
deployment: ship /var/lib/jenkins/config.xml and user jenkins-debian-glue with custom password

Avoid giving the user a fully open Jenkins system.
The user can now set a custom password for the user jenkins-debian-glue.
merge-requests/109/head
Michael Prokop 10 years ago
parent
commit
f85d9b4661
  1. 54
      puppet/apply.sh
  2. 72
      puppet/jenkins_debian_glue.pp

54
puppet/apply.sh

@ -1,16 +1,56 @@
#!/bin/bash
date
start_seconds=$(cut -d . -f 1 /proc/uptime)
[ -n "$start_seconds" ] && SECONDS="$[$(cut -d . -f 1 /proc/uptime)-$start_seconds]" || SECONDS="unknown"
if ! [ -r jenkins_debian_glue.pp ] ; then
# support executing custom jenkins_debian_glue.pp
if [ -n "$1" ] ; then
wget -O jenkins_debian_glue.pp --no-check-certificate "$1"
if [ -r /var/lib/jenkins/config.xml ] ; then
echo "Configuration file /var/lib/jenkins/config.xml exists already." >&2
echo "Exiting to avoid possible data loss." >&2
exit 1
fi
if [ $# -lt 1 ] ; then
echo "Usage: $0 <password> [<http://path/to/some/puppetfile.pp>]" >&2
exit 1
fi
PASSWORD_HASH=$(echo -n "${1}{jenkins-debian-glue}" | sha256sum | awk '{print $1}')
if [ -z "$PASSWORD_HASH" ] ; then
echo "Error calculating password hash. :(" >&2
exit 1
fi
if [ -n "$2" ] ; then
if [ -r jenkins_debian_glue.pp ] ; then
echo "Error: file jenkins_debian_glue.pp exists already. Exiting to avoid possible data loss." >&2
exit 1
else
echo "Retrieving $2 and storing as jenkins_debian_glue.pp"
wget -O jenkins_debian_glue.pp --no-check-certificate "$2"
fi
else
if ! [ -r jenkins_debian_glue.pp ] ; then
wget --no-check-certificate https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp
fi
fi
if ! grep -q PASSWORD_HASH_TO_BE_ADJUSTED jenkins_debian_glue.pp ; then
echo "################################################################################"
echo "Warning: string PASSWORD_HASH_TO_BE_ADJUSTED not found in jenkins_debian_glue.pp"
echo "Notice that rerunning $0 with a different password might not work as expected."
echo "To make sure adjusting the password works please execute:
rm jenkins_debian_glue.pp
$0 <your_password> https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp"
echo
echo "################################################################################"
else
printf "Adjusting password in jenkins_debian_glue.pp: "
sed -i "s/PASSWORD_HASH_TO_BE_ADJUSTED/$PASSWORD_HASH/" jenkins_debian_glue.pp || exit 1
echo OK
fi
if ! [ -r jenkins_debian_glue.pp ] ; then
echo "Error: can not find jenkins_debian_glue.pp." >&2
echo "Either manually grab https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp" >&2
@ -39,12 +79,12 @@ $IP $(hostname).example.org $(hostname)
fi
if puppet apply jenkins_debian_glue.pp ; then
echo "jenkins-debian-glue deployment finished. \o/"
[ -n "$start_seconds" ] && SECONDS="$[$(cut -d . -f 1 /proc/uptime)-$start_seconds]" || SECONDS="unknown"
echo "jenkins-debian-glue deployment finished after ${SECONDS} seconds."
else
echo "Fatal error during puppet run. :(" >&2
exit 1
fi
date
echo "Now point your browser to http://${IP}:8080"
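Review bot: Both new `wget` calls keep `--no-check-certificate`, so the manifest that `puppet apply` then executes is fetched with no check that it came from the intended host, and anyone able to tamper with the connection decides what gets applied. Dropping the flag is enough, e.g. `wget -O jenkins_debian_glue.pp "$2"`, and the default download from raw.github.com should verify the certificate as well. Separately, the password is taken from `$1`, which leaves it in shell history and visible in the process list while the script runs; prompting with `read -r -s -p 'Password: ' password` would avoid that. The hash is a single SHA-256 over the password and a fixed salt, presumably the format this Jenkins version expects, and a comment saying so would help the next reader.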

72
puppet/jenkins_debian_glue.pp

@ -351,6 +351,78 @@ class jenkins::config {
<runSequentially>true</runSequentially>
</executionStrategy>
</matrix-project>
"
}
file { '/var/lib/jenkins/config.xml':
ensure => present,
mode => '0644',
owner => 'jenkins',
require => Package['jenkins'],
notify => Service['jenkins'],
content => "<?xml version='1.0' encoding='UTF-8'?>
<hudson>
<useSecurity>true</useSecurity>
<authorizationStrategy class='hudson.security.FullControlOnceLoggedInAuthorizationStrategy'/>
<securityRealm class='hudson.security.HudsonPrivateSecurityRealm'>
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
<systemMessage>&lt;h1&gt;&lt;a href=&quot;http://jenkins-debian-glue.org/&quot;&gt;jenkins-debian-glue&lt;/a&gt; Continuous Integration labs&lt;/h1&gt;</systemMessage>
</hudson>
"
}
file { '/var/lib/jenkins/users/':
ensure => directory,
mode => '0755',
owner => 'jenkins',
require => Package['jenkins'],
}
file { '/var/lib/jenkins/users/jenkins-debian-glue/':
ensure => directory,
mode => '0755',
owner => 'jenkins',
require => File['/var/lib/jenkins/users/'],
}
# PASSWORD_HASH will be adjusted by jenkins-debian-glue's apply.sh script
file { '/var/lib/jenkins/users/jenkins-debian-glue/config.xml':
ensure => present,
mode => '0644',
owner => 'jenkins',
require => File['/var/lib/jenkins/users/jenkins-debian-glue/'],
notify => Service['jenkins'],
content => "<?xml version='1.0' encoding='UTF-8'?>
<user>
<fullName>Jenkins Debian Glue</fullName>
<properties>
<jenkins.security.ApiTokenProperty>
<apiToken>R5A9eoSreMtS3iYuvmCyrIJ1q3DQGGquBgkr7sJapuYNPLWvy5cfaT6EOAnb10kY</apiToken>
</jenkins.security.ApiTokenProperty>
<hudson.model.MyViewsProperty>
<views>
<hudson.model.AllView>
<owner class='hudson.model.MyViewsProperty' reference='../../..'/>
<name>All</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class='hudson.model.View$PropertyList'/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<hudson.search.UserSearchProperty>
<insensitiveSearch>false</insensitiveSearch>
</hudson.search.UserSearchProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>jenkins-debian-glue:PASSWORD_HASH_TO_BE_ADJUSTED</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<hudson.tasks.Mailer_-UserProperty>
<emailAddress>jenkins@example.org</emailAddress>
</hudson.tasks.Mailer_-UserProperty>
</properties>
</user>
"
}
}
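Review bot: The `<apiToken>` value in the jenkins-debian-glue user's config.xml is a literal checked into the manifest, so every installation deployed from it ships the same published value. How Jenkins interprets that element depends on the version, but with `FullControlOnceLoggedInAuthorizationStrategy` any credential for this user grants full control, so a shared one weakens the custom password this change introduces. I would leave the `<jenkins.security.ApiTokenProperty>` element out of the template, or have apply.sh substitute a per-install random value the way it does for `PASSWORD_HASH_TO_BE_ADJUSTED`. The file also holds the password hash, so `mode => '0600'` fits better than `'0644'`. The enclosing `class jenkins::config` starts outside this hunk.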
