I've mkdir commands in a batch file but only admins have permissions to create directory, so how to pass credentials from Jenkins job to the batch file.
mkdir \\%%S.domain.com\c$\Test
Select the "use secret text(s) or file(s) and then add a binding. See screenshot :
Yes Daniel, it might be done using such utility tools but my organization doesn't allow me to use third party tools without approvals. So, we have configured server with WinRM that allows to connect to server remotely using credentials.
Just to add to #Marc's answer, use the secret text Bindings as suggested to store and pass the username and password as environment variables.
The set the username variable to USERNAME and Password Variable to PASSWORD, then in your batch file use the net use command like so.
net use "\\server\share" %PASSWORD% /user:%USERNAME%
\* whatever you need to do on that share, e.g. xcopy, mkdir *\
net use "\\server\share" /delete
Related
I want to use a curl with a username and password that I set in the bashrc. ie:
curl -u $jenkuser:$jenkpass foobar.org
but this isn't working for me. So what is a good way to set secret credentials that I don't want in my repo/Jenkinsfile
Create a Jenkins project with Execute shell build step. In that shell you can run curl command and to set credentials, there is one option named This build is parameterized, where you can create Password Parameter. These parameters can be used in shell with curl command. Here is screenshot of my test project.
This way is secure because password is stored in encrypted format.
.
I am using the credentials plugin in Jenkins to manage credentials for git and database access for my team's builds. I would like to copy the credentials from one jenkins instance to another, independent jenkins instance. How would I go about doing this?
UPDATE: TL;DR Follow the link provided below in a comment by Filip Stachowiak it is the easiest way to do it. In case it doesn't work for you go on reading.
Copying the $HUDSON_HOME/credentials.xml is not the solution because Jenkins encrypts paswords and these can't be decrypted by another instance unless both share a common key.
So, either you use the same encription keys in both Jenkins instances (Where's the encryption key stored in Jenkins? ) or what you can do is:
Create the same user/password, you need to share, in the 2nd Jenkins instance so that a valid password is generated
What is really important is that user ids in both credentials.xml are the same. For that (see the credentials.xml example below) for user: Jenkins the identifier <id>c4855f57-5107-4b69-97fd-298e56a9977d</id> must be the same in both credentials.xml
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials#1.22">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope>
<id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
<description>Para SVN</description>
<username>jenkins</username>
<password>J1ztA2vSXHbm60k5PjLl5jg70ZooSFKF+kRAo08UVts=
</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
I was also facing the same problem. What worked for me is I copied the credentials.xml, config.xml and the secrets folder from existing jenkins to the new instance. After the restart of jenkins things worked fine.
This is what worked for me.
Create a job in Jenkins that takes the credentials and writes them to output. If Jenkins replaces the password in the output with ****, just obfuscate it first (add a space between each character, reverse the characters, base64 encode it, etc.)
I used a Powershell job to base64 encode it:
[convert]::ToBase64String([text.encoding]::Default.GetBytes($mysecret))
And then used Powershell to convert the base64 string back to a regular string:
[text.encoding]::Default.GetString([convert]::FromBase64String("bXlzZWNyZXQ="))
After trying quite a few things for several days this is the best solution I found for migrating my secrets from a Jenkins 2.176 to a new clean Jenkins 2.249.1 jenkins-cli was the best approach for me.
The process is quite simple just dump the credentials from the old instance to a local machine, or Docker pod with java installed, as a XML file (unencrypted) and then uploaded to the new instance.
Before starting you should verify the following:
Access to the credentials section on both Jenkins instances
Download the jenkins-ccli.jar from one of the instances (https://www.your-jenkins-url.com/cli/)
Have User and Password/Token at hand.
Notice: In case your jenkins uses an oAuth service you will need to
create a token for your user. Once logged into jenkins at the top
right if you click your profile you can verify both username and
generate password.
Now for the special sauce, you have to execute both parts from the same machine/pod:
Notice: If your instances are using valid Certificates and you want to
secure your connection you must remove the -noCertificateCheck
flag from both commands.
# OLD JENKINS DUMP #
export USER=madox#example.com
export TOKEN=f561banana6ead83b587a4a8799c12c307
export SERVER=https://old-jenkins-url.com/
java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN list-credentials-as-xml "system::system::jenkins" > /tmp/jenkins_credentials.xml
# NEW JENKINS IMPORT #
export USER=admin
export TOKEN=admin
export SERVER=https://new-jenkins-url.com/
java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN import-credentials-as-xml "system::system::jenkins" < /tmp/jenkins_credentials.xml
If you have the credentials.xml available and the old Jenkins instance still running, there is a way to decrypt individual credentials so you can enter them in the new Jenkins instance via the UI.
The approach is described over at the DevOps stackexchange by kenorb.
This does not convert all the credentials for an easy, automated migration, but helps when you have only few credentials to migrate (manually).
To summarize, you visit the /script page over at the old Jenkins instance, and use the encrypted credential from the credentials.xml file in the following line:
println(hudson.util.Secret.decrypt("{EncryptedCredentialFromCredentialsXml=}"))
To migrate all credentials to a new server, from Jenkins: Migrating credentials:
Stop Jenkins on new server.
new-server # /etc/init.d/jenkins stop
Remove the identity.key.enc file on new server:
new-server # rm identity.key.enc
Copy secret* and credentials.xml to new server.
current-server # cd /var/lib/jenkins
current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
current-server # scp credentials.tgz $user#$new-server:/tmp/
new-server # cd /var/lib/jenkins
new-server # tar xzvf /tmp/credentials.tgz -C ./
Start Jenkins.
new-server # /etc/init.d/jenkins start
Migrating users from a Jenkins instance to another Jenkins on a new server -
I tried following https://stackoverflow.com/a/35603191 which lead to https://itsecureadmin.com/2018/03/26/jenkins-migrating-credentials/. However I did not succeed in following these steps.
