Simplest Enterprise Continuous Integration Solutions

Saturday, July 20, 2013

Bamboo security: Bamboo 5.0 runs over HTTPS

By default, Bamboo 5.0 runs over plain HTTP, which looks like this:


Configure Bamboo 5.0 to run over HTTPS

# Login as root on Bamboo Linux server.

[root@linux64-bamboo-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

# su to the user that runs Bamboo

[root@linux64-bamboo-server ~]# su - bamboo

# Change dir to bamboo install directory

[root@linux64-bamboo-server ~]$ cd /opt/atlassian-bamboo-5.0

# Generate a private key

[bamboo@linux64-bamboo-server atlassian-bamboo-5.0]$ $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias jetty
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  linux64-bamboo-server.domain.com
What is the name of your organizational unit?
  [Unknown]:  <my unit>
What is the name of your organization?
  [Unknown]:  <my organization>
What is the name of your City or Locality?
  [Unknown]:  <my city>
What is the name of your State or Province?
  [Unknown]:  <my state>
What is the two-letter country code for this unit?
  [Unknown]:  <my country>
Is CN=linux64-bamboo-server.domain.com, OU=<my unit>, O=<my organization>., L=<my city>, ST=<my state>, C=<my country> correct?
  [no]:  y

Enter key password for <jetty>
        (RETURN if same as keystore password):

# Generate a CSR (Certificate Signing Request)

[bamboo@linux64-bamboo-server atlassian-bamboo-5.0]$ $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias jetty -file certreq.csr
Enter keystore password:

# Submit certreq.csr to a certificate authority

Submit the generated certreq.csr to a Certificate Authority (for example, MY-ENTCASERVER) with “Web Server” Certificate template and download certificate chain (DER encoded or Base 64 encoded), save it as bamboo_Base64.p7b.

# Import signed certificate into keystore

[bamboo@linux64-bamboo-server atlassian-bamboo-5.0]$ $JAVA_HOME/bin/keytool -importcert -alias jetty -file bamboo_Base64.p7b -keystore keystore

# Modify wrapper.conf and jetty.xml as shown below

[bamboo@linux64-bamboo-server ~]$ diff -u /opt/atlassian-bamboo-5.0/conf/wrapper.conf.orig /opt/atlassian-bamboo-5.0/conf/wrapper.conf
--- /opt/atlassian-bamboo-5.0/conf/wrapper.conf.orig    2014-08-28 17:48:40.000000000 -0400
+++ /opt/atlassian-bamboo-5.0/conf/wrapper.conf 2014-08-28 17:48:46.000000000 -0400
@@ -7,15 +7,16 @@

# The Bamboo port number - this is the port number the Bamboo web server listens on.
#
-wrapper.app.parameter.2=8085
+#wrapper.app.parameter.2=8085
+wrapper.app.parameter.2=../webapp/WEB-INF/classes/jetty.xml

# The location of the Bamboo web application files
#
-wrapper.app.parameter.3=../webapp
+#wrapper.app.parameter.3=../webapp

# The webapp context path. Which must be of form / or /your-context
#
-wrapper.app.parameter.4=/
+#wrapper.app.parameter.4=/

# Specify which version of java you use to run Bamboo
#
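Review bot: The comment block above `wrapper.app.parameter.2=../webapp/WEB-INF/classes/jetty.xml` still reads "The Bamboo port number - this is the port number the Bamboo web server listens on", but after this change the parameter carries the Jetty configuration path and the port lives in jetty.xml. A reader editing this file later will look for the port here and not find it; I would replace the stale comment with `# Path to the Jetty configuration; the listen port, webapp location and context path are now set in jetty.xml (the parameter.2/3/4 values they replace are kept commented out below).` The same reasoning applies to the comments left above the commented-out parameter.3 and parameter.4 lines.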


[bamboo@linux64-bamboo-server ~]$ diff -u /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml.orig /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml
--- /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml.orig     2014-08-28 17:06:03.000000000 -0400
+++ /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml  2014-08-28 17:39:03.000000000 -0400
@@ -30,9 +30,17 @@

     <Call name="addConnector">
         <Arg>
+<!--
             <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                 <Set name="host"><Property name="jetty.host" /></Set>
                 <Set name="port"><Property name="jetty.port" default="8085"/></Set>
+-->
+            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
+                <Set name="Port">8443</Set>
+                <Set name="Keystore"><SystemProperty name="jetty.home" default=""/>keystore</Set>
+
+                <Set name="Password">bamboo</Set>
+                <Set name="KeyPassword">bamboo</Set>
                 <!--<Set name="Host">127.0.0.1</Set>-->
                 <!--<Set name="ConfidentialPort">8443</Set>-->
                 <!--<Set name="IntegralPort">8443</Set>-->
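Review bot: The keystore and key passwords added at `<Set name="Password">bamboo</Set>` and `<Set name="KeyPassword">bamboo</Set>` are stored in cleartext in jetty.xml, a file under the webapp's WEB-INF/classes that anyone who can read the install tree can read. Jetty's `Password` utility (the `OBF:` form; the class's package differs between Jetty versions) keeps the literal out of the file, although it is reversible obfuscation rather than encryption, so restrictive file permissions on jetty.xml and on the keystore are still the real control. The keystore path `<SystemProperty name="jetty.home" default=""/>keystore` presumably points at the file the keytool steps earlier on the page produced, but only the import step there passed `-keystore keystore` while the genkey and certreq steps used keytool's default store, so confirm all three target the same file. The enclosing `<New>` element for the SSL connector closes outside the hunk.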
@@ -60,7 +68,7 @@
                     <!--SystemProperty name="bamboo.webapp" default="/opt/dev/src/atlassian/bamboo-trunk/components/bamboo-web-app/src/main/webapp"/-->
                     <SystemProperty name="bamboo.webapp" default="./webapp"/>
                 </Arg>
-                <Arg name="contextPath">/bamboo</Arg>
+                <Arg name="contextPath">/</Arg>
                 <!--<Set name="parentLoaderPriority">true</Set>-->
                 <Set name="defaultsDescriptor">webdefault.xml</Set>
                 <Get name="sessionHandler">

# Restart bamboo service

# Bamboo running over HTTPS looks like this


# Bamboo's own signed SSL certificate looks like this




Enterprise Linux: Subversion Edge + own SSL Certificate

By default, Subversion Edge has self-signed certificate

Subversion Edge comes out of the box with an Apache Subversion Server HTTPS configuration: simply selecting the check box "Apache Encryption" for "Subversion Server should serve via https." in the CSVN Console Administration tab installs an initial self-signed certificate that ships with Subversion Edge.



The hostname in the Subversion Edge self-signed certificate above, svnedge.collab.net, will always differ from your SVN repository server's hostname (for instance, linux64-svn-server), so a Java keystore that imports it always holds the wrong hostname for your SVN repository server.

Procedures to use own SSL certificate

# Backup existing "server.key", "server.crt" and "svnedge.jks"

By default, those files are located as below:
/opt/csvn/data/conf/server.key
/opt/csvn/data/conf/server.crt
/opt/csvn/appserver/etc/svnedge.jks

# Make sure the openssl and openssl-devel RPMs are installed

# Generate a private key (note: the 1024-bit RSA key size shown below is under current minimum recommendations; 2048 bits or more is the usual choice today)

[root@linux64-svn-server ~]# cd /opt/csvn/data/conf
[root@linux64-svn-server conf]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
................++++++
e is 65537 (0x10001) 

# Generate a CSR (Certificate Signing Request)

[root@linux64-svn-server conf]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:<my_country>
State or Province Name (full name) [Berkshire]:<my_state>
Locality Name (eg, city) [Newbury]:<my_city>
Organization Name (eg, company) [My Company Ltd]:<my_org>
Organizational Unit Name (eg, section) []:<my_unit>
Common Name (eg, your name or your server's hostname) []:linux64-svn-server.domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# check server.csr 

[root@linux64-svn-server conf]# openssl req -noout -text -in server.csr 

# Remove the passphrase from the key (Apache needs to read it unattended, so the resulting unencrypted server.key should be readable only by root)

[root@linux64-svn-server conf]# cp server.key server.key.org
[root@linux64-svn-server conf]# openssl rsa -in server.key.org -out server.key
writing RSA key 

# Generate a Self-Signed Certificate

[root@linux64-svn-server conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Or

# Submit server.csr to a certificate authority

Submit the generated server.csr to a Certificate Authority (for example, MY-ENTCASERVER) with “Web Server” Certificate template and download certificate in Base64 format, save it as server.crt.

# Check server.crt

[root@linux64-svn-server conf]# openssl x509 -in server.crt -text -noout 

# Convert the Apache certificate into PKCS#12 format

[root@linux64-svn-server conf]# openssl pkcs12 -export -in /opt/csvn/data/conf/server.crt -inkey /opt/csvn/data/conf/server.key -name svnedge --out /opt/csvn/data/conf/server.p12
Enter Export Password:
Verifying - Enter Export Password:

# Check server.p12

[root@linux64-svn-server conf]# openssl pkcs12 -info -in server.p12 

# Create the java keystore to store the certificate

[root@linux64-svn-server conf]# $JAVA_HOME/bin/keytool -importkeystore -srckeystore /opt/csvn/data/conf/server.p12 -srcstoretype PKCS12 -destkeystore /opt/csvn/data/conf/svnedge.jks
Enter destination keystore password:
Enter source keystore password:
Entry for alias svnedge successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

# Copy the Java keystore into INSTALL_DIR/appserver/etc

[root@linux64-svn-server conf]# cp /opt/csvn/data/conf/svnedge.jks /opt/csvn/appserver/etc/

# Restart csvn console 

[root@linux64-svn-server conf]# service csvn restart

# Subversion Edge own SSL Certificate

The server now presents your own SSL certificate at https://linux64-svn-server.domain.com:4434/csvn, as shown below:


Saturday, July 6, 2013

Software Development: Forge Puppet modules with an automated process




1. A developer commits changes to a Puppet module (for example, with the Puppet Geppetto editor) to the appropriate VCS (version control system, for example Subversion/Git) branch or trunk.
2. Puppet Forge Automation, enabled through a continuous-integration system (for example Cruise Control/Jenkins), is triggered periodically on VCS commits to run "puppet module build" for the new revision of the Puppet module, located under the DEV repo (for example: http://pulp-server.local.lab/pulp/puppet/qxc_dev/system/releases/q/qxc)


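    # Build every module checked out under ${puppet_forge_working_directory}/${puppet_forge_author}
    # and upload the resulting packages to the DEV Pulp repo.
    # Expects these variables to be provided by the CI job environment:
    #   puppet_forge_working_directory, puppet_forge_author, puppet_forge_modules_folder,
    #   puppet_forge_dev_repoid, pulp_server_admin_name, pulp_server_admin_password
    # The admin password is passed to pulp-admin on the command line (-p), so it is visible
    # in the process list and in the CI console if command tracing is on; a one-time
    # `pulp-admin login` session avoids that where the installed pulp-admin supports it.
    #
    # Both tests are needed: with an empty variable the original `[ -e ${var} ]` collapses
    # to `[ -e ]`, which is true, and the copy would run from "/${puppet_forge_author}".
    if [ -n "${puppet_forge_working_directory}" ] && [ -e "${puppet_forge_working_directory}" ]; then
      # copy the VCS checkout into ${puppet_forge_modules_folder}; nothing to build if this fails
      cp -rf -- "${puppet_forge_working_directory}/${puppet_forge_author}"/* "${puppet_forge_modules_folder}" || exit 1
      # make sure all text files are in unix format
      find "${puppet_forge_modules_folder}" -type f -exec dos2unix {} \;
      # execute puppet module build for each module directory (globbing instead of
      # parsing `ls`; entries that are not directories are skipped)
      cd "${puppet_forge_modules_folder}" || exit 1
      for module in *; do
        [ -d "${module}" ] || continue
        puppet module build "${module}"
      done
      # publish the built packages (<module>/pkg) to the dev repoid
      for module in *; do
        [ -d "${module}" ] || continue
        pulp-admin -u "${pulp_server_admin_name}" -p "${pulp_server_admin_password}" puppet repo uploads upload --repo-id "${puppet_forge_dev_repoid}" --dir "${puppet_forge_modules_folder}/${module}/pkg"
      done
      pulp-admin -u "${pulp_server_admin_name}" -p "${pulp_server_admin_password}" puppet repo publish run --repo-id "${puppet_forge_dev_repoid}"
    fi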


3. The developer should bump the version in every Modulefile so it is ready for the new changes.
4. After the Puppet module is verified successfully, Puppet Forge Automation promotes the module into the PROD repo (for example: http://pulp-server.local.lab/pulp/puppet/qxc/system/releases/q/qxc) for release.


    # publish module from dev repo to prod repo
    for i in `echo "common thirdparty qxc"`
    do
       pulp-admin -u ${pulp_server_admin_name} -p ${pulp_server_admin_password} puppet repo copy --from-repo-id ${puppet_forge_dev_repoid} --to-repo-id ${puppet_forge_prod_repoid} --str-eq="name=$i" --str-eq="author=${puppet_forge_author}" --str-eq="version=${puppet_forge_version}"
    done
    pulp-admin -u ${pulp_server_admin_name} -p ${pulp_server_admin_password} puppet repo publish run --repo-id ${puppet_forge_prod_repoid}
    
    # create puppet modules tar gz
    if [ -d ${puppet_forge_modules_folder} ];
    then
      rm -rf ${puppet_forge_modules_folder}
    fi
    
    if [ -d /etc/puppet/modules ];
    then
      rm -rf /etc/puppet/modules
    fi
    
    mkdir -p ${puppet_forge_modules_folder}
    mkdir -p ${puppet_forge_modules_folder}/${my_puppet_module_name}/etc/puppet/modules
    cd ${puppet_forge_modules_folder}/${my_puppet_module_name}/etc/puppet/modules
    puppet module install --module_repository http://.:${puppet_forge_prod_repoid}@${pulp_server} ${puppet_forge_author}/${my_puppet_module_name} --version ${puppet_forge_version} -i .
    cd ${puppet_forge_modules_folder}/${my_puppet_module_name}
    tar -zPcvpf ${puppet_forge_tar_gz_folder}/${my_puppet_module_name}-${3_digit_rtm_info}-`date +"%Y%m%d"`.${ci_buildnumber}.tar.gz `find etc -type f`