[Openstack-devel] Questions about Jenkins
Thomas Goirand
thomas at goirand.fr
Mon Mar 11 08:42:43 UTC 2013
Hi James,
I have a few questions to ask you about Jenkins, since I saw that you were
the package maintainer.
First of all, thanks a lot for maintaining it in Debian, it's quite a
nice tool! :)
Currently, in the default package, Jenkins appears to bind to port 8080,
and allows starting any command as the Jenkins user (add a new job, and
in it, start any command).
Would it be possible that the package either doesn't start the jenkins
daemon by default, or that (even better) it is fixed to have some kind
of auth by default?
Also, I proxy Jenkins through Apache, using this in the
/etc/apache2/sites-available/default-ssl:
<Location />
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/jenkins_htpasswd
    Require user jenkins
</Location>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ServerAdmin webmaster@localhost
To enable the above:
a2enmod proxy_http
a2enmod proxy
a2enmod ssl
a2dissite default
a2ensite default-ssl
To generate the htpasswd:
# Path must match the AuthUserFile directive in the Apache configuration
[ -e /etc/apache2/jenkins_htpasswd ] || \
htpasswd -b -c /etc/apache2/jenkins_htpasswd jenkins PASSWORD
Finally, to protect against use of the Jenkins port from the outside:
iptables -I INPUT -p tcp --dport 8080 \! -d 127.0.0.1 -j DROP
ip6tables -I INPUT -p tcp --dport 8080 \! -d ::1 -j DROP
I believe that all of the above could be stored in a special package
that could be called jenkins-apache, or something similar. If you don't
think it should be done, then probably this should be added in the
README.Debian.
By the way, even with an htpasswd, you may want to give partial access.
How does the option for auth login work in Jenkins?
I tried to go in the configuration screen of Jenkins, and clicked on:
"Enable security", then on "Unix user/group database", then on "Legacy
mode". After saving that, I locked myself out. :( Any advice? Could the
way to secure Jenkins be also added in the README.Debian, rather than
reading any random site found on Google?
Thanks again for your work on this package (Jenkins seems quite
complicated for what it does, no?), Cheers,
Thomas Goirand (zigo)
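
Added example, not part of the original message: a shell check for the exposure the message describes, reporting any listener on port 8080 that is bound to a non-loopback address. The sample lines in `ss -Hltn` layout are constructed, and the function names are hypothetical; the check looks only at the bind address, so a wildcard bind it reports is protected solely by firewall rules such as the iptables ones in the message.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reports listeners on the Jenkins port that are bound to a non-loopback
# address. Input: lines in `ss -Hltn` layout:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

JENKINS_PORT=8080   # port named in the message

# Constructed sample input: one exposed host, one loopback-only host.
SAMPLE_WILDCARD='LISTEN 0 50 *:8080 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'
SAMPLE_LOOPBACK='LISTEN 0 50 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 50 [::1]:8080 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# Print each listening address:port on port $1 that is not loopback.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)        # last colon separates the port
            if (n == 0 || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            sub(/%.*$/, "", addr)            # strip interface scope (%eth0)
            gsub(/^\[|\]$/, "", addr)        # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print $4
        }'
}

# Exit status 0 when the port is loopback-only or closed, 1 when exposed.
check_exposure() {
    found=$(exposed_listeners "$JENKINS_PORT")
    if [ -n "$found" ]; then
        echo "EXPOSED: $found"
        return 1
    fi
    echo "OK: port $JENKINS_PORT is loopback-only or not listening"
}

# Demo on the constructed samples; on a real host: ss -Hltn | check_exposure
printf '%s\n' "$SAMPLE_WILDCARD" | check_exposure || true
printf '%s\n' "$SAMPLE_LOOPBACK" | check_exposure
```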