This repo is an extension of the official Jenkins Docker image, designed to be self-operating according to the autopilot pattern. This application demonstrates support for building containers via Joyent's Triton and for provisioning Jenkins slaves via Triton.
One of the most important aspects of CI is ensuring that the CI system itself is secured, but including credentials for the build system in the container image leaves us open to accidental disclosure. This architecture injects credentials via environment variables and then uses a ContainerPilot preStart handler to update the appropriate files required by Jenkins.
Another design constraint is that CI systems often become "pets not cattle," which results in disruption to deployments if the Jenkins server is broken. We can take advantage of ContainerPilot to have a Jenkins instance bootstrap its job configuration from GitHub during the preStart handler.
The first-run.sh script called by the preStart handler will create a new job called "jenkins-jobs". When triggered, this job pulls a workspace from the git repository named in the GITHUB_JOBS_REPO environment variable and creates a new job from each configuration it finds in the workspace's jobs/ directory. Existing jobs are updated from the remote repo.
Jenkins requires SSL to be operated securely. You should only run Jenkins behind a reverse proxy that supports SSL (e.g. Nginx). If you are running Jenkins in a private network, you'll want to replace the following section of the job-building job found at usr/share/jenkins/templates/jenkins-jobs.config.xml in this repo:
    <triggers>
      <com.cloudbees.jenkins.GitHubPushTrigger plugin="github@1.18.1">
        <spec></spec>
      </com.cloudbees.jenkins.GitHubPushTrigger>
    </triggers>
This configures the job-building job to receive GitHub webhooks, which trigger the job when the remote repository receives a push. Jenkins verifies that the hook is legitimate by sending a request back to GitHub, so this communication should be over SSL in both directions. If your environment cannot support this, you may want to poll the git repository for changes instead:
    <triggers>
      <hudson.triggers.SCMTrigger>
        <spec>H/15 * * * *</spec>
        <ignorePostCommitHooks>false</ignorePostCommitHooks>
      </hudson.triggers.SCMTrigger>
    </triggers>
This configuration polls the repository every 15 minutes.
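The following is an added example, not the repo's own first-run.sh, showing how a preStart handler can render the job-building job's config.xml from the GITHUB_JOBS_REPO environment variable with either of the two trigger blocks above, so that neither the repository URL nor a credential is baked into the image. The XML skeleton, the function names and the trigger-mode argument are constructed for illustration; the real layout comes from the repo's jenkins-jobs.config.xml template.

```shell
#!/bin/sh
# Added example (not the repo's first-run.sh): render jobs/jenkins-jobs/config.xml
# at preStart time from environment variables. The XML skeleton below is a
# constructed illustration; derive the real one from the repo's template.
set -eu

# Escape XML special characters so a URL (or anything else taken from the
# environment) cannot break out of the element it is written into.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Emit the <triggers> block for one of the two modes discussed above:
# GitHub webhooks (needs SSL both ways) or polling every 15 minutes.
render_triggers() {
    case "$1" in
        webhook) printf '%s\n' '<triggers><com.cloudbees.jenkins.GitHubPushTrigger plugin="github@1.18.1"><spec></spec></com.cloudbees.jenkins.GitHubPushTrigger></triggers>' ;;
        poll)    printf '%s\n' '<triggers><hudson.triggers.SCMTrigger><spec>H/15 * * * *</spec><ignorePostCommitHooks>false</ignorePostCommitHooks></hudson.triggers.SCMTrigger></triggers>' ;;
        *) echo "unknown trigger mode: $1" >&2; return 1 ;;
    esac
}

# Write $1/jobs/jenkins-jobs/config.xml ($1 = JENKINS_HOME, $2 = trigger mode).
# Fails fast if GITHUB_JOBS_REPO is unset, writes the file owner-only, and never
# echoes the URL (it may embed a token) to the container log.
write_jobs_job() {
    home="$1"; mode="$2"
    [ -n "${GITHUB_JOBS_REPO:-}" ] || { echo "GITHUB_JOBS_REPO is not set" >&2; return 1; }
    dir="$home/jobs/jenkins-jobs"
    old_umask=$(umask); umask 077
    mkdir -p "$dir"
    {
        printf '<?xml version="1.1" encoding="UTF-8"?>\n<project>\n'
        printf '  <scm class="hudson.plugins.git.GitSCM">\n'
        printf '    <userRemoteConfigs><hudson.plugins.git.UserRemoteConfig>\n'
        printf '      <url>%s</url>\n' "$(xml_escape "$GITHUB_JOBS_REPO")"
        printf '    </hudson.plugins.git.UserRemoteConfig></userRemoteConfigs>\n'
        printf '  </scm>\n  '
        render_triggers "$mode"
        printf '</project>\n'
    } > "$dir/config.xml"
    umask "$old_umask"
    echo "wrote $dir/config.xml (trigger: $mode)"
}

# Usage from a preStart handler:  write_jobs_job "$JENKINS_HOME" poll
```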
Prerequisites: the Docker client tools (docker and docker-compose) on your laptop or other environment, as well as the Joyent Triton CLI (triton replaces our old sdc-* CLI tools). Connect your Docker client to Triton with the sdc-docker-setup.sh script:

    curl -O https://raw.githubusercontent.com/joyent/sdc-docker/master/tools/sdc-docker-setup.sh && chmod +x sdc-docker-setup.sh
    ./sdc-docker-setup.sh -k us-east-1.api.joyent.com <ACCOUNT> ~/.ssh/<PRIVATE_KEY_FILE>
Check that everything is configured correctly by running ./setup.sh. This will check that your environment is set up correctly and will create an _env file that includes the credentials and variables that we'll inject into the Jenkins container. You may wish to edit this file to set a password for the Jenkins default admin user.