From: David Galloway Date: Thu, 3 Aug 2017 20:55:23 +0000 (-0400) Subject: ansible: Add ufw to jenkins masters X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9ff28bbb681b7b9525753177cab708fa8df0781a;p=ceph-build.git ansible: Add ufw to jenkins masters The jenkins-cli is used to initially configure the Jenkins service. As of recent versions, however, anonymous cli access isn't allowed unless useSecurity is set to false in Jenkins' config.xml. This opens Jenkins to the world of course. By creating some firewall rules, we can just disable nginx, turn off auth, allow only localhost access to port 8080 and safely make changes using jenkins-cli. Signed-off-by: David Galloway --- diff --git a/ansible/roles/ansible-jenkins/tasks/jenkins.yml b/ansible/roles/ansible-jenkins/tasks/jenkins.yml index ac85808f..4adb0601 100644 --- a/ansible/roles/ansible-jenkins/tasks/jenkins.yml +++ b/ansible/roles/ansible-jenkins/tasks/jenkins.yml @@ -9,6 +9,10 @@ tags: - letsencrypt +- include: ufw.yml + tags: + - ufw + - name: Install Jenkins apt: name: jenkins diff --git a/ansible/roles/ansible-jenkins/tasks/ufw.yml b/ansible/roles/ansible-jenkins/tasks/ufw.yml new file mode 100644 index 00000000..d00daf5c --- /dev/null +++ b/ansible/roles/ansible-jenkins/tasks/ufw.yml @@ -0,0 +1,29 @@ +--- +- name: install ufw + apt: + name: ufw + state: latest + +- name: only listen to localhost on port 8080 + ufw: + port: 8080 + src: 127.0.0.1 + rule: allow + +- name: allow custom ssh, http, https, and JNLP slave port + ufw: + port: "{{ item }}" + rule: allow + with_items: + - 2222 + - 80 + - 443 + - 49187 + +- name: reload ufw + ufw: + state: reloaded + +- name: start ufw + ufw: + state: enabled
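Review bot: placing `- include: ufw.yml` ahead of the "Install Jenkins" task in jenkins.yml is the right order (the firewall is active before the jenkins package starts listening on 8080), but because ufw.yml ends with `state: enabled`, a host whose sshd is still on port 22 when this include runs will drop the Ansible connection at that point; only port 2222 is opened for "custom ssh". Either make the sshd port change a prerequisite that runs before this include, or guard the include with a check that sshd is already bound to 2222, so that the first run on a fresh master cannot lock the operator out.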
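Review bot: the new ufw.yml never sets a default incoming policy, so the "only listen to localhost on port 8080" rule restricts nothing on its own; the allow from `src: 127.0.0.1` only has the intended effect if the default incoming policy is deny, which this file leaves to whatever /etc/default/ufw ships with. Add an explicit task before the per-port rules, e.g. `- ufw:` / `direction: incoming` / `policy: deny`, so the loopback-only exposure of 8080 that the commit message relies on is enforced by the role rather than by a distro default. Two smaller points in the same hunk: the "reload ufw" task (`state: reloaded`) runs before "start ufw" (`state: enabled`), so on a fresh host it is a no-op against a disabled firewall; since enabling already applies the rules, drop it or move it after the enable task. And `state: latest` on the ufw package upgrades it on every run, which makes the play non-idempotent; `state: present` is the usual choice for a role like this.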