Leeeroooy Jenkins or let's do some CI/CD
Let's have some fun with Jenkins today. I could run the war file directly, but I don't want to write an SMF service to start/stop it. So let's go with Tomcat instead.
# pkg install --no-backup-be tomcat-8
# zfs create -o compression=lz4 tank/tomcat8
# rsync -av /var/tomcat8/ /tank/tomcat8/
# rm -rf /tank/tomcat8/webapps/ROOT
# cat << EOF > /usr/tomcat8/bin/setenv.sh
UMASK="0022"
CATALINA_BASE="/tank/tomcat8"
CATALINA_OPTS="-DJENKINS_HOME=/tank/jenkins/ -Dhudson.model.UpdateCenter.never=true -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1"
JAVA_OPTS="-Xms256m -Xmx1g -XX:+UseLargePages"
EOF
Let's fix those nasty "consider increasing the maximum size of the cache" warnings, too.
# tail -f /tank/tomcat8/logs/catalina.out
19-Sep-2017 12:52:48.777 WARNING [Handling GET /static/30e0a8de/assets/jquery-detached/jsmodules/jquery2.js from 127.0.0.1 : http-nio-127.0.0.1-8080-exec-1] org.apache.catalina.webresources.Cache.getResource Unable to add the resource at [/WEB-INF/classes/assets/jquery-detached/jsmodules/jquery2.js] to the cache for web application [] because there was insufficient free space available after evicting expired cache entries - consider increasing the maximum size of the cache
...
# perl -w -pi -e 's|^(</Context>)$|    <Resources cachingAllowed="true" cacheMaxSize="100000" />\n$1|' /tank/tomcat8/conf/context.xml
We want Tomcat to listen on localhost only because we'll proxy it later through a TLS-terminating Apache httpd (you know, compliance...). Also make sure to change XXX_REPLACE_WITH_YOUR_FQDN to the FQDN you're using.
# groupadd -g 5213 jenkins
# useradd -u 5213 -g jenkins -d /tank/jenkins -s /bin/ksh93 -m jenkins
# passwd -N jenkins
# zfs create -o compression=lz4 tank/jenkins
# chown jenkins:jenkins /tank/jenkins
# wget -O /tank/tomcat8/webapps/ROOT.war http://mirrors.jenkins.io/war-stable/latest/jenkins.war
# chown jenkins:jenkins /tank/tomcat8/webapps/ROOT.war
# perl -w -pi -e 's|(<Connector port="8080" protocol="HTTP/1.1")|$1 address="127.0.0.1" proxyName="XXX_REPLACE_WITH_YOUR_FQDN" proxyPort="443"|' /tank/tomcat8/conf/server.xml
# perl -w -pi -e 's|^(\s+<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />)$|<!-- $1 -->|' /tank/tomcat8/conf/server.xml
# svccfg -s tomcat8 setprop start/user=jenkins
# svccfg -s tomcat8 setprop start/group=jenkins
# svcadm refresh tomcat8
# svcadm enable tomcat8
# tail -f /tank/tomcat8/logs/catalina.out
...
19-Sep-2017 12:58:45.093 INFO [Jenkins initialization thread] hudson.WebAppMain$3.run Jenkins is fully up and running
Tomcat is running as a non-root user and serving Jenkins on localhost now. Time to configure the Apache httpd proxy.
Steps for creating a new SSL certificate/key with pktool can be found in How to create a SSL CA/certificate/key with pktool. Done? Good.
# cp CA.crt /etc/apache2/2.2/server-ca.crt
# cp server.crt /etc/apache2/2.2/
# cp server.key /etc/apache2/2.2/
# chown webservd:webservd /etc/apache2/2.2/server*
# cat << 'EOF' > /etc/apache2/2.2/conf.d/ssl-jenkins.conf
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice pkcs11

Listen XXX_REPLACE_WITH_YOUR_FQDN:443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite AESGCM:AES
SSLProxyCipherSuite AESGCM:AES
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2
SSLSessionCache "shmcb:/var/run/apache2/2.2/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/apache2/2.2/ssl_mutex"

ProxyRequests off
ProxyPreserveHost on

<VirtualHost _default_:443>
  ServerName XXX_REPLACE_WITH_YOUR_FQDN
  ServerAdmin webservd@XXX_REPLACE_WITH_YOUR_FQDN

  SSLEngine on
  SSLCompression off
  SSLSessionTickets off
  SSLCertificateFile "/etc/apache2/2.2/server.crt"
  SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
  SSLCertificateChainFile "/etc/apache2/2.2/server-ca.crt"

  Header always set Strict-Transport-Security "max-age=15768000"
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"

  AllowEncodedSlashes NoDecode
  ProxyPass / http://127.0.0.1:8080/ nocanon
  ProxyPassReverse / https://XXX_REPLACE_WITH_YOUR_FQDN/

  CustomLog "/var/apache2/2.2/logs/ssl_request_log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF
# /usr/apache2/2.2/bin/apachectl -t
Syntax OK
# svcadm enable apache22
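Before handing the URL out, it is worth checking that the two files edited above (the server.xml connector changes and the ssl-jenkins.conf proxy config) really ended up in the intended state, since a perl one-liner that silently matches nothing leaves Tomcat on all interfaces or the AJP port open. The following script is an added example, not part of the original post or of Tomcat/Apache: it greps the files for the settings the post relies on (loopback bind, proxyPort, no live AJP connector, TLSv1.2 only, no compression, HSTS, ProxyRequests off, forwarded scheme, Listen bound to a name). The sample files it writes are constructed here and use the placeholder FQDN ci.example.test.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the two config files
# the walkthrough edits carry the security-relevant settings it intends.
# Constructed sample files (placeholder FQDN ci.example.test) allow a dry run.

# Remove <!-- ... --> comments, including multi-line ones, so a commented-out
# connector is not mistaken for a live one.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
            }
        }
        if (out != "") print out
    }' "$1"
}

# server.xml: HTTP connector bound to loopback with proxyPort 443, no live AJP connector.
check_tomcat_server_xml() {
    rc=0
    # one <Connector ...> element per line, attributes joined, comments gone
    connectors=$(strip_xml_comments "$1" | tr -s '[:space:]' ' ' | tr '<' '\n' | grep '^Connector ')
    http=$(printf '%s\n' "$connectors" | grep 'protocol="HTTP/1.1"')
    printf '%s\n' "$http" | grep -q 'address="127.0.0.1"' \
        || { echo "FAIL $1: HTTP connector is not bound to 127.0.0.1"; rc=1; }
    printf '%s\n' "$http" | grep -q 'proxyPort="443"' \
        || { echo "FAIL $1: HTTP connector has no proxyPort=\"443\""; rc=1; }
    if printf '%s\n' "$connectors" | grep -q 'protocol="AJP/1.3"'; then
        echo "FAIL $1: AJP connector is still enabled"; rc=1
    fi
    return $rc
}

# ssl-jenkins.conf: TLS 1.2 only, no compression, HSTS, forward proxying off,
# Host and scheme forwarded, Listen bound to a name rather than a bare port.
check_httpd_ssl_conf() {
    rc=0
    conf=$(sed 's/#.*$//' "$1")   # drop comments
    for pair in \
        'SSLProtocol[[:space:]]+TLSv1\.2[[:space:]]*$|SSLProtocol is not restricted to TLSv1.2' \
        'SSLCompression[[:space:]]+off|SSLCompression is not off' \
        'SSLHonorCipherOrder[[:space:]]+on|SSLHonorCipherOrder is not on' \
        'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security|HSTS header missing' \
        'ProxyRequests[[:space:]]+off|ProxyRequests is not off (open forward proxy)' \
        'ProxyPreserveHost[[:space:]]+on|ProxyPreserveHost is not on' \
        'RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Proto[[:space:]]+"https"|X-Forwarded-Proto not set'
    do
        regex=${pair%%|*}; msg=${pair#*|}
        printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$regex" \
            || { echo "FAIL $1: $msg"; rc=1; }
    done
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*Listen[[:space:]]+[0-9]+[[:space:]]*$'; then
        echo "FAIL $1: Listen uses a bare port (all interfaces)"; rc=1
    fi
    return $rc
}

# Constructed samples mirroring the post's end state; $1 = target directory.
write_samples() {
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" proxyName="ci.example.test" proxyPort="443"
               connectionTimeout="20000"
               redirectPort="8443" />
<!--     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
EOF
    cat > "$1/ssl-jenkins.conf" <<'EOF'
Listen ci.example.test:443
SSLProtocol TLSv1.2
SSLHonorCipherOrder on
ProxyRequests off
ProxyPreserveHost on
<VirtualHost _default_:443>
  SSLEngine on
  SSLCompression off
  Header always set Strict-Transport-Security "max-age=15768000"
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://127.0.0.1:8080/ nocanon
</VirtualHost>
EOF
}

demo() {
    dir=$(mktemp -d); write_samples "$dir"
    check_tomcat_server_xml "$dir/server.xml" && check_httpd_ssl_conf "$dir/ssl-jenkins.conf" \
        && echo "OK: both files match the hardened setup"
    rm -rf "$dir"
}
demo
```

On the real host, call check_tomcat_server_xml /tank/tomcat8/conf/server.xml and check_httpd_ssl_conf /etc/apache2/2.2/conf.d/ssl-jenkins.conf instead of the samples; a non-zero exit with a FAIL line tells you which perl substitution or directive did not land.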
Fetch the admin password from /tank/jenkins/secrets/initialAdminPassword and you're ready to go.
See also: Jenkins System Properties.
Read the next part at Using Jenkins to build nginx.