From ecd4ccb33fe8b63bc85510e925f82a1e1c05c7b4 Mon Sep 17 00:00:00 2001
From: Kenneth Rogers
Date: Tue, 19 Oct 2021 15:37:33 -0400
Subject: [PATCH 1/3] Add marker file via Dockerfile. Script will remove marker and exit if marker is present.
---
 uc-certificate-fix/Dockerfile | 8 +++++++
 uc-certificate-fix/ucCertRemediation.groovy | 26 +++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 uc-certificate-fix/Dockerfile
diff --git a/uc-certificate-fix/Dockerfile b/uc-certificate-fix/Dockerfile
new file mode 100644
index 0000000..0ca23ee
--- /dev/null
+++ b/uc-certificate-fix/Dockerfile
@@ -0,0 +1,8 @@
+FROM cloudbees/cloudbees-core-mm:2.303.2.6
+
+RUN mkdir -p /var/jenkins_home/init.groovy.d
+COPY ./ucCertRemediation.groovy /var/jenkins_home/init.groovy.d/
+
+RUN touch /var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION && \
+ chown jenkins /var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION && \
+ chmod 755 /var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION
diff --git a/uc-certificate-fix/ucCertRemediation.groovy b/uc-certificate-fix/ucCertRemediation.groovy
index f78cfc4..4904010 100644
--- a/uc-certificate-fix/ucCertRemediation.groovy
+++ b/uc-certificate-fix/ucCertRemediation.groovy
@@ -31,6 +31,10 @@
 * - 2.277.42.0.3 or newer on the 2.277.x fixed release, or
 * - 2.249.33.0.2 on the 2.249.x fixed release
 *
+ * - OCI Container notes
+ * If this script is installed into a container via Dockerfile, the container will need to be run once and restarted
+ * for this script to take effect.
+ *
 * How to use this script
 * - This script can be run using the script console on any individual operations center or controller. It may also be run via
 * a cluster-operation (https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/cluster-operations)
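Review bot: In the new Dockerfile (`@@ -0,0 +1,8 @@`), the script and the marker are written under `/var/jenkins_home` at build time, which only holds if nothing is mounted over that path at run time. If the base image declares that directory as a volume, or the deployment mounts a persistent volume there (neither is visible in this patch), the files may be missing from the running container and the first-run skip never happens; confirm this and record the assumption in a comment above the `RUN touch` line. The marker is an empty flag file, so `chmod 755` grants an execute bit it does not need; `chmod 644` is sufficient, and the same line recurs in the Dockerfile hunks of patches 2/3 and 3/3. The `FROM` line pins a tag only; pinning by digest as well would make the image that receives this remediation reproducible.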
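Review bot: The added "OCI Container notes" comment in the `@@ -31,6 +31,10 @@` hunk tells operators to run the container once and restart it, but not what makes the first run a no-op. Naming the mechanism would let an operator verify it, for example `* The image ships a DO_NOT_RUN_UC_REMEDIATION marker file; the first start deletes it and exits without remediating.` The comment block this sits in starts and ends outside the hunk.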
@@ -62,6 +66,18 @@
 * ERROR_CONTACT_SUPPORT: [msg]
 */
+import hudson.model.UpdateCenter;
+import hudson.model.UpdateSite;
+import hudson.util.PersistedList;
+import jenkins.model.Jenkins;
+import com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite;
+import net.sf.json.JSONObject;
+import net.sf.json.JSONException;
+import hudson.util.FormValidation;
+import java.security.cert.CertificateExpiredException;
+import hudson.model.DownloadService;
+
+
 def _script = '''
 import hudson.model.UpdateCenter;
 import hudson.model.UpdateSite;
@@ -95,6 +111,16 @@ _retry_time = 30000; // how long to wait before checking for an update site to
 _cert_error_str = "CertificateExpiredException: NotAfter: Tue Oct 19 14:31:36 EDT 2021";
 // MAIN CODE BODY
+info("Checking for first run inside an OCI container");
+// The Dockerfile will need to create this file. It will prevent this script from running.
+noRunFilePath = "/var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION";
+def noRunFile = new File (noRunFilePath)
+if (noRunFile.exists()) {
+ info("Found marker file for first run. Removing file and exiting")
+ noRunFile.delete()
+ return "NO_CHANGE_NEEDED"
+}
+
 info("Executing remediation check [v" + _version + "]");
 if (System.properties['_CLOUDBEES_UC_CERT_REMEDIATION_INSTALL'] == "TRUE") {
 info("Running bootstrap install, disabling retry interval");
From ce62f18cf11670be76eb48236d544ba8ee6975eb Mon Sep 17 00:00:00 2001
From: Kenneth Rogers
Date: Tue, 19 Oct 2021 16:13:43 -0400
Subject: [PATCH 2/3] Changes from PR. Move marker file out of init.groovy.d. Add and use new return value SKIPPING_FIRST_RUN.
---
 uc-certificate-fix/Dockerfile | 6 +++---
 uc-certificate-fix/ucCertRemediation.groovy | 9 ++++++---
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/uc-certificate-fix/Dockerfile b/uc-certificate-fix/Dockerfile
index 0ca23ee..c54d86c 100644
--- a/uc-certificate-fix/Dockerfile
+++ b/uc-certificate-fix/Dockerfile
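Review bot: The ten imports added in the `@@ -62,6 +66,18 @@` hunk carry no explanation, and at least the first two repeat the imports that open the `_script` string in the trailing context (presumably the rest do as well). Nothing in the visible hunks uses them at the outer level. If the outer script needs them, a comment such as `// Also needed outside _script when run as an init script; keep in sync with the list inside _script` would stop the two lists drifting; if not, they can be dropped.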
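Review bot: In the `@@ -95,6 +111,16 @@` hunk the result of `noRunFile.delete()` is ignored, so if the marker cannot be removed (ownership, or a read-only layer) every later start finds it again and skips the certificate remediation without reporting anything. Check the return value and surface the failure through the documented error result, e.g. `if (!noRunFile.delete()) { return "ERROR_CONTACT_SUPPORT: cannot remove " + noRunFilePath }`. The path is also hard-coded to `/var/jenkins_home`, whereas `_offline_uc_url` (visible as context in patch 2/3) derives its path from `Jenkins.getInstance().getRootDir()`; building the marker path the same way keeps it correct when the Jenkins home is elsewhere. Both points still hold for the `@@ -113,12 +114,12 @@` hunk of patch 2/3, which changes only the path and the return value. The surrounding script body starts and ends outside the hunk.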
@@ -3,6 +3,6 @@ FROM cloudbees/cloudbees-core-mm:2.303.2.6
 RUN mkdir -p /var/jenkins_home/init.groovy.d
 COPY ./ucCertRemediation.groovy /var/jenkins_home/init.groovy.d/
-RUN touch /var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION && \
- chown jenkins /var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION && \
- chmod 755 /var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION
+RUN touch /var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION && \
+ chown jenkins /var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION && \
+ chmod 755 /var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION
diff --git a/uc-certificate-fix/ucCertRemediation.groovy b/uc-certificate-fix/ucCertRemediation.groovy
index 4904010..48e13a7 100644
--- a/uc-certificate-fix/ucCertRemediation.groovy
+++ b/uc-certificate-fix/ucCertRemediation.groovy
@@ -63,6 +63,7 @@
 * DISABLED_CERT_VALIDATION
 * REMOVED_OFFLINE_UC
 * UNINSTALLED_SCRIPT
+ * SKIPPING_FIRST_RUN
 * ERROR_CONTACT_SUPPORT: [msg]
 */
@@ -103,7 +104,7 @@ _dry_run = false;
 //Constants - do not edit below this line
 // ----------------------------------------------------------------------------------------------------
-_version = "00005";
+_version = "00007";
 _online_uc_url_prefix = "https://jenkins-updates.cloudbees.com/update-center/";
 _offline_uc_url = "file:" + Jenkins.getInstance().getRootDir() + File.separator + "war" + File.separator + "WEB-INF" + File.separator + "plugins" + File.separator + "update-center.json";
 _offline_uc_url_modern = "file:" + Jenkins.getInstance().servletContext.getRealPath("/") + File.separator + "WEB-INF" + File.separator + "plugins" + File.separator + "update-center.json";
@@ -113,12 +114,12 @@ _cert_error_str = "CertificateExpiredException: NotAfter: Tue Oct 19 14:31:36 ED
 // MAIN CODE BODY
 info("Checking for first run inside an OCI container");
 // The Dockerfile will need to create this file. It will prevent this script from running.
-noRunFilePath = "/var/jenkins_home/init.groovy.d/DO_NOT_RUN_UC_REMEDIATION";
+noRunFilePath = "/var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION";
 def noRunFile = new File (noRunFilePath)
 if (noRunFile.exists()) {
 info("Found marker file for first run. Removing file and exiting")
 noRunFile.delete()
- return "NO_CHANGE_NEEDED"
+ return "SKIPPING_FIRST_RUN"
 }
 info("Executing remediation check [v" + _version + "]");
@@ -429,6 +430,8 @@ if (result.equals("NO_CHANGE_NEEDED")) {
 println("The remediation is now complete and successful");
 } else if (result.equals("UNINSTALLED_SCRIPT")) {
 println("No issues detected, script has been uninstalled");
+} else if (result.equals("SKIPPING_FIRST_RUN")) {
+ println("Running in container and skipping first run. Restart container to run script.");
 } else {
 // some other error occured
 println("An error occured: " + result);
From f1d086dcd0be22dc8f60f1c0be324a8052dc5f94 Mon Sep 17 00:00:00 2001
From: Kenneth Rogers
Date: Tue, 19 Oct 2021 17:18:24 -0400
Subject: [PATCH 3/3] Use chown during copy to set ownership.
---
 uc-certificate-fix/Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/uc-certificate-fix/Dockerfile b/uc-certificate-fix/Dockerfile
index c54d86c..a4195d9 100644
--- a/uc-certificate-fix/Dockerfile
+++ b/uc-certificate-fix/Dockerfile
@@ -1,8 +1,10 @@
 FROM cloudbees/cloudbees-core-mm:2.303.2.6
+USER jenkins
+
 RUN mkdir -p /var/jenkins_home/init.groovy.d
-COPY ./ucCertRemediation.groovy /var/jenkins_home/init.groovy.d/
+COPY --chown=jenkins:jenkins ./ucCertRemediation.groovy /var/jenkins_home/init.groovy.d/
 RUN touch /var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION && \
 chown jenkins /var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION && \
- chmod 755 /var/jenkins_home/DO_NOT_RUN_UC_REMEDIATION