You are viewing an old version of this page (Version 37).

Jenkins Script Console

Jenkins features a nice Groovy script console which allows you to run arbitrary scripts on the Jenkins server or on slave nodes. This feature can be accessed from the "Manage Jenkins" link, typically at http://server/jenkins/script.

Security warnings

It is very important to understand all of the following points because they affect the integrity of your Jenkins installation. The Jenkins Script Console:

  • Is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do, including creating sub-processes and executing arbitrary commands on the Jenkins master and slaves. It can even read files on the host that the Jenkins master has access to (like /etc/passwd).
  • Offers no administrative controls to stop a user, once they are able to execute the Script Console, from affecting all parts of the Jenkins infrastructure. Granting a normal Jenkins user Script Console access is essentially the same as giving them Administer rights within Jenkins.
  • Can configure any Jenkins setting. It can disable security, reconfigure security, even open a backdoor on the host operating system completely outside of the Jenkins process.
  • Is so powerful because it was originally intended as a debugging interface for Jenkins developers.

Because of the power offered by the Jenkins Script Console, Jenkins and its agents should never be run as the root user (on Linux) or system administrator on any other flavor of OS. Access to the Jenkins Script Console is controlled by the RunScripts permission. To better understand the Script Console and how to interact with it, see this video presented and recorded by Sam Gleske.

Shortcut key on script console to submit

You can submit a script without using the mouse. Jenkins has a shortcut key which submits the script from the keyboard.

  • Windows / Linux : Ctrl + Enter
  • Mac : Command + Enter

Remote access

A user can execute Groovy scripts remotely by sending a POST request to the /script/ URL, or to /scriptText/ to have the response returned without the HTML wrapping.

$ curl -d "script=<your_script_here>" http://jenkins/script
$ # or
$ curl -d "script=<your_script_here>" http://jenkins/scriptText

The Jenkins CLI can also execute Groovy scripts remotely using the groovy command, or interactively via groovysh. Alternatively, curl can be used to execute Groovy scripts from a file by making use of bash command substitution. In the following example, somescript.groovy is a Groovy script in the current working directory.

$ curl --data-urlencode "script=$(<./somescript.groovy)" http://jenkins/scriptText

If security is configured in Jenkins, then curl can authenticate using the --user option.

$ curl --user 'username:password' --data-urlencode "script=$(<./somescript.groovy)" http://jenkins/scriptText

Remote access with CSRF protection enabled

There's an extra step which must be performed to configure Jenkins via the Script Console when CSRF Protection is enabled. The extra step is to get a CSRF token. The token provides an extra security measure in Jenkins to ensure the script console is not being configured from an unauthorized source. It basically comes down to a two-step process.

  1. Authenticate and get a CSRF token for submitting script console scripts.
  2. Authenticate and use the CSRF token when submitting script console scripts.

Here's an example. Get a CSRF token.

mytoken=$(curl --user 'username:password' -s http://jenkins/crumbIssuer/api/json | python -c 'import sys,json;j=json.load(sys.stdin);print(j["crumbRequestField"] + "=" + j["crumb"])')

More examples of getting a CSRF token can be found in the Remote access API wiki page.

Then use the mytoken shell variable to submit the token along with your authentication to the script console.

curl --user 'username:password' -d "$mytoken" --data-urlencode "script=$(<./somescript.groovy)" http://jenkins/scriptText

Additionally, you can curl the root of the Jenkins API to determine if CSRF protection is enabled.

curl --user 'username:password' -s 'http://jenkins/api/json?pretty=true' 2> /dev/null | python -c 'import sys,json;exec("try:\n  j=json.load(sys.stdin)\n  print(str(j[\"useCrumbs\"]).lower())\nexcept:\n  pass")'

The above command will return true or false. If CSRF protection is enabled then it will return true.
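
For the defender's side of the remote access flow above, the following added example (not part of the original wiki page) scans access logs for POSTs to the script console endpoints and records whether the same client fetched a CSRF crumb first. It assumes a reverse proxy in front of Jenkins writing combined log format; the log lines, users and addresses are constructed, and the per-node /computer/<name>/script path is an addition not shown on this page.

```python
import re

# Combined log format, as written by a reverse proxy in front of Jenkins (assumed).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# /script and /scriptText from this page, with any context path; the same
# suffixes also exist per node under /computer/<name>/.
CONSOLE = re.compile(r'(?:^|/)script(?:Text)?/?(?:\?.*)?$')
CRUMB = re.compile(r'/crumbIssuer/api/')


def script_console_events(lines):
    """Return one record per POST to a script console endpoint."""
    crumb_clients = set()   # (ip, user) pairs that fetched a CSRF crumb
    events = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue
        client = (m['ip'], m['user'])
        if CRUMB.search(m['path']):
            crumb_clients.add(client)
        elif m['method'] == 'POST' and CONSOLE.search(m['path']):
            events.append({
                'ip': m['ip'],
                'user': m['user'],
                'path': m['path'],
                # 200 means the script ran; 403 is a missing permission or crumb.
                'executed': m['status'] == '200',
                # True for the two-step crumb-then-POST flow shown above.
                'crumb_first': client in crumb_clients,
            })
    return events


# Constructed sample lines (documentation address ranges, made-up users).
SAMPLE_LOG = [
    '192.0.2.10 - alice [12/Mar/2019:10:01:02 +0000] "GET /crumbIssuer/api/json HTTP/1.1" 200 98',
    '192.0.2.10 - alice [12/Mar/2019:10:01:03 +0000] "POST /scriptText HTTP/1.1" 200 41',
    '198.51.100.7 - - [12/Mar/2019:10:05:00 +0000] "POST /jenkins/script HTTP/1.1" 403 512',
    '192.0.2.10 - alice [12/Mar/2019:10:06:00 +0000] "GET /job/build/scriptler.js HTTP/1.1" 200 77',
    '192.0.2.44 - bob [12/Mar/2019:10:09:30 +0000] "POST /computer/agent1/script HTTP/1.1" 200 903',
]

if __name__ == '__main__':
    for event in script_console_events(SAMPLE_LOG):
        print(event)
```

Every record with executed set to True is a Groovy script that ran with the privileges described under Security warnings, so each one should map to a user who is expected to hold the RunScripts permission.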

Sample Groovy scripts

Browse all Scriptler Plugin Groovy Scripts: https://github.com/jenkinsci/jenkins-scripts/tree/master/scriptler

Please share your scripts with the Scriptler Plugin

Some scripts at JBoss.org

More Scripts available at Scriptler Web 

Write Groovy scripts for Jenkins with Code completion - The gist of this is to create a Maven project within your IDE and to depend on org.jenkins-ci.main:jenkins-core (and any other plugins that you expect present). You can then write a Groovy script with code completion of Jenkins API objects and methods.

Plugins enabling Groovy usage

  • Config File Provider Plugin — Adds the ability to provide configuration files (i.e., settings.xml for maven, XML, groovy, custom files, etc.) loaded through the Jenkins UI which will be copied to the job's workspace.
  • Global Post Script Plugin — Executes a globally configured Groovy script after each build of each job managed by Jenkins.
    This is typical for cases when you need to do something based on a shared set of parameters, such as triggering downstream jobs managed by the same Jenkins or remote ones based on the parameters being passed to the parameterized jobs.

    Notice: jython script support removed since 1.1.0

  • Groovy plugin — This plugin adds the ability to directly execute Groovy code.
  • Groovy Postbuild Plugin — This plugin executes a Groovy script in the Jenkins JVM. Typically, the script checks some conditions and changes the build result accordingly, puts badges next to the build in the build history and/or displays information on the build summary page.
  • Groovy Remote Control Plugin — This plugin provides Groovy Remote Control's receiver, and allows controlling external applications from Jenkins.
  • Matrix Groovy Execution Strategy Plugin — A plugin to decide the execution order and valid combinations of matrix projects.
  • Pipeline Classpath Step Plugin — Pipeline DSL step to add a path to the Groovy classpath.
  • Scriptler Plugin — Scriptler allows you to store/edit Groovy scripts and execute them on any of the slaves/nodes... no need to copy/paste Groovy code anymore.
  • SnowGlobe Plugin — This plugin provides the ability to define Infrastructure as Code. Create, update and tear down clusters of related docker containers for builds, testing or continuous delivery.

    Snowglobe plugin for Jenkins

    This allows Jenkins jobs to control a SnowGlobe instance (see https://nirima.github.io/SnowGlobe/).

    Operations

    The operations are relatively simple:

    Clone

    snowglobe_clone createAction: true, sourceId: 'ci-template', targetId: 'new-globe-name'

    Set Variables

    snowglobe_set_variables globeId: 'my-globe', variables: 'key="value"'

    Get Variables

    data = snowglobe_get_variables  globeId: 'my-globe'

    Apply

    snowglobe_apply createAction: true, globeId: 'my-globe'

    State

    data = snowglobe_state createAction: false, globeId: 'my-globe'

    Destroy

    snowglobe_clone remove: true, globeId: 'my-globe'

    Remove: set to true to also remove the SnowGlobe after destruction.

    In all cases - createAction controls whether to add an action to the build, which will also remove the globe when the CI build is complete.
