Docker Jenkins Continuous Integration and Delivery server.

This is a fully functional Jenkins server, based on the weekly and LTS releases.

To use the latest LTS: 

docker pull jenkins/jenkins:lts

To use the latest weekly: 

docker pull jenkins/jenkins

A lighter Alpine-based image is also available.

docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:lts

NOTE: see the build executors part below for the role of the 50000 port mapping.

This will store the workspace in /var/jenkins_home. All Jenkins data lives in there, including plugins and configuration. You will probably want to make that an explicit volume so you can manage it and attach it to another container for upgrades:

sudo mkdir -p /home/jenkins_home

cd /home

sudo chown -R 1000:1000 jenkins_home

docker run -p 8080:8080 -p 50000:50000 -v /home/jenkins_home:/var/jenkins_home jenkins/jenkins:lts

This will automatically create a 'jenkins_home' volume on the Docker host that will survive container stop/restart/deletion.

Avoid using a bind mount from a folder on the host into /var/jenkins_home, as this might result in file permission issues. If you really need to bind mount jenkins_home, ensure that the directory on the host is accessible by the jenkins user in the container (jenkins user - uid 1000), or use the -u some_other_user parameter with docker run.

Backing up data

If you bind mount in a volume - you can simply back up that directory (which is jenkins_home) at any time.

This is highly recommended. Treat the jenkins_home directory as you would a database - in Docker you would generally put a database on a volume.

If your volume is inside a container, you can use the docker cp $ID:/var/jenkins_home command to extract the data, or other options to find where the volume data is. Note that some symlinks on some OSes may be converted to copies (this can confuse Jenkins with lastStableBuild links etc.).


Running Jenkins from a subdomain (like http://jenkins.domain.tld)

Because people often struggle to get Jenkins working behind an NGINX reverse proxy setup, I've decided to share my currently running config.

I hope this is of help to someone.

server {

    listen 80;

    server_name jenkins.domain.tld;

    return 301 https://$host$request_uri;

}


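server {

    # NOTE: this block repeats "listen 80" and the server_name of the redirect
    # block above. nginx ignores the later of two server blocks that share a
    # listen address and server_name, so as written this block is never used.
    # Give it its own listen address (e.g. 443 with a certificate, as in the
    # SSL section below).

    listen 80;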

    server_name jenkins.domain.tld;


    location / {


      proxy_set_header        Host $host:$server_port;

      proxy_set_header        X-Real-IP $remote_addr;

      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

      proxy_set_header        X-Forwarded-Proto $scheme;


      # Fix the "It appears that your reverse proxy set up is broken" error.

      proxy_pass          http://127.0.0.1:8080;

      proxy_read_timeout 90;


      proxy_redirect      http://127.0.0.1:8080 https://jenkins.domain.tld;


      # Required for new HTTP-based CLI

      proxy_http_version 1.1;

      proxy_request_buffering off;

      # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651

      add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;

    }

}
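A check for the layout shown in the configuration above, where the redirect block and the proxy block both claim port 80 for the same server_name. This is an added example, not part of the original post: the function names and the embedded sample are constructed for illustration, and the parser is deliberately simplified (it compares ports only, ignores listen addresses, and assumes port 80 when a block has no listen directive).

```python
import re
from collections import defaultdict

# Constructed sample mirroring the layout above: a redirect block and a proxy
# block that both claim port 80 for the same name.
SAMPLE = """
server {
    listen 80;
    server_name jenkins.domain.tld;
    return 301 https://$host$request_uri;
}
server {
    listen 80;
    server_name jenkins.domain.tld;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, with comments stripped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced braces in server block")
        yield conf[m.end():i - 1]

def shadowed_servers(conf):
    """Return sorted (port, server_name) pairs claimed by more than one block."""
    claims = defaultdict(int)
    for body in server_blocks(conf):
        listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M) or ["80"]
        lines = re.findall(r"^\s*server_name\s+([^;]+);", body, re.M)
        names = {n for line in lines for n in line.split()} or {""}
        ports = {l.split()[0].rsplit(":", 1)[-1] for l in listens}
        for port in ports:
            for name in names:
                claims[(port, name)] += 1
    return sorted(key for key, count in claims.items() if count > 1)

if __name__ == "__main__":
    for port, name in shadowed_servers(SAMPLE):
        print(f"port {port}: server_name {name!r} defined twice; nginx uses only the first block")
```

nginx itself reports the same condition as a "conflicting server name" warning when the configuration is tested with nginx -t.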

Running from a subdomain with SSL

upstream jenkins {

  server 127.0.0.1:8080 fail_timeout=0;

}


server {

  listen 80;

  server_name jenkins.domain.tld;

  return 301 https://$host$request_uri;

}


server {

  listen 443 ssl;

  server_name jenkins.domain.tld;


  ssl_certificate /etc/nginx/ssl/server.crt;

  ssl_certificate_key /etc/nginx/ssl/server.key;


  location / {

    proxy_set_header        Host $host:$server_port;

    proxy_set_header        X-Real-IP $remote_addr;

    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header        X-Forwarded-Proto $scheme;

    proxy_redirect http:// https://;

    proxy_pass              http://jenkins;

    # Required for new HTTP-based CLI

    proxy_http_version 1.1;

    proxy_request_buffering off;

    proxy_buffering off; # Required for HTTP-based CLI to work over SSL

    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651

    add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;

  }

}

Running Jenkins from a folder with TLS encryption (like https://domain.tld/jenkins/)

However, you may want to access Jenkins from a folder on your main web server. This allows you to use the same TLS/SSL certificate as for your top level domain, whereas a sub-domain like jenkins.domain.tld may require a new TLS/SSL certificate (that seems to depend on your certificate provider). You can configure nginx as a reverse proxy to translate requests coming in from the WAN as https://domain.tld/jenkins/ to LAN requests to http://10.0.0.100:8080/jenkins.

Note that this example uses the same settings as currently listed on the wiki article at https://wiki.jenkins-ci.org/display/JENKINS/Running+Hudson+behind+Nginx, but with different values for the proxy_pass and proxy_redirect directives.

server {



    # All your server and TLS/certificate settings are up here somewhere

    [...]



    # Nginx configuration specific to Jenkins

    # Note that regex takes precedence, so use of "^~" ensures earlier evaluation

    location ^~ /jenkins/ {


        # Convert inbound WAN requests for https://domain.tld/jenkins/ to 

        # local network requests for http://10.0.0.100:8080/jenkins/

        proxy_pass http://10.0.0.100:8080/jenkins/;


        # Rewrite HTTPS requests from WAN to HTTP requests on LAN

        proxy_redirect http:// https://;


        # The following settings from https://wiki.jenkins-ci.org/display/JENKINS/Running+Hudson+behind+Nginx

        sendfile off;


        proxy_set_header   Host             $host:$server_port;

        proxy_set_header   X-Real-IP        $remote_addr;

        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

        proxy_max_temp_file_size 0;


        #this is the maximum upload size

        client_max_body_size       10m;

        client_body_buffer_size    128k;


        proxy_connect_timeout 90;

        proxy_send_timeout 90;

        proxy_read_timeout 90;


        proxy_temp_file_write_size 64k;


        # Required for new HTTP-based CLI

        proxy_http_version 1.1;

        proxy_request_buffering off;

        proxy_buffering off; # Required for HTTP-based CLI to work over SSL

    }

}

In addition, you must ensure that Jenkins is configured to listen for requests to the /jenkins/ folder (e.g. http://10.0.0.100:8080/jenkins/ instead of http://10.0.0.100:8080/). Do that by adding the parameter --prefix=/jenkins to the Jenkins default start-up configuration file. On my system (Ubuntu 12.04 LTS) the configuration file is /etc/default/jenkins. For example, here's the full JENKINS_ARGS parameter list (the only part I added was --prefix=/jenkins):

JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/jenkins"

Once configured, you should also set the URL used by the Jenkins UI at Jenkins > Manage Jenkins > Jenkins Location > Jenkins URL to something like: "https://domain.tld/jenkins/".

Being compatible with CSRF protection

This section applies to Jenkins 1.x only. Jenkins 2 uses an nginx-compatible crumb header name by default.

If you enable "Prevent Cross Site Request Forgery exploits" in the Configure Global Security page, you'll need special care for Jenkins to work behind a proxy. You'll need to enable the Enable proxy compatibility checkbox. And you'll need to add to your nginx configuration the following fragment:

http {

  ignore_invalid_headers off;

}

This is required because Jenkins uses a custom HTTP header named .crumb. See bug https://issues.jenkins-ci.org/browse/JENKINS-12875 for details.
