path: root/docs/systems/jenkins.rst
.. index::
   single: Systems; Jenkins

=======
Jenkins
=======

Purpose
=======

`Jenkins`_ is the continuous integration server that builds software artifacts
for CAcert.org and builds this documentation.

.. _Jenkins: https://jenkins.io

Application Links
-----------------

Jenkins web interface
   https://jenkins.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Jenkins     | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* jenkins-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on this machine as well.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.115`
:IP Internal: :ip:v4:`10.0.0.115`
:MAC address: :mac:`00:ff:a4:c9:aa:49` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Jenkins

Monitoring
----------

:internal checks: :monitor:`jenkins.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Jenkins

========================= ======== ====================================================================
Name                      Type     Content
========================= ======== ====================================================================
jenkins.cacert.org.       IN A     213.154.225.242
jenkins.cacert.org.       IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
jenkins.cacert.org.       IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org.       IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
jenkins.cacert.org.       IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org.       IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
jenkins.cacert.org.       IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
jenkins.intra.cacert.org. IN A     172.16.2.115
========================= ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+---------+----------+----------------------------+
| Port     | Service | Origin   | Purpose                    |
+==========+=========+==========+============================+
| 22/tcp   | ssh     | ANY      | admin console access       |
+----------+---------+----------+----------------------------+
| 25/tcp   | smtp    | local    | mail delivery to local MTA |
+----------+---------+----------+----------------------------+
| 2022/tcp | Jenkins | internal | Jenkins ssh port           |
+----------+---------+----------+----------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service  |
+----------+---------+----------+----------------------------+
| 8080/tcp | Jenkins | internal | Jenkins web interface      |
+----------+---------+----------+----------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: jenkins
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+-----------------------------------------+
| Service            | Usage              | Start mechanism                         |
+====================+====================+=========================================+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
+--------------------+--------------------+-----------------------------------------+
| Exim               | SMTP server for    | init script                             |
|                    | local mail         | :file:`/etc/init.d/exim4`               |
|                    | submission         |                                         |
+--------------------+--------------------+-----------------------------------------+
| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
+--------------------+--------------------+-----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                             |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
|                    | :doc:`monitor`     |                                         |
+--------------------+--------------------+-----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
|                    | remote             |                                         |
|                    | administration     |                                         |
+--------------------+--------------------+-----------------------------------------+
| Puppet agent       | configuration      | init script                             |
|                    | management agent   | :file:`/etc/init.d/puppet`              |
+--------------------+--------------------+-----------------------------------------+
| rsyslog            | syslog daemon      | init script                             |
|                    |                    | :file:`/etc/init.d/syslog`              |
+--------------------+--------------------+-----------------------------------------+

Connected Systems
-----------------

* :doc:`git` for triggering Jenkins web hooks
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames codedocs.cacert.org,
  funding.cacert.org and infradocs.cacert.org

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`git` for fetching source code
* :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
* :doc:`puppet` for configuration management
* :doc:`webstatic` for publishing code documentation to codedocs.cacert.org and
  infrastructure documentation to infradocs.cacert.org
* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching source
  code and build dependencies (via ``&CONTAINER_OUT_ELEVATED("jenkins");`` in
  :file:`/etc/ferm/ferm.d/jenkins.conf` on :doc:`infra02`).

Security
========

.. sshkeys::
   :RSA:     SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk MD5:75:83:f5:8f:81:4b:08:bd:fd:6b:ff:12:bc:d7:17:48
   :DSA:     SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc MD5:cf:8a:2d:83:53:8d:42:5a:c9:21:7c:c4:6a:3b:81:71
   :ECDSA:   SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E MD5:77:18:34:2b:25:4a:e5:f3:cd:d7:2e:c9:9d:6b:03:01
   :ED25519: SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI MD5:4a:e0:9f:06:d5:c3:c8:36:b9:1e:ef:2e:0b:54:82:58

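Added example (not part of the CAcert documentation): it cross-checks the SHA-256 SSHFP records from the DNS table above against the OpenSSH fingerprints in the sshkeys block, since both encode the same digest (hex in DNS, unpadded base64 in OpenSSH output), and reports any documented host key that has no SSHFP record. The function names are mine; the record and fingerprint values are copied from this page.

```python
import base64
import binascii
# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fptype 2 means SHA-256
SSHFP_ALGO = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}

# SSHFP records copied from the DNS table on this page (constructed input for the check)
SSHFP_RECORDS = """
jenkins.cacert.org. IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
jenkins.cacert.org. IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org. IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
jenkins.cacert.org. IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org. IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
jenkins.cacert.org. IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
"""

# OpenSSH-style SHA256 fingerprints copied from the sshkeys block on this page
DOCUMENTED_FINGERPRINTS = {
    "RSA": "SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk",
    "DSA": "SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc",
    "ECDSA": "SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E",
    "ED25519": "SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI",
}

def parse_sshfp(zone_text):
    """Parse 'name IN SSHFP algo fptype hex' lines into (name, algo, fptype, hex) tuples."""
    records = []
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1:3] != ["IN", "SSHFP"]:
            raise ValueError("not an SSHFP record: %r" % line)
        name, _, _, algo, fptype, digest = fields
        records.append((name.rstrip("."), int(algo), int(fptype), digest.upper()))
    return records

def openssh_sha256(hex_digest):
    """Render a SHA-256 SSHFP digest the way 'ssh-keygen -l -E sha256' prints it (base64, no padding)."""
    raw = binascii.unhexlify(hex_digest)
    if len(raw) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes, got %d" % len(raw))
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")

def cross_check(records, documented):
    """Return {key type: 'match' | 'mismatch' | 'no-sshfp'} for every documented host key."""
    status = {key_type: "no-sshfp" for key_type in documented}
    for _name, algo, fptype, digest in records:
        key_type = SSHFP_ALGO.get(algo)
        if fptype != 2 or key_type not in documented:
            continue  # SHA-1 records cannot be compared with the SHA256: fingerprints
        status[key_type] = "match" if openssh_sha256(digest) == documented[key_type] else "mismatch"
    return status
```

Running it against the values on this page reports the RSA, DSA and ECDSA keys as matching and the ED25519 key as having no SSHFP record in the table.
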
Non-distribution packages and modifications
-------------------------------------------

* The Puppet agent package and a few dependencies are installed from the
  official Puppet APT repository because the versions in Debian are too old to
  use modern Puppet features.
* Jenkins from pkg.jenkins-ci.org; the package source is defined in
  :file:`/etc/apt/sources.list.d/jenkins.list`
* A few packages (e.g. the Go toolchain) from Debian testing; the package
  source is defined in :file:`/etc/apt/sources.list.d/buster.list`

Risk assessments on critical packages
-------------------------------------

Jenkins is a widely used CI server with regular updates. Security issues are
handled quickly by the upstream developers.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`jenkins` to Puppet code

Jenkins configuration
---------------------

Jenkins stores its configuration and working directories in
:file:`/var/lib/jenkins`. Jenkins administration is performed via its integrated
management web interface, which uses role-based access control.

Tasks
=====

Changes
=======

Planned
-------

* build more of CAcert's software on the Jenkins instance

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://jenkins.io/