Jenkins with Docker Compose and Configuration as Code

Project Overview

This repository demonstrates how to create a Jenkins server using Docker Compose and Jenkins Configuration as Code (JCasC). The setup includes plugins, and supports both ARM and AMD architectures.

Features

Jenkins running in Docker - Containerized Jenkins server with persistent storage
Configuration as Code (JCasC) - Automated setup with declarative configuration
Pre-installed plugins:
- Blue Ocean
- Docker Pipeline
- Configuration as Code
- Docker Plugin
- Workflow Aggregator
- Matrix Authorization Strategy
Multi-architecture support - ARM64 and AMD64 platforms
Pre-configured users - Admin and devops users with role-based permissions
Secrets-based password management - Secure password handling via Docker Compose secrets
Automated setup script - Streamlined setup with setup-jenkins.sh
Docker-in-Docker support - Build Docker images from Jenkins pipelines

Prerequisites

Docker Engine 20.10 or later
Docker Compose 2.0 or later
Docker Buildx (included with Docker Desktop) - For multi-arch builds

Core Components

Jenkins - Latest LTS with JDK 21
Docker Compose - Container orchestration
Jenkins Configuration as Code (JCasC) - Declarative configuration management
Docker Cloud - Dynamic agent provisioning
Docker-in-Docker - Docker socket mounting for pipeline builds

Getting Started

Automated Setup (Recommended)

Use the setup-jenkins.sh script for automated setup:

./setup-jenkins.sh

The script will:

Prompt for Jenkins URL and admin email
Generate secure passwords automatically
Create the .env file
Optionally build the image
Start Jenkins with Docker Compose

Manual Setup

Step 1: Create Secrets

Create the secrets directory and generate secure passwords:

mkdir -p secrets
chmod 700 secrets
openssl rand -base64 32 > secrets/jenkins_admin_password
openssl rand -base64 32 > secrets/jenkins_devops_password
chmod 600 secrets/jenkins_admin_password secrets/jenkins_devops_password

Step 2: Create .env File

Recommended: Use setup-jenkins.sh which automatically detects the Docker socket path.

Alternatively, create a .env file manually:

JENKINS_URL=http://localhost:8080/
JENKINS_ADMIN_EMAIL=admin@example.com
DOCKER_SOCK_PATH=/var/run/docker.sock

Note: The Docker socket path is automatically detected from your active Docker context. For VM-based Docker (Colima/Lima), the setup script handles this automatically.

Step 3: Build and Start

For single architecture (your current platform):

docker compose up -d --build

For multi-architecture support (ARM64 and AMD64):

./build-multiarch.sh
docker compose up -d

Quick Start Commands

Action	Command
Start Jenkins	`docker compose up -d`
View logs	`docker compose logs -f jenkins`
Stop Jenkins	`docker compose down`
Restart Jenkins	`docker compose restart jenkins`
Remove volumes (⚠️ deletes data)	`docker compose down -v`

Configuration

Jenkins Configuration as Code

The Jenkins configuration is defined in jenkins.yaml. This file includes:

Security Realm: Local user authentication with admin and devops users
Authorization: Role-based access control with fine-grained permissions
Docker Cloud: Configured for dynamic agent provisioning via Docker socket
System Settings: Admin email, URL, and other system configurations (loaded from environment variables)

For detailed explanation: See JENKINS_CONFIG.md

Docker Compose Configuration

The docker-compose.yaml file orchestrates the Jenkins container and includes:

Service Configuration: Jenkins service with build, ports, volumes, and health checks
Secrets Management: Docker Compose secrets for password handling
Volume Mounts: Persistent storage and configuration file mounting
Docker Socket: Mounted for Docker-in-Docker support
Networking: Custom network for service isolation

For detailed explanation: See DOCKER_COMPOSE_CONFIG.md

Environment Variables

Variable	Source	Purpose
`JENKINS_ADMIN_PASSWORD`	Docker Compose secret	Admin user password (loaded from `secrets/jenkins_admin_password`)
`JENKINS_DEVOPS_PASSWORD`	Docker Compose secret	DevOps user password (loaded from `secrets/jenkins_devops_password`)
`JENKINS_URL`	`.env` file	Public URL of Jenkins instance (required, e.g., `http://localhost:8080/`)
`JENKINS_ADMIN_EMAIL`	`.env` file	Admin email address (required, e.g., `admin@example.com`)
`DOCKER_SOCK_PATH`	`.env` file	Docker socket path on host (automatically detected by `setup-jenkins.sh`)

Customizing Configuration

Edit jenkins.yaml to customize:

User accounts and permissions
Jenkins system settings
Docker cloud configuration
Global libraries
Tool installations

Important: Passwords are managed through Docker Compose secrets stored in the secrets/ directory. To change passwords, regenerate the secret files and restart Jenkins:

openssl rand -base64 32 > secrets/jenkins_admin_password
openssl rand -base64 32 > secrets/jenkins_devops_password
docker compose restart jenkins

Architecture

Docker Cloud

Docker Cloud is a Jenkins feature that allows Jenkins to dynamically provision Docker containers as build agents on demand, rather than using static build agents.

