authorizationStrategy: unsecured still wants me to create an admin user

[dmolesUC]

I'm running a throwaway instance of Jenkins in a Docker container on a machine that's only accessible to people who in principle would all have admin privileges anyway.

I've tried copying the configuration from UnsecuredAuthorizationStrategyConfiguratorTest.yml, but when I navigate to Jenkins the first thing I get is a prompt to create an admin user. Full jenkins.yaml:

plugins:
  required:
    blueocean: 1.13.1
    configuration-as-code: 1.7

jenkins:
  systemMessage: |
    Jenkins Docker image built from https://github.com/dmolesUC3/mrt-jenkins-docker
  mode: NORMAL
  numExecutors: 2
  scmCheckoutRetryCount: 2
  securityRealm:
    local:
      allowsSignup: false
  authorizationStrategy: unsecured

I tried

  securityRealm: none

but that just got me

java.lang.IllegalArgumentException: No hudson.security.SecurityRealm implementation found for none
Possible solution: Try to install 'configuration-as-code-support' plugin
	at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.findDescribableBySymbol(HeteroDescribableConfigurator.java:148)

What am I missing?

System information

• Jenkins 2.150.3 (jenkins/jenkins:lts Docker image)
• configuration-as-code version 1.7
• macOS (as Docker host)

[dmolesUC]

After creating an admin user, I did a configuration export, and based on that I changed my config to:

  securityRealm:
    local:
      allowsSignup: false
      enableCaptcha: false
      users:
        - id: admin
          password: admin
  authorizationStrategy: unsecured

This kind-of-sort-of worked insofar as it didn't require me to create an admin user when I navigated to Jenkins; however, instead I was presented with the setup wizard. Exiting the setup wizard (with ❌) instead of selecting plugins got me:

Jenkins is ready!

You have skipped the setup of an admin user.

To log in, use the username: "admin" and the administrator password you used to access the setup wizard.
You have skipped the configuration of the Jenkins URL.

To configure the Jenkins URL, go to "Manage Jenkins" page.
Your Jenkins setup is complete.

This manages to be marginally more annoying than having to create a user, leading me to revert to the previous configuration.

[dmolesUC]

(For clarity, my goal here is

Fully working Jenkins master with:

• no hands on keyboard
• no click on UI

as promised on the CASC homepage.)

[jetersen]

To skip setup wizard, add this to your dockerfile.

ARG jenkins_home=/usr/share/jenkins/ref
RUN echo $JENKINS_VERSION | tee \
    $jenkins_home/jenkins.install.UpgradeWizard.state \
    $jenkins_home/jenkins.install.InstallUtil.lastExecVersion

Read the initial exception you posted again, it clearly tells you the solution.

[jetersen]

I suggest your read the readme located here for some of the docker tips: https://github.com/jenkinsci/docker

[dmolesUC]

Ah, I misread configuration-as-code-support as configuration-as-code, thank you.

It would be helpful if the purpose of the -support plugin was documented more prominently, as the only reference I saw to it was this one:

Those running Jenkins as a Docker container (and maybe also pre-installing plugins), do include Configuration as Code plugin and optionally the Configuration as Code Support plugin if you use one of the credentials plugins or the job-dsl (see link).

I take it this is meant to mean,

If you're using one of the credentials plugins or the job-dsl, which are optional, you should install Configuration As Code Support.

but I understood it to mean

If you're using one of the credentials plugins or the job-dsl, you might, optionally, want to install Configuration As Code Support.

I'm not sure which link is meant by "(see link)", but the Configuration As Code Support plugin page doesn't give any information as to why one might or might not want it.

That said, adding configuration-as-code-support doesn't allow securityRealm: none, it just suppresses the Possible solution: message. Removing the securityRealm section entirely did seem to work.

The jenkins.install.UpgradeWizard.state / jenkins.install.InstallUtil.lastExecVersion trick didn't work, possibly broken in some recent-ish Jenkins version -- it looked as though the jenkins.install.InstallUtil.lastExecVersion file somehow got deleted between the time it was written and the time I navigated to Jenkins in the browser. However, adding

ENV JAVA_OPTS -Djenkins.install.runSetupWizard=false

to the Dockerfile and removing the securityRealm section entirely does seem to do the trick.

[ringerc]

The advice from @Casz here on skipping the setup wizard may be outdated/incomplete. In any case, it didn't do any good for me using the dockerhub jenkins/jenkins:lts image. However, invoking the container with --env JAVA_OPTS="-Djenkins.install.runSetupWizard=false" did.

[jetersen]

@ringerc again not a JCasC issue this will do the trick too inside docker.

ENV JAVA_OPTS="jenkins.install.runSetupWizard=false ${JAVA_OPTS}"