It is a good idea to keep the Jenkins workspace data in a directory structure other than the Jenkins home (typically /var/lib/jenkins). So we can set up an execution node on the local Jenkins host under a separate user account. This has the added benefit that a user who needs direct access to the workspaces, does not have to have access to the Jenkins home.
The setup consist of
- On the Linux OS
- Linux user account with a Jenkins working directory. This is the “worker” account.
- RSA key pair for the Linux account that owns Jenkins.
- In Jenkins
- A credential so Jenkins can connect to the worker account.
- A node for the local host using the new credential.
In our case, the Jenkins installation is owned by the Linux user jenkins.
Create a key pair (or re-use one you already have).
jenkins@myhost$ ssh-keygen -t rsa
Follow the prompts. The default keys are id_rsa (private key) and id_rsa.pub (public key).
Output the public key and copy it to the clip board
jenkins@myhost$ cat ~/.ssh/id_rsa.pub
Create the “worker” user (must be root):
root@myhost$ useradd jworker -m root@myhost$ sudo su - jworker jworker@myhost$
Add directories and authorized_keys file (as jworker):
jworker@myhost$ mkdir -p ~/jenkins/workspaces jworker@myhost$ mkdir .ssh jworker@myhost$ touch .ssh/authorized_keys jworker@myhost$ chmod 600 .ssh/authorized_keys
Edit the authorized_keys file and paste the public key from above in it and save it.
Test whether the jenkins user can connect as jworker:
jenkins@myhost$ ssh jworker@localhost
When prompted for whether to add the new connection to the known hosts file answer yes.
Copy the private RSA key to the clipboard.
jenkins@myhost$ cat ~/.ssh/id_rsa
Log into the Jenkins UI and navigate to Mangage Jenkins -> Manage Credentials.
On the breadcrumb menu click the down-arrow on credentials and select System.
Then click the Global credentials link.
Then click Add Credentials.
Configure the private key as SSH Username with private key. Pasted the private key previously copied into the Private Key field. Specify the passphrase unless you did not configure with one.
Click OK to save the credential.
Navigate back to the Jenkins dashboard, then navigate to Manage Jenkins -> Manage Nodes and Clouds.
Click New Node
Configure the new node like this:
Save the configuration.
On the node page click the Launch agent button.
Now try to run a job. It should execute using the jworker1 node.
To see the workspace files, log into the OS as the jworker user and list the contents of the ~/jenkins directory and the directories below.
Special thanks to Daniel Ortmann to help me work this out.