Further, I experimented exporting /var/lib/jenkins/users (or {JENKINS_HOME}/users) directory to the new instance on new server. After restarting the Jenkins on new server - it looks like all the user credentials are available on new server.
Additionally, I cross-checked if the users can log in to the new Jenkins instance. It works for now.
PS: This code is for redhat servers
Old server:
cd /var/lib/jeknins
or cd into wherever your Jenkins home is
tar cvzf users.tgz ./users
New server:
cd /var/lib/jeknins
scp <user>#<oldserver>:/var/lib/jenkins/user.tgz ~/var/lib/jenkins/.
sudo tar xvzf users.tgz
systemctl restart jenkins
Did you try to copy the $JENKINS_HOME/users folder and the $JENKINS_HOME/credentials.xml file to the other Jenkins instance?
I have a CI system on my Windows to build my server code.
Nowadays, I also want to autobuild my IOS project daily, but it can only build in Mac system.
So I write a shell script that can build my ios project on my Mac, and I want to remotely execute my script from Windows.
How can I write a batch file on Windows to remote access my Mac and execute my script there?
So I can make my CI system to execute that batch file everyday automatically.
Or... does anyone got other better ways to do this thing?
Thanks!
Get "plink" from the PuTTY download page. Put the command(s) to kick off your Mac shell script in a file (e.g. "maccommands.txt") on your Windows computer. Then make a batch file that contains:
plink -l macusername -m maccommands.txt your.mac.ip.address
If you don't want to be prompted for a password every time, you could make a public-private keypair with an empty passphrase using PuTTYgen. Save the private key as "pc_rsa.ppk" (or whatever you want to call it). Copy the public key out of the PuTTYgen window to the clipboard, and paste it in a text editor and save it (e.g. as "pc_rsa_pub.txt").
Then transfer the file with public key over to the Mac, and add its contents to the end of ~/.ssh/authorized_keys, e.g. with cat pc_rsa_pub.txt >> ~/.ssh/authorized_keys
Then add -i pc_rsa.ppk to the plink command above to use your private key.
(This obviously has security implications, so protect the private key file. You could also use -pw password but that has even greater security implications as the password would be plainly visible within your batch file.)
Another solution is to use openssh. The benefit is not having to use an alternative format for your keys.
You can install Git for Windows. During the installation choose the third option of being able to use the "unix" tools from the command line.
I have a small wrapper utility that loads the agent to memory in github (#selfplug)
I have ant build file, that should take cvs checkouts when called. I can call it ok, but when ant uses cvs to connect to cvs repo, the repo prompts for password and obviously ant command fails.
I have CVSROOT environment variable pointing to same location where I took the initial checkout for the project with TortoiseCVS, having ssh as protocol.
I also have putty's pageant running and an environment variable CVS_RSH pointing to plink.exe of putty. That combination should make the connection via putty, 'cause from pageAnt menu the connection opens without prompts.
My operation system is Windows 8.
Question here is, that why ant build fails on cvs server password prompt, although PageAnt otherwise is enabling promptless access via ssh+cvs?
Ant cvs task invokes cvs.exe command line from PATH so if everything works properly from command line, there is (almost) no reason it will fail from Ant.
Here is a checklist with points to verify:
CVSROOT must contain username and specify ext protocol, :ext:username#cvserver.domain.ldt:/path/to/repository
CVS_RSH must point to plink.exe with absolute file path and you have to ensure it will use SSH protocol
Your SSH private key must have been loaded into Pageant for the same user session as the user running Ant script
If it does not help, please provide more details about your cvs task options and your workstation setup.
When running without any user session opened and Pageant cannot help, often for continuous integration tools, a better option is to pass all arguments like username and private key file to plink directly in CVS_RSH variable:
CVS_RSH="C:\path\to\plink.exe -batch -ssh -l username -i C:\path\user\ssh-privatekey.ppk"
Of course, in such a case, your private key file must not be protected with a passphrase.
My question is exactly the title.
Every time I run the command git-tf checkin in my command prompt when its connecting to TFS it asks for my username and password. How can I avoid this?
Either have it to log in with the current user or store the credentials somewhere in a configuration file.
By far the most secure way to do this is to simply not store a password and to instead use single sign-on via Kerberos or NTLM:
If you're on Windows and logged into a domain that has a trust relationship with your TFS server, then you should not need to specify a username and password.
If you're on Windows and have a "shadow account" setup, then you should not need to specify a username and password. This occurs when you don't have a domain trust relationship with the TFS server but you are logged in to your local machine with the same username and password as the account on your TFS server.
If you're on a Unix platform, you can get single sign-on using Kerberos. This is most likely the scenario when you have a ticket from your Active Directory server itself, eg kinit activedirectory.domain.name.
Similarly, if you're on Unix and have a Kerberos ticket to a KDC that has a trust relationship with the TFS server (almost certainly the Active Directory server itself) then you should not need to specify a username and password. git-tf will use your logged in credentials to authenticate.
If none of these applies, then you can store the username and password in the git configuration for your repository:
git config git-tf.server.username your-username
git config git-tf.server.password your-password
Note that your password will be stored in the git configuration file in plain text. Be sure to set the ACLs or file permissions as appropriate to discourage people from reading your password out of your configuration file. Or you can store just the username and you will need to type only your password each time.
You can prevent git from saving this to the project's .gitconfig by using the --global switch:
git config --global git-tf.server.username your-username
git config --global git-tf.server.password your-password
It will still be saved in plain text on your system (C:/Users/your-login/.gitconfig), but at least it won't be saved in a file that lives in the project.