Notes on the Jenkins Configuration [OBSOLETE]

A Jenkins build system has been installed and configured for the LHCb Nightly builds, at the following address:

https://buildlhcb.cern.ch/jenkins

It consists of an Apache Tomcat5 server, running the Jenkins Web application, behind an Apache HTTP server.

Authentication is done using the CERN Single-Sign-On service, via an Apache module. Read access is limited to the "lhcb-general" egroup.

Apache configuration

The system http server is used, and several configurations can be found in /etc/httpd/conf.d/build.conf

The server takes all requests for Jenkins via HTTPS, while the CDash requests are served via HTTP:

<VirtualHost *:80>
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteCond %{REQUEST_URI} !^/CDash/submit.php$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
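
The port-80 redirect logic above, modelled in Python as an added example (not part of the original page or of the LHCb configuration); the function names and sample requests are constructed for illustration. It shows which requests the exemption leaves on plain HTTP, including the effect of the unescaped dot in the pattern and of the condition being matched case-sensitively.

```python
import re

# Conditions and rule from the port-80 virtual host, exactly as written on the page.
COND_PORT = re.compile(r"^443$")               # RewriteCond %{SERVER_PORT} !^443$
COND_URI = re.compile(r"^/CDash/submit.php$")  # RewriteCond %{REQUEST_URI} !^/CDash/submit.php$
RULE = re.compile(r"^/(.*)", re.IGNORECASE)    # RewriteRule ^/(.*) ... [NC,R,L]


def redirect_target(port, host, request):
    """Return the HTTPS URL the vhost redirects to, or None when the request
    is served as-is on the connection it arrived on."""
    # REQUEST_URI is the path only; mod_rewrite excludes the query string.
    path, _, query = request.partition("?")
    # Both conditions are negated (!) and ANDed. Neither carries [NC],
    # so they are case-sensitive even though the rule itself is not.
    if COND_PORT.search(str(port)) or COND_URI.search(path):
        return None
    match = RULE.search(path)
    if match is None:
        return None
    # $1 is the path without its leading slash; on a redirect mod_rewrite
    # appends the original query string to the substitution.
    target = "https://%s/%s" % (host, match.group(1))
    return target + ("?" + query if query else "")


def audit(requests, host="buildlhcb.cern.ch", port=80):
    """Split request targets into (left on plain HTTP, redirected to HTTPS)."""
    plain, redirected = [], {}
    for request in requests:
        target = redirect_target(port, host, request)
        if target is None:
            plain.append(request)
        else:
            redirected[request] = target
    return plain, redirected


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/jenkins/job/x?page=2",          # redirected, query string preserved
    "/CDash/submit.php?project=LHCb", # exempt: query string is not part of REQUEST_URI
    "/CDash/submitXphp",              # also exempt: the "." in the pattern matches any character
    "/cdash/submit.php",              # redirected: the condition is case-sensitive
    "/CDash/index.php",               # redirected: only submit.php is exempt
]

if __name__ == "__main__":
    plain, redirected = audit(SAMPLES)
    print("served over plain HTTP:", plain)
    for request, target in redirected.items():
        print(request, "->", target)
```
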

The main feature is that the HTTP server forwards the requests to Tomcat via the AJP13 protocol, using the mod_proxy_ajp plugin, configured this way:

ProxyRequests Off
ProxyPass       /jenkins ajp://localhost:8009/jenkins
ProxyPassReverse    /jenkins ajp://localhost:8009/jenkins

Apache relies on Shibboleth (apache module + plugin) configured this way:

<Location /jenkins>
Order allow,deny
Allow from all
# The modules only work using HTTPS
SSLRequireSSL
AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
ShibExportAssertion On
ShibUseHeaders On
Require valid-user
Require ADFS_GROUP "lhcb-general" 
</Location>

It would also be possible to authenticate the users against LDAP, using for example:

<Location /test>
Order allow,deny
Allow from all
# The modules only work using HTTPS
SSLRequireSSL
AuthName "LDAPTest"
# Authorization LDAP
AuthType Basic
AuthBasicProvider        ldap
AuthLDAPURL              "ldap://cerndc.cern.ch/dc=CERN,dc=CH?cn?sub?(objectClass=User)" SSL
AuthLDAPBindDN           "CN=<service_account>,OU=Users,OU=Organic Units,DC=cern,DC=ch"
AuthLDAPBindPassword     "<password>"
AuthzLDAPAuthoritative   on
require valid-user
</Location>

One trick put in place is to log out from the SSO via the Jenkins logout button:

<Location /jenkins/logout>
Redirect /jenkins/logout https://login.cern.ch/adfs/ls/?wa=wsignout1.0
</Location>
Topic revision: r2 - 2017-08-31 - BenjaminCouturier
 