Pass Java arguments to Jenkins master

Passing Java arguments to Jenkins puppet allows tuning of the Jenkins
master Java. This is useful for setting various Java attributes
such as Java heap size and virtual memory consumption.
This is most useful for downstream projects.

This patch also makes it possible to work around Jenkins SECURITY-170 by
setting Java arguments through hieradata.
https://issues.jenkins-ci.org/browse/JENKINS-34885

Change-Id: I745a23b0f177f868d5406639bc8c42e3acacea72
Depends-On: Ice0e4ffa2fffd041d8bcc4a0b323ffae7ba2b0c8
Isaac Beckman 2016-01-03 12:58:26 +02:00
parent a1d541f903
commit b739c0ecae
4 changed files with 21 additions and 0 deletions


@ -8,6 +8,8 @@ project_config_repo: http://your-project-config-repo.example.com/project-config-
# zuul. However, it has numerous security vulnerabilities, and should only
# be used for installations that have other means (e.g. firewalls) that block all
# untrusted access to Jenkins.
# see SECURITY-170 in:
# "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
#jenkins_version: present
#jenkins_vhost_name: jenkins
#jenkins_username: jenkins
@ -18,6 +20,11 @@ jenkins_ssh_private_key: |
-----END RSA PRIVATE KEY-----
jenkins_ssh_public_key: your-jenkins-public-key-no-whitespace
jjb_git_revision: 1.6.2
#java_args_override: |
# These are the arguments to pass to Java
# The recommended value:
# "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
# Please note that using the parameter: keepUndefinedParameters=true is not secure and exposes a potential jenkins security vulnerability
#jjb_git_url: https://git.openstack.org/openstack-infra/jenkins-job-builder
#gerrit_server: review.openstack.org
#gerrit_ssh_host_key:
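Review bot: The "recommended value" in the `java_args_override` comment includes `-Dhudson.model.ParametersAction.keepUndefinedParameters=true`, which the very next comment line calls insecure; an example labelled as recommended tends to be copied unchanged, so the flag that switches off the SECURITY-170 fix should not be part of it. I would drop it from the recommended string and list it separately as an explicit opt-in. For jobs that need only specific undeclared parameters, the comment could also mention the narrower `-Dhudson.model.ParametersAction.safeParameters=<comma-separated names>` option from the same advisory. The same string is repeated in the `[*java_args_override*]` parameter documentation of single_node_ci and deserves the same change. Separately, the key ends in `|` while the sample value is double-quoted; if indentation here is as it appears, a block scalar would make the quotes part of the value, so the example should use one form or the other.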


@ -38,6 +38,7 @@ node default {
jenkins_password => hiera('jenkins_password', 'XXX'),
jenkins_ssh_private_key => hiera('jenkins_ssh_private_key'),
jenkins_ssh_public_key => hiera('jenkins_ssh_public_key'),
java_args_override => hiera('java_args_override', undef),
gerrit_server => hiera('gerrit_server', 'review.openstack.org'),
gerrit_user => hiera('gerrit_user'),
gerrit_user_ssh_public_key => hiera('gerrit_user_ssh_public_key'),


@ -17,6 +17,7 @@ class openstackci::jenkins_master (
$jenkins_version = 'present',
$manage_jenkins_jobs = false,
$jenkins_url = 'http://localhost:8080',
$java_args_override = undef,
$jjb_update_timeout = 1200,
$jjb_git_url = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
$jjb_git_revision = 'master',
@ -38,6 +39,7 @@ class openstackci::jenkins_master (
jenkins_ssh_private_key => $jenkins_ssh_private_key,
jenkins_ssh_public_key => $jenkins_ssh_public_key,
jenkins_version => $jenkins_version,
java_args_override => $java_args_override,
}
jenkins::plugin { 'build-timeout':
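Review bot: `$java_args_override` is declared and forwarded with no type check and no visibility, even though the documentation added in this commit shows it is the setting that can turn the SECURITY-170 protection off. If puppetlabs-stdlib is available to this module, a guard such as `if $java_args_override != undef { validate_string($java_args_override) }` would catch a mis-typed hiera value. A compile-time `warning()` when the value contains `keepUndefinedParameters=true` would make the weakened configuration show up in Puppet reports. The class header and the resource that receives the parameter both start outside these hunks, so it cannot be seen here whether this class's own parameter docs gained a `java_args_override` entry.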


@ -56,6 +56,15 @@
# The public key should not have any white space. Omit the 'ssh-rsa' prefix
# and comment section / e-mail address suffix.
#
# [*java_args_override*]
# These are the arguments to pass to Java:
# "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
# Set this parameter through hieradata.
# To work around the security restrictions that result from upgrading to version > 1.651.2
# Add the Java system parameter:
# "-Dhudson.model.ParametersAction.keepUndefinedParameters=true"
# Please note that adding this parameter is not secure and it exposes a potential jenkins security vulnerability.
#
# [*jenkins_version*]
# This is a Jenkins version, such as '1.651', 'present' (to install
# the most recent, and never upgrade), or latest' (to install the most
@ -158,6 +167,7 @@ class openstackci::single_node_ci (
$jenkins_password = undef,
$jenkins_ssh_private_key = undef,
$jenkins_ssh_public_key = undef,
$java_args_override = undef,
$jenkins_version = 'present',
$jjb_git_revision = 'master',
$jjb_git_url = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
@ -200,6 +210,7 @@ class openstackci::single_node_ci (
jenkins_password => $jenkins_password,
project_config_repo => $project_config_repo,
log_server => $log_server,
java_args_override => $java_args_override,
jjb_git_revision => $jjb_git_revision,
jjb_git_url => $jjb_git_url,
}
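Review bot: The `[*java_args_override*]` entry says the restriction applies after upgrading to "version > 1.651.2", but the advisory referenced in the hiera example appears to name 1.651.2 itself as the LTS release carrying the fix, so this should probably read `>= 1.651.2`. The entry also never says what happens when the parameter is left at its `undef` default; a line such as `# Default: undef` plus a short statement of what the jenkins module then uses would help, worded to match the dependent change. Finally, "These are the arguments to pass to Java:" followed by one long string reads like the required value; labelling it `# Example:` would make clear it is illustrative.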