jenkins Cookbook

Cookbook Version (opens in a new tab) CI State (opens in a new tab) OpenCollective OpenCollective License (opens in a new tab)

Installs and configures Jenkins CI master & node slaves. Resource providers to support automation via jenkins-cli, including job create/update.


This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit (opens in a new tab) or come chat with us on the Chef Community Slack in #sous-chefs (opens in a new tab).



  • Debian 9+
  • Ubuntu 18.04+
  • RHEL/CentOS 7+


  • Chef 13.0+

Java cookbook

This cookbook does not install, manage, or manipulate a JDK, as that is outside of the scope of Jenkins. The package installation method will automatically pull in a valid Java if one does not exist on Debian. RHEL jenkins packages do not depend on java as there are far too many options for a package to do the right thing. We recommend including the java cookbook on your system which allows for either openJDK or Oracle JDK installations.


In order to keep the README manageable and in sync with the attributes, this cookbook documents attributes inline. The usage instructions and default values for attributes can be found in the individual attribute files.


Documentation and examples are provided inline using YARD. The tests and fixture cookbooks in tests and tests/fixtures are intended to be a further source of examples.



The master recipe will create the required directory structure and install jenkins. There are two installation methods, controlled by the node['jenkins']['master']['install_method'] attribute:

  • package - Install Jenkins from the official packages
  • war - Download the latest version of the WAR file and configure a systemd service




If you use or plan to use authentication for your Jenkins cluster (which we highly recommend), you will need to set a special value in the run_context:


The underlying executor class (which all HWRPs use) intelligently adds authentication information to the Jenkins CLI commands if this value is set. The method used to generate and populate this key-pair is left to the user:

# Using search
master = search(:node, '').first
node.run_state[:jenkins_private_key] = master['jenkins']['private_key']
# Using encrypted data bags and chef-sugar
private_key = encrypted_data_bag_item('jenkins', 'keys')['private_key']
node.run_state[:jenkins_private_key] = private_key

The associated public key must be set on a Jenkins user. You can use the jenkins_user resource to create this pairing. Here's an example that loads a keypair and assigns it appropriately:

jenkins_keys = encrypted_data_bag_item('jenkins', 'keys')
require 'openssl'
require 'net/ssh'
key =['private_key'])
private_key = key.to_pem
public_key = "#{key.ssh_type} #{[key.to_blob].pack('m0')}"
# Create the Jenkins user with the public key
jenkins_user 'chef' do
  public_keys [public_key]
# Set the private key on the Jenkins executor
node.run_state[:jenkins_private_key] = private_key

Please note that older versions of Jenkins (< 1.555) permitted login via CLI for a user defined in Jenkins configuration with an SSH public key but not present in the actual SecurityRealm, and this is no longer permitted. If an operation requires any special permission at all, you must authenticate as a real user. This means that if you have LDAP or GitHub OAuth based authn/authz enabled the user you are using for configuration tasks must have an associated account in the external services. Please see JENKINS-22346 (opens in a new tab) for more details.

If (and only if) you have your Jenkins instance configured to use the PAM (Unix user/group database) security realm you can set the username and password the CLI uses via these two run_context values:


Jenkins 2

Jenkins 2 enables an install wizard by default. To make sure you can manipulate the jenkins instance, you need to disable the wizard. You can do this by setting an attribute:

default['jenkins']['master']['jvm_options'] = '-Djenkins.install.runSetupWizard=false'

This is done by default, but must be kept when overriding the jvm_options!


If you need to pass through a proxy to communicate between your masters and slaves, you will need to set a special node attribute:


The underlying executor class (which all HWRPs use) intelligently passes proxy information to the Jenkins CLI commands if this attribute is set. It should be set in the form HOST:PORT:

node.normal['jenkins']['executor']['proxy'] = ''


Please see the Contributing and Testing Guidelines.


This project exists thanks to all the people who contribute. (opens in a new tab)


Thank you to all our backers!


Support this project by becoming a sponsor. Your logo will show up here with a link to your website.