Update Stretch containers to 9.4 point release
.. index::
   single: Systems; Jenkins

=======
Jenkins
=======

Purpose
=======

`Jenkins`_ continuous integration server for building software artifacts for
CAcert.org and this documentation.

.. _Jenkins: https://jenkins.io

Application Links
-----------------

Jenkins web interface
   https://jenkins.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Jenkins     | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* jenkins-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.115`
:IP Internal: :ip:v4:`10.0.0.115`
:MAC address: :mac:`00:ff:a4:c9:aa:49` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Jenkins

========================= ======== ====================================================================
Name                      Type     Content
========================= ======== ====================================================================
jenkins.cacert.org.       IN A     213.154.225.242
jenkins.cacert.org.       IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
jenkins.cacert.org.       IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org.       IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
jenkins.cacert.org.       IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org.       IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
jenkins.cacert.org.       IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
jenkins.intra.cacert.org. IN A     172.16.2.115
========================= ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+---------+----------+----------------------------+
| Port     | Service | Origin   | Purpose                    |
+==========+=========+==========+============================+
| 22/tcp   | ssh     | ANY      | admin console access       |
+----------+---------+----------+----------------------------+
| 25/tcp   | smtp    | local    | mail delivery to local MTA |
+----------+---------+----------+----------------------------+
| 2022/tcp | Jenkins | internal | Jenkins ssh port           |
+----------+---------+----------+----------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service  |
+----------+---------+----------+----------------------------+
| 8080/tcp | Jenkins | internal | Jenkins web interface      |
+----------+---------+----------+----------------------------+

Running services
----------------

.. index::
   single: Exim
   single: Jenkins
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+-----------------------------------------+
| Service            | Usage              | Start mechanism                         |
+====================+====================+=========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
|                    | remote             |                                         |
|                    | administration     |                                         |
+--------------------+--------------------+-----------------------------------------+
| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
+--------------------+--------------------+-----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
+--------------------+--------------------+-----------------------------------------+
| rsyslog            | syslog daemon      | init script                             |
|                    |                    | :file:`/etc/init.d/syslog`              |
+--------------------+--------------------+-----------------------------------------+
| Exim               | SMTP server for    | init script                             |
|                    | local mail         | :file:`/etc/init.d/exim4`               |
|                    | submission         |                                         |
+--------------------+--------------------+-----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                             |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
|                    | :doc:`monitor`     |                                         |
+--------------------+--------------------+-----------------------------------------+

Connected Systems
-----------------

* :doc:`git` for triggering Jenkins web hooks
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
  infradocs.cacert.org


Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`git` for fetching source code
* :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
* :doc:`puppet` for configuration management
* :doc:`webstatic` for publishing infrastructure documentation to
  infradocs.cacert.org
* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching source
  code and build dependencies (via ``&CONTAINER_OUT_ELEVATED("jenkins");`` in
  :file:`/etc/ferm/ferm.d/jenkins.conf` on :doc:`infra02`).

Security
========

.. sshkeys::
   :RSA: SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk MD5:75:83:f5:8f:81:4b:08:bd:fd:6b:ff:12:bc:d7:17:48
   :DSA: SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc MD5:cf:8a:2d:83:53:8d:42:5a:c9:21:7c:c4:6a:3b:81:71
   :ECDSA: SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E MD5:77:18:34:2b:25:4a:e5:f3:cd:d7:2e:c9:9d:6b:03:01
   :ED25519: SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI MD5:4a:e0:9f:06:d5:c3:c8:36:b9:1e:ef:2e:0b:54:82:58

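The SHA-256 SSHFP records in the DNS table and the SHA256 host key fingerprints above encode the same digests in two forms (hex versus OpenSSH's unpadded base64). The following Python check is an added example, not part of the CAcert infrastructure repository; the function names are hypothetical, and the input values are copied from this page.

```python
import base64

# Input copied from this page: the SHA-256 (fingerprint type 2) SSHFP rows of
# the DNS table and the SHA256 fingerprints from the sshkeys block.
SSHFP_RECORDS = """\
jenkins.cacert.org. IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
jenkins.cacert.org. IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
jenkins.cacert.org. IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
"""
DOCUMENTED = {
    "RSA": "SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk",
    "DSA": "SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc",
    "ECDSA": "SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E",
    "ED25519": "SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI",
}
# SSHFP algorithm numbers per RFC 4255, RFC 6594 and RFC 7479.
ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}


def parse_sshfp(zone_text):
    """Return {algorithm name: OpenSSH-style SHA256 fingerprint} from SSHFP lines."""
    result = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2].upper() != "SSHFP":
            continue
        algo, fp_type = int(fields[3]), int(fields[4])
        if fp_type != 2 or algo not in ALGORITHMS:  # type 2 = SHA-256
            continue
        digest = bytes.fromhex("".join(fields[5:]))
        if len(digest) != 32:
            raise ValueError(f"bad SHA-256 digest length in: {line}")
        # OpenSSH prints the raw digest as unpadded base64.
        encoded = base64.b64encode(digest).decode().rstrip("=")
        result[ALGORITHMS[algo]] = "SHA256:" + encoded
    return result


def cross_check(zone_text, documented):
    """Classify each documented key as 'match', 'mismatch' or 'no SSHFP record'."""
    published = parse_sshfp(zone_text)
    report = {}
    for name, fingerprint in documented.items():
        if name not in published:
            report[name] = "no SSHFP record"
        else:
            report[name] = "match" if published[name] == fingerprint else "mismatch"
    return report


if __name__ == "__main__":
    print(cross_check(SSHFP_RECORDS, DOCUMENTED))
```

Run against the values on this page, the RSA, DSA and ECDSA fingerprints match their SSHFP records, and the ED25519 key has no SSHFP record in the DNS table.
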
Non-distribution packages and modifications
-------------------------------------------

* The Puppet agent package and a few dependencies are installed from the
  official Puppet APT repository because the versions in Debian are too old to
  use modern Puppet features.
* Jenkins from pkg.jenkins-ci.org

  package source is defined in :file:`/etc/apt/sources.list.d/jenkins.list`
* A few packages (i.e. Go toolchain) from Debian testing

  package source is defined in :file:`/etc/apt/sources.list.d/buster.list`

Risk assessments on critical packages
-------------------------------------

Jenkins is a widely used CI server with regular updates. Security issues are
handled quickly by the upstream developers.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

Jenkins configuration
---------------------

Jenkins stores its configuration and working directories in
:file:`/var/lib/jenkins`. Jenkins administration is performed via an integrated
management web interface with role based access control.

Tasks
=====

Planned
-------

* build more of CAcert's software on the Jenkins instance

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://jenkins.io/