Docker Jenkins Continuous Integration and Delivery server.

This is a fully functional Jenkins server, based on the weekly and LTS releases.

To use the latest LTS: 

docker pull jenkins/jenkins:lts

To use the latest weekly: 

docker pull jenkins/jenkins

A lighter Alpine-based image is also available.

docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:lts

NOTE: read below the build executors part for the role of the 50000 port mapping.

This will store the workspace in /var/jenkins_home. All Jenkins data lives in there, including plugins and configuration. You will probably want to make that an explicit volume so you can manage it and attach it to another container for upgrades:

sudo mkdir /home/jenkins_home
cd /home
sudo chown -R 1000:1000 jenkins_home

docker run -p 8080:8080 -p 50000:50000 -v /home/jenkins_home:/var/jenkins_home jenkins/jenkins:lts

This will automatically create a 'jenkins_home' volume on the Docker host that will survive container stop/restart/deletion.

Avoid using a bind mount from a folder on the host into /var/jenkins_home, as this might result in file permission issues. If you really need to bind mount jenkins_home, ensure that the directory on the host is accessible by the jenkins user in the container (jenkins user - uid 1000) or use the -u some_other_user parameter with docker run.

Backing up data

If you bind mount in a volume - you can simply back up that directory (which is jenkins_home) at any time.

This is highly recommended. Treat the jenkins_home directory as you would a database - in Docker you would generally put a database on a volume.

If your volume is inside a container, you can use the docker cp $ID:/var/jenkins_home command to extract the data, or other options to find where the volume data is. Note that some symlinks on some OSes may be converted to copies (this can confuse Jenkins with lastStableBuild links etc.).


Running Jenkins from a subdomain (like http://jenkins.domain.tld)

Because people often struggle to get Jenkins working behind an NGINX reverse proxy setup, I've decided to share my currently running config.

Hope this could be of any help to someone.

server {
    listen 80;
    server_name jenkins.domain.tld;
    return 301 https://$host$request_uri;
}

# NOTE: this block repeats the listen/server_name pair of the redirect block
# above. nginx warns about a conflicting server name and serves only the first
# block, so the proxy settings below take effect only once the two blocks no
# longer share a listen address (compare the SSL example in the next section).
server {
    listen 80;
    server_name jenkins.domain.tld;

    location / {
      proxy_set_header        Host $host:$server_port;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://127.0.0.1:8080;
      proxy_read_timeout 90;

      proxy_redirect      http://127.0.0.1:8080 https://jenkins.domain.tld;

      # Required for new HTTP-based CLI
      proxy_http_version 1.1;
      proxy_request_buffering off;
      # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
      add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;
    }
}
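The subdomain configuration above declares two server blocks with the same listen port and server_name, a layout where nginx keeps only the first block and the proxy settings never apply. The following check is an added example, not part of the original page or of the Jenkins or nginx projects: a small linter that flags that conflict and any proxied location missing the directives the page marks as required for the HTTP-based CLI. The names parse, blocks, lint, REQUIRED and SAMPLE are hypothetical, and the parser is deliberately simplified (no include files, no '#' inside values).

```python
import re

# Directives the page marks "Required for new HTTP-based CLI".
REQUIRED = {"proxy_http_version": ["1.1"], "proxy_request_buffering": ["off"]}

def parse(text):
    """Parse nginx config text into nested (name, args, children-or-None) tuples."""
    text = re.sub(r"#.*", "", text)  # drop comments; assumes no '#' inside values
    stack, words = [[]], []
    for tok in re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text):
        if tok == "}":
            stack.pop()
        elif tok not in (";", "{"):
            words.append(tok.strip("'\""))
        else:  # ';' ends a directive, '{' opens a block
            node = (words[0], words[1:], [] if tok == "{" else None)
            stack[-1].append(node)
            if tok == "{":
                stack.append(node[2])
            words = []
    return stack[0]

def blocks(nodes, name):  # every block called `name`, at any nesting depth
    for node in nodes:
        if node[0] == name and node[2] is not None:
            yield node
        yield from blocks(node[2] or [], name)

def lint(text):
    """Flag repeated listen/server_name pairs and proxied locations lacking REQUIRED."""
    findings, seen = [], set()
    for _, _, body in blocks(parse(text), "server"):
        keys = {(a[0], h) for n, a, _ in body if n == "listen"
                for m, b, _ in body if m == "server_name" for h in b}
        findings += ["conflicting server block: listen %s, server_name %s" % k
                     for k in sorted(keys & seen)]
        seen |= keys
        for _, path, loc in blocks(body, "location"):
            have = {n: a for n, a, _ in loc}
            if "proxy_pass" in have:
                findings += ["location %s: missing %s %s" % (" ".join(path), k, v[0])
                             for k, v in REQUIRED.items() if have.get(k) != v]
    return findings

SAMPLE = """# Constructed sample: layout of the plain-HTTP subdomain example, trimmed.
server { listen 80; server_name jenkins.domain.tld; return 301 https://$host$request_uri; }
server { listen 80; server_name jenkins.domain.tld;
  location / { proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; } }
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

nginx -t remains the authoritative check for syntax and for the conflicting server name warning; this linter only makes the two Jenkins-specific conditions easy to test before a reload.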

Running from a subdomain with SSL

upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}

server {
  listen 80;
  server_name jenkins.domain.tld;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name jenkins.domain.tld;

  ssl_certificate /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
    add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;
  }
}

Running Jenkins from a folder with TLS encryption (like https://domain.tld/jenkins/)

However, you may want to access Jenkins from a folder on your main web server. This allows you to use the same TLS/SSL certificate as for your top level domain, whereas a sub-domain like jenkins.domain.tld may require a new TLS/SSL certificate (that seems to depend on your certificate provider). You can configure nginx as a reverse proxy to translate requests coming in from the WAN as https://domain.tld/jenkins/ to LAN requests to http://10.0.0.100:8080/jenkins.

Note that this example uses the same settings as currently listed on the wiki article at https://wiki.jenkins-ci.org/display/JENKINS/Running+Hudson+behind+Nginx, but with different values for the proxy_pass and proxy_redirect directives.

server {

    # All your server and TLS/certificate settings are up here somewhere
    [...]

    # Nginx configuration specific to Jenkins
    # Note that regex takes precedence, so use of "^~" ensures earlier evaluation
    location ^~ /jenkins/ {

        # Convert inbound WAN requests for https://domain.tld/jenkins/ to
        # local network requests for http://10.0.0.100:8080/jenkins/
        proxy_pass http://10.0.0.100:8080/jenkins/;

        # Rewrite http:// URLs in the backend's Location/Refresh response
        # headers to https:// so redirects stay on HTTPS for WAN clients
        proxy_redirect http:// https://;

        # The following settings from https://wiki.jenkins-ci.org/display/JENKINS/Running+Hudson+behind+Nginx
        sendfile off;

        proxy_set_header   Host             $host:$server_port;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;

        # This is the maximum upload size
        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;

        proxy_temp_file_write_size 64k;

        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    }
}

In addition, you must ensure that Jenkins is configured to listen for requests to the /jenkins/ folder (e.g. http://10.0.0.100:8080/jenkins/ instead of http://10.0.0.100:8080/). Do that by adding the parameter --prefix=/jenkins to the Jenkins default start-up configuration file. On my system (Ubuntu 12.04 LTS) the configuration file is /etc/default/jenkins. For example, here's the full JENKINS_ARGS parameter list (the only part I added was --prefix=/jenkins):

JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/jenkins"

Once configured, you should also set the URL used by the Jenkins UI at Jenkins > Manage Jenkins > Jenkins Location > Jenkins URL to something like: "https://domain.tld/jenkins/".

Being compatible with CSRF protection

This section applies to Jenkins 1.x only. Jenkins 2 uses an nginx-compatible crumb header name by default.

If you enable "Prevent Cross Site Request Forgery exploits" in the Configure Global Security page, you'll need special care for Jenkins to work behind a proxy. You'll need to enable the "Enable proxy compatibility" checkbox, and you'll need to add the following fragment to your nginx configuration:

http {
  ignore_invalid_headers off;
}

This is required because Jenkins uses a custom HTTP header named .crumb. See bug https://issues.jenkins-ci.org/browse/JENKINS-12875 for details.
