Hashar has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/315563

Change subject: contint: puppet cleanup for CI master
......................................................................

contint: puppet cleanup for CI master

* Remove package graphviz; it was installed for the Jenkins plugin "job
  dependency graph", which we no longer use.
* Drop groovy shutdown workaround for SECURITY-128, now included in
  Jenkins since 1.638 and 1.625.2
  https://github.com/jenkinsci-cert/SECURITY-218

Change-Id: I55b8b5509e7790b981a1b6e6e35ee8e34242f6d6
---
M modules/jenkins/manifests/init.pp
1 file changed, 6 insertions(+), 11 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/63/315563/1

diff --git a/modules/jenkins/manifests/init.pp 
b/modules/jenkins/manifests/init.pp
index 43a81bd..9669681 100644
--- a/modules/jenkins/manifests/init.pp
+++ b/modules/jenkins/manifests/init.pp
@@ -18,8 +18,6 @@
         require => Package['openjdk-7-jre-headless'],
     }
 
-    # Graphiz on Jenkins master for the 'job dependency graph' plugin
-    require_package('graphviz')
 
     # Jenkins should write everything group writable so admins can interact 
with
     # files easily, hence we need it to run with umask 0002.
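
Review bot: dropping `require_package('graphviz')` only stops Puppet from managing the package, so it stays installed on any existing Jenkins master. If the goal is to get it off the host, declare the package with `ensure => absent` for a transition period, or say in the commit message that it will be removed by hand. The removal also leaves two consecutive blank lines before the umask comment; drop one of them.
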
@@ -34,18 +32,15 @@
         mode    => '0644',
     }
 
+    # Legacy workaround for a Jenkins security issue. No more needed since
+    # Jenkins 1.638 and 1.625.2
+    # 
https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/
+    # https://github.com/jenkinsci-cert/SECURITY-218
     file { '/var/lib/jenkins/init.groovy.d':
-        ensure => 'directory',
-        owner  => 'jenkins',
-        group  => 'jenkins',
-        mode   => '0755',
+        ensure => absent,
     }
-
     file { '/var/lib/jenkins/init.groovy.d/cli-shutdown.groovy':
-        source => 'puppet:///modules/jenkins/cli-shutdown.groovy',
-        owner  => 'jenkins',
-        group  => 'jenkins',
-        mode   => '0755',
+        ensure => absent,
     }
 
     service { 'jenkins':
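
Review bot: `ensure => absent` on `/var/lib/jenkins/init.groovy.d` will not remove it as written, because Puppet's file type refuses to delete a directory unless `force => true` is set; add that attribute to the directory resource. The new comment sits directly above resources that now delete the workaround, so it should say that these are cleanup resources that can be dropped in a later change. The commit message names SECURITY-128 while both the link there and the comment here point to SECURITY-218, so one of the two identifiers looks like a typo. Nothing in this hunk ties the removal to the installed Jenkins version, so confirm the CI master runs 1.638 / 1.625.2 or later before merging.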

-- 
To view, visit https://gerrit.wikimedia.org/r/315563
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I55b8b5509e7790b981a1b6e6e35ee8e34242f6d6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits