Created Tuesday 4/8/2009
Hudson (hudson.dev.java.net) is a continuous integration tool and as such provides SCM integration (polling or scheduled), build processes and task execution. Hudson also provides a large number of plugins to integrate with various libraries and systems.
Todo: Add a comment on winstone (doesn't require servlet container like tomcat, etc)
The preferred setup is to run hudson as its own user (e.g., hudson, perhaps in group hudson). Starting and stopping hudson is done by the init.d script (/etc/init.d/hudson).
Todo: This is trivial, but explain and expand
By default, hudson provides anonymous access to the hudson environment and allows system changes to be made by this anonymous user. Hudson provides many authentication options, such as hudson's own user management, integration with LDAP or integration with Linux-PAM (pluggable authentication modules). This section discusses enabling security with Linux-PAM.
Authentication is enabled by ticking the Enable security checkbox within the hudson system configuration page (Hudson─▶Manage Hudson─▶Configure System). Checking Enable security presents the user with the Access Control options, which offer a number of different security realms (integration with PAM, LDAP, etc).
Choose Unix user/group database as the Security Realm of the Access Control options and then select the Advanced button and provide sshd as the Service Name (this is actually the default, but is added to this document for clarity).
Next, configure the Authorizations. There are a number of self-explanatory options such as Logged-in users can do anything or Anyone can do anything. Presumably, security has been enabled for a reason, so we discuss Matrix-based security. Once Matrix-based security has been selected, a table is presented with the permissions for the Anonymous user. It's recommended that only Read for Overall and Job be enabled.
To create group-based admin access, type the name of the group to which hudson belongs into the text field labelled User/group to add: and then select all the checkbox options.
CAVEAT: If hudson is not running as root (and it's recommended that it's not) then there is a bug with PAM authentication, which has the following workaround (from Jeffrey Metcalf-2 (nabble.com)).
Hudson will invoke unix_chkpwd(8) in order to confirm the user against /etc/shadow. However, unix_chkpwd is setuid and, if hudson is running non-root, it will not be able to read the file as /etc/shadow is mode 0400 by default. To get around this problem, a simple solution is to create a new group, perhaps called shadow or shadowreader, and add user hudson to that group. Then chgrp(1) /etc/shadow to the new group and chmod(1) it to 0440 (which will permit unix_chkpwd to read the file when running setuid(2) as hudson).
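As an added check that is not part of the original note: a small POSIX shell function (assumes GNU coreutils stat(1)) that confirms the workaround above was applied as intended, i.e. /etc/shadow is still owned by root, is group-owned by the reader group, is exactly mode 0440 (no world access), and the hudson user really is a member of that group. The group and user names are the ones suggested in the paragraph above.

```shell
# check_shadow_access FILE GROUP USER [OWNER]
# Returns 0 when FILE is owned by OWNER (default root), group-owned by GROUP,
# has mode exactly 0440, and USER is a member of GROUP.  Otherwise prints
# each failed condition and returns 1.  Assumes GNU stat(1) (-c format).
check_shadow_access() {
    file=$1; grp=$2; user=$3; owner=${4:-root}
    rc=0
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # stat prints "<octal mode> <owner> <group>", e.g. "440 root shadowreader"
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; fowner=$2; fgroup=$3
    [ "$fowner" = "$owner" ] || { echo "owner is $fowner, expected $owner"; rc=1; }
    [ "$fgroup" = "$grp" ]   || { echo "group is $fgroup, expected $grp"; rc=1; }
    # exactly 0440: read for owner and group, nothing for others, never writable
    [ "$mode" = "440" ]      || { echo "mode is $mode, expected 440"; rc=1; }
    # id -nG lists every group USER belongs to, one per word
    if ! id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"; then
        echo "user $user is not in group $grp"
        rc=1
    fi
    return $rc
}

# Example invocation with the names from the note above (needs read access
# to /etc/shadow's metadata only, not its contents):
#   check_shadow_access /etc/shadow shadowreader hudson
```

A non-zero exit with a "mode is 444" or "group is root" message means the file was opened up too far or the chgrp was skipped, and the fix should be re-done before enabling the PAM realm.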
The other (less desirable) options are (again, from Jeffrey Metcalf-2 (nabble.com)):
Stuart Moorfoot © 4 August 2009 foo@bund.com.au