Jenkins

Purpose

Jenkins continuous integration server for building software artifacts for CAcert.org and this documentation.

Administration

System Administration

Application Administration

Application

Administrator(s)

Jenkins

Jan Dittberner

Additional People

Mario Lipinski has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

reverse proxied from Web

IP Intranet

172.16.2.115

IP Internal

10.0.0.115

MAC address

00:ff:a4:c9:aa:49 (eth0)

See also

See Network

DNS

Name

Type

Content

jenkins.cacert.org.

IN A

213.154.225.242

jenkins.cacert.org.

IN SSHFP

1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650

jenkins.cacert.org.

IN SSHFP

1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529

jenkins.cacert.org.

IN SSHFP

2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5

jenkins.cacert.org.

IN SSHFP

2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7

jenkins.cacert.org.

IN SSHFP

3 1 1CE55A42B27BF42A78E281440F146DA17255A97D

jenkins.cacert.org.

IN SSHFP

3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381

jenkins.intra.cacert.org.

IN A

172.16.2.115

Operating System

  • Debian GNU/Linux 10.0

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

2022/tcp

Jenkins

internal

Jenkins ssh port

5665/tcp

icinga2

monitor

remote monitoring service

8080/tcp

Jenkins

internal

Jenkins web interface

Running services

Service

Usage

Start mechanism

cron

job scheduler

systemd unit cron.service

Exim

SMTP server for local mail submission

systemd unit exim4.service

dbus-daemon

System message bus daemon

systemd unit dbus.service

icinga2

Icinga2 monitoring agent

systemd unit icinga2.service

Jenkins

Jenkins CI server

systemd unit jenkins.service

openssh server

ssh daemon for remote administration

systemd unit ssh.service

Puppet agent

configuration management agent

systemd unit puppet.service

rsyslog

syslog daemon

systemd unit rsyslog.service

Connected Systems

  • Git for triggering Jenkins web hooks

  • Monitor

  • Web as reverse proxy for hostnames codedocs.cacert.org, funding.cacert.org and infradocs.cacert.org

Outbound network connections

  • Infra02 as resolving nameserver

  • Emailout as SMTP relay

  • Git for fetching source code

  • Proxyout as HTTP proxy for APT and Jenkins plugin updates

  • Puppet for configuration management

  • Webstatic for publishing code documentation to codedocs.cacert.org and infrastructure documentation to infradocs.cacert.org

  • arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching source code and build dependencies (via &CONTAINER_OUT_ELEVATED("jenkins"); in /etc/ferm/ferm.d/jenkins.conf on Infra02).

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk, MD5:75:83:f5:8f:81:4b:08:bd:fd:6b:ff:12:bc:d7:17:48

DSA

SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc, MD5:cf:8a:2d:83:53:8d:42:5a:c9:21:7c:c4:6a:3b:81:71

ECDSA

SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E, MD5:77:18:34:2b:25:4a:e5:f3:cd:d7:2e:c9:9d:6b:03:01

ED25519

SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI, MD5:4a:e0:9f:06:d5:c3:c8:36:b9:1e:ef:2e:0b:54:82:58

Non-distribution packages and modifications

  • The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

  • Jenkins from pkg.jenkins-ci.org

    package source is defined in /etc/apt/sources.list.d/jenkins.list

  • Few packages (i.e. go toolchain) from Debian testing

    package source is defined in /etc/apt/sources.list.d/buster.list

Risk assessments on critical packages

Jenkins is a widely used CI server with regular updates. Security issues are handled quickly by the upstream developers.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of Jenkins to Puppet code

Jenkins configuration

Jenkins stores its configuration and working directories in /var/lib/jenkins. Jenkins administration is performed via an integrated management web interface with role based access control.

Tasks

Changes

Planned

  • build more of CAcert’s software on the Jenkins instance

System Future

  • No plans

Additional documentation