Run jenkins with service account on windows - jenkins

Is there a way I can change the user Jenkins runs as without losing existing Jenkins data/config? I tried changing the user in services.msc; however, it crashed Jenkins and I was not able to load Jenkins after changing the user.
P.S. Actually, there are a couple of jobs in which the clone (git, tfs) happens with some user; however, when it comes to running scripts/commands I get permission and attribute (read-only) issues, as Jenkins is not running with the same account that was used to clone the repositories.

Maybe your new user does not have privileges on the Jenkins home folder (C:\Program Files (x86)\Jenkins in my case). Just check the rights on this folder.
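One way to carry out the check suggested in the answer above, as an added example that is not part of the original post: it reads the service's logon account and reports whether that account is named in an Allow entry with Modify rights on the Jenkins home folder. The service name `Jenkins` and the function name `Get-ServiceAccountAces` are assumptions; the path is the one quoted in the answer.

```powershell
# Added example. 'Jenkins' (service name) is an assumption based on a default
# install; the path is the one from the answer. Adjust both to your system.
function Get-ServiceAccountAces {
    param(
        [string]$ServiceName = 'Jenkins',
        [string]$Path = 'C:\Program Files (x86)\Jenkins'
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # Normalise the logon name to the form used in ACL entries.
    $account = switch -Regex ($svc.StartName) {
        '^LocalSystem$' { 'NT AUTHORITY\SYSTEM'; break }
        '^\.\\(.+)$'    { "$env:COMPUTERNAME\$($Matches[1])"; break }
        default         { $svc.StartName }
    }

    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $aces = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $account }

    [pscustomobject]@{
        Service   = $ServiceName
        Account   = $account
        Path      = $Path
        # Only ACEs naming the account itself are checked; rights granted
        # through group membership are not resolved here.
        HasModify = [bool]($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $modify) -eq $modify)
        })
        Aces      = $aces | Select-Object FileSystemRights, AccessControlType, IsInherited
    }
}

Get-ServiceAccountAces | Format-List
```

If `HasModify` is false and no group grants the access either, granting the account Modify on this one folder is a narrower fix than adding it to the local Administrators group.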

Related

Can't install TFS 2015 build vNext agent as a service

I'm looking at migrating our builds from the old XAML to the new build system, but I have a problem with configuring the build agent to run as a service.
Configuring the agent to run interactively (in my session on the build server) works. The builds are OK but this is not useable as I have to open a session and start the agent.
Configuring the agent to run as a service with the default NT AUTHORITY\NETWORK SERVICE works. The builds are broken. WiX doesn't like this account and fails during the ICE validation. The drop also fails because this account doesn't have access to the drop folder.
Configuring the agent to run as a service with a domain account fails. The service is not created and I get the following error:
Installing service vsoagent.tfs-server.tfs-build-server-agent1...
Creating EventLog source vsoagent.tfs-server.tfs-build-server-agent1 in log Application...
An exception occurred in the OnAfterInstall event handler of System.ServiceProcess.ServiceInstaller.
System.NullReferenceException: Object reference not set to an instance of an object.
The username and passwords are OK, I get a different "bad username or password" error when typing a bad password. The user was used for the old XAML build system on the same build server and is in the local admin group, so it has authorisations AFAIK.
I was running TFS 2015, I upgraded to 2015 update 1 then forced an agent update in the web interface. After that it works, I can configure the agent to run as a service using a domain account.
Agent.Version is still saying 1.83.2 in the web interface, but the files are actually different in the agent folder. An agent.old folder is left after the upgrade and you can see that VsoAgent.exe and VsoAgentService.exe have a different size and version. Also the agent.old folder has 138 files in 46 folders, but the agent folder has 157 files in 53 folders.
I had the same issue with the WiX validation, but I did not try to reconfigure the agent (not due to problems, just due to pure laziness); instead I just changed the account to a domain account using the services overview, restarted the machine, and everything worked fine.
To narrow down your issue:
1. Try to configure the agent to run as a service with another domain account on another computer.
2. If you need to change the logon account, don't do it from the services snap-in. Instead, from an elevated Command Prompt, run: C:\Agent\Agent\VsoAgent.exe /ChangeWindowsServiceAccount
Update:
If you upgrade your TFS 2015 to TFS 2015 Update 1, do not just use the simple update agent in the web interface. You need to download the agent from the web and reconfigure it in cmd.

Change Jenkins from running as windows service to CLI, while remaining the jobs

I have a Jenkins installation which runs as a Windows Service under a specific user. Now, we want to be able to access the UI for system tests, which is not allowed with this user.
My idea was to start Jenkins from the command line (using Jenkins.war) such that it is run with allowance of desktop interaction, while still using the specific user.
However, when I run this I get an 'empty' Jenkins, so nothing is configured (no settings, no jobs). Do I have to do something special to run Jenkins from the command line retaining the settings and jobs once it has been installed as a service?
Jenkins stores its configuration in a directory (called JENKINS_HOME), whose location is generally based on the user under which Jenkins is running.
You can see where this is via: Manage Jenkins > Configure System > Home directory (at the top of the page).
To run Jenkins as another user, you need to copy the JENKINS_HOME contents to the "Home directory" value you see when running that user (probably something like c:\users\username\.jenkins).
Or you can set the JENKINS_HOME environment variable to point to the system installation directory (if you installed from the MSI, this is likely within c:\Program Files (x86)\jenkins). Then Jenkins will start up, reading the existing settings and jobs. Though in this case, you need to make sure that your user has the same access rights as the system service had.

How to automatically login to Jenkins on Active Directory?

I have an Active Directory plugin installed that allows logging in to Jenkins portal with my directory credentials by typing them in on the Login page.
But is there a way to automatically log in users if they are on a domain-joined machine? (Obviously, given the browser is configured to allow providing credentials to the site.)
There's a thread on Jenkins Dev group in which a guy mentions that he developed an SSO plugin that worked for him on Windows. He posted it on GitHub under name NegotiateSSO.
First you need to build it to get the hpi file. (Clone the project to your machine, cd into the directory and run mvn (Maven) in it).
The problem is that when I tried to install it, it broke my Jenkins configuration section/page. There's an exception happening inside the plugin that breaks the entire page.
So it didn't work for me, but hopefully it will get fixed at some point and we'll be able to use it.

Jenkins runs as root instead of Jenkins

I have a newly installed Jenkins server running on my computer, and am having some issues related to permissions.
It seems that Jenkins creates the workspace directory as the root user, and then of course all tasks (including even pulling from the repository) fail, because they do not have permissions to modify the directory.
Have a look at the Started-By Environment Variable plugin:
https://wiki.jenkins-ci.org/display/JENKINS/Started-By+Environment+Variable+Plugin
If you are just asking how to set up Jenkins to run under a different user in Linux, it depends on how you installed it. Have a look at https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins for different setup options. I had a look at Installing Jenkins as a Unix daemon, and at step 7 you need to set up a configuration file. Change the last line in that file (RUN_AS_USER=jenkins) to contain the user of your choice.

Is there a way to prevent a project from not having access to another project files in Jenkins CI?

I am trying to set up a Jenkins/Hudson CI in a distributed environment. I am curious about the following questions:
1) Does the slave account need to be a root/administrator account? If a lower privilege can run, what's the minimum access?
2) On a slave node, do one project's jobs have access to another project's files that were previously built on the same node? How would you prevent this?
3) How do you secure someone from not being able to format your disk with a bat file running in a pre or post build script?
1) The slave account does not have to be root or administrator. It only needs full access to the folder you give in the "Remote FS root" field of the slave configuration.
2) Yes it does. Each project folder is owned by the user that is used to run the slave. You can access other project folders using relative paths: $WORKSPACE/../OTHER_PROJECT/. I'm not sure if there is a default way to prevent this. However, you have two options:
Delete the workspace after your build (use plugin Workspace Cleanup Plugin)
Create a separate slave/user combination for each project - the slave can be the same, but you'd have to create a separate user for each project.
3) Formatting a disk completely would require privileged access. You should not give your slave user those rights. I'm not sure whether your slave is Unix or Windows based, but either way, you should be able to prevent your user from being allowed to do any such task. Like stated in A1, the slave user only needs enough access to be able to read/write/execute in its "Remote FS root" folder.
Just out of curiosity - what OS are you running on your slave?
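The second option from answer 2 (a separate user per project), combined with the "Remote FS root" least-privilege advice from answers 1 and 3, shown for a Windows node as an added example that is not part of the original answer. The base path `D:\jenkins-agents`, the project names and the `BUILD01\...` accounts are assumptions; run it from an elevated prompt.

```powershell
# Added example: one Remote FS root per project, each writable only by that
# project's agent account. Paths and account names below are assumptions.
$projects = @{
    'project-a' = 'BUILD01\jenkins-proj-a'
    'project-b' = 'BUILD01\jenkins-proj-b'
}
$base = 'D:\jenkins-agents'

foreach ($name in $projects.Keys) {
    $root    = Join-Path $base $name
    $account = $projects[$name]
    New-Item -ItemType Directory -Path $root -Force | Out-Null

    # Drop ACEs inherited from the parent so sibling accounts and the
    # built-in Users group lose access to this project's files.
    icacls $root /inheritance:r | Out-Null
    # SYSTEM and local Administrators (well-known SIDs) keep full control.
    icacls $root /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
    # The agent account gets Modify (read/write/execute/delete), not Full control,
    # so a build script cannot rewrite the folder's permissions.
    icacls $root /grant:r "${account}:(OI)(CI)M" | Out-Null
}

# Review the result: each root should list only SYSTEM, Administrators
# and that project's own agent account.
foreach ($name in $projects.Keys) { icacls (Join-Path $base $name) }
```

With this layout a job running as `jenkins-proj-a` that follows a relative path such as `$WORKSPACE/../OTHER_PROJECT/` into the other project's root is denied by the file system, provided neither agent account is a member of the local Administrators group.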
