The Jenkins 2.332.2 (T307339) Debian package ships a systemd unit; we should probably use that one instead of the homemade one in Puppet. If I remember properly, I pointed upstream to our unit and they incorporated it after that.
There are changes to /etc/default/jenkins we will have to take into account as well.
Upon upgrading the Jenkins package:
Setting up jenkins (2.346.1) ...
migrate: /etc/default/jenkins does not exist
Processing triggers for systemd (241-7~deb10u8) ...
And on the spare server (which has the unit masked) we also have:
Failed to preset unit: Unit file /etc/systemd/system/jenkins.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on jenkins.service: No such file or directory
Then we have to run Puppet to update /lib/systemd/system/jenkins.service and restart the jenkins service so that our settings apply again.
Upstream systemd logic is at https://github.com/jenkinsci/packaging/tree/master/systemd
Diff:
--- /lib/systemd/system/jenkins.service 2022-06-22 11:38:27.000000000 +0000 +++ /tmp/puppet-file20220623-14844-c5o56m 2022-06-23 14:01:08.356569533 +0000 
@@ -1,156 +1,26 @@ -# -# This file is managed by systemd(1). Do NOT edit this file manually! -# To override these settings, run: -# -# systemctl edit jenkins -# -# For more information about drop-in files, see: -# -# https://www.freedesktop.org/software/systemd/man/systemd.unit.html -# - [Unit] Description=Jenkins Continuous Integration Server -Requires=network.target After=network.target [Service] -Type=notify -NotifyAccess=main -ExecStart=/usr/bin/jenkins -Restart=on-failure -SuccessExitStatus=143 - -# Configures the time to wait for start-up. If Jenkins does not signal start-up -# completion within the configured time, the service will be considered failed -# and will be shut down again. Takes a unit-less value in seconds, or a time span -# value such as "5min 20s". Pass "infinity" to disable the timeout logic. -#TimeoutStartSec=90 - -# Unix account that runs the Jenkins daemon -# Be careful when you change this, as you need to update the permissions of -# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins) -# $JENKINS_WEBROOT. 
+Type=simple User=jenkins Group=jenkins +SyslogIdentifier=jenkins +UMask=0002 +LimitNOFILE=8192 + +Environment=JENKINS_HOME=/var/lib/jenkins +ExecStart=/usr/lib/jvm/java-11-openjdk-amd64/bin/java -Djava.awt.headless=true -Dhudson.plugins.git.GitSCM.verbose=true -Dhudson.model.ParametersAction.keepUndefinedParameters=true -Djava.util.logging.config.file=/etc/jenkins/logging.properties -Dhudson.udp=-1 -Dhudson.DNSMultiCast.disabled=true -Djenkins.model.Jenkins.buildsDir=$${ITEM_ROOTDIR}/builds -Djenkins.model.Jenkins.workspacesDir=$${ITEM_ROOTDIR}/workspace "-Dhudson.model.DirectoryBrowserSupport.CSP=sandbox; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; media-src 'self'" \ + -jar /usr/share/java/jenkins.war \ + --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log \ + --webroot=/var/cache/jenkins/war \ + --pluginroot=/var/cache/jenkins/plugins \ + --httpPort=8080 \ + --prefix=/ -# Directory where Jenkins stores its configuration and workspaces -Environment="JENKINS_HOME=/var/lib/jenkins" -WorkingDirectory=/var/lib/jenkins - -# Location of the Jenkins WAR -#Environment="JENKINS_WAR=/usr/share/java/jenkins.war" - -# Location of the exploded WAR -Environment="JENKINS_WEBROOT=%C/jenkins/war" - -# Location of the Jenkins log. By default, systemd-journald(8) is used. -#Environment="JENKINS_LOG=%L/jenkins/jenkins.log" - -# The Java home directory. When left empty, JENKINS_JAVA_CMD and PATH are consulted. -#Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64" - -# The Java executable. When left empty, JAVA_HOME and PATH are consulted. -#Environment="JENKINS_JAVA_CMD=/etc/alternatives/java" - -# Arguments for the Jenkins JVM -Environment="JAVA_OPTS=-Djava.awt.headless=true" - -# IP address to listen on for HTTP requests. -# The default is to listen on all interfaces (0.0.0.0). 
-#Environment="JENKINS_LISTEN_ADDRESS=" - -# Port to listen on for HTTP requests. Set to -1 to disable. -# To be able to listen on privileged ports (port numbers less than 1024), -# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities -# directive below. -Environment="JENKINS_PORT=8080" - -# IP address to listen on for HTTPS requests. Default is disabled. -#Environment="JENKINS_HTTPS_LISTEN_ADDRESS=" - -# Port to listen on for HTTPS requests. Default is disabled. -# To be able to listen on privileged ports (port numbers less than 1024), -# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities -# directive below. -#Environment="JENKINS_HTTPS_PORT=443" - -# Path to the keystore in JKS format (as created by the JDK's keytool). -# Default is disabled. -#Environment="JENKINS_HTTPS_KEYSTORE=/path/to/keystore.jks" - -# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE. -# Default is disabled. -#Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=s3cR3tPa55w0rD" - -# IP address to listen on for HTTP2 requests. Default is disabled. -# -# Note: HTTP2 support may require additional configuration. -# See the Winstone documentation for more information. -#Environment="JENKINS_HTTP2_LISTEN_ADDRESS=" - -# HTTP2 port to listen on. Default is disabled. -# To be able to listen on privileged ports (port numbers less than 1024), -# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities -# directive below. -# -# Note: HTTP2 support may require additional configuration. -# See the Winstone documentation for more information. -#Environment="JENKINS_HTTP2_PORT=" - -# Controls which capabilities to include in the ambient capability set for the -# executed process. Takes a whitespace-separated list of capability names, e.g. -# CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Ambient capability sets are -# useful if you want to execute a process as a non-privileged user but still -# want to give it some capabilities. 
For example, add the CAP_NET_BIND_SERVICE -# capability to be able to listen on privileged ports (port numbers less than -# 1024). -#AmbientCapabilities=CAP_NET_BIND_SERVICE - -# Debug level for logs. The higher the value, the more verbose. 5 is INFO. -#Environment="JENKINS_DEBUG_LEVEL=5" - -# Set to true to enable logging to /var/log/jenkins/access_log. -#Environment="JENKINS_ENABLE_ACCESS_LOG=false" - -# Folder for additional JAR files to add to the Jetty class loader. Default -# is disabled. See the Winstone documentation for more information. -#Environment="JENKINS_EXTRA_LIB_FOLDER=" - -# Servlet context (important if you want to use reverse proxying) -#Environment="JENKINS_PREFIX=/jenkins" - -# Arbitrary additional arguments to pass to Jenkins. -# Full option list: java -jar jenkins.war --help -#Environment="JENKINS_OPTS=" - -# Maximum core file size. If unset, the value from the OS is inherited. -#LimitCORE=infinity - -# Maximum file size. If unset, the value from the OS is inherited. -#LimitFSIZE=infinity - -# File descriptor limit. If unset, the value from the OS is inherited. -#LimitNOFILE=8192 - -# Maximum number of processes. If unset, the value from the OS is inherited. -#LimitNPROC=32768 - -# Set the umask to control the permission bits of files that Jenkins creates. -# -# 0027 makes files read-only for group and inaccessible for others, which some -# security sensitive users might consider beneficial, especially if Jenkins -# is running on a server that is used for multiple purposes. Beware that 0027 -# permissions would interfere with sudo scripts that run on the controller -# (see JENKINS-25065). -# -# Note also that the particularly sensitive parts of $JENKINS_HOME (such as -# credentials) are always written without 'other' access. So the umask values -# only affect job configuration, build records, etc. -# -# If unset, the value from the OS is inherited, which is normally 0022. -# The default umask comes from pam_umask(8) and /etc/login.defs. 
-#UMask=0022 +# We send SIGTERM(15), java exit code is 143 = 128 + 15 +SuccessExitStatus=143 [Install] WantedBy=multi-user.target
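Review bot: In the [Service] section the Puppet-managed side replaces Type=notify and NotifyAccess=main with Type=simple and drops Restart=on-failure, Requires=network.target and WorkingDirectory=/var/lib/jenkins, so systemd would consider Jenkins started as soon as the java process is spawned and would no longer restart it after a failure. The packaged unit's own header points to drop-in files (systemctl edit jenkins), so consider keeping the packaged unit and carrying only the local settings in a drop-in: the JVM -D options through JAVA_OPTS, the access-log arguments through JENKINS_OPTS, plus SyslogIdentifier, UMask=0002 and LimitNOFILE=8192. That would also end the cycle in which the package upgrade and Puppet overwrite the same /lib/systemd/system/jenkins.service. UMask=0002 is looser than the 0022 the packaged comments describe as the usual inherited value, and -Dhudson.model.ParametersAction.keepUndefinedParameters=true and the 'unsafe-inline' entry in the DirectoryBrowserSupport.CSP value carry no explanation, so a comment stating why each is needed would help whoever maintains this next.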