ant & cvs prompting password although password should come from PageAnt - ant

I have ant build file, that should take cvs checkouts when called. I can call it ok, but when ant uses cvs to connect to cvs repo, the repo prompts for password and obviously ant command fails.
I have CVSROOT environment variable pointing to same location where I took the initial checkout for the project with TortoiseCVS, having ssh as protocol.
I also have putty's pageant running and an environment variable CVS_RSH pointing to plink.exe of putty. That combination should make the connection via putty, 'cause from pageAnt menu the connection opens without prompts.
My operation system is Windows 8.
Question here is, that why ant build fails on cvs server password prompt, although PageAnt otherwise is enabling promptless access via ssh+cvs?

Ant cvs task invokes cvs.exe command line from PATH so if everything works properly from command line, there is (almost) no reason it will fail from Ant.
Here is a checklist with points to verify:
CVSROOT must contain username and specify ext protocol, :ext:username#cvserver.domain.ldt:/path/to/repository
CVS_RSH must point to plink.exe with absolute file path and you have to ensure it will use SSH protocol
Your SSH private key must have been loaded into Pageant for the same user session as the user running Ant script
If it does not help, please provide more details about your cvs task options and your workstation setup.
When running without any user session opened and Pageant cannot help, often for continuous integration tools, a better option is to pass all arguments like username and private key file to plink directly in CVS_RSH variable:
CVS_RSH="C:\path\to\plink.exe -batch -ssh -l username -i C:\path\user\ssh-privatekey.ppk"
Of course, in such a case, your private key file must not be protected with a passphrase.

Related

sesu : not found no such file or directory in Jenkins ssh plugin

Trying to connect to the server using Jenkins ssh plugin and executing some commands. It's connected but sesu command is not working. Jenkins is unable to recognize sesu command. It says sesu : not found no such file or directory. When trying with putty, sesu command is working. Jenkins version is 2.7. Please help me on same. Thanks in advance. :)
Use locate sesu command. It will show path of sesu command. Use that one in spite of only sesu. e.g. /opt/CA/AccessControl/bin/sesu
As we can't enter password on Jenkins at run-time. Other option for accessing server is generate ssh-key. Use that key to access server from Jenkins.
Use putty or similar tools to create key.
Firstly, log in to your server using credentials.
Then switch to user who has all access rights by using sesu or other switch user command like sudo su.
Execute below steps after that :
ssh-keygen -t rsa
hit enter for all steps without entering input.
then,
Once key is created, type cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys hit [Enter]
use created rsa private key after all these step in SSH plug and you are able to access unix server from Jenkins and execute commands on that server.

Issue with Inno Setup SignTool option

I have the following line in my Inno Setup script:
SignTool=MySign cmd /c C:\SigningTools\signtool.exe sign /f C:\MyCert.pfx /p MyPassword $f
This works on my local machine.
I then commit my changes to our server and Jenkins will compile and make a build automatically. Jenkins does not work and I get the following error.
Error on line 43 in C:\Windows\TEMP\fxbundler8328922406343131203\images\win-exe.image\MyProgram.iss: Value of [Setup] section directive "SignTool" is invalid.
Compile aborted.
I have no idea what the issue is, I have tried numerous things but can't seem to figure it out. I would settle with learning some better options to output error messages with Inno Setup.
I have verired that MySign exists on the server's compiler IDE (http://www.jrsoftware.org/ishelp/index.php?topic=setup_signtool)
I have tried numerous variations of having $q surround file paths
I have verified that the file paths match the two machines
You need to define the SignTool in your call to the compiler via the /s switch.
Example: "/sMySign$q=sign_application.bat$q $f"
sign_application.bat receives the path of the file to sign as first parameter and calls signtool.exe as you've already tried.
Take a look here: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Do not forget to Configure Sign Tools in the Inno Setup Compiler. I simply added signtool $p string.
In my case, the certificate has expired.
I found the following article usefull:
https://www.nextofwindows.com/how-to-check-a-pfx-certifications-expiry-date-on-windows
I opened a command prompt in the directory where my pfx file was and used this command to get details about the certificate:
certutil -dump "nameofcertfile.pfx"
Change nameofcertfile.pfx to your file name. You probably will be prompted for a password. Enter the password you used in your script (MyPassword in the OPs script). You may also copy/paste it.
NOTE: You will not see any character beeing typed while entering or pasting the password - so don't be confused.

