Automatic Jenkins udpate using Shellscripts and Jenkins

13 Oct 2020 - tsp
Last update 13 Oct 2020
Reading time 7 mins

__TL;DR__: Auto update Jenkins in Tomcat servlet container by fetching version and web application archive using shellscripts, bypassing user compartmentation between administrative and operative users using sudo and running the jobs using cron or Jenkins.

Whatā€™s this article about?

Whoever has operated Jenkins manually knows this situation - you log into your Jenkins UI and are greeted by a nice notification that upgrades are available for your version. Since youā€™re operating Jenkins as part of your Infrastructure and it is configured to work mostly automated you look at the date at which the notification was raised and see that youā€™ve already missed at least two versions containing important security fixes. To counter that you could log into your Jenkins instance once or twice a day - or automate that task too. Depending on your setup you can use the auto-update method provided by Jenkins itself but usually servlets are - for obvious reasons - not allowed to overwrite themselves.

Since Jenkins is a critical component in my own deployments (itā€™s deploying configurations, firmware files on embedded devices in my own home- and lab automation systems as well as on external systems, it builds libraries for testing and release purposes, rebuilds applications as their dependencies change and redeploys them, builds my lecture notes as well as an unfinished book from LaTeX sources and releases them online, builds this webpage as well as some other webpages and deploys them, executes some periodic system maintenance jobs, tightly interacts with monitoring to re-bootstrap systems from zero with zero manual interaction in case of catastrophic failure, etc.) I decided that I really want to keep Jenkins up to date in an automatic fashion. Note that Jenkins is usually not trusted in my system but itā€™s also a component thatā€™s included in the security relevant chain that also does signature verification on nearly every job that itā€™s executing when processing data retrieved from external systems such as GitHub.

The solution presented in this article is simple and consists of two simple shellscripts. One of them is invoked by a simple pipeline script on a periodic basis, the other is performing an update check and replaces the web application archive inside the servlet container if required. There are some drawbacks of this solution that will also be presented later on. Note that even though this sounds hackish itā€™s a solution thatā€™s similar to what most auto-update systems already do.

The shellscripts

First why use two shellscripts and why is sudo required? On the setup Iā€™m working on write access to web applications is limited to an webappsadmin user for obvious reasons. The web application archives can also be read by the tomcat servlet container user. The basic idea is to provide a script that can be launched passwordless with sudo and run with webappsadmin privileges by any other user on the system. This script will then check the current available Jenkins version, compare that to the currently installed version and if required fetch and simply deploy the new archive.

The jenkinsup script performing the actual update

The actual update script performs some simple steps:

#!/bin/sh

JENKINSVERSIONFILE=/var/db/jenkinsversion.dat
JENKINSTEMPTARGET=/tmp/jenkins_latest.war
JENKINSTARGET=/usr/local/apache-tomcat-9.0/webapps/ROOT.war

JENKINSVERSIONURI="http://mirrors.jenkins.io/war/latest/"
JENKINSDOWNLOADURI="http://mirrors.jenkins.io/war/latest/jenkins.war"

JENKINSLOGFILE=/var/log/jenkinsupdate.log
LOGVERBOSE=1

set -e

getLatestVersion() {
        fetch -o jenkinsversion.tmp "${JENKINSVERSIONURI}"
        LATESTVERSION=`cat jenkinsversion.tmp | grep 'jenkins.war</a>' | awk -F 'right">' '{ print $2; }' | awk -F ' </td>' '{ print $1; }'`
        rm jenkinsversion.tmp
}

logecho() {
        if [ "${JENKINSLOGFILE}" == "" ]; then
                echo ${1}
        else
                echo ${1} >> ${JENKINSLOGFILE}
        fi
}

