How to export credentials from one jenkins instance to another?

I am using the credentials plugin in Jenkins to manage credentials for git and database access for my team's builds. I would like to copy the credentials from one jenkins instance to another, independent jenkins instance. How would I go about doing this?

UPDATE: TL;DR Follow the link provided below in a comment by Filip Stachowiak; it is the easiest way to do it. In case it doesn't work for you, go on reading.

Copying the $HUDSON_HOME/credentials.xml is not the solution because Jenkins encrypts passwords and these can't be decrypted by another instance unless both share a common key.

So, either you use the same encryption keys in both Jenkins instances ( Where's the encryption key stored in Jenkins? ) or what you can do is:

  1. Create the same user/password, you need to share, in the 2nd Jenkins instance so that a valid password is generated
  2. What is really important is that user ids in both credentials.xml are the same. For that (see the credentials.xml example below) for user: Jenkins the identifier <id>c4855f57-5107-4b69-97fd-298e56a9977d</id> must be the same in both credentials.xml

     <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.22">
       <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
         <entry>
           <com.cloudbees.plugins.credentials.domains.Domain>
             <specifications/>
           </com.cloudbees.plugins.credentials.domains.Domain>
           <java.util.concurrent.CopyOnWriteArrayList>
             <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
               <scope>GLOBAL</scope>
               <id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
               <description>Para SVN</description>
               <username>jenkins</username>
               <password>
                 J1ztA2vSXHbm60k5PjLl5jg70ZooSFKF+kRAo08UVts=
               </password>
             </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
           </java.util.concurrent.CopyOnWriteArrayList>
         </entry>
       </domainCredentialsMap>
     </com.cloudbees.plugins.credentials.SystemCredentialsProvider>
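An added example, not part of the answer above: a check that every credential id in the old credentials.xml also exists in the new one with the same type and username, which is the condition the answer says matters. The sample XML is constructed (only the first id comes from the page), the function names are assumptions, and the encrypted `<password>` values are deliberately never read or compared, since they differ between instances with different keys.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the structure follows the credentials.xml shown above;
# the second id and every <password> value are made up.
OLD_XML = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.22">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"><entry>
    <java.util.concurrent.CopyOnWriteArrayList>
      <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
        <username>jenkins</username><password>AAAA=</password>
      </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <id>constructed-db-id</id>
        <username>dbuser</username><password>BBBB=</password>
      </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    </java.util.concurrent.CopyOnWriteArrayList>
  </entry></domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""
NEW_XML = OLD_XML.replace("constructed-db-id", "regenerated-id").replace("AAAA=", "CCCC=")


def index_credentials(xml_text):
    """Map credential id -> (class name, username). Secret fields are never read."""
    # Drop the XML declaration first: Jenkins may write version 1.1, which
    # Python's expat-based parser does not accept.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    index = {}
    for elem in ET.fromstring(text).iter():
        cred_id = elem.findtext("id")  # direct child only, so containers are skipped
        if cred_id is not None:
            kind = elem.tag.rsplit(".", 1)[-1]
            user = (elem.findtext("username") or "").strip()
            index[cred_id.strip()] = (kind, user)
    return index


def compare(old_xml, new_xml):
    """Report ids that jobs reference on the old instance but cannot resolve on the new one."""
    old, new = index_credentials(old_xml), index_credentials(new_xml)
    return {
        "missing_on_new": sorted(set(old) - set(new)),
        "only_on_new": sorted(set(new) - set(old)),
        "changed": sorted(i for i in set(old) & set(new) if old[i] != new[i]),
    }


if __name__ == "__main__":
    print(compare(OLD_XML, NEW_XML))
```
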

I was also facing the same problem. What worked for me is I copied the credentials.xml, config.xml and the secrets folder from existing jenkins to the new instance. After the restart of jenkins things worked fine.

After trying quite a few things for several days, this is the best solution I found for migrating my secrets from a Jenkins 2.176 to a new clean Jenkins 2.249.1: jenkins-cli was the best approach for me.

The process is quite simple: just dump the credentials from the old instance to a local machine, or Docker pod with java installed, as an XML file (unencrypted) and then upload it to the new instance.

Before starting you should verify the following:

Notice: In case your jenkins uses an oAuth service you will need to create a token for your user. Once logged into jenkins at the top right if you click your profile you can verify both username and generate password.

Now for the special sauce, you have to execute both parts from the same machine/pod:

Notice: If your instances are using valid Certificates and you want to secure your connection you must remove the -noCertificateCheck flag from both commands.


# OLD JENKINS DUMP #

export USER=madox@example.com
export TOKEN=f561banana6ead83b587a4a8799c12c307
export SERVER=https://old-jenkins-url.com/

java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN list-credentials-as-xml "system::system::jenkins" > /tmp/jenkins_credentials.xml

# NEW JENKINS IMPORT #

export USER=admin
export TOKEN=admin
export SERVER=https://new-jenkins-url.com/

java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN import-credentials-as-xml "system::system::jenkins" < /tmp/jenkins_credentials.xml
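An added example, not part of the answer above: because the exported XML holds every secret in clear text, this sketch runs the export and import through a file created owner-only (0600) in a private directory and deletes it afterwards, and it builds the jenkins-cli call with certificate checking left on and the USER:TOKEN pair read from a file via `-auth @FILE`. The function names and the auth file paths are assumptions; the server URLs and store id are the ones used in the commands above.

```python
import os
import subprocess
import tempfile

STORE = "system::system::jenkins"  # store id used in the commands above


def cli_argv(server, auth_file, command, jar="jenkins-cli.jar"):
    """Build the jenkins-cli call: no -noCertificateCheck, and USER:TOKEN is
    read from auth_file (-auth @FILE) so it never appears in the process list."""
    return ["java", "-jar", jar, "-s", server, "-auth", "@" + auth_file, command, STORE]


def transfer(export_cmd, import_cmd):
    """Run export_cmd > file, then import_cmd < file.

    The file is created 0600 inside a 0700 directory and is always removed,
    even when one of the commands fails. Returns (path, mode) for auditing.
    """
    workdir = tempfile.mkdtemp(prefix="jenkins-creds-")  # mkdtemp creates it 0700
    path = os.path.join(workdir, "credentials.xml")
    try:
        # O_EXCL refuses to reuse an existing file; 0o600 is set at creation time.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as out:
            subprocess.run(export_cmd, stdout=out, check=True)
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as src:
            subprocess.run(import_cmd, stdin=src, check=True)
        return path, mode
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    # Hypothetical auth files, each holding one line "USER:TOKEN", readable by owner only.
    transfer(
        cli_argv("https://old-jenkins-url.com/", "/path/to/old.auth", "list-credentials-as-xml"),
        cli_argv("https://new-jenkins-url.com/", "/path/to/new.auth", "import-credentials-as-xml"),
    )
```
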

This is what worked for me.

Create a job in Jenkins that takes the credentials and writes them to output. If Jenkins replaces the password in the output with ****, just obfuscate it first (add a space between each character, reverse the characters, base64 encode it, etc.)

I used a Powershell job to base64 encode it:

[convert]::ToBase64String([text.encoding]::Default.GetBytes($mysecret))

And then used Powershell to convert the base64 string back to a regular string:

[text.encoding]::Default.GetString([convert]::FromBase64String("bXlzZWNyZXQ="))

If you have the credentials.xml available and the old Jenkins instance still running, there is a way to decrypt individual credentials so you can enter them in the new Jenkins instance via the UI. The approach is described over at the DevOps stackexchange by kenorb.

This does not convert all the credentials for an easy, automated migration, but helps when you have only a few credentials to migrate (manually).

To summarize, you visit the /script page over at the old Jenkins instance, and use the encrypted credential from the credentials.xml file in the following line:

println(hudson.util.Secret.decrypt("{EncryptedCredentialFromCredentialsXml=}"))

Migrating users from a Jenkins instance to another Jenkins on a new server - I tried following https://stackoverflow.com/a/35603191 which led to https://itsecureadmin.com/2018/03/26/jenkins-migrating-credentials/ . However, I did not succeed in following these steps. Further, I experimented exporting /var/lib/jenkins/users (or {JENKINS_HOME}/users) directory to the new instance on new server. After restarting the Jenkins on new server - it looks like all the user credentials are available on new server. Additionally, I cross-checked if the users can log in to the new Jenkins instance. It works for now.

PS: This code is for redhat servers

Old server: cd /var/lib/jenkins

or cd into wherever your Jenkins home is

tar cvzf users.tgz ./users

New server: cd /var/lib/jenkins

scp @:/var/lib/jenkins/users.tgz ~/var/lib/jenkins/.

sudo tar xvzf users.tgz

systemctl restart jenkins

To migrate all credentials to a new server, from Jenkins: Migrating credentials:

  1. Stop Jenkins on new server.

     new-server # /etc/init.d/jenkins stop
  2. Remove the identity.key.enc file on new server:

     new-server # rm identity.key.enc
  3. Copy secret* and credentials.xml to new server.

     current-server # cd /var/lib/jenkins
     current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
     current-server # scp /tmp/credentials.tgz $user@$new-server:/tmp/
     new-server # cd /var/lib/jenkins
     new-server # tar xzvf /tmp/credentials.tgz -C./
  4. Start Jenkins.

     new-server # /etc/init.d/jenkins start

Did you try copying the $JENKINS_HOME/users folder and the $JENKINS_HOME/credentials.xml file to the other Jenkins instance?
