Jenkins HTTPS keystore without displaying a password

Hi,

is there a way to set up HTTPS support in Jenkins without displaying the keystore password in the process list?

I’m running Jenkins installed via RPM on Rocky Linux 9. HTTPS support is configured in the unit file which includes:
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=mypassword"

As soon as I start Jenkins, --httpsKeyStorePassword=mypassword is displayed in the ps auxww list, which looks like an oversight :(.

You can start Jenkins with the --config option. You will need to put all Jenkins command line args into this file (Java properties format); afaik you can’t mix and have some directly and some in the config file.

httpsPort=8443
httpsKeyStore=/path/to/keystore
httpsKeyStorePassword=mypassword

java -Dfile.encoding=UTF-8 -jar jenkins.war --config=/path/to/config

Thanks @mawinter69 . I tried and improved on your suggestion.

You can mix command line arguments and config file (works at least on my end). I ended up with the following systemd unit file:

[Service]
Environment="JENKINS_PORT=-1"
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="JENKINS_HTTPS_PORT=443"
Environment="JENKINS_HTTPS_KEYSTORE=/srv/jenkins/keystore.jks"
Environment="JENKINS_OPTS=--config=/srv/jenkins/startup.properties"

This hides keystore password from the process list:

[]# ps aux |grep jenkins
jenkins    72137 14.3  9.6 9407764 1550936 ?     Ssl  18:43   3:19 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=-1 --httpsPort=443 --httpsKeyStore=/srv/jenkins/keystore.jks --config=/srv/jenkins/startup.properties

Interestingly enough, Initial Settings talks about sensitive parameters, specifically --httpsKeyStorePassword, and recommends using --paramsFromStdIn, but Jenkins’ own systemd starter doesn’t follow that.

I have created an improvement ticket for that → JENKINS-72585. Please vote!
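The two answers above amount to a small procedure: move the keystore password out of the command line into a --config properties file, lock that file down, and confirm the password no longer appears in the process list. The following shell script is an added example written for this thread, not code from Jenkins or from either poster. The directory, file name and password value are constructed placeholders; the only Jenkins-specific names it relies on are the --httpsKeyStorePassword option and the properties-file key of the same name that both posts use.

```shell
#!/bin/sh
# Added example (not from the thread): write the properties file that carries
# the keystore password, with owner-only permissions, and check a command line
# for the option that would leak it into `ps auxww`.

# write_startup_properties DIR PASSWORD
# Creates DIR/startup.properties holding the key that must not be passed on
# the command line. The subshell keeps the restrictive umask local, so the
# file is created mode 0600 without touching the caller's umask.
write_startup_properties() {
    file="$1/startup.properties"
    (
        umask 077
        printf 'httpsKeyStorePassword=%s\n' "$2" > "$file"
    )
    printf '%s\n' "$file"
}

# file_mode FILE: prints the permission string as `ls -l` shows it, e.g.
# -rw------- for a 0600 file. Uses ls rather than stat for portability.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# leaked_password_args CMDLINE
# Splits CMDLINE on whitespace, the way it appears in `ps`, prints every
# token that sets the keystore password inline, and returns 0 if any were
# found (1 otherwise). Use it on `ps -eo args` output for a live check.
leaked_password_args() {
    found=1
    for tok in $1; do
        case "$tok" in
            --httpsKeyStorePassword=*) printf '%s\n' "$tok"; found=0 ;;
        esac
    done
    return $found
}

# Constructed sample command lines modelled on the thread (not real listings).
LEAKY_CMD='/usr/bin/java -jar /usr/share/java/jenkins.war --httpsPort=443 --httpsKeyStore=/srv/jenkins/keystore.jks --httpsKeyStorePassword=mypassword'
SAFE_CMD='/usr/bin/java -jar /usr/share/java/jenkins.war --httpsPort=443 --httpsKeyStore=/srv/jenkins/keystore.jks --config=/srv/jenkins/startup.properties'

# Live check against the running service (output only; nothing asserted on it).
check_running_jenkins() {
    if leaked_password_args "$(ps -eo args | grep '[j]enkins.war')"; then
        echo "keystore password is visible in the process list"
        return 1
    fi
    echo "no inline keystore password found in the process list"
}
```

Note that moving the password into a file only helps if the file is readable solely by the account Jenkins runs as (the jenkins user for the RPM install); the example creates it 0600, and chown to that user is still needed when the script runs as root. The password also remains visible in the unit file if kept in an Environment= line, so the --config file is the only place it should live.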