Jenkins is an open-source automation server that facilitates the continuous integration and continuous delivery (CI/CD) of software projects. It enables developers to automate various tasks in the software development lifecycle, such as building, testing, and deploying applications. Jenkins provides a wide range of plugins and integrations to support various tools, making it a popular choice for automating repetitive tasks and streamlining the development process.
With Jenkins, you define pipelines that describe how your software should be built, tested, and deployed. These pipelines can be configured as code using a domain-specific language called “Pipeline DSL” or by creating a Jenkinsfile, which is a text file that defines the stages, steps, and actions of your pipeline. Jenkins can be set up on your own infrastructure or in the cloud.
This section describes the steps to integrate Docker Scout with the Jenkins CI platform. For demo purposes, we will leverage Jenkins running inside a Docker container. Let’s proceed
Getting Started
Set up a custom Docker network
The command docker network create jenkins is used to create a custom Docker network named “jenkins”.
$ docker network create jenkins
Running a Docker-in-Docker(DinD) container
Creating a Jenkins container on its own is certainly possible and commonly done for running Jenkins in a CI/CD environment. However, using Docker-in-Docker (DinD) has specific use cases where you want Jenkins to have the ability to build and manipulate Docker images as part of your CI/CD pipeline.
The docker run command you provided is used to run a Docker-in-Docker (DinD) container named “jenkins-docker.” This setup allows you to have a Jenkins container that can also interact with other Docker containers. This setup is often used in Jenkins pipelines where you need to build and interact with Docker images as part of your CI/CD process.
docker run \
--name jenkins-docker \
--rm \
--detach \
--privileged \
--network jenkins \
--network-alias docker \
--env DOCKER_TLS_CERTDIR=/certs \
--volume jenkins-docker-certs:/certs/client \
--volume jenkins-data:/var/jenkins_home \
--publish 2376:2376 \
docker:dind \
--storage-driver overlay2
Here’s a breakdown of the command and its options:
- –name jenkins-docker: Specifies the name of the container as “jenkins-docker.”
- –rm: Removes the container automatically once it’s stopped.
- –detach: Run the container in the background.
- –privileged: Gives the container extended privileges.
- –network jenkins: Connect the container to the “jenkins” network that you’ve created.
- –network-alias docker: Sets the network alias for the container as “docker.”
- –env DOCKER_TLS_CERTDIR=/certs: Sets the environment variable for Docker TLS certificate directory.
- –volume jenkins-docker-certs:/certs/client: Mounts the volume for Docker TLS certificates.
- –volume jenkins-data:/var/jenkins_home: Mounts the volume for Jenkins data.
- –publish 2376:2376: Publishes the container’s port 2376 to the host’s port 2376, allowing remote Docker API access.
- docker:dind: Specifies the Docker image to run (DinD image).
- –storage-driver overlay2: Specifies the storage driver to use (overlay2 in this case).
Dockerfile
FROM jenkins/jenkins:2.414.1-jdk17
USER root
RUN apt-get update && apt-get install -y lsb-release
RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \
https://download.docker.com/linux/debian/gpg
RUN echo "deb [arch=$(dpkg --print-architecture) \
signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \
https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
RUN apt-get update && apt-get install -y docker-ce-cli
USER jenkins
RUN jenkins-plugin-cli --plugins "blueocean docker-workflow"
The Dockerfile shown below is used to create a custom Jenkins image that includes the Docker CLI and specific plugins. Let me explain the contents of this Dockerfile step by step:
- FROM jenkins/jenkins:2.414.1-jdk17: This line specifies the base image to use for building your custom Jenkins image. The tag 2.414.1-jdk17 indicates a specific version of the Jenkins image that includes Java 17.
- USER root: This switches the user context to the root user in the container. This is necessary because installing software requires administrative privileges.
- RUN apt-get update && apt-get install -y lsb-release: This updates the package repository information and installs the lsb-release package, which provides information about the Linux distribution.
- RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc …: This retrieves the GPG keyring for the Docker repository and saves it to /usr/share/keyrings/docker-archive-keyring.asc.
- RUN echo “deb [arch=$(dpkg –print-architecture) …”: This adds the Docker repository to the list of package sources in the /etc/apt/sources.list.d/docker.list` file. It uses the GPG keyring downloaded earlier to verify the repository.
- RUN apt-get update && apt-get install -y docker-ce-cli: This updates the package repository again and installs the Docker CLI (docker-ce-cli) from the added repository.
- USER jenkins: This switches back to the jenkins user context.
- RUN jenkins-plugin-cli –plugins “blueocean docker-workflow”: This uses the jenkins-plugin-cli tool to install Jenkins plugins. The plugins being installed are “blueocean” (for the Blue Ocean UI) and “docker-workflow” (for Docker integration in Jenkins pipelines).
Building the Docker image
docker build -t myjenkins-blueocean:2.414.1-1 .
