to what is currently coming from JCenter, without dragging in tons of other third-party libraries.

MarkEWaite commented 9 months ago

I have built 244 out of 248 repositories using the previous settings.xml with the addition of https://packages.atlassian.com/maven-public/ and https://packages.atlassian.com/mvn/maven-atlassian-external/ as repositories.

MarkEWaite commented 9 months ago

The Atlassian libraries were unavailable during the brownout, as seen by a failure in building a repository permissions updater pull request:

The failure message was:

07:15:07  + mvn -U -B -ntp clean verify
07:15:08  [INFO] Scanning for projects...
07:15:09  [INFO] 
07:15:09  [INFO] ----------< io.jenkins.infra:repository-permissions-updater >-----------
07:15:09  [INFO] Building Artifactory Upload Permissions Updater 1.0-SNAPSHOT
07:15:09  [INFO]   from pom.xml
07:15:09  [INFO] --------------------------------[ jar ]---------------------------------
07:15:34  [INFO] ------------------------------------------------------------------------
07:15:34  [INFO] BUILD FAILURE
07:15:34  [INFO] ------------------------------------------------------------------------
07:15:34  [INFO] Total time:  26.495 s
07:15:34  [INFO] Finished at: 2023-12-06T14:15:34Z
07:15:34  [INFO] ------------------------------------------------------------------------
07:15:34  [ERROR] Failed to execute goal on project repository-permissions-updater: Could not resolve dependencies for project io.jenkins.infra:repository-permissions-updater:jar:1.0-SNAPSHOT: Failed to collect dependencies at com.atlassian.jira:jira-rest-java-client-core:jar:5.2.7: Failed to read artifact descriptor for com.atlassian.jira:jira-rest-java-client-core:jar:5.2.7: The following artifacts could not be resolved: com.atlassian.jira:jira-rest-java-client-core:pom:5.2.7 (absent): Could not transfer artifact com.atlassian.jira:jira-rest-java-client-core:pom:5.2.7 from/to repo.jenkins-ci.org (https://repo.jenkins-ci.org/public/): status code: 401, reason phrase:  (401) -> [Help 1]

We had added the Atlassian repositories as remote repositories at the start of the brownout, but maybe they were not populated?

basil commented 9 months ago

The artifacts are there in the remote repositories:

https://repo.jenkins-ci.org/atlassian-maven-public/ is returning 401, not 404. Seems like it was not set up for anonymous access (i.e., an unrealistic test environment).

basil commented 9 months ago

Based on https://twitter.com/askatlassian/status/1732550688176005520 it appears that the next step is to file a ticket at https://developer.atlassian.com/support to ask them which combination of repositories contains Jira and Crowd libraries but not other third-party software.

jtnord commented 9 months ago

closed source Atlassian proprietary binaries are in https://packages.atlassian.com/mvn/maven-closedsource/

jtnord commented 9 months ago

but as per the URL - these are not open source software contained here - they are subject to the atlassian licence https://www.atlassian.com/legal/software-license-agreemen (the parents track eventually to a version of https://packages.atlassian.com/mvn/maven-closedsource/com/atlassian/pom/closedsource-pom/ but in any case they are in the closedsource repo!)

so the question is should hosting of these plugins be allowed per https://www.jenkins.io/doc/developer/publishing/preparation/#license and that the libraries they require are not open source

basil commented 9 months ago

Yep, https://packages.atlassian.com/mvn/maven-closedsource/com/atlassian/crowd/atlassian-crowd/5.2.1/atlassian-crowd-5.2.1.pom is a child of closedsource-pom. I think we have three options:

  1. Preserve existing behavior by mirroring https://packages.atlassian.com/maven-external/ and (temporarily) https://packages.atlassian.com/mvn/maven-closedsource/ then file a separate ticket to track the removal of the latter and its implications on the Crowd2 plugin (and downstream consumers like the Configuration as Code test suite) as a separate exercise.
  2. Break Crowd2 plugin (and downstream consumers like the Configuration as Code test suite) by mirroring only https://packages.atlassian.com/maven-external/ then file a separate ticket regarding the violation of the hosting policy.
  3. File a separate ticket regarding the violation of the hosting policy as a prerequisite to the completion of this ticket.

Since this ticket is time and budget sensitive, my preference would be either for options 1 or 2. I don't see 1 as being a horrible workaround since it is really just preserving the status quo, which is admittedly not great. But 2 also seems fine because the Crowd 2 plugin only has 2,000 installations, so its tests could be temporarily excluded from Configuration as Code's test suite if needed.

daniel-beck commented 9 months ago

a child of closedsource-pom

What license is this stuff distributed under? If it's proprietary, we should just suspend the plugin. See e.g. https://github.com/jenkins-infra/helpdesk/issues/3742 or https://github.com/jenkins-infra/update-center2/pull/720. (Even during any grace period we may offer the maintainers to address this without suspension, we don't really need to care about supporting their rule violations.)

basil commented 9 months ago

https://www.atlassian.com/legal/software-license-agreement is proprietary, and that suggestion corresponds to (2) in my previous post.

