1. Firewall off port 8080
Jenkins, by default, launches on port 8080 and anonymous users have full rights. This would let anonymous users run arbitrary code on your server. That's great for usability for a tool that's usually launched inside firewalls, but if you have a machine without a firewall...derp.
So, my recipe that provides some flexibility and some security was:
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw default deny
sudo ufw enable
That lets http, https, and ssh traffic from anywhere on the net get into the box, but denies all other inbound traffic. The ufw defaults also allow all outbound traffic (which is handy for apt-get and similar things). Ideally you'd also lock down specific outbound connections and only allow 22 (i.e. ssh) from known-good IP addresses. I'm not into managing that closely for this particular server. Read more docs on ufw.
But then...how do you connect to port 8080 for Jenkins access? You use an ssh tunnel:
ssh -qNf -L8080:localhost:8080 [email protected]   # -N: no remote command, -f: background after auth, -q: quiet
Then you fire up a browser to http://localhost:8080 and it's being tunneled over ssh to the server. But...nothing is running there yet...step 2.
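As an added check (not part of the original post), the script below audits what a server is actually listening on against the three ports the ufw recipe above allows. It parses `ss -ltn` output and reports any TCP listener bound to a wildcard address on a port outside that allow-list; the sample output embedded in it is constructed, and shows the exact situation the post describes: Jenkins on 8080 bound to all interfaces.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits listening TCP sockets
# against the inbound allow-list from the ufw recipe (22, 80, 443). A socket bound
# to a wildcard address on any other port is only as safe as the firewall in front
# of it; Jenkins on 8080 is the case the post is worried about.

ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -ltn` output, standing in for a live server.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       50      *:8080               *:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*'

# exposed_ports [SS_OUTPUT]: read `ss -ltn` output from the argument (or stdin),
# print one "<addr> <port>" line per wildcard-bound listener whose port is not in
# ALLOWED_PORTS, and exit 1 if any were found (0 if the box is clean).
exposed_ports() {
    input=${1:-$(cat)}
    printf '%s\n' "$input" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                          # skip the header row
        {
            addr = $4                             # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)
            # Wildcard binds as ss prints them: 0.0.0.0, *, [::], ::
            if ((host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") && !(port in ok)) {
                print host, port
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Stand-alone run against the constructed sample; on a real box use:
#   exposed_ports "$(ss -ltn)"   or   ss -ltn | exposed_ports
exposed_ports "$SAMPLE_SS_OUTPUT"
```

On the sample this prints `* 8080` and exits 1, which is what the ufw rules are there to cover. Belt and braces: Jenkins can also be told to bind only to loopback (`--httpListenAddress=127.0.0.1` in its startup arguments; on the Debian/Ubuntu package that is the JENKINS_ARGS line in /etc/default/jenkins, an assumption about the package rather than something the post states), after which the tunnel still works and the check stays clean even if ufw is ever disabled.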
2. Install Jenkins on Ubuntu
I was installing this on an Ubuntu 11.10 server (Oneiric) but I think this is probably a good guide: Jenkins Wiki on Installing Jenkins on Ubuntu. They use their own package outside Ubuntu's repository, so you have to add their signing key, but I found it to be much more user-friendly than the default Jenkins that comes with Ubuntu. So, I'm using it!
3. Securing Jenkins (basics)
Also, I love how the first comment on that article is from Steven Merrill, someone I know from the Drupal community.
4. Configure and create your first Jenkins jobs
Click "new job" and then "Build a free-style software project." Don't get tripped up on "building" anything. Fundamentally it's about running random scripts, so if you aren't going to "build" code this is probably still the right thing to use.
You probably also want to read the wiki on how to use Jenkins.
5. Backup and upgrade
You should be backing up Jenkins. If you don't have a server-wide backup in place then back up at least the /var/lib/jenkins directory (for Ubuntu). Be sure to subscribe to the security advisories and do upgrades at least whenever those come out. If you installed as I did then it should be enough to just run "apt-get update && apt-get upgrade".
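As an added example (not code from the original post), here is the minimal backup the paragraph above asks for: a timestamped tar.gz of the Jenkins home with a retention count, skipping job workspaces. The source and destination directories are parameters so it can run against any tree; on the Ubuntu package install the source is /var/lib/jenkins as stated above, and the `jenkins-backups` destination and the default retention of 7 are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Timestamped backup of the Jenkins
# home directory with simple retention. Usage: backup_jenkins SRC DEST [KEEP]
#   SRC   Jenkins home (/var/lib/jenkins on the Ubuntu package install)
#   DEST  directory to write archives into (created if missing)
#   KEEP  how many archives to keep, newest first (default 7, an assumption)
# Prints the path of the new archive; returns 1 if SRC is not a directory.
backup_jenkins() {
    src=$1; dest=$2; keep=${3:-7}
    [ -d "$src" ] || { echo "backup_jenkins: $src is not a directory" >&2; return 1; }
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/jenkins-$stamp.tar.gz"
    base=$(basename "$src")
    # -C so members are relative (e.g. jenkins/config.xml). The workspace/ tree is
    # excluded: it is rebuilt by the next job run, while config.xml, jobs/*/config.xml,
    # users/, plugins/ and secrets/ are what you actually need to restore an instance.
    tar -C "$(dirname "$src")" --exclude="$base/workspace" -czf "$archive" "$base"
    # Retention: newest first, drop everything past KEEP.
    ls -1t "$dest"/jenkins-*.tar.gz | tail -n "+$((keep + 1))" | while read -r old; do
        rm -f "$old"
    done
    printf '%s\n' "$archive"
}

# Stand-alone run (assumed paths): backup_jenkins /var/lib/jenkins /var/backups/jenkins-backups
```

Run it from cron as root (the Jenkins home is owned by the jenkins user) and copy the archives off the box; a restore is just untarring over an empty /var/lib/jenkins with Jenkins stopped, which is also the safest moment to take the backup so no job is writing config while tar reads it.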
I'm documenting this based on a setup I did to help automate a variety of backend processes at CARD.com! If we end up customizing our server in any way or get some novel uses, I'll try to update this post.