Document skipping initial setup wizard #833
Documented steps to skip setup wizard didn't appear to work on `jenkins/jenkins:latest` or `jenkins/jenkins:latest`. Neither did variants of them that tried to cope with volume-mounting etc, like:

```
RUN echo $JENKINS_VERSION | tee \
    /usr/share/jenkins/ref/jenkins.install.UpgradeWizard.state \
    /usr/share/jenkins/ref/jenkins.install.InstallUtil.lastExecVersion
```

Instead, recommend use of a system property that is known to work.
Looks good to me overall, just minor suggestions
|
||
This will disable creation of the default admin user and password, and will leave Jenkins in an unsecured configuration where anyone who can connect has full admin rights. So it should generally be coupled with automation to install plugins and to configure the server. | ||
|
||
Note: Some documentation suggested creating `jenkins.install.UpgradeWizard.state` and/or `jenkins.install.InstallUtil.lastExecVersion`. Using the system property is simpler and more reliable. |
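Review bot: The closing note calls the system property "simpler and more reliable" than creating `jenkins.install.UpgradeWizard.state` and `jenkins.install.InstallUtil.lastExecVersion`, but it does not say which image tags or Jenkins versions that was checked against. State the versions tested, so a reader can tell whether the state-file approach is merely discouraged or no longer works.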
it is
which may be inappropriate. | ||
docker run ..otheroptions... --env JAVA_OPTS="-Djenkins.install.runSetupWizard=false" jenkins/jenkins:lts` | ||
|
||
This will disable creation of the default admin user and password, and will leave Jenkins in an unsecured configuration where anyone who can connect has full admin rights. So it should generally be coupled with automation to install plugins and to configure the server. |
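Review bot: The `docker run` line ends with a stray backtick after `jenkins/jenkins:lts` and has no opening one, so the command will not render as code; put it in a fenced block. The warning that this leaves anyone who can connect with full admin rights also comes only after the command. Moving it above the command means a reader who copies the line sees the consequence first.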
This will disable creation of the default admin user and password, and will leave Jenkins in an unsecured configuration where anyone who can connect has full admin rights. So it should generally be coupled with automation to install plugins and to configure the server. | |
Unless you use some kind of Configuration-as-Code to configure the instance (Groovy Hooks, JCasC plugin, etc.), | |
this will disable creation of the default admin user and password, and will leave Jenkins in an unsecured configuration where anyone who can connect has full admin rights. So it should generally be coupled with automation to install plugins and to configure the server. |
|
||
Note: Some documentation suggested creating `jenkins.install.UpgradeWizard.state` and/or `jenkins.install.InstallUtil.lastExecVersion`. Using the system property is simpler and more reliable. | ||
|
||
## Applying an initial server configuration |
Maybe it's worth referencing https://speakerdeck.com/onenashev/docker-and-jenkins-as-code or a similar slide deck
which may be inappropriate. | ||
docker run ..otheroptions... --env JAVA_OPTS="-Djenkins.install.runSetupWizard=false" jenkins/jenkins:lts` | ||
|
||
This will disable creation of the default admin user and password, and will leave Jenkins in an unsecured configuration where anyone who can connect has full admin rights. So it should generally be coupled with automation to install plugins and to configure the server. |
Additionally, several other security-related settings will not be enabled by default. While I don't think we should provide an exhaustive list that might easily become outdated, it's important to point this out.
FWIW the "documented" (in this repo only) steps have always been an unsupported hack and I don't understand how they became preferable over the intended method. Perhaps because it didn't require changing how to invoke Re-reading the discussion in JENKINS-40279 makes apparent that many users involved do not properly distinguish between the setup wizard and the upgrade wizard.
Perhaps that could explain part of this? The system property does not help with the latter?
None of the proposed methods work with the latest LTS (2.277.1)
@NorseGaud Are you referring to 2.277.1?
@slide Yep -- it seems like
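The review comments above say that skipping the wizard is only safe when a Groovy hook or similar configures the instance. The following init script is an added example of such a hook, not code from this pull request or the Jenkins project; the account name `admin` and the secret file path are assumptions.

```groovy
// Added example: init.groovy.d hook that secures an instance started with
// -Djenkins.install.runSetupWizard=false. Not part of the pull request.
import hudson.model.User
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.HudsonPrivateSecurityRealm
import java.util.logging.Logger
import jenkins.model.Jenkins

def log = Logger.getLogger('init.security')
def jenkins = Jenkins.get()

// Assumptions (not defined by the image): account name and secret file path.
def adminId = 'admin'
def secretFile = new File('/run/secrets/jenkins-admin-password')

// Lock the instance down first, so it is never left open even if the
// account cannot be created further down.
if (!(jenkins.securityRealm instanceof HudsonPrivateSecurityRealm)) {
    // allowsSignup=false: no self-registration; captcha is not used.
    jenkins.securityRealm = new HudsonPrivateSecurityRealm(false, false, null)
}
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.allowAnonymousRead = false   // anonymous users get no access at all
jenkins.authorizationStrategy = strategy

if (User.getById(adminId, false) != null) {
    // Hooks run on every start: do not reset an existing account's password.
    log.info('Account ' + adminId + ' already exists; leaving it unchanged')
} else if (secretFile.canRead() && secretFile.text.trim()) {
    jenkins.securityRealm.createAccount(adminId, secretFile.text.trim())
    log.info('Created account ' + adminId + ' from ' + secretFile)
} else {
    // No credential supplied: the instance stays locked with no usable
    // login, which is the safe failure mode for an unattended start.
    log.warning('No readable password at ' + secretFile +
                '; security is enabled but no account was created')
}

jenkins.save()
```

It is copied into the image the same way the diff copies `custom.groovy`, under `/usr/share/jenkins/ref/init.groovy.d/`.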
@@ -164,6 +172,10 @@ FROM jenkins/jenkins:lts | |||
COPY custom.groovy /usr/share/jenkins/ref/init.groovy.d/custom.groovy |
COPY custom.groovy /usr/share/jenkins/ref/init.groovy.d/custom.groovy | |
```dockerfile | |
FROM jenkins/jenkins:lts | |
COPY custom.groovy /usr/share/jenkins/ref/init.groovy.d/custom.groovy |