Disable Jenkins CLI Across All Masters

Issue

  • I would like to disable the Jenkins CLI across all my masters.

Environment

  • CloudBees Jenkins Operations Center
  • Private SaaS Edition

Resolution

Please make sure that all Jenkins masters are connected to your CloudBees Jenkins Operations Center.

Click “New Item”.

Next click on Cluster Operation.

Under the Operation center configuration screen select Add Operation and select Managed Masters.

Then select From Operations Center Root and under the Filters select Is Online.

In the Steps section click on Add Step and select Execute Groovy Script on Master.

Then paste the following:

import java.nio.file.Files
import java.nio.file.Paths


def env = System.getenv()
def jhome = env['JENKINS_HOME']
def initDir = "$jhome/init.groovy.d"
def initDirPath = Paths.get(initDir)
def groovyFile = "$initDir/cli-shutdown.groovy"


// Create directory if it doesn't already exist
if (!Files.exists(initDirPath)) {
  println "Creating Post-Initialization directory '${initDir}'..."
  // Use the Java API rather than shelling out to "mkdir -p", which
  // fails on paths containing spaces and on Windows masters
  Files.createDirectories(initDirPath)
}


// This is the code that removes the CLI protocol
def codestr="""
/*
The MIT License
Copyright (c) 2015, Kohsuke Kawaguchi
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
import jenkins.*
import jenkins.model.*
import hudson.model.*
import java.util.logging.Logger

Logger logger = Logger.getLogger("cli-shutdown.groovy")
logger.info("Disabling the Jenkins CLI...")

// disable CLI access over TCP listener (separate port)
def p = AgentProtocol.all()
p.each { x ->
    if (x.name?.contains("CLI")) {
        logger.info("Removing protocol \${x.name}")
        p.remove(x)
    }
}

// disable CLI access over /cli URL
def removal = { lst ->
    lst.each { x ->
        if (x.getClass().name.contains("CLIAction")) {
            logger.info("Removing extension \${x.getClass().name}")
            lst.remove(x)
        }
    }
}
def j = Jenkins.instance
removal(j.getExtensionList(RootAction.class))
removal(j.actions)
logger.info("CLI disabled")
"""


try {
  // Persist in an initialization file so that CLI protocols
  // get removed upon Jenkins master restarting
  println "Creating Post-Initialization script '${groovyFile}'..."
  File file = new File(groovyFile)
  file.text = codestr
} catch (all) {
  println "Unable to create '$groovyFile'. " +
          "If master restarts, must apply this script again"
}


// Execute the same logic in place
GroovyShell shell = new GroovyShell(binding);
shell.evaluate(codestr);

Then click Save.

Finally execute the cluster operation by clicking Run.

This should then run the script on all of the masters.
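
To confirm the result on each master, a verification script can be run as a second Execute Groovy Script on Master step or from a master's Script Console. The following is an added example, not part of the original CloudBees script; it assumes the init script was written under the Jenkins root directory (Jenkins.instance.rootDir), which is normally the same location as JENKINS_HOME.

```groovy
// Added verification example (not CloudBees' own code).
// Checks the three things the script above is meant to achieve.
import jenkins.AgentProtocol
import jenkins.model.Jenkins
import hudson.model.RootAction

def j = Jenkins.instance
def findings = []

// 1. No agent protocol whose name mentions CLI should remain registered
//    (this is the CLI access over the separate TCP listener).
AgentProtocol.all().each { proto ->
    if (proto.name?.contains("CLI")) {
        findings << "agent protocol still registered: ${proto.name}"
    }
}

// 2. No CLIAction should remain, either in the RootAction extension list
//    or in the root actions (this is the CLI access over the /cli URL).
def checkActions = { label, list ->
    list.each { a ->
        if (a.getClass().name.contains("CLIAction")) {
            findings << "${label} still contains ${a.getClass().name}"
        }
    }
}
checkActions("RootAction extension list", j.getExtensionList(RootAction.class))
checkActions("Jenkins.actions", j.actions)

// 3. The init script must exist where Jenkins loads init.groovy.d from,
//    otherwise the CLI comes back after the master restarts.
//    Assumption: rootDir is the JENKINS_HOME the script above wrote to.
def initScript = new File(j.rootDir, "init.groovy.d/cli-shutdown.groovy")
if (!initScript.isFile()) {
    findings << "missing ${initScript} (CLI returns after a restart)"
}

// Report every finding, then throw so the problem is visible in the output.
if (findings) {
    findings.each { println "FAIL: ${it}" }
    throw new IllegalStateException("Jenkins CLI is not fully disabled on this master")
}
println "OK: CLI protocols and CLIAction removed; ${initScript} is in place"
```

Running the same check again after a master restart confirms that the init.groovy.d script took effect.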

If you would like to run this on the CJOC instance as well, then please follow the guide Disable Jenkins CLI.
