Setting Up A Jenkins Server On NetBSD

03 Oct, 2020

I've been working on improving Nim's BSD support for a little while now, first by adding continuous integration running on FreeBSD and then on OpenBSD. The next step was obvious: running CI on NetBSD. Unfortunately, I couldn't find any CI services currently offering NetBSD as an option, so off I went down the rabbit hole of setting up a Jenkins install myself on NetBSD. In this post, I'll run through the process of doing so, as it's not as obvious as it may be on other platforms.

The first step is obvious: get NetBSD installed. I wanted to run it on a VPS rather than dedicating some local hardware to the cause, so my first step was actually finding a host that supported either installing NetBSD from a pre-built image or installing from an ISO. Fortunately, BuyVM KVM slices support custom ISOs and have a NetBSD 9.0 ISO readily available. I installed a clean copy of NetBSD 9.0 using the standard installation procedure.

During the install, I went for a full installation rather than a minimal install. I also took the chance to use some of the final optional steps such as setting up networking, setting up binary package installation, setting up pkgsrc, adding a user, etc. It's worth doing these at install time just to save some effort at a later date.

Initial set up

There are a few initial set up steps I like to do on any system before we even get to installing Jenkins or anything else. These are mostly for convenience, and are entirely up to you.

The first steps should be ran in a root shell:

• Install some standard packages that are useful:

  pkgin install sudo nano htop git fish mozilla-rootcerts
  

• Set up Mozilla's root cetificate bundle, which is used for SSL certificate verification:

  mozilla-rootcerts install
  

• Configure sudo to allow members of the wheel group to execute commands:

  visudo
  # find the line `# %wheel ALL=(ALL) ALL` and un-comment it
  

Now that I had sudo set up I dropped back to my standard user's shell, which was added to the wheel group during install, and ran some further steps:

• Configure fish with some standard variables and functions: mkdir -p $HOME/.config/fish

  echo 'set fish_greeting ""
  
  set -gx EDITOR (which nano)
  set -gx VISUAL $EDITOR
  
  function sudo!
      set -l cmd $history[1]
      echo "sudo $cmd" 1>&2
      eval sudo $cmd
  end' > $HOME/.config/fish/config.fish
  

• Set my shell to fish:

  chsh -s $(which fish)
  

• Set up my SSH public key:

  mkdir -p $HOME/.ssh
  chmod 0700 $HOME/.ssh
  echo 'my-ssh-public-key' > $HOME/.ssh/authorized_keys
  chmod 0600 $HOME/.ssh/authorized_keys
  

• Configure SSH to deny root login, disallow password authentication, disable X11 forwarding and a few other tweaks:

  sudo sed -i 's/^LoginGraceTime .*/LoginGraceTime 60/g' /etc/ssh/sshd_config
  sudo sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
  sudo sed -i 's/^#MaxAuthTries 6/MaxAuthTries 3/g' /etc/ssh/sshd_config
  sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
  sudo sed -i 's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
  sudo sed -i 's/^#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
  sudo sed -i 's/^#UseDNS no/UseDNS no/g' /etc/ssh/sshd_config
  sudo service sshd restart
  

• Configure some basic firewall rules for NPF to block all incoming traffic except SSH, HTTP and HTTPS. Note that the network interface here may be different:

  sudo touch /etc/npf_blacklist
  echo '# NOTE: change the `wm0` to the name of your external network interface
  $public_if = ifaddrs(wm0)
  
  # create 2 tables - one for blacklisted IPs, the other for suspicious traffic
  table  type ipset file "/etc/npf_blacklist"
  table  type lpm
  
  # create a variable for the TCP services we wish to allow
  $tcp_services = { http, https }
  
  alg "icmp"
  
  procedure "log" {
      log: npflog0
  }
  
  procedure "normalize" {
      normalize: "random-id", "min-ttl" 64, "max-mss" 1432, "no-df"
  }
  
  group default {
      # pass everything on loopback
      pass final on lo0 all
  
      # block blacklisted IPs
      block in final from 
  
      # block suspicious IPs
      block in final from 
  
      # allow all outgoing
      pass stateful out final all
  
      # allow ICMP
      pass in final proto icmp all
  
      # allow and log ssh
      pass stateful in final proto tcp from any to $public_if port ssh apply "log"
  
      # allow incoming TCP
      pass stateful in final proto tcp to $public_if port $tcp_services apply "normalize"
  
      # reject everything else
      block return in final all apply "log"
  }' | sudo tee /etc/npf.conf
  echo 'npf=YES' | sudo tee -a /etc/rc.conf
  sudo /etc/rc.d/npf reload
  sudo /etc/rc.d/npf start
  

Install and configure Nginx

We're going to use Nginx as a reverse proxy to Jenkins, so let's install that. Luckily, there's a relatively up to date binary package available:

sudo pkgin install nginx

Now let's configure Nginx to start at boot:

# copy the RC script into place
sudo cp /usr/pkg/share/examples/rc.d/nginx /etc/rc.d/nginx
echo 'nginx=YES' | sudo tee -a /etc/rc.conf
echo '/var/log/nginx/access.log nginx:nginx 640 7 * 24 Z /var/run/nginx.pid SIGUSR1
/var/log/nginx/error.log nginx:nginx 640 7 * 24 Z /var/run/nginx.pid SIGUSR1' | sudo tee -a /etc/newsyslog.conf

Then let's do some Nginx configuration to point to where Jenkins will eventually be running:

