How can I disable security checks for Jenkins pipeline builds
I\'m running Jenkins in a local trusted environment where I\'m trying to run this pipeline. This Jenkinsfile is checked into git.
#!groovy
node(\'master\')
-
You can solve the problem by following steps:
- install Permissive Script Security plugin (version 0.3 or newer)
- If you are using a pipeline script, make sure
Use Groovy Sandboxis checked. This can be done in the configuration of the job. - add
permissive-script-security.enabledcommand line parameter to Jenkins master with value:
trueif you want to disable the need to approve scripts, but potentially dangerous signatures will be logged:-Dpermissive-script-security.enabled=trueno_securityif you want to disable the need to approve scripts and disable also logging of the potentially dangerous signatures:-Dpermissive-script-security.enabled=no_security
讨论(0) -
As answered above: in the newer Jenkins versions Script Security has been tightened. However for the specific use case of reading a version from Maven's
pom.xmlone could usereadMavenPomfrom the Pipeline Utility Steps Plugin:pom = readMavenPom file: 'pom.xml' pom.versionWith some other solutions in this StackOverflow question as well.
讨论(0) -
I'd like to offer up a hack that I ended up implementing after scouring the interwebs for a solution and trying some of the solutions proposed here.
A little background on my setup:
- Jenkins master (no slaves)
- Dockerized Jenkins instance with a persistent volume for the jenkins_home directory
- Jenkins jobs are delivered via the Jenkins Job DSL plugin with jobs written in .groovy
My scenario: Anytime someone modified an existing Jenkins pipeline (via groovy) and introduced new functionality that used some custom groovy, Jenkins would fail the job and flag the code snippet for approval. Approval was manual and tedious.
I have tried the solutions posted above and they did not work for me. So my hack was to create a Jenkins job that runs a shell job that takes the list of signatures that need approved and then adds them to the /var/jenkins_home/scriptApproval.xml file.
Some gotchas:
- The offending job still has to fail once for me to find/copy the offending code/signature
- To get the change to take effect, you cant "reload from disk" for the file to get picked up. You have to restart the Jenkins process (in our case delete the container and bring it back up). This was not a big pain for me since Jenkins is restarted every morning.
- In our world, we trust the devs who modify our Jenkins jobs so they are free to add signatures that need approval as needed. Plus the job is in source control so we can see who added what.
- My Jenkins container also has xmlstarlet baked in so my shell job uses that for the updating of the file
Example of my Jenkins job's shell command:
#!/bin/bash echo "" #default location of the Jenkins approval file APPROVE_FILE=/var/jenkins_home/scriptApproval.xml #creating an array of the signatures that need approved SIGS=( 'method hudson.model.ItemGroup getItem java.lang.String' 'staticMethod jenkins.model.Jenkins getInstance' ) #stepping through the array for i in "${SIGS[@]}"; do echo "Adding :" echo "$i" echo "to $APPROVE_FILE" echo "" #checking the xml file to see if it has already been added, then deleting. this is a trick to keep xmlstarlet from creatine duplicates xmlstarlet -q ed --inplace -d "/scriptApproval/approvedSignatures/string[text()=\"$i\"]" $APPROVE_FILE #adding the entry xmlstarlet -q ed --inplace -s /scriptApproval/approvedSignatures -t elem -n string -v "$i" $APPROVE_FILE echo "" done echo "##### Completed updating "$APPROVE_FILE", displaying file: #####" cat "$APPROVE_FILE"讨论(0) -
Try the following jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+Security+Plugin It disables the sandbox. Works for me.
讨论(0) -
Currently it is not possible. There is an open ticket for this problem https://issues.jenkins-ci.org/browse/JENKINS-28178
讨论(0)
加载中...
- 热议问题