FreeBSD project use of Jenkins for OS testing

This is a guest post by Craig Rodrigues


The FreeBSD project produces a modern operating system derived from BSD Unix.

In the past 6 months, we have set up Jenkins at http://jenkins.freebsd.org/, to continuously build FreeBSD as developers add new code to the project. This has helped us identify and fix build breaks very quickly.

We have gone even farther by integrating Jenkins, Kyua, and Bhyve. Kyua is a testing framework for infrastructure software. Bhyve is the native hypervisor that comes with FreeBSD (similar to KVM on Linux).

We use the Build Flow plugin in this example Build flow to do the following:

  1. Build the FreeBSD kernel and userland on amd64 whenever someone checks in new code to http://svn.freebsd.org
  2. Create a bootable FreeBSD disk image with makefs
  3. Boot the image under bhyve

CVE-2014-3566 "poodle" impact on Jenkins

Another day, another SSL vulnerability! Google has announced a vulnerability in SSL v3, and if you are using the "Winstone" servlet container built into Jenkins, and if you are using the HTTPS connector with the --httpsPort option (it is off by default), then you are vulnerable to this problem.

I've just issued a security advisory on this. If you haven't already subscribed to the Jenkins security advisory mailing list, this is a great opportunity to do so.

The advisory includes the target delivery vehicles for the fix and how you can address the problem in the mean time. Inside corporate intranet, where Jenkins is typically used, I suppose there's a degree of trust among participants to make this less of a problem.

Gradle-fy your Jenkins Plugin Project

(This is a guest post from Daniel Spilker)

Jenkins supports building plugins using Gradle for a while now. Last week a new version of the Gradle JPI plugin has been released to iron out some issues.

The Gradle JPI plugin enables a 100% groovy plugin development environment with Groovy as primary programming language, Spock for writing tests and Gradle as build system. Have a look at the Job DSL plugin for an example.

An existing Maven build can be converted to Gradle by using the build.gradle template from the Gradle JPI plugin's README.

CVE-2014-6271 impact on Jenkins

I suspect many of you have been impacted by CVE-2014-6271 (aka "shellshock" bash vulnerability.) We had our share of updates to do for various *.jenkins-ci.org servers.

Java application servers in general (including one that ships in Jenkins) do not fork off processes like Apache does to serve requests, so the kind of CGI attacks you see on Apache does not apply. We are currently unaware of any vulnerabilities in Jenkins related to CVE-2014-6271, and no plan to issue a patch for that.

That said, we did come up with one possible way attackers can exploit vulnerable bash through Jenkins, that you might want to be aware of.

When a build is parameterized, parameters are passed to the processes Jenkins launch as environment variables.

Jenkins in JavaOne 2014

There'll be several talks that touch Jenkins. The first is from me and Jesse called Next Step in Automation: Elastic Build Environment [CON3387] Monday 12:30pm.

Then later Tuesday, there's Building a Continuous Delivery Pipeline with Gradle and Jenkins [CON11237] from Benjamin Muschko of Gradleware.

Thursday has several Jenkins talks. One is The Deploy Factory: Open Source Tools for Java Deployment [CON1880] from Bruno Souza (aka the Java Man from Brazil) and Edson Yanaga. In this same time slot, guys from eBay are doing Platform Upgrades as a Service [CON5685], which discusses how they rely on automation to make platform upgrades painless.