RHEL 7: Deploy Jenkins

Description:

I followed this post to install Jenkins on a RHEL 7 Server and Nginx with a reverse proxy for SSL offloading.

To Resolve:

  1. Download and install Jenkins:

    
     sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
     sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
     yum install jenkins
    
     yum install java-1.8.0-openjdk
     # java -version
    
     systemctl start jenkins
     systemctl enable jenkins
    
     firewall-cmd --zone=public --add-port=8080/tcp --permanent
     firewall-cmd --zone=public --add-service=http --permanent
     firewall-cmd --reload
    
     # go to jenkins.domain.com:8080 in browser
     cat /var/lib/jenkins/secrets/initialAdminPassword
     ec2df2f8ef2649b1b61afd6684624d5e9
    
     # Choose to install community recommended plugins
    
  2. This sets Jenkins up to work over HTTP. Now move to HTTPS:

    • Install nginx
    
     rpm -Uvh http://nginx.org/packages/rhel/7/noarch/RPMS/nginx-release-rhel-7-0.el7.ngx.noarch.rpm
     yum install nginx
     systemctl start nginx
     systemctl enable nginx
     firewall-cmd --permanent --zone=public --add-service=http
     firewall-cmd --permanent --zone=public --add-service=https
     firewall-cmd --reload
    
    • Request cert
    
     openssl genrsa -out domain.key 2048
     openssl req -new -sha256 -key domain.key -out domain.csr
     Country? US
     State? Texas
     City? City
     organization? My Company
     organizational unit? My Parent Company
     Common name? server.domain.com
     email? admin@domain.com
     openssl req -noout -text -in domain.csr
    
    • Send domain.csr to InCommon.
    • Once complete, download ‘server’ and ‘intermediate’ as X509, Base64 encoded
    • Open a cert decoder website and copy/paste the certs in this order: Server Cert => InCommon RSA Server CA => USERTrust RSA Certification Authority
    • Save as combined.cer

    • Configure Nginx
    • add the combined certs and domain.key to /etc/nginx/ssl
    • test: nginx -t

    • Ran into an issue:
    
     nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
     nginx: configuration file /etc/nginx/nginx.conf test is successful
     # says successful, but when I start service I get
    
     nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
     Failed to parse PID from file /var/run/nginx.pid: Invalid argument
    
     fix is to reboot
    
    • Now we vi /etc/nginx/conf.d/jenkins.conf
    • And paste in the following after changing your cert details and server name
    
     upstream jenkins {
         server 127.0.0.1:8080 fail_timeout=0;
     }

     server {
         listen 80;
         server_name server.domain.com;
         return 301 https://$host$request_uri;
     }

     server {
         listen 443 ssl;
         server_name jenkins.domain.com;

         ssl_certificate     /etc/nginx/ssl/combined.cer;
         ssl_certificate_key /etc/nginx/ssl/domain.key;

         location / {
             proxy_set_header        Host $host:$server_port;
             proxy_set_header        X-Real-IP $remote_addr;
             proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_redirect          http://127.0.0.1:8080 https://server.domain.com;
             proxy_pass              http://127.0.0.1:8080;
             # Required for new HTTP-based CLI
             proxy_http_version 1.1;
             proxy_request_buffering off;
             proxy_buffering off; # Required for HTTP-based CLI to work over SSL
             # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
             add_header 'X-SSH-Endpoint' 'jenkins.domain.com:50022' always;
         }
     }
    
    • Now run systemctl start nginx and you will get an error like [crit] 14549#14549: *7 connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream

    • Fix:

    
     # per https://stackoverflow.com/questions/23948527/13-permission-denied-while-connecting-to-upstreamnginx
     systemctl stop nginx 
     setsebool -P httpd_can_network_connect 1
     systemctl start nginx
    
  3. Now that Jenkins is running, need to modify a few things:

    • Jenkins Web UI => Manage Jenkins => Configure System => Jenkins Location => Update the Jenkins URL to use HTTPS - https://jenkins.domain.com/

    • Install ‘Active Directory plugin’
    • Manage Jenkins => Configure Global Security => Security Realm:Active Directory

      • Domain Name = domain.com
      • Domain Controller = dc-1.domain.com:3268
      • bind dn = CN=user,DC=Domain,DC=com
      • bind password = password
    • Save and exit. Log out of the web UI.
    • Log in as your user # this takes a while the first time, but will be fast after that. Notice that it displays all your AD groups when you log in.
    • Now go back to Manage Jenkins => Configure Global Security => Authorization => Select ‘Matrix-based Security’
    • Add the main admin AD group your user is a member of (just the name by itself) and check the box for ‘Administer’ under ‘Overall’ section.
    • Give Anonymous Users ‘Read’ under the ‘Overall’ section. Not sure if this is required but I did this for scripts to run from VRO.
    • Give ‘Authenticated Users’ nothing.
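
The "Request cert" part of step 2 can be done locally with openssl instead of a cert decoder website. The script below is an added example, not part of the original post: it builds combined.cer in the order given above, checks that each certificate is issued by the one after it, and checks that domain.key belongs to the server certificate. The function names and the throwaway sample chain are assumptions made for illustration.

```bash
# Concatenate certificates in the order given: server, intermediate(s), root.
build_chain() {            # usage: build_chain OUT CERT...
  local out="$1" c; shift
  : >"$out" || return 1
  for c in "$@"; do
    openssl x509 -in "$c" -outform PEM >>"$out" || return 1  # re-encode: drops stray text
  done
}

# Succeed only if each certificate in BUNDLE was issued by the one after it.
# This compares issuer and subject names; it does not verify signatures.
chain_in_order() {         # usage: chain_in_order BUNDLE
  local dir n i=1 iss sub rc=0
  dir=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
  n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") } END { print n + 0 }' "$1")
  [ "$n" -ge 1 ] || rc=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash 2>/dev/null)
    i=$((i + 1))
    sub=$(openssl x509 -in "$dir/$i.pem" -noout -subject_hash 2>/dev/null)
    [ -n "$iss" ] && [ "$iss" = "$sub" ] || rc=1
  done
  rm -rf "$dir"; return "$rc"
}

# Succeed only if KEY and the first certificate in CERT share one public key.
key_matches_cert() {       # usage: key_matches_cert KEY CERT
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway root and a server certificate it signs.
make_sample() {            # usage: make_sample DIR
  ( cd "$1" && openssl genrsa -out root.key 2048 && openssl genrsa -out domain.key 2048 &&
    openssl req -new -x509 -key root.key -subj "/CN=Constructed Root" -days 1 -out root.cer &&
    openssl req -new -key domain.key -subj "/CN=server.domain.com" -out domain.csr &&
    openssl x509 -req -in domain.csr -CA root.cer -CAkey root.key -CAcreateserial \
      -days 1 -out server.cer ) >/dev/null 2>&1
}

# Arguments are the downloaded certificates, server first and root last.
if [ "$#" -gt 0 ]; then
  build_chain combined.cer "$@" && chain_in_order combined.cer &&
    key_matches_cert domain.key combined.cer && echo "combined.cer OK"
fi
```

Run it in the directory that holds domain.key, passing the downloaded files in the order server, intermediate, root.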
