[dev][infra][tact-sig] Zuul 4.6.0 and associated job changes

Jeremy Stanley fungi at yuggoth.org
Thu Jun 24 19:19:19 UTC 2021


Today at 14:00 UTC the OpenDev Collaboratory upgraded its deployment
of Zuul, coinciding with the 4.6.0 security release. This release
disabled or changed a number of features which could previously be
leveraged to take over executors or obtain decrypted copies of
secret data, necessitating adjustments to some jobs.

I think we've now addressed the majority of the central job
resources which were impacted, but there are almost certainly
less-frequently-exercised jobs which are still configured to do
things which will no longer work. There were likely some
strange-looking failures, particularly in promote and post pipeline
builds, between 15:00 and 19:00 UTC today, so if you need something
rerun for any reason please do reach out.

The two main categories of new bugs which will need fixing are:

  * Use of Jinja2 templating in secret definitions

  * Setting ansible_connection, ansible_host,
    ansible_python_interpreter, ansible_shell_executable, or
    ansible_user

The full release notes can be found in the release announcement
here:

http://lists.zuul-ci.org/pipermail/zuul-announce/2021-June/000096.html

If you run into a new problem in one of your jobs and you believe it
may be related to the above or similar fallout from the changes in
Zuul 4.6.0 and need assistance, please don't hesitate to contact the
TaCT SIG in the #openstack-infra channel on the OFTC IRC network or
by replying to this mailing list thread. Apologies for any
disruption this update may have caused, and thanks for your
understanding.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210624/2953bd10/attachment.sig>


More information about the openstack-discuss mailing list