Automate Jenkins slave running macOS connection

Although Xcode Server is almost perfect for building iOS apps, Jenkins is still more popular. If your application consists of several parts, such as a database, backend, frontend, and Android and iOS apps, you typically want to have the same CI/CD for all components.

My Jenkins master is running in the AWS cloud together with a dozen Linux and Windows slaves. However, an iOS app can be built only on macOS, so you have to use an Apple computer to build it. It’s typically a Mac Mini located in the office.

In this post we’ll consider a secure and reliable connection between the Mac in the office and the Jenkins master in the AWS cloud.

The simplest way is to use SSH, but you might not have access to the office router to set up port forwarding and ACLs. You might also have a dynamic IP address from the ISP in the office. All this can be managed one way or another, but we don’t want to waste time on it, so we’ll use Java Web Start instead.

We don’t want to establish the connection over the “open” Internet, so let’s use a VPN; in my case it’s OpenVPN with the Tunnelblick client. It can be configured to route all traffic through the VPN and to connect when Tunnelblick launches (and Tunnelblick itself can be launched on system startup):

If your Jenkins master is running behind a load balancer, you have to open the port for JNLP agents on it, which is not really secure. So let’s just change the hosts file on our macOS machine so that it talks to the Jenkins master directly via its internal IP address:

We’re ready to establish the connection, but we want it to be established automatically on system startup. To do that we have to download the slave.jar file:

Now let’s create a launch script in the same ~/.jenkins-slave directory:

Why do we use the noCertificateCheck option here? Well, I use a certificate from AWS Certificate Manager, and it can’t be installed on an EC2 machine. In order to use the same link, I’ve installed a self-signed certificate on the EC2 instance.
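
The hosts override and the noCertificateCheck question above, combined into one launch script as an added example (not the author's script): it refuses to start unless the hosts entry points at an internal address, and it trusts only the master's self-signed certificate through the agent's `-cert` option instead of disabling certificate checks. The hostname, agent name, secret file and certificate file name are assumptions, as is a slave.jar recent enough to support `-cert`.

```shell
#!/bin/sh
# Added example, not the author's launch script. Hostname, agent name and file
# names below are assumptions; slave.jar and ~/.jenkins-slave come from the post.
JENKINS_HOST="jenkins.example.com"
AGENT_NAME="mac-mini"
AGENT_DIR="$HOME/.jenkins-slave"
PINNED_CERT="$AGENT_DIR/jenkins-master.pem"   # copy of the master's self-signed cert

# Print the address a hosts file maps a name to; non-zero exit if there is none.
hosts_ip() {   # $1 = hosts file, $2 = hostname
  awk -v h="$2" '
    $1 ~ /^#/ { next }
    { for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break
        if ($i == h) { print $1; found = 1; exit }
    } }
    END { exit !found }' "$1"
}

# Succeed only for RFC 1918 addresses, i.e. the master's internal IP behind the VPN.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse to launch unless the hosts override is internal and the pinned cert exists.
preflight() {   # $1 = hosts file, $2 = certificate file
  ip=$(hosts_ip "$1" "$JENKINS_HOST") || { echo "no hosts entry for $JENKINS_HOST" >&2; return 2; }
  is_private_ip "$ip" || { echo "$JENKINS_HOST -> $ip is not internal" >&2; return 3; }
  [ -s "$2" ] || { echo "pinned certificate $2 is missing" >&2; return 4; }
}

# Only "launch.sh run" starts the agent, so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
  preflight /etc/hosts "$PINNED_CERT" || exit 1
  # -cert trusts this one certificate; the secret file (mode 600) is an assumption.
  exec java -jar "$AGENT_DIR/slave.jar" \
    -jnlpUrl "https://$JENKINS_HOST/computer/$AGENT_NAME/slave-agent.jnlp" \
    -secret "$(cat "$AGENT_DIR/secret")" \
    -cert "@$PINNED_CERT"
fi
```

Unlike noCertificateCheck, this keeps certificate validation on, so the pinned certificate has to be issued for the hostname used in the URL.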

In newer macOS versions it’s a bit tricky to launch scripts at system startup, and we don’t want to waste time on launchctl peculiarities, so let’s just use the Lingon 3 app (less user-friendly but a free substitute for launchd-oneshot):

Now you can reboot your Mac and ensure that the Jenkins agent connects automatically:

I hope this info will be useful to you, and if you need any help, feel free to use the contact form on the main page.