vfarcic / docker-flow-stacks


jenkins image wipes security config on container restarts #14

Closed patrickleet closed 6 years ago

patrickleet commented 7 years ago

https://github.com/vfarcic/docker-flow-stacks/blob/master/jenkins/security.groovy

This security script will wipe any settings you make to Global Security when the container restarts.

Instead of just setting the security realm, we should first check that it is not set to something already?

For example, I am using Github Authentication plugin, and every time the container restarts, I have to reconfigure security.

vfarcic commented 7 years ago

Would you like to give it a try and make a PR?

vfarcic commented 6 years ago

Another way would be to setup GitHub authentication, check which file was changed in Jenkins home, and include that file in the image. That way, you'd have GitHub authentication from the start.

patrickleet commented 6 years ago

Yes, I’m also using custom secrets for GitHub secrets, so I was thinking just checking for those would work for me as well.

vfarcic commented 6 years ago

Did that work @patrickleet?

vfarcic commented 6 years ago

Closing due to inactivity.

patrickleet commented 6 years ago

Hey @vfarcic , sorry for the inactivity...

Got around to trying a couple of different solutions with this..

1. Modifying security.groovy to wrap the new user/security settings in an if statement so they only run if the secret githubUser doesn't exist:
#!groovy

import jenkins.model.*
import hudson.security.*
import jenkins.security.s2m.AdminWhitelistRule

def instance = Jenkins.getInstance()

def user = new File("/run/secrets/jenkins-user").text.trim()
def pass = new File("/run/secrets/jenkins-pass").text.trim()

def githubUser = new File("/run/secrets/github-user")

// if auth already configured, skip creating user and setting auth
if (!githubUser.exists()) {

  println "Creating user " + user + "..."

  def hudsonRealm = new HudsonPrivateSecurityRealm(false)
  hudsonRealm.createAccount(user, pass)
  instance.setSecurityRealm(hudsonRealm)

  def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
  instance.setAuthorizationStrategy(strategy)
  instance.save()

  Jenkins.instance.getInjector().getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)

  println "User " + user + " was created"

}

and

2. Mounting config.xml, which contains the GitHub Auth settings, into the container as part of the Dockerfile:
FROM jenkinsci/jenkins:lts-alpine

# Whether to skip setup wizard
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"

# Init script: creates the admin user from the Docker secrets jenkins-user and jenkins-pass
# (skipped when the github-user secret exists, i.e. when GitHub auth is already configured)
COPY security.groovy /usr/share/jenkins/ref/init.groovy.d/security.groovy

# Install a list of plugins from the file 'plugins.txt' and their dependencies
COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt

COPY /var/jenkins_home/config.xml /var/jenkins_home/config.xml

In both cases, the github authentication gets clobbered, and it needs to be set up manually again.

Any other ideas?

patrickleet commented 6 years ago

After inspecting the file in the container, it looks like the new security script never makes it in, so maybe this would work if it were there on first run, but can't be added in later?

patrickleet commented 6 years ago

Ok, so I think the above is the case, which means the script from 1 works, but not once you've got a volume mount that overrides it with a previous version of the script.

Execing into the container and modifying security.groovy to the new script using vi seems to have fixed the issue.

patrickleet commented 6 years ago

There's still a bit of a mystery.

It seems the incorrect version of the script wasn't where security.groovy was initially mounted, but at /var/jenkins_home/init.groovy.d/security.groovy.

vfarcic commented 6 years ago

Everything in /usr/share/jenkins/ref is moved to /var/jenkins_home. The purpose of that directory is to circumvent mounted JENKINS_HOME. If you mount JENKINS_HOME as a volume, that overwrites any files you might bake into the image's JENKINS_HOME. Therefore, the image has a mechanism that moves things from /usr/share/jenkins/ref to /var/jenkins_home unless the same file already exists.

Please let me know @patrickleet if I managed to explain it.
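The copy-unless-present rule described above is what keeps a stale security.groovy alive in a reused JENKINS_HOME volume. The script below is an added example, not the jenkins image's own jenkins-support script: it is a simplified reimplementation of that reference-directory mechanism, including the ".override" suffix the official image documents for forcing a copy over an existing file. The directory layout and the "old script"/"new script" contents are constructed for the demonstration; REF and JENKINS_HOME stand in for /usr/share/jenkins/ref and /var/jenkins_home.

```shell
#!/bin/sh
# Added example: simplified model of how files under $REF land in $JENKINS_HOME.
# Rule: copy only when the target does not exist yet, unless the source name
# ends in ".override", which always overwrites (suffix stripped on copy).
# Assumes REF and JENKINS_HOME are set by the caller.

copy_reference_file() {
    src="$1"
    rel="${src#$REF/}"              # path relative to the reference dir
    force=0
    case "$rel" in
        *.override) rel="${rel%.override}"; force=1 ;;
    esac
    dst="$JENKINS_HOME/$rel"
    mkdir -p "$(dirname "$dst")"
    if [ "$force" -eq 1 ] || [ ! -e "$dst" ]; then
        cp "$src" "$dst"
        echo "INSTALL $rel"
    else
        # This branch is why an edited security.groovy baked into the image
        # never reaches a JENKINS_HOME volume that already holds the old one.
        echo "SKIP $rel (already present in JENKINS_HOME)"
    fi
}

copy_reference_dir() {
    find "$REF" -type f -print | while IFS= read -r f; do
        copy_reference_file "$f"
    done
}

# Simulate a container restart against a reused volume: JENKINS_HOME already
# holds an old security.groovy, the image ships a new one under $REF.
# mode "plain" ships it as security.groovy, mode "override" as
# security.groovy.override. Prints the script that ends up active.
simulate_restart() {
    mode="$1"
    tmp="$(mktemp -d)"
    REF="$tmp/ref"
    JENKINS_HOME="$tmp/home"
    mkdir -p "$REF/init.groovy.d" "$JENKINS_HOME/init.groovy.d"
    # constructed sample contents, standing in for the two script versions
    echo 'println "old script"' > "$JENKINS_HOME/init.groovy.d/security.groovy"
    target="$REF/init.groovy.d/security.groovy"
    if [ "$mode" = override ]; then
        target="$target.override"
    fi
    echo 'println "new script"' > "$target"
    copy_reference_dir >/dev/null
    cat "$JENKINS_HOME/init.groovy.d/security.groovy"
    rm -rf "$tmp"
}

echo "plain copy keeps:    $(simulate_restart plain)"
echo ".override replaces:  $(simulate_restart override)"
```

Run it as-is to see both outcomes: with a plain file the old script in the volume wins, with the .override suffix the new one replaces it. Note the security angle of the second case: an .override init script re-runs on every restart, so it must itself check the current realm before touching it, or it will clobber a GitHub (or any other) realm exactly as this issue describes.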

patrickleet commented 6 years ago

Yes, makes sense and got it working. Thanks.