I have a Jenkins Docker image and I want to relax the Jenkins Content Security Policy from the Docker environment.

I can do that from the Jenkins script console:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline';")
System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")

But not from the docker-compose environment. Then the Docker container keeps restarting on run.

The Docker service is run by the 'jenkins.sh' script:

cat /usr/local/bin/jenkins.sh

#! /bin/bash -e

: "${JENKINS_HOME:="/var/jenkins_home"}"
touch "${COPY_REFERENCE_FILE_LOG}" || { echo "Can not write to ${COPY_REFERENCE_FILE_LOG}. Wrong volume permissions?"; exit 1; }
echo "--- Copying files at $(date)" >> "$COPY_REFERENCE_FILE_LOG"
find /usr/share/jenkins/ref/ -type f -exec bash -c '. /usr/local/bin/jenkins-support; for arg; do copy_reference_file "$arg"; done' _ {} +

# if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then

  # read JAVA_OPTS and JENKINS_OPTS into arrays to avoid need for eval (and associated vulnerabilities)
  java_opts_array=()
  while IFS= read -r -d '' item; do
    java_opts_array+=( "$item" )
  done < <([[ $JAVA_OPTS ]] && xargs printf '%s\0' <<<"$JAVA_OPTS")

  jenkins_opts_array=( )
  while IFS= read -r -d '' item; do
    jenkins_opts_array+=( "$item" )
  done < <([[ $JENKINS_OPTS ]] && xargs printf '%s\0' <<<"$JENKINS_OPTS")

  exec java "${java_opts_array[@]}" -jar /usr/share/jenkins/jenkins.war "${jenkins_opts_array[@]}" "$@"
fi

# As argument is not jenkins, assume user want to run his own process, for example a `bash` shell to explore this image
exec "$@"

My Jenkins Dockerfile environment:

ENV JAVA_OPTS="-Xmx2048m"
ENV JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war"

My docker-compose.yml:

version: '2'
services:
  jenkins:
    build: jenkins
    image: my-jenkins
    container_name: my-jenkins
    environment:
    - JAVA_OPTS="-Xmx2048m"
#    - JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war"
#    - JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war -Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self'; style-src 'self' 'unsafe-inline';\""
#    - JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war -Dhudson.model.DirectoryBrowserSupport.CSP=default-src 'self'; style-src 'self' 'unsafe-inline';"
    ports:
    - "49001:8080"
    - "50000:50000"
    volumes:
    - data-jenkins-home:/var/jenkins_home
    restart: always

volumes:
  data-jenkins-home:

The Jenkins container is broken (it restarts after about a second or two) if any of the commented-out rows above are uncommented. Running it throws:

Mar 02, 2017 11:32:25 AM Main deleteWinstoneTempContents
WARNING: Failed to delete the temporary Winstone file /tmp/winstone/jenkins.war

I see that 'jenkins.sh' is recreating the JENKINS_OPTS array. Is it possible to set the env variable JENKINS_OPTS so that the service runs properly using that script?

urkon

1 Answer

You can set JENKINS_OPTS in the docker run command which creates the container. E.g., this docker run command shows how JAVA_OPTS and JENKINS_OPTS can be set. It also shows how the Jenkins GUI port can be mapped (from 8080 in the container to 9090 for the outside world here), and how the Jenkins home dir can be customized (Docker volume mount).

JENKINS_PORT=9090
JENKINS_SLAVE_PORT=50000
JENKINS_DIR=jenkins
IMAGE=whatever

docker run -it \
-d \
--name jenkins42 \
--restart always \
-p $OMN_HOST_IP:$JENKINS_PORT:8080 \
-p $OMN_HOST_IP:$JENKINS_SLAVE_PORT:50000 \
--env JAVA_OPTS="-Dhudson.Main.development=true \
    -Dhudson.footerURL=http://customurl.com \
    -Xms800M -Xmx800M -Xmn400M \
    " \
-v $JENKINS_DIR:/var/jenkins_home \
$VARGS \
$IMAGE 
gaoithe
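
Added example, not part of either post and not the image's own code: it replays the xargs tokenization and the argument order from the jenkins.sh listing in the question, so an option string can be checked before the container is started. It assumes Compose hands a list-form `environment` value to the container verbatim, surrounding quotes included; `split_opts`, `count_tokens`, `jenkins_argv` and `csp_reaches_jvm` are hypothetical helper names, and the sample values are constructed from the ones in the question.

```shell
#!/bin/sh
# Added example (not from the post). Helper names are hypothetical.

# Tokenize one option string the way jenkins.sh does: xargs quote rules,
# printed one token per line. Empty input yields no tokens.
split_opts() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1" | xargs printf '%s\n'
    fi
}

count_tokens() {
    split_opts "$1" | wc -l | tr -d ' '
}

# The argv jenkins.sh would exec: JAVA_OPTS before -jar, JENKINS_OPTS after.
jenkins_argv() {
    printf '%s\n' java
    split_opts "$1"
    printf '%s\n' -jar /usr/share/jenkins/jenkins.war
    split_opts "$2"
}

# Succeeds only if the CSP property is its own argument ahead of -jar,
# i.e. the JVM (not the Jenkins launcher) receives it.
csp_reaches_jvm() {
    jenkins_argv "$1" "$2" | awk '
        $0 == "-jar" { after_jar = 1 }
        !after_jar && /^-Dhudson\.model\.DirectoryBrowserSupport\.CSP=/ { found = 1 }
        END { exit !found }'
}

# Constructed sample values, as the container would receive them.
PLAIN_JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war"
# Assumption: the list form keeps the surrounding quotes as literal characters.
QUOTED_JENKINS_OPTS="\"$PLAIN_JENKINS_OPTS\""
CSP="default-src 'self'; style-src 'self' 'unsafe-inline';"
# -D placed in JENKINS_OPTS and wrapped in one pair of double quotes.
BAD_JENKINS_OPTS="\"$PLAIN_JENKINS_OPTS -Dhudson.model.DirectoryBrowserSupport.CSP=$CSP\""
# -D placed in JAVA_OPTS, with quotes around that one option only.
GOOD_JAVA_OPTS="-Xmx2048m \"-Dhudson.model.DirectoryBrowserSupport.CSP=$CSP\""

# Show the resulting command line for the working combination.
jenkins_argv "$GOOD_JAVA_OPTS" "$PLAIN_JENKINS_OPTS"
```

Java passes everything after `-jar jenkins.war` to the application, so a `-D` option carried in JENKINS_OPTS never becomes a system property, and a value wrapped whole in literal double quotes collapses into a single argument.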