Installing and Securing Jenkins
Earlier this year, I wrote an article about PHP-CI, which you can use as a continuous integration tool for your PHP projects. Within this article I indicated I still liked Jenkins the most as a CI tool. Time to dive into Jenkins and see how we can set this up for our PHP project.
Key Takeaways
- Jenkins is a versatile tool that can be used for continuous integration of many different applications, including web, software, and mobile applications. It offers numerous options and possibilities, making it potentially overwhelming for new users.
- Installing Jenkins on Ubuntu Server 14.04 LTS involves running specific commands to add the key for the Jenkins repository to the system, add Jenkins to the sources.list file, and finally install Jenkins. Once installed, Jenkins can be accessed through a browser by adding port 8080 to the end of the URL.
- Securing Jenkins is crucial to prevent unauthorized access. This involves enabling the security realm, creating a user database, disabling the option for users to sign up without permission, and setting the authorization using either matrix based security or Project-based Matrix Authorization Strategy.
- Preparing Jenkins for PHP projects involves installing several plugins and creating a template. The plugins perform tasks such as analyzing a report and converting it to a graph. The template, created by Sebastian Bergmann, simplifies the process of configuring a new project.
Introduction to Jenkins
The list of things that Jenkins has to offer is huge due to the rich plugin system it has. Basically, Jenkins is just a tool which connects all kinds of different tools and plugins together to create a report for you. For example, it can run PHPUnit and show you the results in a graph over time. It can check your PHP code for errors by running php -l. However, you can also let Jenkins build a project and output a zip file, which you can use to deploy your application. The advantage of this is that you get a complete zip file back to upgrade your production application without having to run tools like Composer or NPM on your production servers.
Jenkins can be used for many different applications. You can use it for web applications written in PHP, but also for software and mobile applications written in Java or any other language. This makes Jenkins a very versatile tool and very interesting for companies handling many different projects.
Because Jenkins has so many options and possibilities, it can look overwhelming to people who are just starting to use it. Within this series of articles, we will slowly work our way into Jenkins. We will start with the installation and setup. After that we will continue with analyzing a project. In the end, we will take a close look at numerous other plugins we can use to check the quality of our product.
We will mainly focus on the quality of the PHP code, but in the end we will also take a short look at analyzing our HTML, CSS and JavaScript which work in close harmony with PHP.
Installing Jenkins
You can install Jenkins on any popular operating system. For this article, we are going to install Jenkins on Ubuntu Server 14.04 LTS. If you are using a different operating system, you can check here for the installation instructions per operating system. The easiest way to install Jenkins on Ubuntu would be to run this command.
sudo apt-get install jenkins
However, this installs the Jenkins version that is located in Ubuntu’s repository. Jenkins itself suggests installing directly from the Jenkins repositories. First, we add the key for the repository to our system.
wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key | sudo apt-key add -
Now we run the following command to add Jenkins to the sources.list file.
sudo sh -c 'echo deb http://pkg.jenkins-ci.org/debian binary/ > /etc/apt/sources.list.d/jenkins.list'
Now we are ready to install Jenkins.
sudo apt-get update
sudo apt-get install jenkins
When finished, Jenkins is successfully installed on your server.
You can now reach Jenkins through your browser by adding port 8080 to the end of the URL. So if my server is named ci.myserver.com, you can reach Jenkins on ci.myserver.com:8080.
Securing Jenkins
The first thing you should notice is that Jenkins is completely open. Anyone now going to this URL can do all kinds of different tasks, so the first thing we are going to do is secure it. We start by clicking on Manage Jenkins in the sidebar menu, where we will be greeted by a notification from Jenkins recommending that we secure the CI server.
Click the Setup Security button to continue. On the next page, check the enable security checkbox. The following steps are crucial to follow correctly, because it’s easy to lock yourself out of Jenkins. If this happens, you can follow these steps to gain access again.
The first thing you need to do is set your security realm. The easiest option is to let Jenkins use its own user database, by marking the checkbox in front of Jenkins' own user database. Make sure the allow users to sign up option is also enabled. Now save your configuration by clicking save.
You should now be able to see a sign up link at the top right corner of the page. Click this link and fill in the form to sign up. When done, log in with your newly created account.
Go back to the security settings by clicking Manage Jenkins and then clicking Configure Global Security. You should now uncheck the allow users to sign up checkbox to make sure no new accounts can be created without your permission.
Next we are going to set the authorization. The best options for you are either matrix based security or Project-based Matrix Authorization Strategy. This allows you to set per user which actions they can and cannot perform. If you choose the latter option, you will be able to even set this per project. For now, I am going to pick the matrix based security.
A table with permissions is now displayed. You will only see one table row in which you can define what an anonymous user can do. However, we want to set permissions for our own user account. So fill in your username in the box below and click Add. To make sure you have access to everything, you can check them all.
In the end, this is what it looks like.
Note: Be careful with capitalized letters. Peter and peter are 2 different user accounts, so make sure you fill in the correct username in both cases, or else you will be locked out of the system.
When saving, you will automatically get logged out. Note that you don’t see anything anymore except a login form. After logging in, you should have access to everything like before. If you get a permission error, you made a mistake and you either have to change the settings or you got yourself locked out of Jenkins. In the latter case, see the link above.
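The choices made in this section end up in config.xml in the Jenkins home directory. As an added example (not part of the original article), this Python script audits such a file for the mistakes described above: sign-up left enabled, permissions left on anonymous, and an Administer grant whose username differs only in capitalization. The sample XML is constructed, and the list of known usernames is an assumption supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample of $JENKINS_HOME/config.xml; not taken from a real server.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:Peter</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

ADMIN = "hudson.model.Hudson.Administer"


def audit_security(config_xml, known_users):
    """Return findings; known_users are exact, case-sensitive Jenkins usernames."""
    root = ET.fromstring(config_xml)
    if root.findtext("useSecurity", "false").strip() != "true":
        return ["security is disabled: anyone who can reach Jenkins has full control"]
    findings = []
    realm = root.find("securityRealm")
    own_db = realm is not None and "HudsonPrivateSecurityRealm" in realm.get("class", "")
    if own_db and realm.findtext("disableSignup", "false").strip() != "true":
        findings.append("sign-up is still enabled: anyone can create an account")
    strategy = root.find("authorizationStrategy")
    if strategy is None or "MatrixAuthorizationStrategy" not in strategy.get("class", ""):
        return findings + ["authorization is not matrix based"]
    grants = {}  # username -> set of permission ids
    for entry in strategy.findall("permission"):
        perm, _, sid = (entry.text or "").strip().rpartition(":")
        # Newer Jenkins versions prefix entries with USER: or GROUP:; keep the id only.
        grants.setdefault(sid, set()).add(perm.split(":")[-1])
    for perm in sorted(grants.get("anonymous", ())):
        findings.append(f"anonymous is granted {perm}")
    admins = [sid for sid, perms in grants.items() if ADMIN in perms]
    if not admins:
        findings.append("no account holds Administer: saving this locks you out")
    for sid in admins:
        if sid not in known_users:
            # Peter and peter are different accounts: point at the near match.
            near = [u for u in known_users if u.lower() == sid.lower()]
            hint = f" (did you mean '{near[0]}'?)" if near else ""
            findings.append(f"Administer is granted to unknown user '{sid}'{hint}")
    return findings


if __name__ == "__main__":
    for finding in audit_security(SAMPLE_CONFIG, known_users=["peter"]):
        print("WARN:", finding)
```

An empty result for your own config.xml means the three checks passed; it does not cover job-level permissions set with the project-based strategy.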
Preparing Jenkins
So far, we have been busy installing and securing Jenkins. Now it’s time to configure Jenkins so we can start building and analyzing our PHP projects. Sebastian Bergmann created an excellent website showing you how to set up Jenkins for PHP. We are going to do the same steps as documented, but in a slightly different order.
Installing plugins
First we need to install several plugins into Jenkins. Plugins are small extensions to Jenkins which can perform tasks for you like analyzing a report and converting it to a graph. We will need the following list of plugins to get started.
- checkstyle
- cloverphp
- crap4j
- dry
- htmlpublisher
- jdepend
- plot
- pmd
- violations
- xunit
We are going to install these plugins through the interface. If you feel more experienced or comfortable with the command line, you can check out this documentation to see how to install them via the command line. Also, that page will give you a short explanation about what every plugin will do.
Within Jenkins, go to Manage Jenkins and then to Manage Plugins. Click the tab named available. Here you will see a complete list of all available plugins. With the filter at the top right corner, you can quickly search for every plugin. Make sure you install the complete list of the plugins mentioned above by checking the checkboxes.
Check the checkbox in front of Restart Jenkins when installation is complete and no jobs are running to restart Jenkins when everything is done. After the restart, all the required plugins have been installed correctly.
Creating a template
When Jenkins is set up, we normally start by creating a project, sometimes called a job. A project is typically one of your PHP projects. Within a project, you will have several builds. You can configure Jenkins to analyze (build) your code at certain moments. This can be at scheduled intervals or on pull requests from contributors, for example. So a project contains several builds over time, each being a separate analysis of your code. Thanks to the plugins we installed, you will be able to see the results of those builds in nice graphs. Within these graphs you can quickly spot if a certain build increased or decreased the quality of your project. We can also see where we need to improve our code according to all of our tools.
We could now create a new project. However, we also would need to configure this project. For example, we could configure that each time PHPUnit is run, a code coverage page should be created so we can see which code is tested and which code is untested. There are a lot of tests we would need to configure on a new project, and this would likely be time consuming. Luckily, Sebastian Bergmann also created a template which we’re going to use.
We need to open up the command line to be able to install this template. The easiest way would be to download the CLI tool Jenkins provides. The problem, however, is that we secured our Jenkins installation earlier. This would mean we have to open up security back to anonymous or connect a public/private key to our account.
In this case, we are going for an alternative method of installing the template. First, log in as user Jenkins on the command line and go to the home directory.
sudo su jenkins
cd ~
Within the home directory, go into the jobs directory and create a new directory named php-template.
cd jobs
mkdir php-template
Now we are going to enter this directory and add the configuration file.
cd php-template
# TEMPLATE_CONFIG_URL is a placeholder for the address of the template's config.xml
wget -O config.xml "TEMPLATE_CONFIG_URL"
Now, we need Jenkins to reload its configuration. You can do this by going back to the web interface, click Manage Jenkins and click on Reload Configuration from Disk. Jenkins will now reload its configuration. When done, you should see the php-template project on the main overview page.
Jenkins is now ready. We can create new projects based on this template.
Conclusion
Within this article we installed, secured and prepared Jenkins to start analyzing our PHP project. In the next part, we will add our project, prepare it, and of course analyze it.
Frequently Asked Questions (FAQs) on Installing and Securing Jenkins
What are the best practices for securing Jenkins?
Securing Jenkins involves several steps. First, ensure that Jenkins is running in its own user account with limited privileges to minimize potential damage in case of a security breach. Second, enable security in the Configure Global Security section and choose the security realm for authentication. Third, use the Matrix-based security or Project-based Matrix Authorization Strategy for authorization. Fourth, ensure that all Jenkins plugins and the Jenkins core are always up-to-date. Lastly, regularly back up your Jenkins setup to prevent data loss.
How can I enable security in Jenkins?
To enable security in Jenkins, navigate to Manage Jenkins > Configure Global Security. Check the Enable security box. In the Access Control section, choose the security realm for authentication. Jenkins provides several options, including Jenkins’ own user database, LDAP, and others.
What is the Matrix-based security in Jenkins?
Matrix-based security is an authorization strategy in Jenkins that allows specifying different permissions for each user or group. It provides fine-grained control over what actions a user or a group can perform. To use it, you need to have the Role-Based Authorization Strategy plugin installed.
How can I keep my Jenkins plugins and core up-to-date?
Jenkins provides an easy way to update plugins and the core. Navigate to Manage Jenkins > Manage Plugins > Updates tab. Here, you can see the available updates for your installed plugins. To update the Jenkins core, go to Manage Jenkins > Manage Plugins > Advanced tab and click on the Check now button in the Update Site section.
How can I backup my Jenkins setup?
Regularly backing up your Jenkins setup is crucial to prevent data loss. You can use the ThinBackup plugin to back up your Jenkins setup. It allows scheduling backups and restoring from backups.
How can I limit the privileges of the Jenkins user account?
To limit the privileges of the Jenkins user account, create a new user account specifically for running Jenkins. This user account should not have sudo privileges or be able to log in to the system.
What is the Project-based Matrix Authorization Strategy in Jenkins?
The Project-based Matrix Authorization Strategy is an extension of the Matrix-based security that allows specifying different permissions for each job. It provides even more fine-grained control over what actions a user or a group can perform.
How can I install the Role-Based Authorization Strategy plugin in Jenkins?
To install the Role-Based Authorization Strategy plugin, navigate to Manage Jenkins > Manage Plugins > Available tab. Search for the Role-Based Authorization Strategy plugin, select it, and click on the Install without restart button.
What is the security realm in Jenkins?
The security realm in Jenkins is used for authentication. It determines how users are authenticated. Jenkins provides several options, including Jenkins’ own user database, LDAP, and others.
How can I secure Jenkins against cross-site request forgery (CSRF)?
To secure Jenkins against CSRF, navigate to Manage Jenkins > Configure Global Security. In the CSRF Protection section, check the Prevent Cross Site Request Forgery exploits box and choose the default Crumb Issuer.