Improve system documentation
.. index::
   single: Systems; Jenkins

=======
Jenkins
=======

Purpose
=======

`Jenkins`_ continuous integration server for building software artifacts for
CAcert.org and this documentation.

.. _Jenkins: https://jenkins.io

Application Links
-----------------

Jenkins web interface
   https://jenkins.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Jenkins     | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* jenkins-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.115`
:IP Internal: :ip:v4:`10.0.0.115`
:MAC address: :mac:`00:ff:a4:c9:aa:49` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Jenkins

Monitoring
----------

:internal checks: :monitor:`jenkins.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Jenkins

========================= ======== ====================================================================
Name                      Type     Content
========================= ======== ====================================================================
jenkins.cacert.org.       IN A     213.154.225.242
jenkins.cacert.org.       IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
jenkins.cacert.org.       IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org.       IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
jenkins.cacert.org.       IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org.       IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
jenkins.cacert.org.       IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
jenkins.intra.cacert.org. IN A     172.16.2.115
========================= ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+---------+----------+----------------------------+
| Port     | Service | Origin   | Purpose                    |
+==========+=========+==========+============================+
| 22/tcp   | ssh     | ANY      | admin console access       |
+----------+---------+----------+----------------------------+
| 25/tcp   | smtp    | local    | mail delivery to local MTA |
+----------+---------+----------+----------------------------+
| 2022/tcp | Jenkins | internal | Jenkins ssh port           |
+----------+---------+----------+----------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service  |
+----------+---------+----------+----------------------------+
| 8080/tcp | Jenkins | internal | Jenkins web interface      |
+----------+---------+----------+----------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: jenkins
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+-----------------------------------------+
| Service            | Usage              | Start mechanism                         |
+====================+====================+=========================================+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
+--------------------+--------------------+-----------------------------------------+
| Exim               | SMTP server for    | init script                             |
|                    | local mail         | :file:`/etc/init.d/exim4`               |
|                    | submission         |                                         |
+--------------------+--------------------+-----------------------------------------+
| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
+--------------------+--------------------+-----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                             |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
|                    | :doc:`monitor`     |                                         |
+--------------------+--------------------+-----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
|                    | remote             |                                         |
|                    | administration     |                                         |
+--------------------+--------------------+-----------------------------------------+
| Puppet agent       | configuration      | init script                             |
|                    | management agent   | :file:`/etc/init.d/puppet`              |
+--------------------+--------------------+-----------------------------------------+
| rsyslog            | syslog daemon      | init script                             |
|                    |                    | :file:`/etc/init.d/syslog`              |
+--------------------+--------------------+-----------------------------------------+

Connected Systems
-----------------

* :doc:`git` for triggering Jenkins web hooks
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames codedocs.cacert.org,
  funding.cacert.org and infradocs.cacert.org


Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`git` for fetching source code
* :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
* :doc:`puppet` for configuration management
* :doc:`webstatic` for publishing code documentation to codedocs.cacert.org and
  infrastructure documentation to infradocs.cacert.org
* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching source
  code and build dependencies (via ``&CONTAINER_OUT_ELEVATED("jenkins");`` in
  :file:`/etc/ferm/ferm.d/jenkins.conf` on :doc:`infra02`).

Security
========

.. sshkeys::
   :RSA: SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk MD5:75:83:f5:8f:81:4b:08:bd:fd:6b:ff:12:bc:d7:17:48
   :DSA: SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc MD5:cf:8a:2d:83:53:8d:42:5a:c9:21:7c:c4:6a:3b:81:71
   :ECDSA: SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E MD5:77:18:34:2b:25:4a:e5:f3:cd:d7:2e:c9:9d:6b:03:01
   :ED25519: SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI MD5:4a:e0:9f:06:d5:c3:c8:36:b9:1e:ef:2e:0b:54:82:58

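The SSHFP records in the DNS table and the SHA256 host key fingerprints listed above describe the same keys in two encodings (hex digest in DNS, unpadded base64 as printed by OpenSSH). The following check is an added example, not part of the original documentation or of CAcert's tooling; it converts the SSHFP type 2 digests to OpenSSH form and reports, per key type, whether the documented fingerprint agrees or has no SSHFP record. The function names are chosen for this example.

```python
import base64

# Values copied from the DNS table and the sshkeys directive on this page.
ZONE = """\
jenkins.cacert.org. IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
jenkins.cacert.org. IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org. IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
jenkins.cacert.org. IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org. IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
jenkins.cacert.org. IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
"""
DOCUMENTED = {
    "RSA": "SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk",
    "DSA": "SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc",
    "ECDSA": "SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E",
    "ED25519": "SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI",
}
ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}  # SSHFP algorithm numbers

def sshfp_to_openssh(hex_digest):
    """Render an SSHFP SHA-256 digest the way ssh-keygen -l prints it."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 32:
        raise ValueError("a SHA-256 digest must be 32 bytes long")
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")

def parse_sshfp(zone_text):
    """Return {key type: OpenSSH fingerprint} for SSHFP fingerprint type 2 (SHA-256)."""
    result = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2].upper() != "SSHFP":
            continue
        algo, fp_type, digest = int(fields[3]), int(fields[4]), "".join(fields[5:])
        if fp_type == 2 and algo in ALGORITHMS:  # type 1 (SHA-1) records are skipped
            result[ALGORITHMS[algo]] = sshfp_to_openssh(digest)
    return result

def audit(zone_text, documented):
    """Compare documented fingerprints with the published SSHFP records."""
    published = parse_sshfp(zone_text)
    return {
        name: "no SSHFP record" if name not in published
        else "match" if published[name] == fp else "MISMATCH"
        for name, fp in documented.items()
    }

if __name__ == "__main__":
    print(audit(ZONE, DOCUMENTED))
```

With the values on this page, the RSA, DSA and ECDSA entries agree, and the ED25519 key has no SSHFP record in the DNS table.
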
Non-distribution packages and modifications
-------------------------------------------

* The Puppet agent package and a few dependencies are installed from the
  official Puppet APT repository because the versions in Debian are too old to
  use modern Puppet features.
* Jenkins from pkg.jenkins-ci.org

  The package source is defined in :file:`/etc/apt/sources.list.d/jenkins.list`
* A few packages (i.e. the Go toolchain) from Debian testing

  The package source is defined in :file:`/etc/apt/sources.list.d/buster.list`

Risk assessments on critical packages
-------------------------------------

Jenkins is a widely used CI server with regular updates. Security issues are
handled quickly by the upstream developers.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`jenkins` to Puppet code

Jenkins configuration
---------------------

Jenkins stores its configuration and working directories in
:file:`/var/lib/jenkins`. Jenkins administration is performed via an integrated
management web interface with role based access control.

Tasks
=====

Changes
=======

Planned
-------

* build more of CAcert's software on the Jenkins instance

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://jenkins.io/
267
268 * https://jenkins.io/