Introduction
What’s new
Installation on Amazon Web Service (AWS) guide
Introduction
Getting started
Navigating
New User Experience
Continuous Delivery as a Service
Shared configurations
Managing
Operating
Managing agents
External HTTP endpoints
Cross Team Collaboration
Building on CloudBees Jenkins Enterprise
Upgrading CloudBees Jenkins Enterprise
Troubleshooting
Cluster Environment: Amazon Web Services
Changing domain name and enabling SSL
Using wiki markup languages in descriptions
Appendix: AWS Running in an internal-only VPC
Appendix: Configuration reference
Appendix: Destroying and recreating a cluster
Generating a support bundle
Backup and restore
Jenkins CLI tool
About plugins
IntroductionRestart Aborted Builds pluginAWS CLI pluginCloudBees Amazon Web Services Deploy EngineMicrosoft Azure CLI pluginCloudBees Backup pluginCloudBees Bitbucket Branch Source pluginCloudBees Assurance ProgramCloudBees CasC API pluginCloudBees CasC Client pluginCloudBees CasC Items API pluginCloudBees CasC Items Commons pluginCloudBees CasC Items Controller pluginCloudBees CasC Items Server pluginCloudBees CasC Server pluginCloud Foundry CLI pluginConsolidated Build View pluginCloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry NotificationCloudBees Even Scheduler pluginCloudBees Fast Archiving pluginFolders pluginFolders Plus pluginGitHub Branch Source pluginJenkins Health Advisor by CloudBeesCloudBees Long-Running Build pluginMonitoring pluginNodes Plus pluginOpenShift CLI pluginCloudBees Plugin Usage Analyzer pluginCloudBees Prometheus Metrics pluginPull Request Builder for GitHub pluginCloudBees Quiet Start pluginSecure Copy pluginSkip Next Build pluginSSH Build Agents pluginCloudBees Support pluginTemplate pluginCloudBees Label Throttling pluginUser Activity MonitoringCloudBees Git Validated Merge pluginVisual Studio Team Services pluginWikitext Security plugin
Plugin management
IntroductionGetting started with plugin managementCloudBees Assurance ProgramBeekeeper Upgrade AssistantAdding Beekeeper plugin exceptionsFinding the support tier for a pluginInstalling pluginsUpgrading plugins from the Plugin ManagerUninstalling pluginsDisabling pluginsReviewing plugin usageConfiguring plugin catalogsManaging plugins with Update CenterManaging plugins in a secure environment
Getting started
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
Planning for Pipelines
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
Creating Pipelines
IntroductionPrerequisitesCreating your first PipelineCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
Automating with Jenkinsfile
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The Env
Administering Pipelines
IntroductionControlling buildsManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative Pipeline
Remote collaboration features
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
Pipeline templates
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
Pipeline syntax reference
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
Multibranch Pipeline Template syntax
IntroductionBranch SourceBitbucketGitHubGitBranch Property StrategyExamples
Introduction
CyberArk Credential Provider Plugin
Restricting access and delegating administration with Role-Based Access Control
Folders Plus plugin
Managing build agents with Nodes Plus plugin
Understanding Beekeeper security warnings
CloudBees Jenkins JVM troubleshooting
Performance decision tree for troubleshooting
Troubleshooting memory leaks
Troubleshooting file and thread leaks
Miscellaneous references
Amazon Web Services CLI Plugin
Microsoft Azure CLI Plugin
Cloud Foundry CLI Plugin
OpenShift CLI Plugin
CLI reference
Configuration reference
Elasticsearch
Infrastructure security
CloudBees ServiceNow Integration
Support policies

Infrastructure security

2 minute read

CloudBees Jenkins Enterprise has been built with the assumption that it owns the infrastructure where it is installed. It expects to be able to install and manage software such as Apache Mesos, Marathon, Docker, etc.

This article applies to CloudBees Jenkins Enterprise 1.x, based on Apache Mesos. CloudBees Jenkins Enterprise 2.x addresses most (if not all) of security concerns by relying on Kubernetes architecture.

Infrastructure Administration

Any infrastructure operation that is installing (cluster-init), updating (cje upgrade) or collecting information (generating support bundle) require root access.

Required access rights during execution

CloudBees Jenkins Enterprise is composed of a set of components, some of them need root access to fulfill their role.

ComponentRequires RootJustification

Apache Mesos

Yes

Manages system resources, schedules Docker containers.

Marathon

Yes

Mesos framework scheduling components such as Castle, operations center, Masters, and Elasticsearch.

Docker

Yes

The Docker daemon itself needs to run as root. The Docker client currently runs as root.

Palace

Yes

Mesos framework scheduling build agents containers.

Castle

Yes

Manages volumes across the cluster. It does cgroups magic in order to dynamically attach volumes to Jenkins containers.

Logstash

Yes

Requires access to all logs files in order to index them and forward them to Elasticsearch.

Topbeat

Yes

Monitors system metrics and sends them to Elasticsearch.

Elasticsearch

Yes

Pending product evolution to run it as uid 1000 and customizable.

Crons

Yes

Calls Docker for maintenance purpose (removing old containers and images). Since Docker runs as root, this component needs to run as root as well.

operations center

No

Runs as uid 1000.

Can be customized if needed in order to accommodate NFS mounts (if applicable).

See volume_user and volume_group configuration attributes for more information.

Managed Master

No

Runs as uid 1000.

Can be customized if needed in order to accommodate NFS mounts (if applicable).

See volume_user and volume_group configuration attributes for more information.

Access rights for customer applications

Build agents are scheduled as Docker containers in a dedicated worker pool. These agents run using the uid/gid defined in the Docker image being called. However, it is possible to override the user to use in the agent template configuration. Under options, add a new Parameter named user. The value should have the format: <name|uid>[:<group|gid>].

User parameter

Best practice is to run Docker containers as a non-root user (principle of least privilege). Therefore, it is recommended to create a user with a known uid in the Dockerfile when building Docker images used across the cluster.

For the same reason, it is discouraged to mount the Docker socket (practice known as DonD) in a Docker container or use Docker-in-Docker (DinD). These require privileged mode, which is equivalent to running them directly as root on the host.

Elasticsearch
CloudBees ServiceNow Integration