Running the Docker container
docker run --name jenkins-blueocean-agent \
--restart=always \
-d \
--network jenkins \
-e DOCKER_HOST=tcp://docker:2376 \
-e DOCKER_CERT_PATH=/certs/client \
-e DOCKER_TLS_VERIFY=1 \
-p 8080:8080 \
-p 50000:50000 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /path/to/docker/certs:/certs/client:ro \
-v jenkins-data:/var/jenkins_home \
myjenkins-blueocean:2.414.1-1
Listing the containers:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f24a3523c936 myjenkins-blueocean:2.414.1-1 "/usr/bin/tini -- /u…" 6 seconds ago Up 5 seconds 0.0.0.0:8080->8080/tcp, 0.0.0.0:50000->50000/tcp jenkins-blueocean
9cb188d7b587 docker:dind "dockerd-entrypoint.…" 2 minutes ago Up 2 minutes 2375/tcp, 0.0.0.0:2376->2376/tcp jenkins-docker
Grab the password that it displays in the log
Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:
30ca8eXXXXXXXXXX00652aa2e
Access the app via https://localhost:8080 and add the Administrator password as shown:
Choose “Install suggested plugins” as we don’t need any further plugins to install.
Wait for 1-2 minutes till the date all the essential plugins are installed.
Accessing Blue Ocean
Blue Ocean is a modern and user-friendly user interface (UI) for Jenkins that provides a more intuitive and visually appealing experience for managing and monitoring Jenkins pipelines and projects. It is designed to simplify and improve the way you interact with Jenkins, especially when dealing with complex pipeline configurations.
Here are some key features and benefits of Blue Ocean:
- Visual Pipelines: Blue Ocean offers a graphical representation of your pipeline stages, making it easier to visualize the flow of your CI/CD process. This helps in quickly identifying bottlenecks or issues in the pipeline.
- Pipeline Editor: Blue Ocean provides a visual pipeline editor that allows you to create, edit, and visualize pipelines using a graphical interface. This can be particularly useful for those who are not familiar with writing pipeline code in Jenkinsfile syntax.
- Personalization: The UI is designed to focus on what’s most relevant to you. It surfaces information like pipeline status, recent runs, and logs in a clean and organized manner.
- Pipeline Visualization: Blue Ocean’s pipeline visualization shows the status of each stage in the pipeline, making it easy to identify failed or unstable stages.
- Interactive Logs: Logs for each stage are presented in a collapsible, expandable format, allowing you to see detailed information only for the stages you’re interested in.
- GitHub Integration: Blue Ocean offers seamless integration with GitHub repositories, making it easier to set up pipelines for projects hosted on GitHub.
- Pipeline Re-run: You can easily re-run a specific stage or the entire pipeline from within the Blue Ocean interface.
- Plugin Integration: Blue Ocean is extensible and can integrate with Jenkins plugins, allowing you to incorporate additional functionalities into your pipelines.
Configure Pipeline under Blue Ocean UI
Add GitHub Access Token
Ensure that you have set “docker-hub-pat” under Jenkins Dashboard > Manage Jenkins > Credentials.
Here’s a Jenkinsfile that is used for this demonstration. Feel free to modify it based on your namespace
pipeline {
agent any
environment {
IMAGE_TAG_VOTE = 'yournamespace/scout-demo-voting-app-vote'
IMAGE_TAG_RESULT = 'yournamespace/scout-demo-voting-app-result'
IMAGE_TAG_WORKER = 'yournamespace/scout-demo-voting-app-worker'
DOCKER_HUB_PAT = credentials('docker-hub-pat')
DOCKER_HUB_USER = 'yournamespace'
}
stages {
stage('Build and Scout Vote Service') {
steps {
script {
checkout scm
// Install Docker Scout
sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b ~/bin'
// Log into Docker Hub
sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin'
// Analyze image for CVEs
sh "docker-scout cves ${IMAGE_TAG_VOTE} --exit-code --only-severity critical,high"
// Get recommendations for remediation steps
sh "docker-scout recommendations ${IMAGE_TAG_VOTE}"
}
}
}
stage('Build and Scout Result Service') {
steps {
script {
checkout scm
// Install Docker Scout
sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b ~/bin'
// Log into Docker Hub
sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin'
// Analyze image for CVEs
sh "docker-scout cves ${IMAGE_TAG_RESULT} --exit-code --only-severity critical,high"
// Get recommendations for remediation steps
sh "docker-scout recommendations ${IMAGE_TAG_RESULT}"
}
}
}
stage('Build and Scout Worker Service') {
steps {
script {
checkout scm
// Install Docker Scout
sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b ~/bin'
// Log into Docker Hub
sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin'
// Analyze image for CVEs
sh "docker-scout cves ${IMAGE_TAG_WORKER} --exit-code --only-severity critical,high"
// Get recommendations for remediation steps
sh "docker-scout recommendations ${IMAGE_TAG_WORKER}"
}
}
}
}
}
You can find the working Jenkinsfile rightly in our Dockersamples voting app sample application.