Following up from my earlier blog post, I was able to get a Dockerized ZAP-CLI up and running in a Jenkins instance!
I’ll break this down into five main parts, as follows:
- Installing Jenkins
- Installing Docker
- Configuring and running ZAP-CLI within Jenkins
- Configuring Docker further
- Running the build
Installing Jenkins
I followed the directions from this page: https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+Red+Hat+distributions
Before I could use wget to grab the Jenkins install script, I had to get wget itself, like so:
$ sudo dnf install wget
Next, it was just a matter of:
$ sudo wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat-stable/jenkins.repo
Then:
$ sudo rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
$ sudo dnf install jenkins
And now, even though Jenkins is installed, I also needed to install Java, which I did:
$ sudo dnf install java
And, finally:
$ sudo service jenkins start
$ sudo chkconfig jenkins on
Installing Docker
From the official instructions on Docker’s Installation on Fedora page, I chose the “Install with the script” option.
$ sudo dnf update
$ curl -fsSL https://get.docker.com/ | sh
$ sudo systemctl start docker
$ sudo docker run hello-world
$ sudo groupadd docker
$ sudo usermod -aG docker jenkins
The following command enables Docker on system startup:
$ sudo systemctl enable docker
Separately, now, both Jenkins and Docker (in that order) should be set up and ready. However, a few more installations of binaries and plugins are needed to make the two work together.
Configuring and running ZAP-CLI within Jenkins
To configure Jenkins to pull and run the docker-zap shell script, let’s do the following.
- Load our Jenkins URL (with default :8080 port)
- Click on New Item
- In the “Item name” field, I’ll choose “docker-zap-cli” and choose “Freestyle project”
- Oops! We know that we’ll be using a GitHub (and thus, Git) project, so we’ll need a Git/GitHub binary/executable, as well as its Jenkins plugins
- OK, so from the command-line, let’s do (from How to Install and Configure Git on Fedora 23)
$ dnf -y install git
- Type
which git
to confirm where it was installed. That should be:
/usr/bin/git
- Now, let’s go to “Manage Jenkins”
- Click on “Manage Plugins”
- Click on the “Available” tab
- In the top-right’s “Filter” textfield, let’s type “git” and see what it offers us
- We need: Git client plugin, Git plugin, GitHub API Plugin, and the GitHub Authentication Plugin
- Let’s choose those, and then choose “Download now and install after restart,” just to be safe
- (There will be a full list of other dependencies which will also be installed, and that’s expected.)
- Let’s make sure our Git binary installation works. Under the /configure URL, in “Git” let’s provide the “Path to Git executable” which, as we’ve seen above, should be
/usr/bin/git
- Now, let’s go back to our “docker-zap-cli” job in Jenkins, and choose “Configure”
- Under Source Code Management, now, we should see a “Git” option. Click on that and enter https://github.com/stephendonner/docker-zap.git
- Scroll down to the “Build” option, choose “Add build step” and pick “Execute shell”
- In the “Command” textfield, let’s put
./run-docker.sh
- Click “Save”
- Now, let’s click “Build Now”
- If you see any “permission denied” errors, particularly with
/bin/docker
and can confirm with the SELinux audit log, then try the following:
Disabling SELinux support
I should note that, once I identified the SELinux-related issues with Docker in Fedora, I didn’t spend much time trying to fully understand how to make them work. I do plan on returning to this in future work, as disabling SELinux is *NOT* recommended. There’s an official FAQ here: https://fedoraproject.org/wiki/SELinux_FAQ. (In fact, the Docker daemon docs reference the --selinux-enabled option.) However, to go about disabling SELinux on a test system, per Red Hat’s docs, we need to change
SELINUX=enforcing
to read
SELINUX=disabled
in
/etc/selinux/config
So do:
$ sudo vi /etc/selinux/config
and make the edit.
We need a logout/restart, here, so let’s do:
$ systemctl stop jenkins.service
$ systemctl stop docker.service
$ shutdown -r now
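Before reaching for /etc/selinux/config at all, the step above of confirming the “permission denied” in the SELinux audit log is worth doing properly, because each AVC record names the source domain, the target label and the exact permission that was refused. The snippet below is an added example, not code from the original post or from the docker-zap repository: the audit records in it are constructed, and the jenkins_t / docker_t labels are assumed for illustration. On a real Fedora host the same function can be fed from ausearch, as the comment shows.

```shell
#!/bin/sh
# Added example (not from the post): summarise SELinux AVC denials for one
# source domain. The records below are CONSTRUCTED for illustration; on a real
# host run:  sudo ausearch -m avc -ts recent | avc_denials_for jenkins_t
SAMPLE_AUDIT='type=AVC msg=audit(1467145234.101:501): avc:  denied  { execute } for  pid=4242 comm="sh" name="docker" dev="sda1" ino=1234 scontext=system_u:system_r:jenkins_t:s0 tcontext=system_u:object_r:docker_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1467145234.101:501): arch=c000003e syscall=59 success=no exit=-13 comm="sh" exe="/usr/bin/bash"
type=AVC msg=audit(1467145240.777:502): avc:  denied  { connectto } for  pid=4243 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:jenkins_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1467145250.001:503): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Read audit records on stdin; print "comm permission scontext tcontext tclass"
# for every AVC *denial* whose source context contains the domain given in $1.
# Granted AVCs and non-AVC records (SYSCALL, PATH, ...) are dropped.
avc_denials_for() {
  grep 'avc:  denied' \
    | grep "scontext=[^ ]*$1" \
    | sed -E 's/.*[{] ([^}]*) [}].*comm="([^"]*)".*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/\2 \1 \3 \4 \5/'
}

# Number of denials for a domain; always exits 0 so it is safe under set -e.
count_avc_denials_for() {
  avc_denials_for "$1" | grep -c . || true
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for jenkins_t
```

Each summary line is exactly the information a targeted policy fix needs (which domain, which label, which permission), so a handful of these lines is usually enough to decide whether the denial is a mislabelled file or a missing rule, rather than switching the whole system to disabled.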
Configuring Docker further
Now, because we’re using a Fedora version which has systemd, we want to configure Docker using systemd.
We want to put in the following:
$ sudo mkdir /etc/systemd/system/docker.service.d
$ sudo vi /etc/systemd/system/docker.service.d/docker.conf
[Service]
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
ExecStart=
ExecStart=/usr/bin/dockerd -D -H tcp://127.0.0.1:2375 \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY
(The directives must sit under a [Service] header, since systemd rejects assignments outside a section; the empty ExecStart= clears the packaged unit’s command before ours replaces it, and the trailing backslashes continue that one ExecStart line, so the $… variables belong after it, not before.)
Now we also want to make Docker available via that TCP port we specified, 2375:
$ sudo vi /etc/systemd/system/docker-tcp.socket
Put in the following:
[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=2375
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target
Now, let’s enable and start Docker’s binding to TCP:2375:
$ systemctl stop docker.service
$ systemctl enable docker-tcp.socket
$ systemctl start docker-tcp.socket
$ systemctl start docker.service
(Here’s also a nice article for more in-depth info on the above.)
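One caveat on the socket unit above, as an added example that is not part of the original post. ListenStream=2375 carries no address, and systemd binds a bare port on every interface (BindIPv6Only=both makes that IPv4 and IPv6), whereas the ExecStart line only asked dockerd for tcp://127.0.0.1:2375. The Docker remote API has no authentication unless TLS is configured, so a listener reachable from the network hands full control of the daemon, and through it the host, to anyone who can connect. The shell snippet below assumes nothing beyond POSIX sed and grep; it scans a unit for such listeners, and its constructed LOOPBACK_UNIT shows the ListenStream=127.0.0.1:2375 form that keeps the socket on loopback.

```shell
#!/bin/sh
# Added example (not from the post): flag systemd socket units whose
# ListenStream= has no bind address, since systemd then listens on every
# interface. Both unit texts below are CONSTRUCTED for this check.

# The unit as written in the post: a bare port, reachable from any host.
EXPOSED_UNIT='[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=2375
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target'

# The same unit restricted to loopback, matching the -H tcp://127.0.0.1:2375
# that the ExecStart drop-in gives dockerd.
LOOPBACK_UNIT='[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=127.0.0.1:2375
Service=docker.service
[Install]
WantedBy=sockets.target'

# Read a unit file on stdin and print every ListenStream= value that is a
# bare port or a wildcard address (0.0.0.0:PORT or [::]:PORT).
# Exit status: 0 when nothing is exposed, 1 when at least one listener is.
find_exposed_listeners() {
  exposed=$(sed -n 's/^[[:space:]]*ListenStream=//p' \
    | grep -E '^([0-9]+|0\.0\.0\.0:[0-9]+|\[::\]:[0-9]+)$' || true)
  if [ -z "$exposed" ]; then
    return 0
  fi
  printf '%s\n' "$exposed"
  return 1
}

# Same check for a unit passed as a string instead of a file.
check_unit_text() {
  printf '%s\n' "$1" | find_exposed_listeners
}

# Report on both constructed units when run directly.
for unit in "$EXPOSED_UNIT" "$LOOPBACK_UNIT"; do
  if check_unit_text "$unit" >/dev/null; then
    echo "ok: every ListenStream= carries an explicit bind address"
  else
    echo "warning: ListenStream= without an address exposes the Docker API on all interfaces"
  fi
done
```

To check the unit actually installed on the host, pipe it in directly: `find_exposed_listeners < /etc/systemd/system/docker-tcp.socket`. A non-zero exit plus the printed port is the signal to add the loopback address (or to put TLS client authentication in front of the daemon) before the socket is enabled.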
Running the build
Now that we’ve installed and configured Jenkins, Docker, and Git and other necessary plugins, it’s time to build!
- In Jenkins, in the docker-zap-cli job view, click on “Build” on the left
- If all goes well, you should see something very close to the following:
GitHub-repo pulling...
20:47:20 [INFO] Accessing URL https://www.allizom.org/en-US/firefox/
20:47:34 [INFO] Running spider...
20:49:15 [INFO] Running an active scan...
6310 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 127.0.0.1:2375
43023 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on SpiderApi-0 at Tue Jun 28 20:47:34 UTC 2016
43028 [Thread-9] INFO org.zaproxy.zap.spider.Spider - Spider initializing...
43055 [Thread-9] INFO org.zaproxy.zap.spider.Spider - Starting spider...
105166 [pool-1-thread-2] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
105174 [Thread-10] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
20:49:35 155113 [Thread-12] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host https://www.allizom.org in 11.491s
20:49:35 155115 [Thread-11] INFO org.parosproxy.paros.core.scanner.Scanner - scanner completed in 11.532s
20:49:35 c7017c8e9ca40054acf9e1a88dc36c14d1866419da6ca974efd61298b423c43f
20:49:35 Finished: SUCCESS
Here's a Pastebin entry with the full output.
In fact, the output should very nearly match that in https://blog.mozilla.org/webqa/2016/05/11/docker-owasp-zap-part-one/, since Docker is just executing the commands we've already set up.
I plan on continuing to work further in my GitHub repository, so keep an eye on and/or add to Issues/Pull Requests!
I'd absolutely love more help and feedback on how to make this more useful; thanks!