My apologies for a delay in handling INFRA-240 
<https://issues.jenkins-ci.org/browse/INFRA-240>. As the ticket indicates 
now, I've resolved the problem. The issue was that the LDAP daemon wasn't 
restarted when I installed a new certificate last week. So it continued 
running with the old certificate, and when it expired, Artifactory started 
refusing to talk to it.

Local apps on cucumber weren't affected because it was using unsecured 
communication. I need to figure out why JIRA and Confluence were unaffected 
by this. Perhaps they have the password locally cached, perhaps they have 
LDAP connections pooled and long-running, or perhaps they don't properly 
check the certificate.


The next thing I want to talk about is that I think this is a symptom of a 
deeper issue, which is that the infra ops coverage has fallen way behind. 
Tyler isn't spending as much time on this project as he used to, and the time I 
spend on Jenkins infra is not as much as it needs to be, either.

In the last 6 months or so, we've handed out infra access rights to a few 
more people (Daniel Beck and Oleg Nenashev, IIRC), and that was good for 
better time zone coverage and what not. But the problem still remains that 
there is a leadership vacuum, that no one sufficiently "owns" the infra, 
and that's difficult to solve by adding more hands alone.

So here's what I'd like to propose:

   - Formalize our ops team more by designating the lead that reports to 
   the board. The lead shall be chosen in the discussion during the project 
   meeting.
   - Under the new lead, accept another round of ops team members to help 
   spread the workload. I know for example Kostasya is interested in helping.
   - Kohsuke (and Tyler if he can join) and the ops team will schedule a 
   series of "transfer of information" sessions to bring the new ops lead and 
   the team up to speed about how things are put together today.
   - Identify and remove single points of failure in our infra. Off the top 
   of my head:
      - I think I'm currently the only one who has the private key to sign 
      the update center root CA.
      - jenkins-ci.org domain name still appears to be registered under 
      Tyler's personal account.
   

As the ops lead, I'd like the project to consider Adam Papai 
<https://github.com/woohgit>. He's been a long-time user of Jenkins and he 
is a member of the CloudBees ops team. I'm sensitive to the fact that he 
works for CloudBees and how that can come across, but OTOH this will be a 
part of his day job, and I think that ensures that he can allocate 
necessary time to the effort.

What do people think?