# take a backup of the existing configuration
sudo tar -czvf /usr/pkg/etc/nginx.tar.gz /usr/pkg/etc/nginx
sudo mkdir -p /usr/pkg/etc/nginx/conf.d
echo 'user nginx nginx;

worker_processes auto;

worker_rlimit_nofile 8192;

events {
    worker_connections 8000;
}

error_log /var/log/nginx/error.log warn;

pid /var/run/nginx.pid;

http {
    server_tokens off;

    include mime.types;

    default_type application/octet-stream;

    charset utf-8;

    charset_types
        text/css
        text/plain
        text/vnd.wap.wml
        text/javascript
        text/markdown
        text/calendar
        text/x-component
        text/vcard
        text/cache-manifest
        text/vtt
        application/json
        application/manifest+json;

    log_format main '\''$remote_addr - $remote_user [$time_local] "$request" '\''
                    '\''$status $body_bytes_sent "$http_referer" '\''
                    '\''"$http_user_agent" "$http_x_forwarded_for"'\'';

    access_log /var/log/nginx/access.log main;

    keepalive_timeout 20s;

    sendfile on;

    tcp_nopush on;

    gzip on;

    gzip_comp_level 5;

    gzip_min_length 256;

    gzip_proxied any;

    gzip_vary on;

    gzip_types
        application/atom+xml
        application/geo+json
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/vnd.ms-fontobject
        application/wasm
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/eot
        font/otf
        font/ttf
        image/bmp
        image/svg+xml
        text/cache-manifest
        text/calendar
        text/css
        text/javascript
        text/markdown
        text/plain
        text/xml
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    include conf.d/*.conf;
}' | sudo tee /usr/pkg/etc/nginx/nginx.conf
echo 'server {
    listen [::]:80 default_server;
    listen 80 default_server;

    server_name _;

    return 444;
}' | sudo tee /usr/pkg/etc/nginx/conf.d/no-default.conf
echo 'server {
    listen [::]:80;
    listen 80;

    # change this to your actual domain name
    server_name jenkins.euantorano.co.uk;

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 90s;

        # change this to your actual domain name
        proxy_redirect http://127.0.0.1:8080 http://jenkins.euantorano.co.uk;

        proxy_http_version 1.1;
        proxy_request_buffering off;

    }
}' | sudo tee /usr/pkg/etc/nginx/conf.d/jenkins.conf

And now let's start nginx:

sudo /etc/rc.d/nginx start

Install Java

Jenkins uses Java, which we must install. We'll use the binary package for OpenJDK 8, as OpenJDK 11 on NetBSD currently (at the time of writing) has a bug related to network connections.

sudo pkgin install openjdk8

Install Jenkins

Jenkins is available as a package on NetBSD, but unfortunately the version available is well out of date as of the time of writing (the package version 2.73, while the current version is version 2.259). As such, we'll download the current version from the Jenkins website and use that instead:

sudo mkdir -p /usr/lib/jenkins
sudo mkdir -p /var/lib/jenkins
sudo mkdir -p /var/log/jenkins
sudo chown jenkin:jenkins /var/log/jenkins
sudo ftp -o /usr/lib/jenkins/jenkins.war https://get.jenkins.io/war/latest/jenkins.war
# create a group for jenkins to run under
sudo groupadd jenkins
# create a user for jenkins to run under
sudo useradd -s /sbin/nologin -g jenkins -m -d /home/jenkins jenkins
# Create an RC script for Jenkins
echo '#!/bin/sh

# PROVIDE: jenkins
# REQUIRE: DAEMON

. /etc/rc.subr

JENKINS_USER=jenkins
JENKINS_GROUP=jenkins

JENKINS_HOME=/home/jenkins
export JENKINS_HOME

HOME=$JENKINS_HOME

name="jenkins"
rcvar=$name
pidfile="/var/run/jenkins.pid"
start_cmd="jenkins_start"
stop_cmd="jenkins_stop"
restart_cmd="jenkins_restart"
status_cmd="jenkins_status"
version_cmd="jenkins_version"
extra_commands="status version"

jenkins_start()
{
    su -m jenkins:jenkins -c '\''nohup \
        /usr/pkg/java/openjdk8/bin/java -jar /usr/lib/jenkins/jenkins.war \
            --httpPort=8080 --httpListenAddress=127.0.0.1 \
        </dev/null >> /var/log/jenkins/jenkins.log 2>&1 &
        echo "$!"'\'' > $pidfile
    pid=$(cat "$pidfile")
    echo "Started Jenkins: $pid"
}

jenkins_stop()
{
    if [ -f "$pidfile" ]; then
        pid=$(cat "$pidfile")
        echo "Stopping Jenkins: $pid"
        kill -15 "$pid"
        rm "$pidfile"
    fi
}

jenkins_restart()
{
    jenkins_stop && jenkins_start
}

jenkins_status()
{
    if [ ! -f "$pidfile" ]; then
        echo "Jenkins is not running"
        exit 1
    fi

    pid=$(cat "$pidfile")
    kill -0 "$pid"
    if [ $? -eq 0 ]; then
        echo "Jenkins is running (PID $pid)"
        exit 0
    else
        echo "Jenkins is not running"
        rm "$pidfile"
        exit 1
    fi
}

jenkins_version()
{
    /usr/pkg/java/openjdk8/bin/java -jar /usr/lib/jenkins/jenkins.war --version
}

load_rc_config "$name"
run_rc_command "$1"' | sudo tee /etc/rc.d/jenkins
sudo chmod +x /etc/rc.d/jenkins
echo '/var/log/jenkins/jenkins.log jenkins:jenkins 640 7 * 24 Z /var/run/jenkins.pid SIGUSR1' | sudo tee -a /etc/newsyslog.conf

And now let's start Jenkins:

sudo /etc/rc.d/jenkins start

Finishing up

Jenkins is now running behind Nginx as a reverse proxy, but there are still a few tasks to do, including running through the Jenkins install web UI and setting up build jobs. It's probably a good idea to set up HTTPS too. I'm afraid these are left to the reader for the time being!

#NetBSD