QOTW: Turn off execution on your Jenkins masters

Welcome to our first question of the week (QOTW) post. I talked at DevOps Exchange in Bournemouth (#DOXMOUTH) and had many excellent questions, but I wanted to share this particular one because it potentially impacts the security of your Jenkins masters. For our customers, we already disable execution on the master, so you don't need to do anything…

For security reasons, we recommend turning off execution on a Jenkins master. We often get asked how this impacts shared libraries. Here is the answer:

Shared libraries will still work, because they do not use this feature. However, please note that it will be impossible to execute a script on the master from a shared library. For security, this is great!

We see issues when a user creates a shared library that does not account for the delegation of work to the agent. For example:

A for loop in a shared library will execute on the master, and it's non-serialisable:

  • The contents of the for loop will execute on the agent and are serialisable (i.e. non-CPS).
  • The master is controlling the sequence of execution.
  • The master provides access to some Jenkins core classes.
  • It is impossible to execute a bash or Python script (or any script, for that matter) on the master in a shared library.
  • Groovy shared library features can increase utilisation on the master; in some cases it's better to use other approaches to achieve similar objectives.
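
A shared-library step written with that delegation in mind might look like the sketch below. This is an added example, not code from our libraries: the step name runTargets, the agent label linux, the make targets and the use of checkout scm (a job whose Jenkinsfile comes from SCM) are all assumptions.

```groovy
// vars/runTargets.groovy: hypothetical shared-library step (added example).
// Jenkinsfile usage: runTargets(agentLabel: 'linux', targets: ['lint', 'test'])

def call(Map args = [:]) {
    // 'linux' is an assumed label; use one that matches your own agents.
    String agentLabel = args.agentLabel ?: 'linux'
    List targets = args.targets ?: []

    if (!targets) {
        error 'runTargets: no targets supplied'
    }

    // Validation is plain pipeline logic, so it is sequenced by the master.
    // Keep it cheap: accept simple names only, before anything reaches a shell.
    for (int i = 0; i < targets.size(); i++) {
        if (!(targets[i] ==~ /[A-Za-z0-9_.-]+/)) {
            error "runTargets: invalid target name at index ${i}"
        }
    }

    // node() requests an executor on an agent carrying this label.
    // Everything that touches a workspace or starts a process goes inside it.
    node(agentLabel) {
        checkout scm   // assumes the job is a Pipeline-from-SCM / multibranch job

        // The master still drives the loop; each sh step runs on the agent.
        for (int i = 0; i < targets.size(); i++) {
            String target = targets[i].toString()

            // Hand the value over as an environment variable and single-quote
            // the script, so Groovy never interpolates it into the command line.
            withEnv(["TARGET=${target}"]) {
                sh 'make "$TARGET"'
            }
        }
    }
}
```

Assuming execution on the master is turned off by giving it zero executors, a label that only matches the master would leave the build waiting in the queue, so the step takes an agent label from the caller.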

Have any questions? Please get in touch and we'll answer them in our question of the week (QOTW).