From b739c0ecaeec6596963765e1012f0bc8d7667c74 Mon Sep 17 00:00:00 2001
From: Isaac Beckman
Date: Sun, 3 Jan 2016 12:58:26 +0200
Subject: [PATCH] Pass Java arguments to Jenkins master
Passing Java arguments to Jenkins puppet allows to tune Jenkins master Java. This is useful in order to set various Java attributes like Java heap size virtual memory consumption. This is most useful for downstream projects. This patch also enables to workaround Jenkins SECURITY-170 by setting java arguments through hieradata. https://issues.jenkins-ci.org/browse/JENKINS-34885
Change-Id: I745a23b0f177f868d5406639bc8c42e3acacea72
Depends-On: Ice0e4ffa2fffd041d8bcc4a0b323ffae7ba2b0c8
---
 contrib/single_node_ci_data.yaml | 7 +++++++
 contrib/single_node_ci_site.pp | 1 +
 manifests/jenkins_master.pp | 2 ++
 manifests/single_node_ci.pp | 11 +++++++++++
 4 files changed, 21 insertions(+)
diff --git a/contrib/single_node_ci_data.yaml b/contrib/single_node_ci_data.yaml
index a40bcee..530cdde 100644
--- a/contrib/single_node_ci_data.yaml
+++ b/contrib/single_node_ci_data.yaml
@@ -8,6 +8,8 @@ project_config_repo: http://your-project-config-repo.example.com/project-config-
 # zuul. However, it has numerous security vulnerabilities, and should only
 # be used for installations that have other means (e.g. firewalls) that block all
 # untrusted access to Jenkins.
+# see SECURITY-170 in:
+# "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
 #jenkins_version: present
 #jenkins_vhost_name: jenkins
 #jenkins_username: jenkins
@@ -18,6 +20,11 @@ jenkins_ssh_private_key: |
 -----END RSA PRIVATE KEY-----
 jenkins_ssh_public_key: your-jenkins-public-key-no-whitespace
 jjb_git_revision: 1.6.2
+#java_args_override: |
+ # These are the arguments to pass to Java
+ # The recommended value:
+ # "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+ # Please note that using the parameter: keepUndefinedParameters=true is not secure and exposes a potential jenkins security vulnerability
 #jjb_git_url: https://git.openstack.org/openstack-infra/jenkins-job-builder
 #gerrit_server: review.openstack.org
 #gerrit_ssh_host_key:
diff --git a/contrib/single_node_ci_site.pp b/contrib/single_node_ci_site.pp
index 0aafcb3..8dae153 100644
--- a/contrib/single_node_ci_site.pp
+++ b/contrib/single_node_ci_site.pp
@@ -38,6 +38,7 @@ node default {
 jenkins_password => hiera('jenkins_password', 'XXX'),
 jenkins_ssh_private_key => hiera('jenkins_ssh_private_key'),
 jenkins_ssh_public_key => hiera('jenkins_ssh_public_key'),
+ java_args_override => hiera('java_args_override', undef),
 gerrit_server => hiera('gerrit_server', 'review.openstack.org'),
 gerrit_user => hiera('gerrit_user'),
 gerrit_user_ssh_public_key => hiera('gerrit_user_ssh_public_key'),
diff --git a/manifests/jenkins_master.pp b/manifests/jenkins_master.pp
index f3c7db9..3146501 100644
--- a/manifests/jenkins_master.pp
+++ b/manifests/jenkins_master.pp
@@ -17,6 +17,7 @@ class openstackci::jenkins_master (
 $jenkins_version = 'present',
 $manage_jenkins_jobs = false,
 $jenkins_url = 'http://localhost:8080',
+ $java_args_override = undef,
 $jjb_update_timeout = 1200,
 $jjb_git_url = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
 $jjb_git_revision = 'master',
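Review bot: The sample labelled "The recommended value" bakes `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` into the suggested JVM arguments, so anyone who copies it switches the SECURITY-170 protection off together with the GC and heap tuning, even though the next comment line calls that flag insecure. Keep only the tuning flags as the recommended value and list the override separately as an explicit opt-in, mentioning the narrower `-Dhudson.model.ParametersAction.safeParameters=<comma-separated parameter names>` for jobs that need only a few known parameters. The same string is repeated in the `java_args_override` doc comment added to manifests/single_node_ci.pp. Separately, the explanatory lines appear to sit indented under `#java_args_override: |`, so uncommenting only the key would make the `#` lines the literal block-scalar value; moving the explanation above the key and showing a quoted one-line scalar avoids that.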
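Review bot: `$java_args_override` is accepted in the jenkins_master.pp parameter list as an unchecked value and, in the file's second hunk, forwarded verbatim to the Jenkins master class, so whatever hieradata supplies reaches the Jenkins JVM arguments without any type check. If puppetlabs-stdlib is available to this module (not visible here), a guard such as `if $java_args_override != undef { validate_string($java_args_override) }` at the top of the class body would reject a hash or array produced by a mis-indented YAML key. The parameter list and class body continue outside the hunk, and no doc comment for the new parameter is visible in this file; a short `# [*java_args_override*]` entry carrying the SECURITY-170 caveat would help users who declare this class directly.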
@@ -38,6 +39,7 @@ class openstackci::jenkins_master (
 jenkins_ssh_private_key => $jenkins_ssh_private_key,
 jenkins_ssh_public_key => $jenkins_ssh_public_key,
 jenkins_version => $jenkins_version,
+ java_args_override => $java_args_override,
 }
 jenkins::plugin { 'build-timeout':
diff --git a/manifests/single_node_ci.pp b/manifests/single_node_ci.pp
index c768123..8496b90 100644
--- a/manifests/single_node_ci.pp
+++ b/manifests/single_node_ci.pp
@@ -56,6 +56,15 @@
 # The public key should not have any white space. Omit the 'ssh-rsa' prefix
 # and comment section / e-mail address suffix.
 #
+# [*java_args_override*]
+# These are the arguments to pass to Java:
+# "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+# Set this parameter through hieradata.
+# To work around the security restrictions that result from upgrading to version > 1.651.2
+# Add the Java system parameter:
+# "-Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+# Please note that adding this parameter is not secure and it exposes a potential jenkins security vulnerability.
+#
 # [*jenkins_version*]
 # This is a Jenkins version, such as '1.651', 'present' (to install
 # the most recent, and never upgrade), or latest' (to install the most
@@ -158,6 +167,7 @@ class openstackci::single_node_ci (
 $jenkins_password = undef,
 $jenkins_ssh_private_key = undef,
 $jenkins_ssh_public_key = undef,
+ $java_args_override = undef,
 $jenkins_version = 'present',
 $jjb_git_revision = 'master',
 $jjb_git_url = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
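Review bot: The new `[*java_args_override*]` doc comment in manifests/single_node_ci.pp says the restriction appears after upgrading to a version `> 1.651.2`, but as far as I know the advisory cited elsewhere in this patch names 1.651.2 itself (and 2.3) as the releases carrying the SECURITY-170 fix, so the boundary should read `>= 1.651.2`. The entry also opens with "These are the arguments to pass to Java:" followed by a literal string, which reads as the effective default although the parameter defaults to `undef` in the next hunk. A first line such as `# Extra JVM arguments for the Jenkins master (default: undef). Example:` would make clear that the string is only an illustration.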
@@ -200,6 +210,7 @@ class openstackci::single_node_ci (
 jenkins_password => $jenkins_password,
 project_config_repo => $project_config_repo,
 log_server => $log_server,
+ java_args_override => $java_args_override,
 jjb_git_revision => $jjb_git_revision,
 jjb_git_url => $jjb_git_url,
 }