Comments (7)
I disagree. The default installation of jenkins.war from the Debian package, the RPM package, and the Windows installer are all unsecured by default. Securing the docker instance by default will then require that I "undo" that security in order to use alternate forms of security.
Securing the docker instance by default will then require that I "undo" that security in order to use alternate forms of security.
First, to be sure: I'm not talking about enabling authentication, I'm talking about enabling SSL.
Anyway, could one at least document the security setup? Warn that the default security setup is not safe? Of course you don't need that, but many users do. (Every other configuration step can be done when logged in to the instance and doesn't need much explanation.) If documenting that is overkill, it's also overkill that it tells me out-of-the-box to enable "security".
Then, why would you need to undo SSL? Replacing the SSL certificate doesn't sound like "undoing". What's the alternate security you're thinking about — enabling SSL through a reverse proxy? I've now learned this would have been a better idea, but I've instead followed some official docs found through Google and ignored ServerFault's suggestions.
I don't want the complication of needing to register that self-signed certificate with each of the consumers of my test Jenkins site. I've had problems before that required I take special steps to work around self-signed certificates and their interactions with Java clients. I'd rather not have to apply those special steps for the base Docker instance.
I see, thanks for the answer.
Still, any comment on the documentation issue?
I don't think the docker instance definition is the right place to document security setup. The official documentation seems like the best place to document the security setup. That improves the chances that others will find the documentation and that others will be able to improve that documentation as they learn more. If you've learned better ways to configure security, please share what you've learned with others on that wiki page.
Jenkins already warns you at startup from the "Manage Jenkins" page that you should configure security. It does not start with security enabled so that you can decide which security method you want to use.
You can easily enable SSL using nginx proxy: https://github.com/jwilder/nginx-proxy
- create your certificate and key (jenkins.mydomain.com.key, jenkins.mydomain.com.crt or wildcard one)
- start nginx proxy container with volume /etc/nginx/certs pointing to your certificate folder
- start jenkins container with VIRTUAL_HOST="jenkins.mydomain.com" environment variable
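The three steps above, written out as a compose file. This is an added example, not the issue's own or the project's own configuration; the hostname, the certificate directory and the image tag are placeholders, and it assumes the volume and environment variable names documented by jwilder/nginx-proxy (including VIRTUAL_PORT, needed because the jenkins image exposes both 8080 and 50000).

```yaml
# Added example: jwilder/nginx-proxy terminating TLS in front of the official
# jenkins image. jenkins.mydomain.com and ./certs are placeholders.
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # nginx-proxy watches the Docker socket to discover containers
      # that carry a VIRTUAL_HOST variable
      - /var/run/docker.sock:/tmp/docker.sock:ro
      # certificates are matched by hostname:
      # ./certs/jenkins.mydomain.com.crt and ./certs/jenkins.mydomain.com.key
      - ./certs:/etc/nginx/certs:ro
    environment:
      # once a matching cert exists, plain HTTP is redirected to HTTPS
      HTTPS_METHOD: redirect

  jenkins:
    image: jenkins/jenkins:lts
    environment:
      VIRTUAL_HOST: jenkins.mydomain.com
      # the image exposes 8080 and 50000; tell the proxy which one is the UI
      VIRTUAL_PORT: "8080"
    volumes:
      - jenkins_home:/var/jenkins_home
    # deliberately no 'ports:' entry: Jenkins is reachable only through
    # the proxy, so the unencrypted 8080 listener is not published on the host

volumes:
  jenkins_home:
```

Check with `docker compose ps` that only nginx-proxy publishes host ports, and that https://jenkins.mydomain.com/ serves the certificate you placed in ./certs.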
This is not a docker image issue but a jenkins issue: it runs unsecured.
About using https, it would be inefficient to implement this in the java servlet container, while a reverse proxy does the job very well.
So, closing this issue.