Dockerised Jenkins Master Node with a CentOS image running an nginx SSL reverse proxy
Docker and docker-compose:
This program uses a docker-compose.yml to run a Jenkins master container on the host Linux machine. It is served securely through an SSL reverse proxy: an nginx installation running in a CentOS container. Running these 2 containers will normally clock a RAM usage of 512MB.
Clone this repo to your main Jenkins host machine. In my case this was mapped to my domain name.
git clone https://github.com/OtherOption/ubuntuJen.git
I did this step using signed certificates generated by Certbot. First I installed certbot.
sudo apt-get install certbot
and then ran this Certbot command to generate a pair of keys on my domain already mapped to my Linux host. I did read a note that the ports should be free when running this command. I followed the onscreen prompts:
sudo certbot certonly --standalone
Copy your certificates to the ./ubuntuJen/jenkins-nginx directory. If you used Certbot, that will be similar to:
sudo cp /etc/letsencrypt/live/example.com/privkey.pem ./ubuntuJen/jenkins-nginx
sudo cp /etc/letsencrypt/live/example.com/fullchain.pem ./ubuntuJen/jenkins-nginx
These will be used later by the CentOS image running the nginx reverse proxy.
There are 2 Dockerfiles that need updating:
./ubuntuJen/jenkins-master/Dockerfile
You will need to update the LABEL to reflect an email address related to yourself.
LABEL maintainer="example@example.com"
./ubuntuJen/jenkins-nginx/Dockerfile
Similar to the last step, you will need to update the LABEL:
LABEL maintainer="example@example.com"
This Dockerfile also copies the certificates you copied earlier into the Docker build image. In this example repo:
- The certificate private key was named privkey.pem
- The public key (certificate chain) was named fullchain.pem
COPY fullchain.pem /etc/ssl/fullchain.pem
COPY privkey.pem /etc/ssl/privkey.pem
4. Build Your Docker Images using the docker-compose.yml
- This will also create your Docker Network and Volumes
Navigate to the ./ubuntuJen/ directory containing the docker-compose.yml file. Then run this command:
docker-compose build
This will pull the latest images from DockerHub:
- centos
- jenkins/jenkins
- nginx
It will also create Docker images:
- jenkins_master
- ubuntujen_master
- ubuntujen_nginx
- jenkins_nginx
It will auto create the following Docker volumes:
- jenkins_jenkins-data
- jenkins_jenkins-log
And it will also create a network named jenkins-net
I have split Section 5 into 2 parts
- 5A. Starting up your Jenkins Webservice - Detailing the instructions for running your Jenkins web service
- 5B. How it all works - How all the different parts work together
Run command
docker-compose -p jenkins up -d
This will start two containers running on your Docker host. These will be named:
- jenkins_master_1 - Which is your Jenkins Master Instance
- jenkins_nginx_1 - Which is your nginx SSL reverse proxy
Going to example.com should now redirect you to https:// and, through the reverse proxy, on to your Jenkins container.
Congratulations, you are now securely hosting your Jenkins Master Instance.
This section goes over how each of the different components of uBuntuJen works in order to securely serve your Jenkins master instance. I am including this section in case you need to troubleshoot any issues:
1. The `docker-compose.yml`
```yaml
version: '3'
services:
  master:
    build: ./jenkins-master
    ports:
      - "50000:50000"
    volumes:
      - jenkins-log:/var/log/jenkins
      - jenkins-data:/var/jenkins_home
    networks:
      - jenkins-net
  nginx:
    build: ./jenkins-nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - jenkins-net
volumes:
  jenkins-log:
  jenkins-data:
networks:
  jenkins-net:
```
This docker-compose.yml tells Docker that this program will build 2 new Docker images called master and nginx. These images will be built from Dockerfiles stored within the build paths ./jenkins-master and ./jenkins-nginx.
It will auto create the following Docker volumes:
- jenkins_jenkins-data - Used by the Jenkins container as a persistent volume for Jenkins data
- jenkins_jenkins-log - Used by the Jenkins container as a persistent volume for the Jenkins log
And it will also create a network named jenkins-net. This is used by the running containers in order to communicate with each other.
2. The `Dockerfile`s
There are two `Dockerfile`s that will be used with this `docker-compose.yml`.
./jenkins-master/Dockerfile will be used to generate a basic Jenkins Docker image named jenkins_master:
```dockerfile
FROM jenkins/jenkins
LABEL maintainer="email@example.com"
```
./jenkins-nginx/Dockerfile is a bit more complicated:
```dockerfile
FROM centos:centos7
LABEL maintainer="email@example.com"
# Update the base packages
RUN yum -y update; yum clean all
# Add the nginx yum repository, then install a pinned nginx version
RUN yum -y install http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm; yum -y makecache
RUN yum -y install nginx-1.10.1
# Replace the default site config with the custom .conf files
RUN rm /etc/nginx/conf.d/default.conf
RUN mkdir -p /etc/ssl/
COPY jenkins.conf /etc/nginx/conf.d/jenkins.conf
COPY nginx.conf /etc/nginx/nginx.conf
# Certificate chain and private key placed in ./jenkins-nginx earlier
COPY fullchain.pem /etc/ssl/fullchain.pem
COPY privkey.pem /etc/ssl/privkey.pem
EXPOSE 80
EXPOSE 443
CMD ["nginx"]
```
This Dockerfile uses centos:centos7 as its base image, which gives us a CentOS container to work in.
We pass a couple of RUN yum commands to install nginx-1.10.1 in the container.
We remove the default.conf file that is installed with nginx. We replace it with our custom .conf files stored within the ./jenkins-nginx/ directory. I will go into more detail on these .confs below.
The Dockerfile will copy the private and public keys you placed within ./jenkins-nginx earlier. These are stored in the CentOS container within /etc/ssl/. In this example, my keys that are stored on my Linux host machine were called fullchain.pem and privkey.pem.
The Dockerfile will then EXPOSE 80, which is the basic http traffic port, allowing http connections to our www.example.com domain.
It also EXPOSE 443, which is used for the https reverse proxy. This is covered more in the jenkins.conf.
Finally the Dockerfile will run an nginx command in the CentOS container in order to start nginx serving content using settings from our custom .conf files.
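Because the Dockerfile above uses COPY for privkey.pem, the private key is stored in an image layer and is readable by anyone who can pull or export the jenkins_nginx image. The variant below is an added example, not the repo's own file: it mounts the same two files read-only at runtime instead. It assumes the two COPY lines for the .pem files are removed from ./jenkins-nginx/Dockerfile and that a .dockerignore file (hypothetical, not in the repo) excludes them from the build context.

```yaml
# docker-compose.yml variant (added example, not the repo's file).
# Assumes the two "COPY *.pem" lines are removed from ./jenkins-nginx/Dockerfile
# and that ./jenkins-nginx/.dockerignore (hypothetical) contains "*.pem",
# so the private key is neither sent in the build context nor stored in a layer.
version: '3'
services:
  master:
    build: ./jenkins-master
    ports:
      - "50000:50000"
    volumes:
      - jenkins-log:/var/log/jenkins
      - jenkins-data:/var/jenkins_home
    networks:
      - jenkins-net
  nginx:
    build: ./jenkins-nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Bind-mount the files copied into ./jenkins-nginx earlier, read-only.
      # jenkins.conf still finds them at the same /etc/ssl/ paths.
      - ./jenkins-nginx/fullchain.pem:/etc/ssl/fullchain.pem:ro
      - ./jenkins-nginx/privkey.pem:/etc/ssl/privkey.pem:ro
    networks:
      - jenkins-net
volumes:
  jenkins-log:
  jenkins-data:
networks:
  jenkins-net:
```

With this layout a renewed certificate only needs the files copied into ./jenkins-nginx again and the nginx container restarted; the image does not have to be rebuilt.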
3. The `.conf`s
nginx.conf is used to manage nginx in order to correctly map what is meant to be served. I used https://technology.riotgames.com/news/jenkins-docker-proxies-and-compose as a guide for this section and my code largely reflects theirs. Importantly, the last line of this file is an include /etc/nginx/conf.d/*.conf line, which is used to pull the second file, jenkins.conf, in.
The jenkins.conf will map your remote www.example.com domains to your Jenkins container.
```nginx
# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
# Terminate TLS and proxy to the Jenkins container
server {
    listen 443 default ssl;
    server_name "";
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Was "http"; clients reach this block over TLS, so tell Jenkins the
    # original scheme (https) so the URLs it generates are correct
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_max_temp_file_size 0;
    proxy_connect_timeout 150;
    proxy_send_timeout 100;
    proxy_read_timeout 100;
    proxy_buffer_size 8k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    access_log off;
    location / {
        proxy_pass http://jenkins_master_1:8080;
    }
}
```
We have a server block listening as the default_server on port 80, which is the standard http port. nginx will automatically redirect each request there to https://$host$request_uri, which is our secure port 443.
The port 443 server uses our imported fullchain.pem and privkey.pem certificate files to serve https to clients. TLS ends at nginx; from there requests are passed to the Jenkins container over plain http on the jenkins-net network.
Several proxy_set_header values are then set in order to correctly communicate with the Jenkins container.
The location / block actually maps the www.example.com domain to http://jenkins_master_1:8080, which is the active running Docker container.
Retrieve root Jenkins Password
You can use a docker command to retrieve your default root jenkins password by running :
docker exec jenkins_master_1 cat /var/jenkins_home/secrets/initialAdminPassword
Retrieve error log for nginx
You can retrieve the nginx error log by running the command:
docker exec jenkins_nginx_1 cat /var/log/nginx/error.log
- https://technology.riotgames.com/news/jenkins-docker-proxies-and-compose This was a great resource for understanding the setup of a reverse proxy and Jenkins. I was able to expand upon this in order to securely host the reverse proxy to provide SSL encryption.