# Get latest version and verify if it has changed (/var/db/jenkinsver.dat)

getLatestVersion

UPDATE=0
if [ ! -e ${JENKINSVERSIONFILE} ]; then
        UPDATE=1
else
        KNOWNVERSION=`cat ${JENKINSVERSIONFILE}`
        if [ "${KNOWNVERSION}" == "${LATESTVERSION}" ]; then
                if [ ${LOGVERBOSE} -gt 0 ]; then
                        logecho "Version ${KNOWNVERSION} already known, not updating"
                fi
        else
                UPDATE=1
        fi
fi

if [ ${UPDATE} -eq 1 ]; then
        logecho "Trying to update to ${LATESTVERSION}"

        fetch -o ${JENKINSTEMPTARGET} "${JENKINSDOWNLOADURI}"
        echo "${LATESTVERSION}" > ${JENKINSVERSIONFILE}
        logecho "Fetched successfully, Deploying"

        cp ${JENKINSTEMPTARGET} ${JENKINSTARGET}
        logecho "Done"
        logecho " "
fi

As usual the script has to be made executable and since weā€™re also running it using sudo later on it should be read only. Iā€™ve stored the script at /root/tools/jenkins/jenkinsup. In this case one requires

chmod 555 /root/tools/jenkins/jenkinsup

Running using cron

This script is already sufficient for upgrading Jenkins on a periodic basis. One could simply add that script to /etc/crontab to check daily for updates:

15	05	*	*	*	webappsadmin	/root/tools/jenkins/jenkinsup

Running using Jenkins

It might also be nice to run the update script using Jenkins itself because of different trigger methods (cron, AMQP/MQTT messages, REST requests, etc.) and the ability to execute the job only when all nodes are idle. In this case Iā€™m currently using a separate script /root/tools/jenkins/runjenkinsup thatā€™s simply executing the script using sudo:

#!/bin/sh

sudo -u webapps nohup /root/tools/jenkins/jenkinsup &

As usual the script has to be owned by the administrative user, made executable and read only.

To work correctly the tomcat user - called wwww on my deployment - will be required to passwordless perform that sudo call into the webapps context. To allow that one has to modify /usr/local/etc/sudoers which is usually done using the visudo command. Then one has to append the line

www ALL=(webappsadmin) NOPASSWD: /root/tools/jenkins/jenkinsup

This allows the www user to execute the /root/tools/jenkins/jenkinsup script without any password prompt as webappsadmin and thus introduces the required privilege escalation channel to bypass security compartmentation between the administrative and operative users.

Now one just has to configure a Jenkins Job with the required triggers. For example one could realize the same as the above shown cronjob by setting a time sheduled build with the specification

H 5 * * *

The pipeline script is really simple:

pipeline {
    agent {
        label 'master'
    }
    stages {
        stage('Execute upgrade script') {
            steps {
                sh '/root/tools/jenkins/runjenkinsup'
            }
        }
    }
}

This article is tagged:

Related articles

Accessing Jenkins RSS/ATOM feed programmatically

In case one wants to push one's Jenkins RSS feeds to some internal devices or publish them with different credentials than are needed to access the Jenkins server this is a simple scripted solution on how to do this.

When Simplicity Dies in a Container: Why Docker May Be Overkill on a Single Server

Docker is praised for its portability and reproducibility - but does it actually simplify anything for small-scale deployments? This critical article explores how containerization, often touted as a silver bullet, can introduce unnecessary complexity, obscure logs, fragment configuration, and increase operational overhead when all you're running is a handful of stable services on a single machine. From tangled networks and ephemeral volumes to questionable security defaults and brittle image updates, the article challenges the assumption that Docker is always the right tool. For sysadmins who value clarity, control, and long-term maintainability, it argues that the native power of traditional Unix tools may offer a cleaner, more transparent path - without the scaffolding.

mini-apigw: A Lightweight Gateway for Multi-Model AI Infrastructure

mini-apigw is a lightweight, locally controlled OpenAI-compatible API gateway that unifies multiple AI backends such as OpenAI, Anthropic, Ollama, vLLM, and Fooocus under one clean endpoint. It restores sanity in a world where every AI service assumes exclusive control of your GPU by adding arbitration, per-app governance, and transparent configuration through simple JSON files - no dashboards, no Kubernetes, no bloat. Designed for small labs, research environments, and hobby clusters, mini-apigw behaves like an old-school UNIX daemon: minimal, reliable, and easy to reason about. It lets you run modern LLMs and image models side by side with full control over access, security, and resources - all while keeping your infrastructure as lean and transparent as possible and using just a single API.