What it does

Instead of maintaining permanent build agents, Jenkins can:

Spin up Docker containers as build agents when jobs need them
Run builds in isolated containers with clean environments
Automatically tear down containers when builds complete (after idle timeout)
Scale agents dynamically based on workload

Configuration

The Docker Cloud is configured in jenkins.yaml with the following settings:

Instance Cap: Up to 10 containers can run simultaneously
Agent Image: Uses jenkins/inbound-agent:lts-jdk21 for build agents
Label: Jobs can request agents with the docker label
Idle Timeout: Agents are removed after 5 minutes of inactivity
Docker Socket: Connects to host Docker daemon via dynamically detected socket path

Example Pipeline Usage

pipeline {
    agent {
        label 'docker'
    }
    stages {
        stage('Build') {
            steps {
                sh 'echo "Building in Docker agent"'
            }
        }
    }
}

Docker-in-Docker

This setup includes Docker-in-Docker support, allowing Jenkins pipelines to build Docker images. The Docker socket is mounted from the host, enabling Jenkins to use the host's Docker daemon.

Note: The Jenkins container runs as the jenkins user (non-root) with docker group membership for secure Docker socket access. For production environments, consider using Docker-in-Docker containers or a separate Docker daemon.

Volumes

jenkins_home: Persistent storage for Jenkins data, configurations, and build history
jenkins.yaml: Mounted as read-only configuration file for JCasC
Docker Socket: Mounted from host for Docker-in-Docker support

Ports

8080: Jenkins web interface
50000: Jenkins agent communication port

Networks

Jenkins runs on a custom Docker network (jenkins-network) for service isolation. This allows for future expansion with additional services (databases, reverse proxies, etc.) that can communicate using service names as hostnames.

Documentation

Core Documentation

README

Project overview, features, quick start guide, and usage instructions

Jenkins Configuration

Detailed explanation of JCasC configuration file and all settings

Docker Compose Configuration

Complete guide to Docker Compose setup, volumes, networks, and secrets

PRD Requirements

Product requirements document with setup instructions and file structure

Testing Documentation

Test Documentation

Comprehensive unit tests for Jenkins configuration, authentication, and permissions

Additional Resources

Changelog

All notable changes to the project, organized by version

License

MIT License - Full license text

Accessing Jenkins

Web Interface

URL: http://localhost:8080

After starting Jenkins with Docker Compose, access the web interface at the configured URL (default: http://localhost:8080).

Default Credentials

Two pre-configured users are available:

Admin User

Username: admin
Password: Stored in secrets/jenkins_admin_password
Permissions: Full administrative access (Overall/Administer)

DevOps User

Username: devops
Password: Stored in secrets/jenkins_devops_password
Permissions: Extensive job, agent, and credential management (but not Overall/Administer)

To view passwords:

cat secrets/jenkins_admin_password
cat secrets/jenkins_devops_password

Blue Ocean

URL: http://localhost:8080/blue

Blue Ocean provides a modern, intuitive user interface for Jenkins pipelines. It should be accessible after installation.

Verification

Blue Ocean should be accessible at: http://localhost:8080/blue
Docker Pipeline plugin should be available in pipeline configurations
Configuration as Code plugin should show the applied configuration
Docker Cloud should be configured in: Manage Jenkins → Nodes and Clouds → Clouds

Security Considerations

Key Security Features

Secrets Management: Passwords managed via Docker Compose secrets stored in the secrets/ directory (git-ignored). Never commit plain-text passwords to version control.
Non-Root User: Jenkins container runs as the jenkins user (non-root) with docker group membership for secure Docker socket access.
Docker Socket Security: Docker socket is mounted with appropriate permissions. The container's docker group uses GID 999 (standard).
Read-Only Configuration: JCasC configuration file (jenkins.yaml) is mounted as read-only to prevent accidental modification.
Health Checks: Container health monitoring ensures Jenkins is running correctly.
Log Rotation: Log files are rotated to prevent disk space issues and maintain security.

Best Practices

Use the setup script: setup-jenkins.sh automatically generates secure passwords using openssl rand -base64 32
Rotate passwords regularly: Regenerate secret files and restart Jenkins periodically
Never commit secrets: The secrets/ directory and .env file are git-ignored
Review permissions: Regularly review user permissions in jenkins.yaml
Keep updated: Regularly update Jenkins and plugins to patch security vulnerabilities
Production considerations: For production, consider using Docker-in-Docker containers or a separate Docker daemon instead of mounting the host socket

Docker Socket Permissions

The Docker socket should be owned by root:docker with permissions srw-rw---- (typically mode 0660). Check with:

ls -l $DOCKER_SOCK_PATH

Or check your .env file for the detected path.

Contributing & Support

Troubleshooting

Common issues and solutions:

Jenkins won't start: Check logs with docker compose logs jenkins, verify Docker socket permissions, ensure ports 8080 and 50000 are not in use
Configuration not applied: Check JCasC logs in Jenkins (Manage Jenkins → System Log → Configuration as Code), verify jenkins.yaml syntax
Docker socket permission denied: Verify socket ownership and permissions, check Docker group GID matches (999)
Multi-arch build issues: Ensure Docker Buildx is installed, create a new builder with docker buildx create --name multiarch --use

For detailed troubleshooting information, see the Troubleshooting section in the README.

Tests

This repository includes comprehensive unit tests for the Jenkins configuration, covering:

User authentication (admin and regular users)
Admin permissions (Overall/Administer)
User permissions (Job/Read, Job/Build, Job/Cancel, Job/Workspace, View/Read)
Container health checks

For detailed information about running and maintaining the tests, see TEST_README.md.

Repository

GitHub Repository: docker-compose-and-jenkins-casc

License

This project is licensed under the MIT License.

See the LICENSE file for details.