Separate Jenkins config.xml for internal and external setup Ensure that Jenkins external/internal configurations contain only the settings necessary for hosting jobs. This separation helps to minimize potential security risks. Bug: Issue 16988 Change-Id: Idde756ad53311936ca514495e10625ba631a9f88
diff --git a/jenkins-docker/server/Dockerfile b/jenkins-docker/server/Dockerfile
index dde7d0a..392c1fb 100644
--- a/jenkins-docker/server/Dockerfile
+++ b/jenkins-docker/server/Dockerfile
@@ -43,8 +43,11 @@ ENV REMOTE_DOCKER_HOST unix:///var/run/docker.sock
 ENV BINTRAY_URL https://dl.bintray.com/lucamilanesio
+
+ARG SERVER_TYPE
+
 COPY edit-config.xslt $JENKINS_REF
-COPY config.xml $JENKINS_REF
+COPY config-$SERVER_TYPE.xml $JENKINS_REF/config.xml
 COPY jenkins.plugins.logstash.LogstashInstallation.xml $JENKINS_REF
 COPY jenkins.model.JenkinsLocationConfiguration.xml $JENKINS_REF
 COPY org.codefirst.SimpleThemeDecorator.xml $JENKINS_REF
@@ -58,7 +61,6 @@
 # TODO: CVE-2024-23897 Groovy workaround can be removed only after upgrading to 2.442, LTS 2.426.3
 COPY CVE-2024-23897-disable-cli.groovy $JENKINS_REF/init.groovy.d/
-ARG SERVER_TYPE
 COPY gerrit-ci-scripts-$SERVER_TYPE.xml $JENKINS_REF/jobs/gerrit-ci-scripts/config.xml
 COPY gerrit-ci-scripts-manual-$SERVER_TYPE.xml $JENKINS_REF/jobs/gerrit-ci-scripts-manual/config.xml
 COPY org.jenkinsci.plugins.workflow.libs.GlobalLibraries.xml $JENKINS_REF/
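Review bot: `ARG SERVER_TYPE` is declared without a default or a comment saying which values are valid, yet it now selects the whole controller configuration through `COPY config-$SERVER_TYPE.xml $JENKINS_REF/config.xml`; when the build arg is not passed, that line looks for `config-.xml` and the build fails with a generic file-not-found error instead of an explanation. A one-line comment above the declaration would make the contract explicit, e.g. `# SERVER_TYPE selects config-<type>.xml and the job configs below; must be "internal" or "external"` (the two values are inferred from the config files added and renamed in this change). Since the authorization strategy, security realm and crumb issuer are now duplicated in config-internal.xml and config-external.xml, a fix to one of them has to be applied to both, which the same comment could point out. The second hunk only moves the `ARG` earlier and needs nothing further.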
diff --git a/jenkins-docker/server/config.xml b/jenkins-docker/server/config-external.xml
similarity index 88%
rename from jenkins-docker/server/config.xml
rename to jenkins-docker/server/config-external.xml
index a2c1f99..3bd1373 100644
--- a/jenkins-docker/server/config.xml
+++ b/jenkins-docker/server/config-external.xml
@@ -288,47 +288,6 @@
 <removeVolumes>false</removeVolumes>
 <pullStrategy>PULL_LATEST</pullStrategy>
 </com.nirima.jenkins.plugins.docker.DockerTemplate>
- <com.nirima.jenkins.plugins.docker.DockerTemplate>
- <configVersion>2</configVersion>
- <labelString>aws</labelString>
- <connector class="io.jenkins.docker.connector.DockerComputerAttachConnector">
- <user>jenkins</user>
- <jvmArgs>
- <string>-Dfile.encoding=UTF-8</string>
- </jvmArgs>
- </connector>
- <remoteFsMapping></remoteFsMapping>
- <remoteFs>/home/jenkins</remoteFs>
- <instanceCap>5</instanceCap>
- <mode>EXCLUSIVE</mode>
- <retentionStrategy class="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">
- <idleMinutes>10</idleMinutes>
- <idleMinutes defined-in="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">10</idleMinutes>
- </retentionStrategy>
- <numExecutors>1</numExecutors>
- <dockerTemplateBase>
- <image>gerritforge/gerrit-ci-agent-aws</image>
- <dockerCommand></dockerCommand>
- <lxcConfString>aws</lxcConfString>
- <hostname></hostname>
- <dnsHosts/>
- <volumes>
- <string>/dev/urandom:/dev/random</string>
- </volumes>
- <volumesFrom2/>
- <environment/>
- <bindPorts></bindPorts>
- <bindAllPorts>false</bindAllPorts>
- <privileged>true</privileged>
- <tty>false</tty>
- <extraHosts class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
- <c class="list"/>
- <list reference="../c"/>
- </extraHosts>
- </dockerTemplateBase>
- <removeVolumes>false</removeVolumes>
- <pullStrategy>PULL_LATEST</pullStrategy>
- </com.nirima.jenkins.plugins.docker.DockerTemplate>
 </templates>
 <serverUrl>unix:///var/run/docker.sock</serverUrl>
 <connectTimeout>30</connectTimeout>
diff --git a/jenkins-docker/server/config-internal.xml b/jenkins-docker/server/config-internal.xml
new file mode 100644
index 0000000..0cb07de
--- /dev/null
+++ b/jenkins-docker/server/config-internal.xml
@@ -0,0 +1,130 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<hudson>
+ <disabledAdministrativeMonitors>
+ <string>hudson.diagnosis.ReverseProxySetupMonitor</string>
+ </disabledAdministrativeMonitors>
+ <version>2.375.2</version>
+ <numExecutors>1</numExecutors>
+ <mode>EXCLUSIVE</mode>
+ <useSecurity>true</useSecurity>
+ <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
+ <permission>hudson.model.Hudson.Administer:bro314</permission>
+ <permission>hudson.model.Hudson.Administer:dpursehouse</permission>
+ <permission>hudson.model.Hudson.Administer:EdwinKempin</permission>
+ <permission>hudson.model.Hudson.Administer:lucamilanesio</permission>
+ <permission>hudson.model.Hudson.Administer:msohn</permission>
+ <permission>hudson.model.Hudson.Administer:phiesel</permission>
+ <permission>hudson.model.Hudson.Administer:poucet</permission>
+ <permission>hudson.model.Hudson.Administer:zivkov</permission>
+ <permission>hudson.model.Hudson.Administer:syntonyze</permission>
+ <permission>hudson.model.Hudson.Administer:geminicaprograms</permission>
+ <permission>hudson.model.Hudson.Administer:paladox</permission>
+ <permission>USER:hudson.model.Hudson.Read:anonymous</permission>
+ <permission>USER:hudson.model.Item.Read:anonymous</permission>
+ <permission>USER:hudson.model.Item.ViewStatus:anonymous</permission>
+ </authorizationStrategy>
+ <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
+ <githubWebUri>https://github.com</githubWebUri>
+ <githubApiUri>https://api.github.com</githubApiUri>
+ <clientID>#OAUTH_ID#</clientID>
+ <clientSecret>#OAUTH_SECRET#</clientSecret>
+ </securityRealm>
+ <disableRememberMe>false</disableRememberMe>
+ <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
+ <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
+ <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
+ <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter" plugin="antisamy-markup-formatter@155.v795fb_8702324">
+ <disableSyntaxHighlighting>false</disableSyntaxHighlighting>
+ </markupFormatter>
+ <jdks/>
+ <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
+ <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
+ <clouds>
+ <com.nirima.jenkins.plugins.docker.DockerCloud plugin="docker-plugin@1.2.10">
+ <name>dockerhost</name>
+ <templates>
+ <com.nirima.jenkins.plugins.docker.DockerTemplate>
+ <configVersion>2</configVersion>
+ <labelString>aws</labelString>
+ <connector class="io.jenkins.docker.connector.DockerComputerAttachConnector">
+ <user>jenkins</user>
+ <jvmArgs>
+ <string>-Dfile.encoding=UTF-8</string>
+ </jvmArgs>
+ </connector>
+ <remoteFsMapping></remoteFsMapping>
+ <remoteFs>/home/jenkins</remoteFs>
+ <instanceCap>5</instanceCap>
+ <mode>EXCLUSIVE</mode>
+ <retentionStrategy class="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">
+ <idleMinutes>10</idleMinutes>
+ <idleMinutes defined-in="com.nirima.jenkins.plugins.docker.strategy.DockerOnceRetentionStrategy">10</idleMinutes>
+ </retentionStrategy>
+ <numExecutors>1</numExecutors>
+ <dockerTemplateBase>
+ <image>gerritforge/gerrit-ci-agent-aws</image>
+ <dockerCommand></dockerCommand>
+ <lxcConfString>aws</lxcConfString>
+ <hostname></hostname>
+ <dnsHosts/>
+ <volumes>
+ <string>/dev/urandom:/dev/random</string>
+ <string>/var/run/docker.sock:/var/run/docker.sock</string>
+ </volumes>
+ <volumesFrom2/>
+ <environment/>
+ <bindPorts></bindPorts>
+ <bindAllPorts>false</bindAllPorts>
+ <privileged>true</privileged>
+ <tty>false</tty>
+ <extraHosts class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
+ <c class="list"/>
+ <list reference="../c"/>
+ </extraHosts>
+ </dockerTemplateBase>
+ <removeVolumes>false</removeVolumes>
+ <pullStrategy>PULL_LATEST</pullStrategy>
+ </com.nirima.jenkins.plugins.docker.DockerTemplate>
+ </templates>
+ <serverUrl>unix:///var/run/docker.sock</serverUrl>
+ <connectTimeout>30</connectTimeout>
+ <readTimeout>30</readTimeout>
+ <credentialsId></credentialsId>
+ <containerCap>100</containerCap>
+ <exposeDockerHost>true</exposeDockerHost>
+ </com.nirima.jenkins.plugins.docker.DockerCloud>
+ </clouds>
+ <quietPeriod>5</quietPeriod>
+ <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
+ <views>
+ <hudson.model.AllView>
+ <owner class="hudson" reference="../../.."/>
+ <name>All</name>
+ <filterExecutors>false</filterExecutors>
+ <filterQueue>false</filterQueue>
+ <properties class="hudson.model.View$PropertyList"/>
+ </hudson.model.AllView>
+ </views>
+ <primaryView>All</primaryView>
+ <slaveAgentPort>0</slaveAgentPort>
+ <label>server</label>
+ <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
+ <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
+ </crumbIssuer>
+ <nodeProperties>
+ <hudson.slaves.EnvironmentVariablesNodeProperty>
+ <envVars serialization="custom">
+ <unserializable-parents/>
+ <tree-map>
+ <default>
+ <comparator class="hudson.util.CaseInsensitiveComparator"/>
+ </default>
+ <int>1</int>
+ <string>PATH</string>
+ <string>/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin</string>
+ </tree-map>
+ </envVars>
+ </hudson.slaves.EnvironmentVariablesNodeProperty>
+ </nodeProperties>
+ <globalNodeProperties/>
+</hudson>
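Review bot: The `aws` template in config-internal.xml bind-mounts `/var/run/docker.sock:/var/run/docker.sock` into an agent that also runs with `<privileged>true</privileged>`, so any job scheduled on that label can drive the host Docker daemon, and nothing in the file records that this is intended; this mount is also the only thing that distinguishes the template from the copy removed from config-external.xml, which makes it easy to re-introduce there by copy-paste. Add an XML comment above the `<volumes>` element, e.g. `<!-- docker.sock is mounted so internal jobs can drive the host daemon; this template must never be copied to config-external.xml -->`, or drop the mount if no internal job needs it. The anonymous `hudson.model.Hudson.Read`, `Item.Read` and `Item.ViewStatus` grants are carried over unchanged; if the internal server is not meant to be browsed anonymously they are exactly the kind of setting the commit message says should not be here. `<slaveAgentPort>0</slaveAgentPort>` opens the inbound-agent TCP listener on a random port; with only the Docker attach connector configured it could be `-1` to disable the listener, though whether other agents connect inbound cannot be told from this file.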