Setting up a Jenkins server for CI on Pantheon

Because maybe that's your thing.

I built this for a technical guide, so even if you don't do CI, you can use this for custom cron jobs and other things that Pantheon doesn't do out of the box. This example uses a Digital Ocean Ubuntu droplet, with my pre-installed ssh key.

Make sure Java is installed

Install Jenkins

ssh root@<your ip address>

  • wget -q -O - | sudo apt-key add -
  • echo deb binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list
  • sudo apt-get update
  • sudo apt install jenkins composer php7.0-fpm zip unzip php7.0-zip php7.0-curl php-parser php-xml -y

Setup Jenkins User

As root:

  • usermod -aG sudo jenkins
  • passwd jenkins (set new password)
  • Generate/Add/SCP an ssh key for that user to /var/lib/jenkins/.ssh
  • chown -R jenkins:jenkins /var/lib/jenkins/.ssh /var/libjenkins**
  • chmod 0700 /var/lib/jenkins/.ssh /var/libjenkins**
  • chmod 0600 .ssh/authorized_keys or chmod 600 /var/lib/jenkins/.ssh/id_rsa; chmod 600 /var/lib/jenkins/.ssh/
  • In a ~/.ssh/config file, add these two lines:
     Host *
         StrictHostKeyChecking no

Test by logging in as jenkins user and verify you can sudo su

Install Terminus, etc.

As the jenkins user, from the user's home directory (probably /var/lib/jenkins/):

  • curl -O && php installer.phar install
  • add `export PATH=$PATH:/var/lib/jenkins/vendor/bin` to a ~/.profile file you create and restart the terminal session
  • run "terminus" to verify you get output
  • restart jenkins so it knows the new path: sudo /etc/init.d/jenkins restart
  • composer global require -n "hirak/prestissimo:^0.3" (makes Composer run in parallel, less glacial)
  • composer global require -n "consolidation/cgr" (makes `composer global require` safer)
  • composer  require drush/drush "^8"
  • mkdir -p ~/.terminus/plugins
  • composer create-project -n -d ~/.terminus/plugins pantheon-systems/terminus-build-tools-plugin:^1
  • composer create-project -n -d ~/.terminus/plugins pantheon-systems/terminus-secrets-plugin:^1

Setting up Jenkins

Visit <your ip address>:8080

  • Unlock by getting the default password which is located at the path indicated on the web page.
    • cat /var/lib/jenkins/secrets/initialAdminPassword
  • Paste results and log in
  • Install all the recommended plugins at the prompt. You will install more in a few steps.
  • Create an admin user and password. if you lose this, it's a pain in the ass to get back in, so save this UN/PW somewhere and set up the next security steps carefully. Don't monkey around here.
  • Jenkins will automatically log you in as that admin user.

Enable Security

  • Manage Jenkins > Configure Global Security
  • Use Jenkins own database.
  • Use Matrix-based security.
  • Add your new user and enable all permissions for this user.
  • Verify you added the new admin user and enabled all permissions.
  • Verify you added the new admin user and enabled all permissions.
  • Give anonymous users overall read permissions.
  • Save settings. If you suddenly find yourself locked out of Jenkins, you thought I was being hyperbolic.
  • In Configure System, add your git username and email .


  • From Manage Jenkins, Add plugins. Click the "Available" plugins tab. Install these plugins too:
    • Required for the guide: Github Pull Request Builder, Environment Injector,  Conditional Build Step, Run Condition. Be sure to install the latest versions, which have addressed various security issues
    • Makes life easier: Rebuilder
  • Go back to the top page after install

Jenkins User's Pantheon Access

Your Jenkins user should be able to push and pull to Pantheon, so create a user for it on Pantheon (call it Jenkins or Integrations or something), generate a private key on the Jenkins server and add the public key to that user's Pantheon dashboard. Check it by doing a git clone from Pantheon to the Jenkins $HOME dir. If you don't get prompted for a password and it successfully clones, you are good to go.

Let me know if you find an error in this doc.