Why one should use version control like GIT or SVN for nearly everything

This is an opinion article on why I think one should use version control systems such as git or SVN for everything including writing tasks for thesis, books or articles as well as websites and other stuff in addition to software development.

Using Git / Git Cheatsheet

A short cheat sheet on how to use the git version control system (most basic operations)

Using ancient PHP versions from FreeBSD ports with suphp

This concise article provides a detailed guide on installing and running multiple outdated PHP versions on a FreeBSD system using suphp. It covers essential steps such as retrieving specific ports tree revisions, configuring distinct installation paths to prevent version conflicts, and setting up suphp for handling different PHP versions. Emphasizing strict security precautions, the article strongly advises against using this setup in public-facing systems and suggests its use solely for isolated, non-public applications.

Automatically Publishing Static Site Blog Articles to a Facebook Page

This article explores the development and implementation of a Python-based script that automates the publication of blog articles from a static website to a Facebook page. By integrating OpenGraph metadata extraction, lightweight database tracking, and interaction with the Facebook Graph API, the script simplifies the process of managing social media content. It ensures that new or updated articles are identified, published, or updated efficiently, while also limiting the number of posts per run to maintain audience engagement and avoid spamming. This practical solution streamlines social media workflows and is particularly suited for static site blogs looking to enhance their online presence with minimal manual effort.

How this site is built with Jekyll and Jenkins

A short summary on how this page is built using the Jekyll static website generator as well as a really simple Jenkins job that's triggered by a GitHub webhook.

Also on this blog

The Urge to Be Invisible at Work: An Autistic Perspective (ASD Level 1 / Aspergerā€™s)

In todayā€™s collaborative, fast-paced workplaces, visibility is often equated with engagementā€”but for autistic individuals with Aspergerā€™s (ASD Level 1), being constantly perceived can be overwhelming, distracting, and even harmful. This article dives into the deeply misunderstood urge not to be observed while workingā€”a core coping mechanism for managing sensory overload, social anxiety, and the exhausting daily performance of masking. We explore how modern office environments, from open plans to spontaneous meetings, often sabotage focus and well-being for autistic employeesā€”leading to burnout, underemployment, and systemic exclusion. Instead of treating these needs as quirks or inconveniences, we offer a framework for building truly inclusive spaces where neurodivergent people can work productively, healthily, and without compromise.

FDM Printed PLA in Cryogenic Environments

Can 3D-printed PLA handle extreme cryogenic conditions? In this article, I explore how FDM-printed PLA performs when exposed to liquid nitrogen at 77K (-196Ā°C). I tested two different crucible designs, with (not so) surprising resultsā€”one even allowed safe handling with bare hands! Learn about the experimental setup, design insights, and what this might mean for using PLA in unconventional cryogenic applications.

How to use Frama-C to proof correctness of AVR microcontroller code

This is a short article that shows how one can use Frama-C and the WP plugin to proof correctness or some properties of ANSI C code written for AVR microcontrollers.

Configuring ADSL PPTP connection (for example with Austrian DSL providers) on FreeBSD with mpd5

A short summary on how to configure mpd5 to authenticate against an external PPP provider for PPPoA usage (via PPTP). This is required for authentication with most Austrian (A)DSL providers when using their modems in single user mode.

Data protection policy

Dipl.-Ing. Thomas Spielauer, Wien (webcomplainsQu98equt9ewh@tspi.at)

This webpage is also available via TOR at http://rh6v563nt2dnxd5h2vhhqkudmyvjaevgiv77c62xflas52d5omtkxuid.onion/

Valid HTML 4.01 Strict Powered by FreeBSD IPv6 support