[Openstack-devel] Questions about Jenkins

Thomas Goirand thomas at goirand.fr
Mon Mar 11 08:42:43 UTC 2013


Hi James,

I have a few questions to ask you about Jenkins, since I saw that you were
the package maintainer.

First of all, thanks a lot for maintaining it in Debian, that's quite a
nice tool! :)

Currently, in the default package, Jenkins appears to bind on port 8080,
and allows starting any command as the Jenkins user (add a new job and,
in it, start any command).

Would it be possible for the package either not to start the jenkins
daemon by default, or (even better) to be fixed so that it has some kind
of auth by default?

Also, I proxy Jenkins through Apache, using this in the
/etc/apache2/sites-available/default-ssl:

        <Location />
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile /etc/apache2/jenkins_htpasswd
        Require user jenkins
        </Location>

        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        ServerAdmin webmaster@localhost

To enable the above:
a2enmod proxy_http
a2enmod proxy
a2enmod ssl
a2dissite default
a2ensite default-ssl

To generate the htpasswd:

[ -e /etc/jenkins/htpasswd_jenkins ] || \
	htpasswd -b -c /etc/jenkins/htpasswd_jenkins jenkins PASSWORD

Finally, to protect against use of the Jenkins port from the outside:

iptables -I INPUT -p tcp --dport 8080 \! -d 127.0.0.1 -j DROP
ip6tables -I INPUT -p tcp --dport 8080 \! -d ::1 -j DROP

I believe that all of the above could be stored in a special package
that could be called jenkins-apache, or something similar. If you don't
think it should be done, then probably this should be added in the
README.Debian.

By the way, even with an htpasswd, you may want to give partial access.
How does the option for auth login work in Jenkins?

I tried to go into the configuration screen of Jenkins, and clicked on:
"Enable security", then on "Unix user/group database", then on "Legacy
mode". After saving that, I locked myself out. :( Any advice? Could the
way to secure Jenkins also be added to the README.Debian, rather than
having to read random sites found on Google?

Thanks again for your work on this package (Jenkins seems quite
complicated for what it does, no?). Cheers,

Thomas Goirand (zigo)
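As an added example, not part of Thomas's message: a POSIX shell audit of the three hardening steps above (the iptables drop rules, the Apache Basic-auth reverse proxy, and the htpasswd file), using the paths from the message. Each check takes captured text or a file path so it can be tested against constructed samples; `audit` runs them against the live system and assumes GNU or busybox `stat -c`.

```shell
#!/bin/sh
# Audit of the Jenkins hardening from the message (added example).

# $1: output of "iptables -S INPUT" or "ip6tables -S INPUT"
# $2: loopback address (127.0.0.1 or ::1)
# Succeeds if a rule drops TCP/8080 traffic not addressed to loopback.
fw_rule_present() {
    printf '%s\n' "$1" |
      grep -Eq -- "^-A INPUT ! -d $2(/[0-9]+)? -p tcp .*--dport 8080 -j DROP$"
}

# $1: Apache site file. Succeeds only if "/" is behind Basic auth AND is
# the path proxied to Jenkins; auth without the proxy, or the proxy
# without auth, leaves Jenkins reachable without credentials.
proxy_conf_ok() {
    grep -Eq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" &&
    grep -Eq '^[[:space:]]*Require[[:space:]]+(user|valid-user)' "$1" &&
    grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+http://(localhost|127\.0\.0\.1):8080/' "$1"
}

# $1: htpasswd file, $2: expected user. The file must exist, list the
# user, and not be world-readable (the hashes can be cracked offline).
htpasswd_ok() {
    [ -f "$1" ] || return 1
    grep -q "^$2:" "$1" || return 1
    case "$(stat -c %a "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run every check against the live host and report what is missing.
audit() {
    fw_rule_present "$(iptables -S INPUT 2>/dev/null)" 127.0.0.1 ||
        echo "FAIL: no IPv4 rule dropping non-loopback traffic to 8080"
    fw_rule_present "$(ip6tables -S INPUT 2>/dev/null)" ::1 ||
        echo "FAIL: no IPv6 rule dropping non-loopback traffic to 8080"
    proxy_conf_ok /etc/apache2/sites-available/default-ssl ||
        echo "FAIL: default-ssl does not put Basic auth in front of the proxy"
    htpasswd_ok /etc/apache2/jenkins_htpasswd jenkins ||
        echo "FAIL: htpasswd missing, lacks user jenkins, or is world-readable"
}

[ "${1:-}" = audit ] && audit
```

Run as `sh audit.sh audit` on the Jenkins host; no output means all four checks passed.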



More information about the Openstack-devel mailing list