a rant about jenkins script security

Posted on by
Reply

I’m working on the lab for my Automating Your CI/CD Stack with Java and Groovy Oracle Code One session. And of course I tripped over Jenkins Script Security plugin.

I don’t need script security. I’m running a lab. But you can’t turn off that feature. Sigh.

I can run this code from the scripting console as an admin. I can also run it from within a job using the embedded Groovy console option. If I try to pull the same code from GitHub and run it from the same job as a Groovy script, I can’t. Script security views the SAME script to be more dangerous because I put it in source control.

import jenkins.model.Jenkins

def instance = Jenkins.getInstance()
def realm = Jenkins.getInstance().securityRealm

I can think of three ways to “solve” the problem that Cloudbees created.

Option 1: Deal with script security

I can configure script security to allow these signatures. However, this does not make things more secure. I want these to be available to admins not for general use. So approving them or whitelisting them is the wrong decision. (Ok. It doesn’t matter here since this is just a lab. But in this hypothetical use case…)

Option 2: Authorized Build plugin

There’s an authorize project plugin that lets you run the build as an admin. I didn’t try it, but it appears to provide a decent workaround to this problem. (I’m trying to minimize setup)

Option 3: Just run the code through the Groovy console

I’m going with this. Up to 50 people are going to be doing this manually in a lab. Copy/paste is the easiest solution.

setup for HOL-4957 – Automating Your CI/CD Stack with Java and Groovy

Posted on by
Reply

Scott and I’ll be leading a hands on lab “Automating your Ci/CD Stack with Java and Groovy” at Oracle Code One. This is a BYOL (bring your own laptop) lab.

If you run into any trouble setting up for the lab, you can post a comment on this blog post or start a thread in the Cloud/Virtualization forum at CodeRanch.

This lab requires the following:

  1. Docker
  2. Docker images
  3. Enough disk space
  4. The ability to run curl
  5. Optional: JDK 8
  6. Optional: Groovy

1 – Docker

To install Docker, follow the instructions at: https://docs.docker.com/install/

Validation:

At the command line, run docker –version. (Small version differences are ok in the output)

$ docker --version

Docker version 18.06.0-ce, build 0ffa825

2 – Docker images

These images a little under 2GB combined. So as not to tax the conference network, please pull them in advance. This will also let you deal with any corporate internet proxies while you are still at work and can ask for help.

At the command line run:

docker pull sonatype/nexus3:3.13.0

docker pull jenkins/jenkins:2.146

docker pull sonarqube:7.1

 Note: “latest” will probably work. These version numbers are the ones we tested with.

$ docker pull sonatype/nexus3:3.13.0
3.13.0: Pulling from sonatype/nexus3
256b176beaff: Pull complete
18d124afa1e9: Pull complete
9bb412307f82: Pull complete
Digest: sha256:19d186d5bc8be1ea4f7bae72756baa830e79bf20aae0e9e7b1a0c7d3ce7ac136
Status: Downloaded newer image for sonatype/nexus3:3.13.0

$ docker pull jenkins/jenkins:2.146
2.146: Pulling from jenkins/jenkins
55cbf04beb70: Pull complete
1607093a898c: Pull complete
9a8ea045c926: Pull complete
d4eee24d4dac: Pull complete
c58988e753d7: Pull complete
794a04897db9: Pull complete
70fcfa476f73: Pull complete
806029475e0c: Pull complete
67959b355155: Pull complete
4d217ccd3d4c: Pull complete
0261bb88a4a5: Pull complete
96f2a3ae5539: Pull complete
f6bf99db32d5: Pull complete
bb47d4bbb0e1: Pull complete
4b48ec5d60cf: Pull complete
7280a8dfb767: Pull complete
91091f8d44ca: Pull complete
8ca02cad320f: Pull complete
46009bfec329: Pull complete
f9860b79812e: Pull complete
89ac8103ea67: Pull complete
Digest: sha256:161cb25fbb23a1c5ac5fdd0feebd713edd62c235e199e68b34d1a78205a42da7
Status: Downloaded newer image for jenkins/jenkins:2.146
JeanneBrskysMBP:OracleCodeOne2018-HOL-Automating-Stack-Groovy nyjeanne$ docker pull sonarqube:7.1
7.1: Pulling from library/sonarqube
55cbf04beb70: Already exists 
1607093a898c: Already exists 
9a8ea045c926: Already exists 
d4eee24d4dac: Already exists 
c58988e753d7: Already exists 
794a04897db9: Already exists 
70fcfa476f73: Already exists 
806029475e0c: Already exists 
67959b355155: Already exists 
1e6b3af7f55a: Pull complete 
e0b67c57c8e1: Pull complete 
ce12e009fbe7: Pull complete 
3edf8e47f9c4: Pull complete 
Digest: sha256:4438a37735caa24d80da31ee29e72d686abdaa8f5009746ec60e0d43519e1a57
Status: Downloaded newer image for sonarqube:7.1

4 – The ability to run curl

If you are running Mac, Linux or Windows 10, you don’t need to do anything. If you are running an older version of Windows, you can install Cygwin.

5 – Optional: JDK

If you want to run groovy locally, JDK 8 (not higher) needs to be in your path. It is possible to do the lab without having Groovy installed.

6 – Optional: Groovy

Follow the instructions at: http://groovy-lang.org/install.html

Note: Please download Groovy 2.X rather than 3.X. Version 3.X is in alpha at the time of writing this lab.

Validation:

At the command line, run groovy –version.(Small version differences are ok in the output)

$ groovy -version

Groovy Version: 2.5.2 JVM: 1.8.0_45 Vendor: Oracle Corporation OS: Mac OS X

4 – Disk space

This lab uses about 2 Gigabytes of disk space (not counting Docker itself.) The last step of the lab explains how to recover disk space.

Validation

At the command line, run curl https://www.oracle.com/code-one/index.html and ensure the output isn’t an error message.

 

cleaning up docker

Posted on by
Reply

It’s been a while since I used Docker on my machine so I decided to clean things up. When I launched Docker, it prompted me to upgrade. Half a gig but easy to get that out of the way at least.

Then I ran “docker images” and was reminded that I haven’t done a good job of keeping this clean. I had:

  • the original docker-whale play
  • a bunch of experiments from when I didn’t know what I was doing (some of which have unnamed layers so I don’t even know what they are)
  • some Java 9 early access edition stuff
  • following along with the “Kubernetes in Action” book when I was the Technical Development Editor
  • a lab I went to

Note: i’m not sure if any of this is a good way of doing things. But it worked for me.

Deleting the images the slow way

Yuck. I decided to delete all the images. For some, it was easy. Just run “docker rmi <imageHash>”.

For some, I got

Error response from daemon: conflict: unable to delete xxx (cannot be forced) - image has dependent child images

I also tried running “docker rmi $(docker images -a -q)” to delete all the images. This deleted some, but gave the same dependent child images error.

Great, I don’t know what they are.  Luckily, StackOverflow had a command to find the children.

for i in $(docker images -q)
do
    docker history $i | grep -q xxx && echo $i
done | sort -u

I also got:

Error response from daemon: conflict: unable to delete xxx (must be forced) - image is referenced in multiple repositories

For these, it was just a matter of running “docker -rmi –force xxx.”

Deleting the images the fast way

I deleted the rest of the images with:

“docker rmi –force $(docker images -a -q)”

Containers and volumes

I did a far better job of cleaning these up!

docker ps -a

docker volume ls