[英]How to export credentials from one jenkins instance to another?
I am using the credentials plugin in Jenkins to manage credentials for git and database access for my team's builds.我正在使用 Jenkins 中的凭据插件来管理 git 的凭据和我团队构建的数据库访问权限。 I would like to copy the credentials from one jenkins instance to another, independent jenkins instance.
我想将凭据从一个 jenkins 实例复制到另一个独立的 jenkins 实例。 How would I go about doing this?
我将如何 go 这样做?
UPDATE: TL;DR Follow the link provided below in a comment by Filip Stachowiak it is the easiest way to do it.更新: TL;DR按照下面Filip Stachowiak评论中提供的链接,这是最简单的方法。 In case it doesn't work for you go on reading.
如果它不适合你继续阅读。
Copying the $HUDSON_HOME/credentials.xml is not the solution because Jenkins encrypts paswords and these can't be decrypted by another instance unless both share a common key.复制 $HUDSON_HOME/credentials.xml 不是解决方案,因为 Jenkins 对密码进行加密并且这些密码不能被另一个实例解密,除非两者共享一个公共密钥。
So, either you use the same encription keys in both Jenkins instances ( Where's the encryption key stored in Jenkins? ) or what you can do is:因此,要么您在两个 Jenkins 实例中使用相同的加密密钥(Jenkins 中存储的加密密钥在哪里? ),要么您可以做的是:
What is really important is that user ids in both credentials.xml are the same.真正重要的是两个credentials.xml 中的用户ID 是相同的。 For that (see the credentials.xml example below) for user: Jenkins the identifier
<id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
must be the same in both credentials.xml为此(请参阅下面的credentials.xml 示例)用户: Jenkins标识符
<id>c4855f57-5107-4b69-97fd-298e56a9977d</id>
在两个凭据中必须相同。
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.22"> <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"> <entry> <com.cloudbees.plugins.credentials.domains.Domain> <specifications/> </com.cloudbees.plugins.credentials.domains.Domain> <java.util.concurrent.CopyOnWriteArrayList> <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> <scope>GLOBAL</scope> <id>c4855f57-5107-4b69-97fd-298e56a9977d</id> <description>Para SVN</description> <username>jenkins</username> <password>J1ztA2vSXHbm60k5PjLl5jg70ZooSFKF+kRAo08UVts= </password> </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> </java.util.concurrent.CopyOnWriteArrayList> </entry> </domainCredentialsMap> </com.cloudbees.plugins.credentials.SystemCredentialsProvider>
I was also facing the same problem.我也面临同样的问题。 What worked for me is I copied the credentials.xml, config.xml and the secrets folder from existing jenkins to the new instance.
对我有用的是我将credentials.xml、config.xml 和secrets 文件夹从现有jenkins 复制到新实例。 After the restart of jenkins things worked fine.
詹金斯重启后一切正常。
After trying quite a few things for several days this is the best solution I found for migrating my secrets from a Jenkins 2.176 to a new clean Jenkins 2.249.1 jenkins-cli was the best approach for me.经过几天的尝试,这是我找到的将我的秘密从 Jenkins 2.176 迁移到新的干净 Jenkins 2.249.1 的最佳解决方案jenkins-cli对我来说是最好的方法。
The process is quite simple just dump the credentials from the old instance to a local machine, or Docker pod with java installed, as a XML file (unencrypted) and then uploaded to the new instance.该过程非常简单,只需将凭据从旧实例转储到本地机器或安装了 java 的 Docker pod,作为 XML 文件(未加密),然后上传到新实例。
Before starting you should verify the following:在开始之前,您应该验证以下内容:
Notice: In case your jenkins uses an oAuth service you will need to create a token for your user.
注意:如果您的 jenkins 使用 oAuth 服务,您将需要为您的用户创建一个令牌。 Once logged into jenkins at the top right if you click your profile you can verify both username and generate password.
在右上角登录 jenkins 后,如果您单击您的个人资料,您可以验证用户名和生成密码。
Now for the special sauce, you have to execute both parts from the same machine/pod:现在对于特殊的酱汁,您必须从同一台机器/吊舱执行这两个部分:
Notice: If your instances are using valid Certificates and you want to secure your connection you must remove the -noCertificateCheck flag from both commands.
注意:如果您的实例使用有效证书并且您想要保护您的连接,您必须从两个命令中删除-noCertificateCheck标志。
export USER=madox@example.com
export TOKEN=f561banana6ead83b587a4a8799c12c307
export SERVER=https://old-jenkins-url.com/
java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN list-credentials-as-xml "system::system::jenkins" > /tmp/jenkins_credentials.xml
export USER=admin
export TOKEN=admin
export SERVER=https://new-jenkins-url.com/
java -jar jenkins-cli.jar -noCertificateCheck -s $SERVER -auth $USER:$TOKEN import-credentials-as-xml "system::system::jenkins" < /tmp/jenkins_credentials.xml
This is what worked for me.这对我有用。
Create a job in Jenkins that takes the credentials and writes them to output.在 Jenkins 中创建一个获取凭据并将它们写入输出的作业。 If Jenkins replaces the password in the output with ****, just obfuscate it first (add a space between each character, reverse the characters, base64 encode it, etc.)
