How do I automate Jenkins SSH credentials creation/assigning to nodes?
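I'm writing a script that automates the creation of Jenkins machines, and I ran into a problem with SSH credentials, namely:
In Jenkins there is a file called credentials.xml (in /var/lib/jenkins) that stores the credentials for nodes. Mine looks like this: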
<?xml version='1.0' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.18">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>8743cc14-bc2c-44a6-b6bb-c121bef4ae2d</id>
          <description>root_with_secret</description>
          <username>root</username>
          <password>2Xd4i7+8tjVXg2RHP6ggl/ZtWJp177ajXNajJxsj80o=</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
And the node (slave) configuration file (one per slave, stored in /var/lib/jenkins/nodes/HOSTNAME/config.xml) looks like:
<?xml version='1.0' encoding='UTF-8'?>
<slave>
  <name>HOSTNAME_OF_MY_SECRET_MACHINE</name>
  <description>HOSTNAME_OF_MY_SECRET_MACHINE</description>
  <remoteFS>/root</remoteFS>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
  <launcher class="hudson.plugins.sshslaves.SSHLauncher" plugin="ssh-slaves@1.9">
    <host>10.0.10.1</host>
    <port>22</port>
    <credentialsId>8743cc14-bc2c-44a6-b6bb-c121bef4ae2d</credentialsId>
    <maxNumRetries>0</maxNumRetries>
    <retryWaitTime>0</retryWaitTime>
  </launcher>
  <label></label>
  <nodeProperties/>
  <userId>anonymous</userId>
</slave>
The problem is that after I create the Jenkins machine and copy credentials.xml and config.xml for each slave, the credentials don't work. I get:
[07/26/15 16:00:39] [SSH] Opening SSH connection to 10.0.10.1:22.
ERROR: Failed to authenticate as root. Wrong password. (credentialId:8743cc14-bc2c-44a6-b6bb-c121bef4ae2d/method:password)
[07/26/15 16:00:41] [SSH] Authentication failed.
hudson.AbortException: Authentication failed.
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1178)
at hudson.plugins.sshslaves.SSHLauncher.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[07/26/15 16:00:41] Launch failed - cleaning up connection
[07/26/15 16:00:41] [SSH] Connection closed.
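To fix this, I can go to Jenkins -> Credentials -> and then update the credentials with the same password I would use anyway, and it will work.
So the question is whether Jenkins uses some kind of salting/hashing per installation, so that credentials.xml does not work if it is copied to a new machine?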
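OK, I've managed to solve this with (I believe) a workaround, namely:
Store the password in plaintext in credentials.xml and copy it to the Jenkins machine after installing and starting the service. Jenkins will then encrypt it with its new secret (or whatever it uses for this purpose) and it will work :)
EDIT
The second option is to install Jenkins, start it, and then copy credentials.xml with the encrypted passwords together with the secrets directory and secret.xml from the previous installation. This copies the encryption master key and the encrypted credentials created with this master key.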
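An added example (not from the original post or the Jenkins project): a pre-flight check for a staged Jenkins home directory that flags the failure described above, an encrypted credentials.xml copied without the secrets directory, and also node configs whose credentialsId has no matching entry. The encrypted-value heuristic, the function names and the sample files are assumptions constructed for illustration.

```python
import base64
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample files (not from the page), trimmed to the elements the check reads.
CREDS = """<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <id>{cid}</id><username>root</username><password>{pw}</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""
NODE = "<slave><launcher><credentialsId>{cid}</credentialsId></launcher></slave>"

def looks_encrypted(value):
    """Heuristic (assumption): ciphertext is base64 of whole 16-byte blocks."""
    if value.startswith("{") and value.endswith("}"):
        return True  # newer Jenkins releases wrap stored ciphertext in braces
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False
    return len(raw) > 0 and len(raw) % 16 == 0

def preflight(home):
    """Return findings for a staged copy of the Jenkins home directory."""
    home, findings, ids, encrypted = Path(home), [], set(), False
    for elem in ET.parse(home / "credentials.xml").getroot().iter():
        if elem.find("id") is not None and elem.find("password") is not None:
            ids.add(elem.findtext("id"))
            encrypted = encrypted or looks_encrypted(elem.findtext("password"))
    secrets = home / "secrets"
    if encrypted and not (secrets.is_dir() and any(secrets.iterdir())):
        findings.append("encrypted password staged without the secrets directory")
    for cfg in sorted(home.glob("nodes/*/config.xml")):
        cid = ET.parse(cfg).getroot().findtext("launcher/credentialsId")
        if cid and cid not in ids:
            findings.append(f"node {cfg.parent.name}: unknown credentialsId {cid}")
    return findings

def stage_sample(pw, node_cid, with_secrets):
    """Write a constructed Jenkins home to a temp dir and return its path."""
    home = Path(tempfile.mkdtemp())
    (home / "nodes" / "agent1").mkdir(parents=True)
    (home / "credentials.xml").write_text(CREDS.format(cid="cred-1", pw=pw))
    (home / "nodes" / "agent1" / "config.xml").write_text(NODE.format(cid=node_cid))
    if with_secrets:
        (home / "secrets").mkdir()
        (home / "secrets" / "placeholder.key").write_text("constructed")
    return home
```

Run `preflight()` against the directory the provisioning script is about to copy; an empty list means the staged credentials are either plaintext or accompanied by key material.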