Separate Jenkins config.xml for internal and external setup
Ensure that Jenkins external/internal configurations contain only the
settings necessary for hosting jobs. This separation helps to minimize
potential security risks.
Bug: Issue 16988
Change-Id: Idde756ad53311936ca514495e10625ba631a9f88
diff --git a/jenkins-docker/server/Dockerfile b/jenkins-docker/server/Dockerfile
index dde7d0a..392c1fb 100644
--- a/jenkins-docker/server/Dockerfile
+++ b/jenkins-docker/server/Dockerfile
@@ -43,8 +43,11 @@
ENV REMOTE_DOCKER_HOST unix:///var/run/docker.sock
ENV BINTRAY_URL https://dl.bintray.com/lucamilanesio
+
+ARG SERVER_TYPE
+
COPY edit-config.xslt $JENKINS_REF
-COPY config.xml $JENKINS_REF
+COPY config-$SERVER_TYPE.xml $JENKINS_REF/config.xml
COPY jenkins.plugins.logstash.LogstashInstallation.xml $JENKINS_REF
COPY jenkins.model.JenkinsLocationConfiguration.xml $JENKINS_REF
COPY org.codefirst.SimpleThemeDecorator.xml $JENKINS_REF
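Review bot: `ARG SERVER_TYPE` is declared with neither a default nor a comment, so a build that omits `--build-arg SERVER_TYPE=...` now fails at `COPY config-$SERVER_TYPE.xml` with a file-not-found error that does not name the missing argument. A short comment above the declaration would make the contract visible, e.g. `# Required build arg (internal | external): selects config-<type>.xml and the gerrit-ci-scripts-<type>.xml job configs`. Failing fast with a clear message is preferable to a default, since the two configs differ in what the agents may reach on the host.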
@@ -58,7 +61,6 @@
# TODO: CVE-2024-23897 Groovy workaround can be removed only after upgrading to 2.442, LTS 2.426.3
COPY CVE-2024-23897-disable-cli.groovy $JENKINS_REF/init.groovy.d/
-ARG SERVER_TYPE
COPY gerrit-ci-scripts-$SERVER_TYPE.xml $JENKINS_REF/jobs/gerrit-ci-scripts/config.xml
COPY gerrit-ci-scripts-manual-$SERVER_TYPE.xml $JENKINS_REF/jobs/gerrit-ci-scripts-manual/config.xml
COPY org.jenkinsci.plugins.workflow.libs.GlobalLibraries.xml $JENKINS_REF/
diff --git a/jenkins-docker/server/config.xml b/jenkins-docker/server/config-external.xml
similarity index 88%
rename from jenkins-docker/server/config.xml
rename to jenkins-docker/server/config-external.xml
index a2c1f99..3bd1373 100644
--- a/jenkins-docker/server/config.xml
+++ b/jenkins-docker/server/config-external.xml
@@ -288,47 +288,6 @@
<removeVolumes>false</removeVolumes>
<pullStrategy>PULL_LATEST</pullStrategy>
</com.nirima.jenkins.plugins.docker.DockerTemplate>
- <com.nirima.jenkins.plugins.docker.DockerTemplate>
- <configVersion>2</configVersion>
- <labelString>aws</labelString>
- <connector class="io.jenkins.docker.connector.DockerComputerAttachConnector">
- <user>jenkins</user>
- <jvmArgs>
- <string>-Dfile.encoding=UTF-8</string>
- </jvmArgs>
- </connector>
- <remoteFsMapping></remoteFsMapping>
- <remoteFs>/home/jenkins</remoteFs>
- <instanceCap>5</instanceCap>
- <mode>EXCLUSIVE</mode>
- <retentionStrategy class="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">
- <idleMinutes>10</idleMinutes>
- <idleMinutes defined-in="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">10</idleMinutes>
- </retentionStrategy>
- <numExecutors>1</numExecutors>
- <dockerTemplateBase>
- <image>gerritforge/gerrit-ci-agent-aws</image>
- <dockerCommand></dockerCommand>
- <lxcConfString>aws</lxcConfString>
- <hostname></hostname>
- <dnsHosts/>
- <volumes>
- <string>/dev/urandom:/dev/random</string>
- </volumes>
- <volumesFrom2/>
- <environment/>
- <bindPorts></bindPorts>
- <bindAllPorts>false</bindAllPorts>
- <privileged>true</privileged>
- <tty>false</tty>
- <extraHosts class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
- <c class="list"/>
- <list reference="../c"/>
- </extraHosts>
- </dockerTemplateBase>
- <removeVolumes>false</removeVolumes>
- <pullStrategy>PULL_LATEST</pullStrategy>
- </com.nirima.jenkins.plugins.docker.DockerTemplate>
</templates>
<serverUrl>unix:///var/run/docker.sock</serverUrl>
<connectTimeout>30</connectTimeout>
diff --git a/jenkins-docker/server/config-internal.xml b/jenkins-docker/server/config-internal.xml
new file mode 100644
index 0000000..0cb07de
--- /dev/null
+++ b/jenkins-docker/server/config-internal.xml
@@ -0,0 +1,130 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<hudson>
+ <disabledAdministrativeMonitors>
+ <string>hudson.diagnosis.ReverseProxySetupMonitor</string>
+ </disabledAdministrativeMonitors>
+ <version>2.375.2</version>
+ <numExecutors>1</numExecutors>
+ <mode>EXCLUSIVE</mode>
+ <useSecurity>true</useSecurity>
+ <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
+ <permission>hudson.model.Hudson.Administer:bro314</permission>
+ <permission>hudson.model.Hudson.Administer:dpursehouse</permission>
+ <permission>hudson.model.Hudson.Administer:EdwinKempin</permission>
+ <permission>hudson.model.Hudson.Administer:lucamilanesio</permission>
+ <permission>hudson.model.Hudson.Administer:msohn</permission>
+ <permission>hudson.model.Hudson.Administer:phiesel</permission>
+ <permission>hudson.model.Hudson.Administer:poucet</permission>
+ <permission>hudson.model.Hudson.Administer:zivkov</permission>
+ <permission>hudson.model.Hudson.Administer:syntonyze</permission>
+ <permission>hudson.model.Hudson.Administer:geminicaprograms</permission>
+ <permission>hudson.model.Hudson.Administer:paladox</permission>
+ <permission>USER:hudson.model.Hudson.Read:anonymous</permission>
+ <permission>USER:hudson.model.Item.Read:anonymous</permission>
+ <permission>USER:hudson.model.Item.ViewStatus:anonymous</permission>
+ </authorizationStrategy>
+ <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
+ <githubWebUri>https://github.com</githubWebUri>
+ <githubApiUri>https://api.github.com</githubApiUri>
+ <clientID>#OAUTH_ID#</clientID>
+ <clientSecret>#OAUTH_SECRET#</clientSecret>
+ </securityRealm>
+ <disableRememberMe>false</disableRememberMe>
+ <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
+ <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
+ <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
+ <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter" plugin="antisamy-markup-formatter@155.v795fb_8702324">
+ <disableSyntaxHighlighting>false</disableSyntaxHighlighting>
+ </markupFormatter>
+ <jdks/>
+ <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
+ <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
+ <clouds>
+ <com.nirima.jenkins.plugins.docker.DockerCloud plugin="docker-plugin@1.2.10">
+ <name>dockerhost</name>
+ <templates>
+ <com.nirima.jenkins.plugins.docker.DockerTemplate>
+ <configVersion>2</configVersion>
+ <labelString>aws</labelString>
+ <connector class="io.jenkins.docker.connector.DockerComputerAttachConnector">
+ <user>jenkins</user>
+ <jvmArgs>
+ <string>-Dfile.encoding=UTF-8</string>
+ </jvmArgs>
+ </connector>
+ <remoteFsMapping></remoteFsMapping>
+ <remoteFs>/home/jenkins</remoteFs>
+ <instanceCap>5</instanceCap>
+ <mode>EXCLUSIVE</mode>
+ <retentionStrategy class="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">
+ <idleMinutes>10</idleMinutes>
+ <idleMinutes defined-in="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">10</idleMinutes>
+ </retentionStrategy>
+ <numExecutors>1</numExecutors>
+ <dockerTemplateBase>
+ <image>gerritforge/gerrit-ci-agent-aws</image>
+ <dockerCommand></dockerCommand>
+ <lxcConfString>aws</lxcConfString>
+ <hostname></hostname>
+ <dnsHosts/>
+ <volumes>
+ <string>/dev/urandom:/dev/random</string>
+ <string>/var/run/docker.sock:/var/run/docker.sock</string>
+ </volumes>
+ <volumesFrom2/>
+ <environment/>
+ <bindPorts></bindPorts>
+ <bindAllPorts>false</bindAllPorts>
+ <privileged>true</privileged>
+ <tty>false</tty>
+ <extraHosts class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
+ <c class="list"/>
+ <list reference="../c"/>
+ </extraHosts>
+ </dockerTemplateBase>
+ <removeVolumes>false</removeVolumes>
+ <pullStrategy>PULL_LATEST</pullStrategy>
+ </com.nirima.jenkins.plugins.docker.DockerTemplate>
+ </templates>
+ <serverUrl>unix:///var/run/docker.sock</serverUrl>
+ <connectTimeout>30</connectTimeout>
+ <readTimeout>30</readTimeout>
+ <credentialsId></credentialsId>
+ <containerCap>100</containerCap>
+ <exposeDockerHost>true</exposeDockerHost>
+ </com.nirima.jenkins.plugins.docker.DockerCloud>
+ </clouds>
+ <quietPeriod>5</quietPeriod>
+ <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
+ <views>
+ <hudson.model.AllView>
+ <owner class="hudson" reference="../../.."/>
+ <name>All</name>
+ <filterExecutors>false</filterExecutors>
+ <filterQueue>false</filterQueue>
+ <properties class="hudson.model.View$PropertyList"/>
+ </hudson.model.AllView>
+ </views>
+ <primaryView>All</primaryView>
+ <slaveAgentPort>0</slaveAgentPort>
+ <label>server</label>
+ <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
+ <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
+ </crumbIssuer>
+ <nodeProperties>
+ <hudson.slaves.EnvironmentVariablesNodeProperty>
+ <envVars serialization="custom">
+ <unserializable-parents/>
+ <tree-map>
+ <default>
+ <comparator class="hudson.util.CaseInsensitiveComparator"/>
+ </default>
+ <int>1</int>
+ <string>PATH</string>
+ <string>/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin</string>
+ </tree-map>
+ </envVars>
+ </hudson.slaves.EnvironmentVariablesNodeProperty>
+ </nodeProperties>
+ <globalNodeProperties/>
+</hudson>
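Review bot: The `aws` template in this new file mounts the host Docker socket into a container that is also `<privileged>true</privileged>` (`/var/run/docker.sock:/var/run/docker.sock` under `<volumes>`), so any job that can run on that label effectively gets root-equivalent access to the agent host, and nothing in the file records that this is deliberate for the internal server only. Add a comment above that `<volumes>` element, e.g. `<!-- internal only: agents receive the host Docker socket; do not copy this template into config-external.xml -->`. Given the commit's goal of keeping only the necessary settings, the three `USER:...:anonymous` grants look unneeded on an internal instance, and `<slaveAgentPort>0</slaveAgentPort>` opens a random inbound TCP agent port that the attach connector does not use, so `<slaveAgentPort>-1</slaveAgentPort>` would disable it — confirm no inbound agents connect to this controller. The `Administer` entries also use the unprefixed legacy form while the anonymous ones use `USER:`; matrix-auth treats the unprefixed form as ambiguous, so `USER:hudson.model.Hudson.Administer:...` would be consistent.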