This repository contains Dockerfiles for a Jenkins Docker image intended for use with OpenShift v3
For an example of how to use it, see this sample.
The image is pushed to DockerHub as openshift/jenkins-1-centos7.
For more information about using these images with OpenShift, please see the official OpenShift Documentation.
Jenkins versions currently provided are:
RHEL versions currently supported are:
- RHEL7
CentOS versions currently supported are:
- CentOS7
Choose either the CentOS7 or RHEL7 based image:
-
RHEL7 based image
To build a RHEL7 based image, you need to run Docker build on a properly subscribed RHEL machine.
$ git clone https://github.com/openshift/jenkins.git $ cd jenkins $ make build TARGET=rhel7 VERSION=1
-
CentOS7 based image
This image is available on DockerHub. To download it run:
$ docker pull openshift/jenkins-1-centos7
To build a Jenkins image from scratch run:
$ git clone https://github.com/openshift/jenkins.git $ cd jenkins $ make build VERSION=1
Notice: By omitting the VERSION
parameter, the build/test action will be performed
on all provided versions of Jenkins. Since we are currently providing only version 1
,
you can omit this parameter.
The image recognizes the following environment variables that you can set during
initialization by passing -e VAR=VALUE
to the Docker run command.
Variable name | Description |
---|---|
JENKINS_PASSWORD |
Password for the 'admin' account when using default Jenkin authentication. |
OPENSHIFT_ENABLE_OAUTH |
Determines whether the OpenShift Login plugin manages authentication when logging into Jenkins. |
OPENSHIFT_PERMISSIONS_POLL_INTERVAL |
Specifies in milliseconds how often the OpenShift Login plugin polls OpenShift for the permissions associated with each user defined in Jenkins. |
You can also set the following mount points by passing the -v /host:/container
flag to Docker.
Volume mount point | Description |
---|---|
/var/lib/jenkins |
Jenkins config directory |
Notice: When mounting a directory from the host into the container, ensure that the mounted directory has the appropriate permissions and that the owner and group of the directory matches the user UID or name which is running inside the container.
In order to install additional Jenkins plugins, the OpenShift Jenkins image provides a way
how to add those by layering on top of this image. The derived image, will provide the same functionality
as described in this documentation, in addition it will also include all plugins you list in the plugins.txt
file.
To create derived image, you have to write following Dockerfile
:
FROM openshift/jenkins-1-centos7
COPY plugins.txt /opt/openshift/configuration/plugins.txt
RUN /usr/local/bin/plugins.sh /opt/openshift/configuration/plugins.txt
The format of plugins.txt
file is:
pluginId:pluginVersion
For example, to install the github Jenkins plugin, you specify following to plugins.txt
:
github:1.11.3
After this, just run docker build -t my_jenkins_image -f Dockerfile
.
The s2i tool allows you to do additional modifications of this Jenkins image.
For example, you can use S2I to copy custom Jenkins Jobs definitions, additional
plugins or replace the default config.xml
file with your own configuration.
To do that, you can either use the standalone s2i
tool, that will produce the
customized Docker image or you can use OpenShift Source build strategy.
In order to include your modifications in Jenkins image, you need to have a Git repository with following directory structure:
./plugins
folder that contains binary Jenkins plugins you want to copy into Jenkins./plugins.txt
file that list the plugins you want to install (see the section above)./configuration/jobs
folder that contains the Jenkins job definitions./configuration/config.xml
file that contains your custom Jenkins configuration
Note that the ./configuration
folder will be copied into /var/lib/jenkins
folder, so you can also include additional files (like credentials.xml
, etc.).
To build your customized Jenkins image, you can then execute following command:
$ s2i build https://github.com/your/repository openshift/jenkins-1-centos7 your_image_name
NOTE: if instead of adding a plugin you want to replace an existing plugin via dropping the binary plugin in the ./plugins
directory,
make sure the filename ends in .jpi
.
- OpenShift Pipeline Plugin
See the following, as well an example use of the plugin's capabilities with the OpenShift Sample Job included in this image. For more details visit the Jenkins plugin website.
- Kubernetes Plugin This plugin allows slaves to be dynamically provisioned on multiple Docker hosts using Kubernetes. To learn how to use this plugin, see the example available in the OpenShift Origin repository. For more details about plugin, visit the plugin web site.
For this, we will assume that you are using the openshift/jenkins-1-centos7
image.
If you want to set only the mandatory environment variables and store the database
in the /tmp/jenkins
directory on the host filesystem, execute the following command:
$ docker run -d -e JENKINS_PASSWORD=<password> -v /tmp/jenkins:/var/lib/jenkins openshift/jenkins-1-centos7
The admin user name is set to admin
. There are now two supported means of authenticating:
- If running outside of OpenShift, or running in OpenShift without the environment variable
OPENSHIFT_ENABLE_OAUTH
set to a value other thanfalse
on the container, you have to to specify the password by setting theJENKINS_PASSWORD
environment variable. This process is done upon initialization. - If running in OpenShift and the environment variable
OPENSHIFT_ENABLE_OAUTH
is set to a value other thanfalse
on the container, the OpenShift Login plugin manages the login process, and to login you specify whatever password is required by the identity provider used by OpenShift. So if the default OpenShift identity providerAllow All
is used, you can provide any non-empty string as the password for the predefinedadmin
user. IfAllow All
is not used, then valid user/password combinations stored with your identity provider must be used, and if the image's predefinedadmin
user is not a user with a valid password stored with your identity provider, you'll no longer be able to log in withadmin
.
However, any user with the OpenShift admin
role for the OpenShift project Jenkins is running in will have the same permissions as those this image assigns to the admin
user.
Users with the edit
or view
roles for the OpenShift project Jenkins is running in will have progressively reduced permissions within Jenkins.
For the view
role, the Jenkins permissions are:
- hudson.model.Hudson.Read
- hudson.model.Item.Read
For the edit
role, in addition to the permissions available to view
:
- hudson.model.Item.Build
- hudson.model.Item.Configure
- hudson.model.Item.Create
- hudson.model.Item.Delete
- hudson.model.Item.Workspace
- hudson.scm.SCM.Tag
Users authenticated against OpenShift OAuth will be added to the Jenkins authorization matrix upon their first successful login.
Permissions for users in Jenkins can be changed in OpenShift after those users are initially established in Jenkins. The OpenShift Login plugin polls the OpenShift API server for permissions and will update the permissions stored in Jenkins for each Jenkins user with the permissions retrieved from OpenShift. Technically speaking, you can change the permissions for a Jenkins user from the Jenkins UI as well, but those changes will be overwritten the next time the poll occurs.
You can control how often the polling occurs with the OPENSHIFT_PERMISSIONS_POLL_INTERVAL
environment variable. The default polling interval when no environment variable is set is 5 minutes.
This repository also provides a test framework which checks basic functionality of the Jenkins image.
Users can choose between testing Jenkins based on a RHEL or CentOS image.
-
RHEL based image
To test a RHEL7 based Jenkins image, you need to run the test on a properly subscribed RHEL machine.
$ cd jenkins $ make test TARGET=rhel7 VERSION=5.5
-
CentOS based image
$ cd jenkins $ make test VERSION=1
Notice: By omitting the VERSION
parameter, the build/test action will be performed
on all provided versions of Jenkins. Since we are currently providing only version 1
,
you can omit this parameter.