CloudBees Jenkins Enterprise kernel upgrades to patch the Meltdown and Spectre vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715)

Issue

Resolution

Depending on when your CloudBees Jenkins Enterprise instance was deployed, it may or may not be affected by these vulnerabilities. Step 4 in the instructions below will help you check.

1 . Identify your current leader using:

#!/bin/bash
mesos_username=$(cje run echo-secrets router_username)
mesos_password=$(cje run echo-secrets router_password)
mesos_url=$(cje run display-outputs | grep mesos)
mesos_protocol=$(echo $mesos_url | cut -d ':' -f 2)
mesos_url=$(echo $mesos_url | cut -d ':' -f 3)
curl -s $mesos_protocol:$mesos_url/master/state.json \
 -u "$mesos_username:$mesos_password" | \
 python -c 'import sys, json; print(json.load(sys.stdin)["leader"])'

It should be labeled controller-L where L is a number from 1 to the number of controllers in your cluster.

2 . We will upgrade every controller that is not the leader first. Starting with the first controller that is not the leader:

3 . Connect to the controller by running:

dna connect controller-N

4 . To check if your kernel is vulnerable before upgrading, run:

uname -a

and look for the kernel version, then check with your OS vendor to see which version contains the fix.
* For Red Hat Enterprise Linux, consult https://access.redhat.com/security/vulnerabilities/speculativeexecution
* For CentOS, consult https://www.centos.org/forums/viewforum.php?f=51
* For Ubuntu, consult https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

5 . Upgrade the kernel by running:

  • For CentOS or Red Hat Enterprise Linux:
sudo yum upgrade kernel -y
  • For Ubuntu:
sudo apt-get upgrade -y

6 . Restart the controller we just upgraded:

sudo reboot now

7 . Go back and perform steps 3 through 6 to upgrade the kernels for all the rest of the controllers that are not the leader.

8 . Monitor the health of the controllers and masters in Mesos and Marathon until the controllers and associated tasks are marked as healthy and running.

9 . Go back and perform steps 3 through 6 to upgrade the kernel of the leader.

10 . Update all workers:

  • For CJE anywhere installations: consult with your OS vendor for the latest kernel versions with the fix (see links in step 4).
  • For CJE AWS installations: Create updated AMI(s) and update the worker AMI(s) by following: How to change controllers and workers AMI
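
A complementary check for step 4, also usable to verify each node after the reboot in step 6. This is an added example, not part of the original CloudBees article. Current Linux kernels report per-issue status under /sys/devices/system/cpu/vulnerabilities; a missing file means the running kernel predates that interface, so compare its version against the vendor advisory instead. The function name check_spec_exec and its exit codes are assumptions of this example.

```shell
#!/bin/bash
# Added example (not CloudBees code): report the kernel's own view of
# Meltdown / Spectre status for the three CVEs named in this article.
#
# check_spec_exec [DIR]   (DIR defaults to the real sysfs location)
#   returns 0 = every issue reported as mitigated or not affected
#           1 = at least one issue reported as "Vulnerable"
#           2 = at least one status file missing (kernel too old to report;
#               fall back to the vendor version check from step 4)
check_spec_exec() {
  local dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  local rc=0 pair name cve status
  for pair in meltdown:CVE-2017-5754 \
              spectre_v1:CVE-2017-5753 \
              spectre_v2:CVE-2017-5715; do
    name="${pair%%:*}"   # sysfs file name
    cve="${pair#*:}"     # matching CVE identifier
    if [ ! -r "$dir/$name" ]; then
      echo "$cve ($name): no status file on kernel $(uname -r)"
      rc=2
      continue
    fi
    status=$(cat "$dir/$name")
    echo "$cve ($name): $status"
    case "$status" in
      Vulnerable*)
        # Keep the "unknown" result (2) if an earlier file was missing.
        if [ "$rc" -eq 0 ]; then rc=1; fi
        ;;
    esac
  done
  return "$rc"
}

# Run against the local node; a non-zero result means the node needs follow-up.
check_spec_exec "$@" || echo "follow-up needed (exit $?)"
```

Run it on each controller and worker after its reboot; exit code 0 on every node means the kernel itself reports all three issues as mitigated or not affected.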

This article was last updated on 2018-01-19.
