容器中运行
Master
如果使用 nginx 作为反向代理,并设置 context path 为 /jenkins,需要向容器传入环境变量 --env JENKINS_OPTS="--prefix=/jenkins"
在主机上创建 /var/jenkins_home 目录并修改权限,使得 container 中的 jenkins user 可以访问
mkdir /var/jenkins_home
chown -R 1000:1000 /var/jenkins_home
- 无证书访问,启动端口为 8080
docker run -it --name jenkins-master -v /var/jenkins_home:/var/jenkins_home -p 8080:8080 -p 50000:50000 --restart=on-failure -e JENKINS_OPTS="--prefix=/jenkins" jenkins/jenkins:lts-jdk11
docker-compose.yaml
Jenkins 容器安装 plugins 需要访问外网,如果通过代理访问,容器中的环境变量 http_proxy 和 https_proxy 无法被 Jenkins 识别,因为 Jenkins 使用的是 JVM,因此需要向容器传递 JAVA_OPTS 环境变量来设置 JVM 的代理 (Passing JVM parameters)。
services:
jenkins-master:
image: "jenkins/jenkins:lts-jdk11"
container_name: jenkins-master
restart: on-failure
environment:
JENKINS_OPTS: "--prefix=/jenkins"
JAVA_OPTS: -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=7890 -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=7890
ports:
- "8080:8080"
- "50000:50000"
volumes:
- "/var/jenkins_home:/var/jenkins_home"
networks:
- devops
networks:
devops:
name: devops
- 有证书访问,启动端口为 8083,需要将私钥和证书复制到 Jenkins image 中。
FROM jenkins/jenkins:lts-jdk11
COPY --chown=jenkins:jenkins https.pem /var/lib/jenkins/cert
COPY --chown=jenkins:jenkins https.key /var/lib/jenkins/pk
ENV JENKINS_OPTS --prefix=/jenkins --httpPort=-1 --httpsPort=8083 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk
EXPOSE 8083
然后执行
docker run -it --name jenkins -v /var/jenkins_home:/var/jenkins_home jenkins -p 8083:8083 -p 50000:50000 --restart=on-failure jenkins/jenkins:lts-jdk11
nginx 反向代理配置
假设 nginx 起在 docker 容器并且有以下端口映射
docker run --name nginx -p 8088:80 -p 8443:443 -d nginx
则相应的 nginx 代理设置如下,应注意 proxy_set_header Host $host:8088; 需要把 nginx 端口加入到 Host header 中
server {
listen 80 default_server;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /jenkins/ {
proxy_pass http://jenkins:8080;
proxy_redirect default;
proxy_http_version 1.1;
proxy_set_header Host $host:8088;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_max_temp_file_size 0;
#this is the maximum upload size
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
proxy_request_buffering off; # Required for HTTP CLI commands
proxy_set_header Connection ""; # Clear for keepalive
}
}
Inbound-Agent
docker run --init jenkins/inbound-agent -url http://jenkins-server:port -workDir=/home/jenkins/agent <secret> jenkins-inbound-agent
secret 需要从 master jenkins 配置的 inbound agent 中得到。
docker-compose.yml
version: "3.7"
services:
jenkins-inbound-agent:
image: jenkins/inbound-agent
container_name: jenkins-inbound-agent
init: true
restart: on-failure
environment:
JENKINS_URL: "https://reverse-proxy/jenkins"
JENKINS_TUNNEL: "jenkins-master:50000"
JENKINS_SECRET: "62a8c05436d4dcc91a20d9cd7bc4102e63b38e0bcc12c45158149446bfa380dd"
JENKINS_AGENT_NAME: "inbound-agent"
JENKINS_AGENT_WORKDIR: "/home/jenkins/agent"
注意:init 选项是在 compose file 3.7 版本后引入,所以这里必须指定 version: "3.7" 或以上版本。
如果以 https 访问 Jenkins Master, 需要将证书添加到 Agent 的镜像中。
FROM jenkins/inbound-agent
COPY *.pem /tmp/
USER root
RUN keytool -import -trustcacerts -cacerts -storepass changeit -file /tmp/rootca.pem -alias rootca -noprompt
RUN keytool -import -trustcacerts -cacerts -storepass changeit -file /tmp/intermediateca.pem -alias intermediateca -noprompt
RUN keytool -import -trustcacerts -cacerts -storepass changeit -file /tmp/issuingca.pem -alias issuingca -noprompt
RUN keytool -import -trustcacerts -cacerts -storepass changeit -file /tmp/devops.pem -alias devops-vip -noprompt
USER jenkins
# RUN chmod 644 /usr/local/share/ca-certificates/devops.pem && update-ca-certificates
docker build -t my-inbound-agent .