Hello,

Jenkins released a security update on Wednesday which causes it to drop parameters passed to a job unless they are explicitly defined in the job. The announcement is at:

https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170

That affects Zuul/Nodepool etc. Zuul passes a range of built-in parameters (e.g. ZUUL_PROJECT) and can inject user-defined ones via the parameter functions. All of them end up being dropped and are no longer known to the job.

The good news though is that the Gearman Jenkins plugin still recognizes "OFFLINE_NODE_WHEN_COMPLETE" (which might itself be a bug/security issue). So at least the slave is put offline.

I have documented my test extensively at:

https://phabricator.wikimedia.org/T133737#2290669

The easiest (and insecure) fix is to keep the old behaviour by passing to Jenkins:

 -Dhudson.model.ParametersAction.keepUndefinedParameters=true

If one assumes the Gearman requests are safe, the plugin might be able to dynamically whitelist them so they get passed to the job as env variables.

Alternatively, one would have to make sure the parameters coming from Zuul are predefined in the job. It might be quite challenging to align Zuul code, parameter functions and the JJB definitions.

-- 
Antoine "hashar" Musso
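An added example, not part of the original e-mail and not code from Jenkins, Zuul or JJB: a small audit that reads a job's config.xml, lists the parameters the job predefines, and reports which parameters of an incoming request would be dropped once undefined parameters are no longer kept. The function names, the sample config.xml and the sample request values are constructed; ZUUL_REF and ZUUL_UUID are Zuul parameters not mentioned in the message.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins job config.xml predefining two parameters.
SAMPLE_CONFIG = """<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.StringParameterDefinition>
          <name>ZUUL_PROJECT</name>
        </hudson.model.StringParameterDefinition>
        <hudson.model.StringParameterDefinition>
          <name>ZUUL_REF</name>
        </hudson.model.StringParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>"""

# Constructed sample of the parameters sent along with a build request.
SAMPLE_REQUEST = {
    "ZUUL_PROJECT": "example/project",
    "ZUUL_REF": "refs/zuul/master/Zconstructed",
    "ZUUL_UUID": "constructed-uuid",
}


def defined_parameters(config_xml):
    """Return the set of parameter names the job explicitly defines."""
    root = ET.fromstring(config_xml)
    names = set()
    # Every parameter type (string, boolean, choice, ...) carries a <name>.
    for definitions in root.iter("parameterDefinitions"):
        for definition in definitions:
            name = definition.findtext("name")
            if name and name.strip():
                names.add(name.strip())
    return names


def split_request(config_xml, request):
    """Split request parameters into (kept, dropped) for this job."""
    defined = defined_parameters(config_xml)
    kept = {k: v for k, v in request.items() if k in defined}
    dropped = sorted(set(request) - defined)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = split_request(SAMPLE_CONFIG, SAMPLE_REQUEST)
    print("kept:", sorted(kept))
    print("dropped (not predefined in the job):", dropped)
```

Run against each generated job, the `dropped` list shows which parameters still need a definition in the job before keepUndefinedParameters can be left at its secure default.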
