- Create a jenkins user:
sudo useradd jenkins
- Install Java:
sudo yum install java
- Switch to the jenkins user:
sudo su - jenkins
- Download the jenkins.war file:
wget http://mirrors.jenkins.io/war-stable/latest/jenkins.war
- Install and run jenkins:
nohup java -jar jenkins.war --prefix=/jenkins > copywar.out 2>&1 &
- Install docker: https://docs.docker.com/engine/installation/linux/docker-ce/centos/#set-up-the-repository
- Start the docker daemon:
sudo systemctl start docker
- Add jenkins to the docker group so that the jenkins user can run docker commands without sudo:
sudo usermod -aG docker jenkins
If you would prefer to run jenkins.war as a service, then you will need to create a service wrapper for it.
#!/bin/sh
# Minimal init-style wrapper for jenkins.war: start | stop | restart
SERVICE_NAME=jenkins
# The file downloaded above is jenkins.war (the original wrapper pointed at a jenkins.jar that does not exist)
PATH_TO_JAR=/home/jenkins/jenkins.war
# PID file kept in /tmp as in the original; a directory only the jenkins user can write is safer
PID_PATH_NAME=/tmp/jenkins-pid
LOG_FILE=/home/jenkins/jenkins.log

start_service() {
    echo "Starting $SERVICE_NAME ..."
    # Treat a stale PID file (process gone) as "not running"
    if [ -f "$PID_PATH_NAME" ] && kill -0 "$(cat "$PID_PATH_NAME")" 2>/dev/null; then
        echo "$SERVICE_NAME is already running ..."
        return 1
    fi
    # Same --prefix as the manual start above; keep the output instead of discarding it
    nohup java -jar "$PATH_TO_JAR" --prefix=/jenkins >> "$LOG_FILE" 2>&1 &
    echo $! > "$PID_PATH_NAME"
    echo "$SERVICE_NAME started ..."
}

stop_service() {
    if [ ! -f "$PID_PATH_NAME" ]; then
        echo "$SERVICE_NAME is not running ..."
        return 1
    fi
    PID=$(cat "$PID_PATH_NAME")
    echo "$SERVICE_NAME stopping ..."
    kill "$PID"
    rm -f "$PID_PATH_NAME"
    echo "$SERVICE_NAME stopped ..."
}

case "$1" in
    start)
        start_service
        ;;
    stop)
        stop_service
        ;;
    restart)
        # As in the original: only restart if it was running
        stop_service && start_service
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
(Following: https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7)
sudo yum install httpd
sudo systemctl enable httpd.service
sudo yum install mod_ssl
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt
sudo vim /etc/httpd/conf.d/ssl.conf
- Next, uncomment the ServerName line and replace www.example.com with your domain name
- Next, find the SSLProtocol and SSLCipherSuite lines and either delete them or comment them out.
- Find the SSLCertificateFile and SSLCertificateKeyFile lines and point them at the certificate and key created above (/etc/ssl/certs/apache-selfsigned.crt and /etc/ssl/private/apache-selfsigned.key).
- Paste the following after the end of the VirtualHost block:
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
- Modify the Unencrypted Virtual Host File to Redirect to HTTPS:
- sudo vim /etc/httpd/conf.d/welcome.conf
- add:
<VirtualHost *:80>
ServerName lurch.library.temple.edu
Redirect "/" "https://lurch.library.temple.edu/"
</VirtualHost>
- Following: https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Apache
- Add the following to <VirtualHost *:443>:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
ServerAdmin webmaster@localhost
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://www.example.com/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
sudo apachectl configtest
sudo systemctl restart httpd.service
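As an added check (not part of the original notes or the linked tutorials): a small POSIX sh lint for the edited ssl.conf, to run alongside apachectl configtest. It flags the mistake the "delete them or comment them out" step guards against, leaving the stock SSLProtocol and SSLCipherSuite lines in place next to the pasted ones, and verifies the hardening directives are present. The sample config and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes. Lint for a hardened ssl.conf.
# Usage once saved: . ./check_ssl_conf.sh && check_ssl_conf /etc/httpd/conf.d/ssl.conf

# Count uncommented occurrences of directive $1 in file $2 (prints 0 when absent).
count_directive() {
    grep -Ec "^[[:space:]]*$1[[:space:]]" "$2" || :
}

# Return 0 if the file passes, 1 otherwise; prints one line per finding.
check_ssl_conf() {
    conf=$1
    rc=0
    # Two definitions of the same directive means the stock line was not removed
    for d in SSLProtocol SSLCipherSuite; do
        n=$(count_directive "$d" "$conf")
        if [ "$n" -eq 0 ]; then
            echo "FAIL: $d not set"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "FAIL: $d defined $n times (delete the stock line)"; rc=1
        fi
    done
    grep -Eq '^[[:space:]]*SSLProtocol.*-SSLv3' "$conf" \
        || { echo "FAIL: SSLv3 not disabled"; rc=1; }
    grep -Eq '^[[:space:]]*SSLCompression[[:space:]]+off' "$conf" \
        || { echo "FAIL: SSLCompression not off"; rc=1; }
    grep -Eq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' "$conf" \
        || { echo "FAIL: SSLHonorCipherOrder not on"; rc=1; }
    grep -Eq '^[[:space:]]*Header always set Strict-Transport-Security' "$conf" \
        || { echo "FAIL: HSTS header missing"; rc=1; }
    return $rc
}

# Constructed sample: the hardened block pasted in while the stock
# SSLProtocol/SSLCipherSuite lines (first two lines) were left in place.
write_sample() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off
EOF
}
```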
- Install and configure the login module as described: https://plugins.jenkins.io/google-login
- Go to website and follow installation and configuration instructions.
- Add users using the matrix-based security configuration to limit access even for logged-in users: https://lurch.library.temple.edu/jenkins/configureSecurity/
- There are some real issues setting up traefik in front of jenkins that mainly have to do with there being no proxy_pass equivalent in traefik. So we will forgo trying to place traefik in front of jenkins for the time being.
Traefik is a newcomer to the reverse proxy world, but it has some relevant and exciting features that make it appropriate for our use case. Traefik can be used to proxy to docker containers and can do this dynamically. This is huge because our use case will be to create QA sites for PRs using docker containers. Traefik can also be used with non-container applications, including web applications or even flat files. Thus, we will be able to proxy the jenkins application as well as the PR containers.
Traefik is written in Go and currently it's about 85% as fast as nginx (as reported on the traefik site benchmark page). This may be considered a drawback for some high-load scenarios, but our use case will not be bottlenecked by the proxy server.