CLI tool for building Jenkins execution container from existing server
As part of the Jenkins Wrapper MVP (#208277 (closed)) we want to automate a portion of the process for extracting Jenkins server configuration from the user's environment to make it easy to build a Docker image in GitLab CI.
Develop a scripted CLI tool to extract the Jenkins home directory and server configuration from the user’s server. The output of this tool will be used to construct a Docker image to be run in GitLab Runner.
- A user should be able to download this tool from an easily accessible location.
- Users should be able to run this tool in common server environments.
- A log file should display errors which occur in the extraction.
Proposal
Have a simple Ruby script that can be used as a CLI tool.
Customers need to have Ruby installed on the server for it to work. Docker must also be installed if used for agents.
# Gather all dependencies and create a Dockerfile.
#   --runner-version  version of jenkinsfile-runner compatible with the Jenkins installation
#   --jenkins-home    JENKINS_HOME directory
#   --jenkins-war     path to the jenkins.war file
#   --agent-type      Jenkins agent currently in use. Supported agents are:
#                       1. shell: agent running on the same Jenkins server
#                       2. docker: when using Docker agents on the Jenkins server
#   --out             path to temporary working directory
gitlab-jenkins-importer init \
  --runner-version=1.2.3 \
  --jenkins-home=/var/jenkins_home \
  --jenkins-war=/usr/share/jenkins/jenkins.war \
  --agent-type=shell \
  --out=/path/to/tmp/work/dir
When running init:
- Don't copy directories from JENKINS_HOME that are not needed (e.g. jobs/, workspace/, logs/, etc.).
- At this point the resulting Dockerfile can be customized if needed.
# Build a Jenkins sandbox container and push it to the GitLab container registry.
#   -u  GitLab username to connect to the container registry
#   -p  GitLab PAT with permissions to access the container registry
#   -r  GitLab container registry
#   -i  image name inside the container registry;
#       full name will be: registry.gitlab.com/fabiopitino/jenkins-importer
gitlab-jenkins-importer build \
  -u MyGitlabUsername \
  -p MyGitlabAccessToken \
  -r registry.gitlab.com \
  -i fabiopitino/jenkins-importer
This CLI command should essentially do the following:
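# Pass the registry password on stdin so it is not exposed in the process arguments.
echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"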
Security Concerns
Among other things, $JENKINS_HOME/secrets is a directory that contains the keys used to encrypt the secret values stored elsewhere in the Jenkins home directory. As such, we should even automate that part. There should be instructions to do it manually as part of normal setup, and it should be clear to the reader what is in that folder, why it's needed, and what the risks are. We should also consider using GitLab variables and fetching the contents at runtime instead of having them in the container or in the repo.
In general, any user secrets and other security details that can be accessed at runtime should be filtered out/never copied to the container automatically.
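The filtering asked for here and in the init notes, sketched in Ruby as an added example (not the project's code). The names `extract_jenkins_home` and `demo_extract`, the skip-list constants and the root-level file list are assumptions; the sample tree is constructed.

```ruby
require "find"
require "fileutils"
require "tmpdir"

# jobs/, workspace/ and logs/ are the page's "not needed" examples; secrets/
# holds the keys that decrypt stored secrets, so it never enters the image.
SKIP_DIRS = %w[jobs workspace logs secrets].freeze
# Assumption (not from the page): root-level key and credential files.
SKIP_FILES = %w[credentials.xml secret.key identity.key.enc].freeze

# Copies jenkins_home into out_dir minus the entries above and returns the
# relative paths it copied and skipped. Skips and errors are written to log.
def extract_jenkins_home(jenkins_home, out_dir, log: $stderr)
  root = File.realpath(jenkins_home)
  report = { copied: [], skipped: [] }
  Find.find(root) do |path|
    rel = path.delete_prefix(root).delete_prefix("/") # "" for the root itself
    reason = if SKIP_DIRS.include?(rel.split("/").first) then "excluded directory"
             elsif SKIP_FILES.include?(rel) then "secret material"
             elsif File.symlink?(path) then "symlink, may point at excluded data"
             end
    if reason
      report[:skipped] << rel
      log.puts "SKIP #{rel}: #{reason}"
      Find.prune # move on; an excluded directory is not descended into
    end
    dest = File.join(out_dir, rel)
    next FileUtils.mkdir_p(dest) if File.directory?(path)
    FileUtils.cp(path, dest, preserve: true)
    report[:copied] << rel
  rescue SystemCallError => e
    log.puts "ERROR #{rel}: #{e.message}" # e.g. an unreadable file
  end
  report
end

# Constructed sample tree (not a real Jenkins home) run through the filter.
def demo_extract(log: $stderr)
  Dir.mktmpdir do |tmp|
    home = File.join(tmp, "jenkins_home")
    %w[config.xml credentials.xml secrets/master.key jobs/a/config.xml
       plugins/git.jpi].each do |f|
      FileUtils.mkdir_p(File.dirname(File.join(home, f)))
      File.write(File.join(home, f), "constructed")
    end
    File.symlink(File.join(home, "secrets"), File.join(home, "keys"))
    extract_jenkins_home(home, File.join(tmp, "out"), log: log)
  end
end
```

The skip lists match top-level entries only, so a plugin's own logs/ directory is still copied; symlinks are skipped outright because one can point back at secrets/.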