How to export credentials from one jenkins instance to another?

I am using the credentials plugin in Jenkins to manage credentials for git and database access for my team's builds. I would like to copy the credentials from one jenkins instance to another, independent jenkins instance. How would I go about doing this?
UPDATE: TL;DR Follow the link provided below in a comment by Filip Stachowiak it is the easiest way to do it. In case it doesn't work for you go on reading.
Copying the $HUDSON_HOME/credentials.xml is not the solution because Jenkins encrypts paswords and these can't be decrypted by another instance unless both share a common key.
So, either you use the same encription keys in both Jenkins instances (Where's the encryption key stored in Jenkins? ) or what you can do is:
Create the same user/password, you need to share, in the 2nd Jenkins instance so that a valid password is generated
What is really important is that user ids in both credentials.xml are the same. For that (see the credentials.xml example below) for user: Jenkins the identifier <id>c4855f57-5107-4b69-97fd-298e56a9977d</id> must be the same in both credentials.xml
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials#1.22">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope>
<id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
<description>Para SVN</description>
<username>jenkins</username>
<password>J1ztA2vSXHbm60k5PjLl5jg70ZooSFKF+kRAo08UVts=
</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
I was also facing the same problem. What worked for me is I copied the credentials.xml, config.xml and the secrets folder from existing jenkins to the new instance. After the restart of jenkins things worked fine.
This is what worked for me.
Create a job in Jenkins that takes the credentials and writes them to output. If Jenkins replaces the password in the output with ****, just obfuscate it first (add a space between each character, reverse the characters, base64 encode it, etc.)
I used a Powershell job to base64 encode it:
[convert]::ToBase64String([text.encoding]::Default.GetBytes($mysecret))
And then used Powershell to convert the base64 string back to a regular string:
[text.encoding]::Default.GetString([convert]::FromBase64String("bXlzZWNyZXQ="))
After trying quite a few things for several days this is the best solution I found for migrating my secrets from a Jenkins 2.176 to a new clean Jenkins 2.249.1 jenkins-cli was the best approach for me.
The process is quite simple just dump the credentials from the old instance to a local machine, or Docker pod with java installed, as a XML file (unencrypted) and then uploaded to the new instance.
Before starting you should verify the following:
Access to the credentials section on both Jenkins instances
Download the jenkins-ccli.jar from one of the instances (https://www.your-jenkins-url.com/cli/)
Have User and Password/Token at hand.
Notice: In case your jenkins uses an oAuth service you will need to
create a token for your user. Once logged into jenkins at the top
right if you click your profile you can verify both username and
generate password.
Now for the special sauce, you have to execute both parts from the same machine/pod:
Notice: If your instances are using valid Certificates and you want to
secure your connection you must remove the -noCertificateCheck
flag from both commands.
# OLD JENKINS DUMP # 
export USER=madox#example.com
export TOKEN=f561banana6ead83b587a4a8799c12c307
export SERVER=https://old-jenkins-url.com/
java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN list-credentials-as-xml "system::system::jenkins" > /tmp/jenkins_credentials.xml
# NEW JENKINS IMPORT # 
export USER=admin
export TOKEN=admin
export SERVER=https://new-jenkins-url.com/
java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN import-credentials-as-xml "system::system::jenkins" < /tmp/jenkins_credentials.xml
If you have the credentials.xml available and the old Jenkins instance still running, there is a way to decrypt individual credentials so you can enter them in the new Jenkins instance via the UI.
The approach is described over at the DevOps stackexchange by kenorb.
This does not convert all the credentials for an easy, automated migration, but helps when you have only few credentials to migrate (manually).
To summarize, you visit the /script page over at the old Jenkins instance, and use the encrypted credential from the credentials.xml file in the following line:
println(hudson.util.Secret.decrypt("{EncryptedCredentialFromCredentialsXml=}"))
To migrate all credentials to a new server, from Jenkins: Migrating credentials:
Stop Jenkins on new server.
new-server # /etc/init.d/jenkins stop
Remove the identity.key.enc file on new server:
new-server # rm identity.key.enc
Copy secret* and credentials.xml to new server.
current-server # cd /var/lib/jenkins
current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
current-server # scp credentials.tgz $user#$new-server:/tmp/
new-server # cd /var/lib/jenkins
new-server # tar xzvf /tmp/credentials.tgz -C ./
Start Jenkins.
new-server # /etc/init.d/jenkins start
Migrating users from a Jenkins instance to another Jenkins on a new server -
I tried following https://stackoverflow.com/a/35603191 which lead to https://itsecureadmin.com/2018/03/26/jenkins-migrating-credentials/. However I did not succeed in following these steps.
Further, I experimented exporting /var/lib/jenkins/users (or {JENKINS_HOME}/users) directory to the new instance on new server. After restarting the Jenkins on new server - it looks like all the user credentials are available on new server.
Additionally, I cross-checked if the users can log in to the new Jenkins instance. It works for now.
PS: This code is for redhat servers
Old server:
cd /var/lib/jeknins
or cd into wherever your Jenkins home is
tar cvzf users.tgz ./users
New server:
cd /var/lib/jeknins
scp <user>#<oldserver>:/var/lib/jenkins/user.tgz ~/var/lib/jenkins/.
sudo tar xvzf users.tgz
systemctl restart jenkins
Did you try to copy the $JENKINS_HOME/users folder and the $JENKINS_HOME/credentials.xml file to the other Jenkins instance?

