autopilotpattern / jenkins

Extension of official Jenkins Docker image that supports Joyent's Triton for elastic slave provisioning
43 stars 10 forks source link

Autopilot Pattern Jenkins

This repo is an extension of the official Jenkins Docker image, designed to be self-operating according to the autopilot pattern. This application demonstrates support for building containers via Joyent's Triton and for provisioning Jenkins slaves via Triton.

DockerPulls DockerStars

Design

One of the most important aspects of CI is ensuring that the CI system itself is secured, but including credentials to the build system in the container image leaves us open to accidental disclosure. This architecture injects credentials via environment variables and then uses a ContainerPilot preStart handler to update the appropriate files required by Jenkins.

Another design constraint is that CI systems often become "pets not cattle," which results in disruption to deployments if the Jenkins server is broken. We can take advantage of ContainerPilot to have a Jenkins instance bootstrap its job configuration from GitHub during the preStart handler.

The first-run.sh script called by the preStart handler will create a new job called "jenkins-jobs". When triggered, this job pulls a workspace from a git repository passed in the GITHUB_JOBS_REPO environment variable and from that repo creates new jobs from each configuration it can find in the workspace's jobs/ directory. Existing jobs will be updated from the remote repo.

Caveats

Jenkins requires SSL to be operated securely. You should only run Jenkins behind a reverse proxy that supports SSL (ex. Nginx). If you are running Jenkins in a private network, you'll want to replace the following section of the job-building job found at usr/share/jenkins/templates/jenkins-jobs.config.xml in this repo.

<triggers>
  <com.cloudbees.jenkins.GitHubPushTrigger plugin="github@1.18.1">
    <spec></spec>
  </com.cloudbees.jenkins.GitHubPushTrigger>
</triggers>

This configures the job-building job to receive GitHub webhooks to fire off the job when the remote repository receives a push. Jenkins will verify the hook is legitimate by sending a request back to GitHub, but this communication should be over SSL in both directions. If your environment cannot support this, you may want to poll the git repository for changes instead:

<triggers>
  <hudson.triggers.SCMTrigger>
    <spec>H/15 * * * *</spec>
    <ignorePostCommitHooks>false</ignorePostCommitHooks>
  </hudson.triggers.SCMTrigger>
</triggers>

This configuration polls the repository every 15 minutes.

Run it!

  1. Get a Joyent account and add your SSH key.
  2. Install the Docker Toolbox (including docker and docker-compose) on your laptop or other environment, as well as the Joyent Triton CLI (triton replaces our old sdc-* CLI tools)
  3. Configure Docker and Docker Compose for use with Joyent:
curl -O https://raw.githubusercontent.com/joyent/sdc-docker/master/tools/sdc-docker-setup.sh && chmod +x sdc-docker-setup.sh
./sdc-docker-setup.sh -k us-east-1.api.joyent.com <ACCOUNT> ~/.ssh/<PRIVATE_KEY_FILE>

Check that everything is configured correctly by running ./setup.sh. This will check that your environment is setup correctly and will create an _env file that includes the credentials and variables that we'll inject into the Jenkins container. You may wish to edit this file with a password for the Jenkins default admin user.