.. index::
   single: Systems; Jenkins

=======
Jenkins
=======

Purpose
=======

`Jenkins`_ continuous integration server for building software artifacts for
CAcert.org and this documentation.

.. _Jenkins: https://jenkins.io

Application Links
-----------------

Jenkins web interface
   https://jenkins.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Jenkins     | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* jenkins-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.115`
:IP Internal: :ip:v4:`10.0.0.115`
:MAC address: :mac:`00:ff:a4:c9:aa:49` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Jenkins

========================= ======== ====================================================================
Name                      Type     Content
========================= ======== ====================================================================
jenkins.cacert.org.       IN A     213.154.225.242
jenkins.cacert.org.       IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
jenkins.cacert.org.       IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org.       IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
jenkins.cacert.org.       IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org.       IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
jenkins.cacert.org.       IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
jenkins.intra.cacert.org. IN A     172.16.2.115
========================= ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+---------+----------+----------------------------+
| Port     | Service | Origin   | Purpose                    |
+==========+=========+==========+============================+
| 22/tcp   | ssh     | ANY      | admin console access       |
+----------+---------+----------+----------------------------+
| 25/tcp   | smtp    | local    | mail delivery to local MTA |
+----------+---------+----------+----------------------------+
| 2022/tcp | Jenkins | internal | Jenkins ssh port           |
+----------+---------+----------+----------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service  |
+----------+---------+----------+----------------------------+
| 8080/tcp | Jenkins | internal | Jenkins web interface      |
+----------+---------+----------+----------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: jenkins
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+-----------------------------------------+
| Service            | Usage              | Start mechanism                         |
+====================+====================+=========================================+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
+--------------------+--------------------+-----------------------------------------+
| Exim               | SMTP server for    | init script                             |
|                    | local mail         | :file:`/etc/init.d/exim4`               |
|                    | submission         |                                         |
+--------------------+--------------------+-----------------------------------------+
| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
+--------------------+--------------------+-----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                             |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
|                    | :doc:`monitor`     |                                         |
+--------------------+--------------------+-----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
|                    | remote             |                                         |
|                    | administration     |                                         |
+--------------------+--------------------+-----------------------------------------+
| Puppet agent       | configuration      | init script                             |
|                    | management agent   | :file:`/etc/init.d/puppet`              |
+--------------------+--------------------+-----------------------------------------+
| rsyslog            | syslog daemon      | init script                             |
|                    |                    | :file:`/etc/init.d/syslog`              |
+--------------------+--------------------+-----------------------------------------+

Connected Systems
-----------------

* :doc:`git` for triggering Jenkins web hooks
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
  infradocs.cacert.org


Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`git` for fetching source code
* :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
* :doc:`puppet` for configuration management
* :doc:`webstatic` for publishing infrastructure documentation to
  infradocs.cacert.org
* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching source
  code and build dependencies (via ``&CONTAINER_OUT_ELEVATED("jenkins");`` in
  :file:`/etc/ferm/ferm.d/jenkins.conf` on :doc:`infra02`).

Security
========

.. sshkeys::
   :RSA: SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk MD5:75:83:f5:8f:81:4b:08:bd:fd:6b:ff:12:bc:d7:17:48
   :DSA: SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc MD5:cf:8a:2d:83:53:8d:42:5a:c9:21:7c:c4:6a:3b:81:71
   :ECDSA: SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E MD5:77:18:34:2b:25:4a:e5:f3:cd:d7:2e:c9:9d:6b:03:01
   :ED25519: SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI MD5:4a:e0:9f:06:d5:c3:c8:36:b9:1e:ef:2e:0b:54:82:58

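The SHA-256 SSHFP records in the DNS table and the host key fingerprints listed
here describe the same keys in two encodings (hex and unpadded base64). The
following Python cross-check is an added example, not part of the CAcert
documentation; the function names are illustrative, and the values are copied
from this page.

```python
import base64

# SSHFP records from the DNS table on this page: (algorithm, fp type, hex digest)
SSHFP = [
    (1, 1, "2CAEBE197C0F1C25404890ADFEDABB371FB05650"),
    (1, 2, "6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529"),
    (2, 1, "4CE4EEF515BDEE033D68B92419F71679880B2FD5"),
    (2, 2, "7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7"),
    (3, 1, "1CE55A42B27BF42A78E281440F146DA17255A97D"),
    (3, 2, "20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381"),
]
# OpenSSH SHA256 fingerprints from the sshkeys block on this page
SSHKEYS = {
    "RSA": "SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk",
    "DSA": "SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc",
    "ECDSA": "SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E",
    "ED25519": "SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI",
}
# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
ALGORITHM = {"RSA": 1, "DSA": 2, "ECDSA": 3, "ED25519": 4}
SHA256_TYPE = 2  # SSHFP fingerprint type 2 is SHA-256 (RFC 6594)

def fingerprint_to_hex(fingerprint):
    """Convert OpenSSH 'SHA256:<unpadded base64>' into SSHFP-style upper-case hex."""
    scheme, _, b64 = fingerprint.partition(":")
    if scheme != "SHA256":
        raise ValueError("only SHA256 fingerprints are comparable to SSHFP type 2")
    digest = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes")
    return digest.hex().upper()

def audit(sshfp, sshkeys):
    """Return {key type: 'match' | 'mismatch' | 'missing'} for SHA-256 SSHFP records."""
    published = {(alg, fp_type): digest.upper() for alg, fp_type, digest in sshfp}
    result = {}
    for key_type, fingerprint in sshkeys.items():
        record = published.get((ALGORITHM[key_type], SHA256_TYPE))
        if record is None:
            result[key_type] = "missing"   # no SSHFP record published for this key
        elif record == fingerprint_to_hex(fingerprint):
            result[key_type] = "match"
        else:
            result[key_type] = "mismatch"  # DNS and documentation disagree
    return result

if __name__ == "__main__":
    for key_type, status in audit(SSHFP, SSHKEYS).items():
        print(f"{key_type:8} {status}")
```

With the values documented on this page, the RSA, DSA and ECDSA records match
and the ED25519 key has no SSHFP record (algorithm 4) in the DNS table.
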
Non-distribution packages and modifications
-------------------------------------------

* The Puppet agent package and a few dependencies are installed from the
  official Puppet APT repository because the versions in Debian are too old to
  use modern Puppet features.
* Jenkins from pkg.jenkins-ci.org

  package source is defined in :file:`/etc/apt/sources.list.d/jenkins.list`
* A few packages (i.e. the Go toolchain) from Debian testing

  package source is defined in :file:`/etc/apt/sources.list.d/buster.list`

Risk assessments on critical packages
-------------------------------------

Jenkins is a widely used CI server with regular updates. Security issues are
handled quickly by the upstream developers.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`jenkins` to Puppet code

Jenkins configuration
---------------------

Jenkins stores its configuration and working directories in
:file:`/var/lib/jenkins`. Jenkins administration is performed via an integrated
management web interface with role based access control.

Tasks
=====

Planned
-------

* build more of CAcert's software on the Jenkins instance

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://jenkins.io/