如果 Jenkins 将输出中的密码替换为 ****,只需先对其进行混淆(在每个字符之间添加一个空格、反转字符、对它进行 base64 编码等)
I used a Powershell job to base64 encode it:我使用 Powershell 作业对其进行 base64 编码:
[convert]::ToBase64String([text.encoding]::Default.GetBytes($mysecret))
And then used Powershell to convert the base64 string back to a regular string:然后使用 Powershell 将 base64 字符串转换回常规字符串:
[text.encoding]::Default.GetString([convert]::FromBase64String("bXlzZWNyZXQ="))
If you have the credentials.xml
available and the old Jenkins instance still running, there is a way to decrypt individual credentials so you can enter them in the new Jenkins instance via the UI.如果您有可用的
credentials.xml
.xml 并且旧的 Jenkins 实例仍在运行,则有一种方法可以解密单个凭据,以便您可以通过 UI 将它们输入到新的 Jenkins 实例中。 The approach is described over at the DevOps stackexchange by kenorb . kenorb在DevOps stackexchange 中描述了该方法。
This does not convert all the credentials for an easy, automated migration, but helps when you have only few credentials to migrate (manually).这不会为轻松的自动迁移转换所有凭据,但在您只有少量凭据要迁移(手动)时会有所帮助。
To summarize, you visit the /script
page over at the old Jenkins instance, and use the encrypted credential from the credentials.xml
file in the following line:总而言之,您访问旧 Jenkins 实例的
/script
页面,并在以下行中使用来自credentials.xml
文件的加密凭证:
println(hudson.util.Secret.decrypt("{EncryptedCredentialFromCredentialsXml=}"))
Migrating users from a Jenkins instance to another Jenkins on a new server - I tried following https://stackoverflow.com/a/35603191 which lead to https://itsecureadmin.com/2018/03/26/jenkins-migrating-credentials/ .将用户从 Jenkins 实例迁移到新服务器上的另一个 Jenkins - 我尝试遵循https://stackoverflow.com/a/35603191这导致https://itsecureadmin.com/2018/03/26/jenkins-migrating-credentials / . However, I did not succeed in following these steps.
但是,我没有成功执行这些步骤。 Further, I experimented exporting /var/lib/jenkins/users (or {JENKINS_HOME}/users) directory to the new instance on new server.
此外,我尝试将 /var/lib/jenkins/users(或 {JENKINS_HOME}/users)目录导出到新服务器上的新实例。 After restarting the Jenkins on new server - it looks like all the user credentials are available on new server.
在新服务器上重新启动 Jenkins 后 - 看起来所有用户凭据都可以在新服务器上使用。 Additionally, I cross-checked if the users can log in to the new Jenkins instance.
此外,我交叉检查了用户是否可以登录到新的 Jenkins 实例。 It works for now.
它现在有效。
PS: This code is for redhat servers PS:此代码适用于redhat服务器
Old server: cd /var/lib/jeknins旧服务器:cd /var/lib/jeknins
or cd into wherever your Jenkins home is或 cd 进入您的 Jenkins 家所在的任何地方
tar cvzf users.tgz ./users tar cvzf users.tgz ./users
New server: cd /var/lib/jeknins新服务器:cd /var/lib/jekkins
scp @:/var/lib/jenkins/user.tgz ~/var/lib/jenkins/. scp @:/var/lib/jenkins/user.tgz ~/var/lib/jenkins/.
sudo tar xvzf users.tgz须藤 tar xvzf users.tgz
systemctl restart jenkins systemctl 重启詹金斯
To migrate all credentials to a new server, from Jenkins: Migrating credentials :要将所有凭据从Jenkins 迁移到新服务器:迁移凭据:
Stop Jenkins on new server.在新服务器上停止 Jenkins。
new-server # /etc/init.d/jenkins stop
Remove the identity.key.enc file on new server:删除新服务器上的identity.key.enc文件:
new-server # rm identity.key.enc
Copy secret * and credentials.xml to new server.将secret * 和credentials.xml复制到新服务器。
current-server # cd /var/lib/jenkins current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml current-server # scp credentials.tgz $user@$new-server:/tmp/ new-server # cd /var/lib/jenkins new-server # tar xzvf /tmp/credentials.tgz -C./
Start Jenkins.启动 Jenkins。
new-server # /etc/init.d/jenkins start
您是否尝试将 $JENKINS_HOME/users 文件夹和 $JENKINS_HOME/credentials.xml 文件复制到另一个 Jenkins 实例?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.