Last active
March 1, 2016 20:38
Gist: programmerq/6da3890f8fc9fbde8cc7
tl;dr: let docker-machine set up TLS for you, copy the client certs into your Jenkins container, and use them from there.
First, provision a machine using docker-machine. It doesn't matter which driver you use; the end result is the same.
For a DigitalOcean box:
$ docker-machine create -d digitalocean \
    --digitalocean-region sfo1 \
    --digitalocean-size 2gb \
    --digitalocean-access-token=abcdefgh1234567890345678 \
    tls
Or, if you have a manually provisioned bare-metal box or VM that you can ssh into, do the following. The ssh user needs passwordless sudo for this step to complete successfully.
$ docker-machine create -d generic \
    --generic-ssh-user ubuntu \
    --generic-ssh-port 22 \
    --generic-ssh-key ~/.ssh/id_rsa \
    --generic-ip-address 1.2.3.4 \
    tls
So now I can see which environment variables need to be set to talk to the docker daemon:
$ docker-machine env tls
I can actually set them by doing this:
$ eval $(docker-machine env tls)
and test it out:
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
Great, I am now talking to a remote docker daemon from my workstation. How do I add this to Jenkins? The lazy way, of course:
First, copy the client certs from my DOCKER_CERT_PATH into a volume on the host. (You could also scp them to the remote host and use a host volume.) Copy only ca.pem, cert.pem and key.pem: docker-machine's machine directory also holds the daemon's server key (server-key.pem) and the SSH private key for the host (id_rsa), and nothing in Jenkins needs those. Make sure the files end up owned by `1000:1000`, since that's what the jenkins user and group are in the jenkins image, and keep key.pem at mode 0600: whoever holds it has root-equivalent control of the remote daemon.
$ docker pull alpine
$ docker volume create --name 'jenkins_cert_path'
$ tar -C $DOCKER_CERT_PATH -c ca.pem cert.pem key.pem | docker run --rm -i -v jenkins_cert_path:/jcp alpine tar -C /jcp -xv
$ docker run --rm -u root -v jenkins_cert_path:/jcp alpine sh -c 'chown -R 1000:1000 /jcp/ && chmod 600 /jcp/key.pem'
$ docker run --rm -v jenkins_cert_path:/jcp alpine ls -lah /jcp
Now, when I fire up my jenkins image, I can attach my 'jenkins_cert_path' volume and set my environment variables appropriately:
$ docker run --name jenkins -v jenkins_cert_path:/jcp -d -p ... my_jenkins_image
So now, in a job, I can do the following:
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST="tcp://1.2.3.4:2376"
export DOCKER_CERT_PATH="/jcp"
docker ps # should work, assuming you installed the docker CLI into the jenkins container/image.
You can test this by running `docker exec -it jenkins bash`, exporting those variables, and trying the docker CLI by hand.
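The two steps above (pick out the client files, then load them into the volume with the right owner and modes) as a small script. This is an added example, not code from the original gist: it stages only ca.pem, cert.pem and key.pem from a docker-machine machine directory, refuses to run if one is missing, and tightens the modes before anything is handed to Jenkins. The directory layout it demonstrates against is constructed (dummy file contents standing in for `~/.docker/machine/machines/tls`), and the volume name and the `/var/jenkins_home/docker-creds` destination are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original gist). Stage only the client-side TLS
# files docker-machine generated, instead of copying the whole machine directory,
# which also contains the daemon's server key and the SSH private key for the host.
set -eu

# The only files the docker CLI needs when DOCKER_TLS_VERIFY=1 is set.
CLIENT_FILES="ca.pem cert.pem key.pem"

# stage_client_certs SRC DEST: copy the client cert set from SRC into DEST.
# Fails (non-zero) if any of the three files is missing; copies nothing else.
stage_client_certs() {
    src=$1; dest=$2
    mkdir -p "$dest"
    chmod 700 "$dest"
    for f in $CLIENT_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "missing $src/$f" >&2
            return 1
        fi
        cp "$src/$f" "$dest/$f"
    done
    chmod 644 "$dest/ca.pem" "$dest/cert.pem"   # public material
    chmod 600 "$dest/key.pem"                    # the client private key
}

# staged_files DIR: list what ended up in DIR, one name per line, sorted.
staged_files() {
    ls -1 "$1" | sort
}

# load_into_volume DIR VOLUME: the same tar-through-alpine trick as the gist,
# but fed from the staged directory. Needs a docker daemon, so the tests below
# do not call it.
load_into_volume() {
    dir=$1; vol=$2
    docker volume create --name "$vol" >/dev/null
    tar -C "$dir" -c . | docker run --rm -i -v "$vol":/jcp alpine tar -C /jcp -x
    docker run --rm -u root -v "$vol":/jcp alpine \
        sh -c 'chown -R 1000:1000 /jcp && chmod 600 /jcp/key.pem && ls -la /jcp'
}

# demo_machine_dir: constructed stand-in for ~/.docker/machine/machines/tls.
# Same file names docker-machine writes there, dummy contents.
demo_machine_dir() {
    d=$(mktemp -d)
    for f in ca.pem cert.pem key.pem server.pem server-key.pem id_rsa id_rsa.pub config.json; do
        echo "dummy $f" > "$d/$f"
    done
    echo "$d"
}

# Demo run against the constructed directory.
SRC_DIR=$(demo_machine_dir)
DEST_DIR=$(mktemp -d)/docker-creds
stage_client_certs "$SRC_DIR" "$DEST_DIR"
staged_files "$DEST_DIR"   # ca.pem, cert.pem, key.pem and nothing else
```

For the real thing, run `stage_client_certs "$DOCKER_CERT_PATH" /var/jenkins_home/docker-creds` (or a temp dir followed by `load_into_volume`) on the workstation that ran docker-machine, then `chown -R 1000:1000` the result so the jenkins user can read it. The explicit file list is the point: `tar -c .` over the machine directory would ship server-key.pem and id_rsa along for the ride.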
-------
Option 2!
Here's the docker-compose.yml for my jenkins service. I simply write the contents of my `$DOCKER_CERT_PATH` (just ca.pem, cert.pem and key.pem) out to something like `/var/jenkins_home/docker-creds`, owned by 1000:1000 with key.pem at 0600, and set DOCKER_CERT_PATH to that path in my jobs. Two things to check before copying this: the jenkins user (uid 1000) must be able to read the mounted `/etc/ssl/private/jenkins.example.com.key`, and `/etc/ssl/private` is normally root-only on the host; and `--debug=9` makes Jenkins log very verbosely, so drop it once things work.
jenkins:
  image: jenkins:latest
  ports:
    - "8083"
    - "50000:50000"
  volumes:
    - /var/jenkins_home:/var/jenkins_home
    - /etc/ssl/private/jenkins.example.com.key:/var/lib/jenkins/pk
    - /etc/ssl/private/jenkins.example.com.crt:/var/lib/jenkins/cert
  environment:
    JENKINS_OPTS: '--httpPort=-1 --httpsPort=8083 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk --debug=9'
    JAVA_OPTS: '-Dorg.apache.commons.jelly.tags.fmt.timeZone=America/Denver'
    VIRTUAL_HOST: 'jenkins.example.com'
    VIRTUAL_PORT: 8083
    VIRTUAL_PROTO: https
  restart: unless-stopped