MarkEWaite commented 9 months ago

but as per the URL - these are not open source software contained here - they are subject to the atlassian licence https://www.atlassian.com/legal/software-license-agreement (the parents track eventually to a version of https://packages.atlassian.com/mvn/maven-closedsource/com/atlassian/pom/closedsource-pom/ but in any case they are in the closedsource repo!)

so the question is should hosting of these plugins be allowed per https://www.jenkins.io/doc/developer/publishing/preparation/#license and that the libraries they require are not open source

I agree with @jtnord and @basil that the dependency com.atlassian.crowd:crowd-integration-api:jar:5.1.5 is not open source. The pom file for that dependency does not include a license, but I've tracked back through the parent poms and the trail leads to closedsource-pom:6.2.2 that includes the license https://www.atlassian.com/legal/software-license-agreement

I think that we should take option 2 as described by @basil . I've submitted the following issue to Jenkins infra help desk to suspend distribution of the Crowd2 integration plugin:

basil commented 9 months ago

Confluence Publisher is also impacted: https://github.com/jenkins-infra/helpdesk/issues/3856

dduportal commented 9 months ago

The artifacts are there in the remote repositories:

* https://packages.atlassian.com/maven-public/com/atlassian/jira/jira-rest-java-client-core/5.2.7/

* https://packages.atlassian.com/mvn/maven-atlassian-external/com/atlassian/jira/jira-rest-java-client-core/5.2.7/

https://repo.jenkins-ci.org/atlassian-maven-public/ is returning 401, not 404. Seems like it was not set up for anonymous access (i.e., an unrealistic test environment).

Pairing operation with @MarkEWaite today: the repository https://repo.jenkins-ci.org/artifactory/atlassian-maven-public is now available publicly (added to the permissions scheme "Any Remote" which adds Read and Cache to the anonymous user.

dduportal commented 9 months ago

Start of the 2nd brownout on repo.jenkins-ci.org with @MarkEWaite:

We've updated the public virtual repository to the following setup:

curl --silent https://repo.jenkins-ci.org/api/repositories/public | jq -r '.'
{
  "key": "public",
  "packageType": "maven",
  "description": "All public repositories aggregated for the purpose of building Jenkins and its plugins",
  "repositories": [
    "releases",
    "orphans",
    "atlassian-maven-public",
    "shibboleth",
    "maven.jenkins-ci.org",
    "maven.twttr.com",
    "javanet2",
    "tmate",
    "cloudbees.public.release",
    "jgit",
    "netbeans",
    "fusesource",
    "snapshots"
  ],
  "rclass": "virtual"
}
MarkEWaite commented 9 months ago

After implementing the production change, we found that the artifactory plugin depends on a 3.1.7 release of a platform pom that is only available from the Spring plugins repository at https://repo.spring.io/plugins-release/ . Other versions of that artifact are available from Atlassian public, but not that version.

@dduportal created a jcenter-orphans remote repository that includes a specific item

com.atlassian.pom:public-pom:pom:4.0.7 was then missing. That was fixed by adding another entry to jcenter-orphans

com.atlassian.sal:sal-api:jar:3.0.7 was missing.

Items that were missing have been added to the jcenter-orphans remote repository with a narrow inclusion definition to avoid including any more of jcenter than those few items that are not available elsewhere. The jcenter-orphans repository is intentionally placed near the end of the search list so that the official Atlassian repository cache is used first.,

MarkEWaite commented 9 months ago

The crawler job that detects updated tools is failing on ci.jenkins.io with a Grape error

Resolved by adding Maven central to the Grape repository list in:

dduportal commented 9 months ago

The crawler job that detects updated tools is failing on ci.jenkins.io with a Grape error

* https://ci.jenkins.io/job/Infra/job/crawler/job/master

Resolved by adding Maven central to the Grape repository list in:

* [Add Maven Central to Grape configuration crawler#134](https://github.com/jenkins-infra/crawler/pull/134)

Thanks @basil for the batch of PRs to fix and improve the crawler (and @MarkEWaite @timja @NotMyFault for the revies/deploys).

dduportal commented 9 months ago

Update:

MarkEWaite commented 9 months ago
  • Removed jcenter-cache and atlassian-cache from both Any Remote and Anything permissions scheme to ensure they cannot be reached anonymously (as such the outbound bandwidth should drastically decrease)

Thanks very much. Should the same change be applied to oss.sonatype.org-releases since it also contains a copy of Apache Maven Central?

MarkEWaite commented 8 months ago

Jenkins core 2.439 and later now depend on a version of the jbcrypt library that is available from Apache Maven Central. Thanks to @andham for that improvement. Refer to the merged pull request: