Welcome to the Jenkins Platform Special Interest Group. It's March the 12th, 2021. Thanks for being here. So, topics that I've got: open action items to discuss, then open container labeling, Gareth, that you'll take on. I wanted to do a brief review of She Code Africa, and then coordinating proposed Docker changes is a topic. Are there other topics we need to add to the agenda? Okay, great. Then let's go ahead. We've still got the open action item on Docker operating system support. This one is becoming even more vital for us as more and more people are asking for things that would fit within the context of this. Just today there was a pull request submitted asking to add Docker as a command line inside one of the Jenkins agent images. For me, that feels like a security disaster waiting to happen, and I'm worried about doing it. And yet there are parts of the community that very much want it. So that needs the management framework of this JEP to help us decide which things we allow in and which we don't. That proposed pull request asking to please add the Docker executable into the agent image felt really risky to me, and I was spooked by it.

I've still also got the action item on the plugin installation manager and update center blog post; we're probably still a week or two away. We've got Alex's PR on install-plugins. Thanks, Alex, very much for doing that. I need to update it. I had also upgraded the plugin installation manager at the same time, so there have been some conflicting updates; I need to fix those conflicts. Okay, great. Well, I'm not going to be able to review this for probably several days, or a week at least. So that's not a crisis if that needs to take a little time. Okay, cool. Great. All right, thank you again for doing that.
We had discussions on further parallelization and acceleration during the contributor summit; it was agreed that acceleration of the builds is a crucial part of our roadmap. I'll get that onto the roadmap, actually, and that's an action item I need to put in: Mark, roadmap adjustments based on the contributor summit. Sorry I haven't done that yet; will do. Any other action items that we need to note here that have been missed? Okay, next topic: open container labeling. Do you want to take this one on?

Yes, so we'd previously discussed adding in either the OCI spec or the label-schema spec labels. One of the concerns that was raised was that it would probably not be possible to do with the builds that we have on Docker Hub. But what we have found is that there is a way of getting most of those labels added nicely, actually, using Docker Hub. Docker Hub supplies a couple of build args that you can use to figure out most of the labels you need, certainly around commit and URL and things like that. The one that it doesn't supply is build date. There is a way that we can use a custom build hook to supply that, if we want to go down that route. It just means that we don't have to move off the infrastructure for building those images just yet. Obviously we can if we want to in the future, but adding these labels doesn't become the only reason that we want to move off.

I mean, that sounds great. So that's something that conceptually you could submit a pull request to the images to apply these build-time labels, and we could already see them based on the build hook examples from Docker Hub. Yeah. Nice. Alex, any objections from you on this, considering going ahead with that? Well, that sounds great, because that reduces our costs. Or keeps the cost the same; it doesn't increase our costs. Right, right.
Well, and I assume these steps are probably not terribly expensive in terms of build time, and if they are, we want to know that. I assume that they're not going to increase the build time for the images on Docker Hub. They shouldn't, no. Great. All right, so that's a decision, agreed. Great. Thank you. Anything else on that topic, Gareth? Oh, I was going to ask: I wasn't 100% certain where the repos were, where these builds lived, but I could have a go at filing a PR for this. I was wondering if you had access to Docker Hub, so you can make these changes. I don't think I have. I probably have access to the GitHub repositories, although I'm not sure where they are, but I don't think I have Docker Hub. The initial one would be jenkinsci/docker. That's the one that builds the controller image. Then there's jenkinsci/docker-agent, jenkinsci/docker-inbound-agent, I think. Yeah, and then is there an SSH agent? Then there's jenkinsci/docker-ssh-agent. Take a look at some of those. Now, I thought those did not have the details of the Docker Hub configuration inside the repository; I thought that was done interactively at Docker Hub. That's true, but... Mark, you want to put docker-ssh-agent, because there's an SSH agent plugin. Oh, thanks, right. Yeah, thank you very much. Okay. And docker-ssh-agent does not inherit from docker-agent, just FYI. Okay. So on Docker Hub we have jenkins/jenkins, which is the controller. We have jenkins/agent, which corresponds to docker-agent. And I don't remember what the other ones are right now; I can look those up. So is this one where it would be good to pair Gareth and Alex together to look at this? I assume we have to ask for infra permission to be granted, and so that's a separate request, but then are you comfortable...
I mean, I'm not actually sure we need Docker Hub, because a lot of this stuff on Docker Hub is all controlled from the repo. Oh, it is. Yeah, so we should be able to do it via a pull request. Okay, let me try it out and see what happens. I mean, I did that. Yeah, just let me know. And we can also get you access; I mean, it's not a big deal. Oh, great. So you'll first try with pull requests to the jenkinsci repos if you can find a way to configure it there. That's certainly the preferred way. Then we've got it as code, tracked with pull requests, tracked with changes. Okay. All right. Thank you. Anything else on open container labeling?

Okay, next topic then: the She Code Africa April Contributhon. Not that it directly impacts us, but just so you're aware. She Code Africa is focused on increasing contributions to open source and increasing the technical skills of women in Africa. One of our docs contributors, Abu Bakar, is a leader in that group and made us aware that beginning in April they have a Contributhon where for one month they will pay women in Africa who have joined the program and who have been qualified, etc., to contribute to open source software. What they asked for was sponsoring organizations and mentoring projects, and Jenkins has good alignment to be a mentoring project for this. Justin Whetstone, me and Meg McRoberts have all agreed to be mentors for it. We've got a project idea; I'll be submitting an email summary of this to the Jenkins developers mailing list today. And we'll be submitting a pull request to the jenkins.io doc site to describe what this thing is. If you're interested in participating, certainly let me know.
Then the next topic was coordinating proposed Docker changes. So Alex or Gareth, are there any specific things here? We've talked already about install-plugins, and we haven't had much chance to make progress on multi-arch builds. Are there any of these others that need to be discussed in more depth while we're here? Not that I can think of. Okay. I know that this non-root user one is, as far as I can tell, still progressing, and some of the images defined here are being shifted to be homed inside Jenkins infra, so that we can use them for infrastructure without confusing people that they are somehow published for anybody; we're intentionally using them for Jenkins infra and not assuming others will use them. Did I understand that correctly, Gareth? Did I say that right? Yeah, I think so. Yep. Okay. And the coordinated announcement of several changes, that's just going to wait. That covered all the topics that I was aware of today. Anything else we need to include in today's discussion?