Can I ssh to Mac using Windows Command line without using other tool like putty?

I have a CI system on my Windows to build my server code.
Nowadays, I also want to autobuild my IOS project daily, but it can only build in Mac system.
So I write a shell script that can build my ios project on my Mac, and I want to remotely execute my script from Windows.
How can I write a batch file on Windows to remote access my Mac and execute my script there?
So I can make my CI system to execute that batch file everyday automatically.
Or... does anyone got other better ways to do this thing?
Thanks!
Get "plink" from the PuTTY download page. Put the command(s) to kick off your Mac shell script in a file (e.g. "maccommands.txt") on your Windows computer. Then make a batch file that contains:
plink -l macusername -m maccommands.txt your.mac.ip.address
If you don't want to be prompted for a password every time, you could make a public-private keypair with an empty passphrase using PuTTYgen. Save the private key as "pc_rsa.ppk" (or whatever you want to call it). Copy the public key out of the PuTTYgen window to the clipboard, and paste it in a text editor and save it (e.g. as "pc_rsa_pub.txt").
Then transfer the file with public key over to the Mac, and add its contents to the end of ~/.ssh/authorized_keys, e.g. with cat pc_rsa_pub.txt >> ~/.ssh/authorized_keys
Then add -i pc_rsa.ppk to the plink command above to use your private key.
(This obviously has security implications, so protect the private key file. You could also use -pw password but that has even greater security implications as the password would be plainly visible within your batch file.)
Another solution is to use openssh. The benefit is not having to use an alternative format for your keys.
You can install Git for Windows. During the installation choose the third option of being able to use the "unix" tools from the command line.
I have a small wrapper utility that loads the agent to memory in github (#selfplug)

How to run batch file with credentials using Jenkins

I've mkdir commands in a batch file but only admins have permissions to create directory, so how to pass credentials from Jenkins job to the batch file.
mkdir \\%%S.domain.com\c$\Test
Select the "use secret text(s) or file(s) and then add a binding. See screenshot :
Yes Daniel, it might be done using such utility tools but my organization doesn't allow me to use third party tools without approvals. So, we have configured server with WinRM that allows to connect to server remotely using credentials.
Just to add to #Marc's answer, use the secret text Bindings as suggested to store and pass the username and password as environment variables.
The set the username variable to USERNAME and Password Variable to PASSWORD, then in your batch file use the net use command like so.
net use "\\server\share" %PASSWORD% /user:%USERNAME%
\* whatever you need to do on that share, e.g. xcopy, mkdir *\
net use "\\server\share" /delete

Resources