Have we had any chats about security scanning the images? Ah, that's a good topic. So let's give at least what I know currently. We have been experimenting, Mark experimented with Snyk scanning, and the Linux Foundation has an offering that we can use, that we are already subscribed to, for a commercial license, if you will, a commercial-grade Snyk installation. The scans are already available. What were you going to say, Alex? My main concern is that our stuff on top of the base images is not a lot. So most of the security issues are going to be in the base images themselves, so I don't know how much benefit it will actually be for us to just find issues in the base images. That's my concern. If there's no way for us to fix the issue because the base image hasn't been updated, then us publishing security issues or whatever on these images, I don't know how helpful that would be.
It may give us some data to say whether or not we want to keep on supporting a particular base image in the future. Well, I mean, even the Debian image with Debian Buster, which is the quote-unquote newest version of Debian that's stable, has lots of issues, from my understanding. And that's our main controller image base, Debian Buster. So I think it's good to know, but I don't think it should necessarily be published, because my guess is it's going to be almost 99.99% base image issues. So I think you raise a good point, Alex: how do we make this useful to us rather than a hindrance? That's a piece that I'm still not clear on. I had been worrying about how we make the process of marking an issue as not an issue, or as one we're not going to do, easy and low effort, but I think your point is more important: most of the issues will be in the base images, because in terms of size of contribution, the Debian base image is several hundred megabytes and we're adding another 60 megabytes, is all. So if we're looking at security issues by byte count, I would expect more to come from the base image anyway.

So if you look at sort of Docker best practices, we'd be moving more towards, wherever possible, not basing your stuff off a complete install of Debian with a lot of things that you may not need, and trying to keep them as small as possible. So you may find that selecting an alternative or more slimmed-down base image may be beneficial. Distroless is a good one, actually, that I mentioned. I mean, do we then... we're just reduced to that one image. And I would be interested to understand exactly why the community want, you know, an Ubuntu image rather than a Debian image. What is the bit that they get from that?
Well, there I think the key motivation was that we like being based on the AdoptOpenJDK image that they're providing, because the evolution originally had been: hey, we'll choose to base ourselves on Debian and then we'll build OpenJDK, and then we learned painfully that there are times when Debian doesn't maintain their OpenJDK as well as AdoptOpenJDK does. So we said let's shift and make ourselves based on the AdoptOpenJDK images. And they have a set that they've selected, and it might be that we could consider, okay, should we ask them to add additional support for another image. Right now I think it's an intentional choice to use them. Yeah, they have a UBI image, for sure. I think it's part of their experimental, which means it's just not built by Docker Hub and released by Docker Hub. But I'm pretty sure they have a UBI image in their experimental. So that could be a possibility. I'm not super familiar with UBI, but if it's one of these ones that would be better, then maybe we do look at that. And we've already got slim, and we've got Alpine. Though one we don't have, for example, that I see in the OpenJ9 images, the IBM kind of images, is that they seem to have a preference for Ubuntu in the J9 images. And I can't claim one way or the other over Debian, or even over UBI. Again, I guess it would be a question to ask the AdoptOpenJDK people how they choose which images they're going to maintain or not maintain. Have we addressed the question there? I'm not sure of the next steps for us, in terms of: we could do more investigation to understand what we could use of the Linux Foundation offering and how to be more effective with it. Yeah, I think I don't know how it works. Yeah, understanding.
Yeah, how do we configure it to at least scan some images, and then we'll work out what to do with that data? Yeah, and if I remember correctly, well, I don't know that it'll help us here, but I can navigate to the Linux Foundation page if you'd like. Maybe what I should do is put a link to LFX Security in the notes so that we've got it. Where is it... code scanning is now Linux Foundation, and now projects, now about LFX tools, here it is, okay, LFX tools, and, sorry, oh yes, there it is: LFX Security. Okay, so this is the thing. And now, where is... Yeah, okay, here we are. Okay. Good. All right, so we're here. I haven't even signed in yet and we're here. So I'm just going to drop that into the notes. So are they already scanning something? Yes, they are. They're already scanning, and the scans... hang on, I'm going to sign in and we can look at them together. Last time I was in here, the things that were there were not so sensitive that I had to edit them out of any recording. So let's just go, and now, if I remember right, there is something about where I have to click here. Oh, that's the total repos; it's only scanning 33 of the 2400. I don't know, hang on just a minute, let's get there, because I think I've got access. Oh no. Okay. I thought that they'd given me access, but we'll see. All right. There, cool. Okay, so it knows who I am, so the request has been submitted. Cool. Yeah, and so clearly they've got some data, because they're highlighting what looks real-ish, and I think I could have shown the same thing once. How many repositories are they scanning? Yeah, that I don't know. I had assumed this was Docker image scans, not scans of Java source code.
I've seen earlier that I've got a personal Snyk account that I'm using to scan some of my images, and this felt like that the last time I saw something in it. So I assume one of the things is you probably need to, if you don't already have it, register yourself for a Linux Foundation account, so we've got access to the data, and let's see what we get. Anything else on the security scanning topic? Okay, any other topics before we close the meeting? All right, thanks everybody. The recording will be posted in an hour or two.