I have a shell script to do deployment on a remote server. But I didn't have full root privileges for that server and it asks password for every steps (4-5 times while executing the script).
Now, I want to run the shell script using Jenkins. How to configure jenkins to give the password while executing the shell script in remote server.
Thanks in advance
Add myuser ALL=(ALL) NOPASSWD: ALL in /etc/sudoers.
Note: Replace myuser with your actual username.
At my workplace we have some computer labs. In these laboratories each computer has the operating system windows and linux. Both systems are in our AD domain.
I did a lab of tests and I have a functional puppet server. I put some nodes/agents as root and Everything working perfectly when I run puppet agent -t.
The problem:
When I log in with a domain user (e.g: xiru) on linux machines and run the puppet agent -t command, a new certificate is generated, but an error occurs warning that it does not match the server's certificate.
For the domain users, the puppet creates the new certificate on the path: /home/<user>/.puppetlabs/etc/puppet/ssl
Linux machines names in the test:
mint-client.mycompany.intra
ubuntu-client.mycompany.intra
I try set certname variable on the puppet conf, but the error remains.
[main]
certname = mint-client.mycompany.intra
[agent]
server = puppet.mycompany.intra
How can I get around this and make it always with the same certificate that I configure via root user?
I think you must setup your environtment to accept non-root users.
When you run it, do you use sudo or the users are present on sudoers?
If its not, on puppet docs theres some tips to run it as non-root users...
Installation and configuration
To properly configure non-root agent access, you need to:
Install a monolithic PE master
Install and configure PE agents, disable the puppet service on all nodes, and create non-root users
Verify the non-root configuration
Install and configure a monolithic master
As a root user, install and configure a monolithic PE master. Use the web-based installer or the text-mode installer.
Use the PE console to make sure no new agents can get added to the MCollective group.
a. In the console, click Nodes > Classification, and in the PE Infrastructure group, select the PE MCollective group.
b. On the Rules tab, under Fact, locate aio_agent_version and click Remove.
c. Commit changes.
Install and configure PE agents and create non-root users
1. On each agent node, install a PE agent while logged in as a root user. Refer to the instructions for installing agents.
2. As a root user, log in to an agent node, and add the non-root user with puppet resource user <UNIQUE NON-ROOT USERNAME> ensure=present managehome=true.
Note: Each and every non-root user must have a unique name.
3. As a root user, still on the agent node, set the non-root user’s password. For example, on most *nix systems run passwd
4. By default, the puppet service runs automatically as a root user, so it needs to be disabled. As a root user on the agent node, stop the service by running puppet resource service puppet ensure=stopped enable=false.
5. Disable the MCollective service on the agent node. As a root user, run puppet resource service mcollective ensure=stopped enable=false.
6. Disable the PXP agent.
a. In the console, click Nodes > Classification* and in the PE Infrastructure group, select the PE Agent group.
b. On the Classes tab, select the puppet_enterprise::profile::agent class, and set the parameter pxp_enabled to false.
7. Change to the non-root user.
Tip: If you wish to use su - <NON-ROOT USERNAME> to switch between accounts, make sure to use the - (-l in some unix variants) argument so that full login privileges are correctly granted. Otherwise you may see “permission denied” errors when trying to apply a catalog.
8. As the non-root user, generate and submit the cert for the agent node. From the agent node, execute the following command:
puppet agent -t --certname "<UNIQUE NON-ROOT USERNAME.HOSTNAME>" --server "<PUPPET MASTER HOSTNAME>"
This Puppet run submits a cert request to the master and creates a ~/.puppet directory structure in the non-root user’s home directory.
9. As an admin user, log into the console, navigate to the pending node requests, and accept the requests from non-root user agents.
Note: It is possible to also sign the root user certificate in order to allow that user to also manage the node. However, you should do so only with great caution as this introduces the possibility of unwanted behavior and potential security issues. For example, if your site.pp has no default node configuration, running agent as non-admin could lead to unwanted node definitions getting generated using alt hostnames, which is a potential security issue. In general, if you deploy this scenario, you should ensure that the root and non-root users never try to manage the same resources,ensure that they have clear-cut node definitions, and ensure that classes scope correctly. As the non-root user, run puppet config set certname <UNIQUE NON-ROOT USERNAME.HOSTNAME> --section agent.
10. As the non-root user, run puppet config set server <PUPPET MASTER HOSTNAME> --section agent. Steps 7 and 8 create and set the configuration for the non-root agent’s puppet.conf, created in /.puppetlabs/etc/puppet/ in the non-root user’s home directory.
[main]
certname = <UNIQUE NON-ROOT USERNAME.HOSTNAME>
server = <PUPPET MASTER HOSTNAME>
11. You can now connect the non-root agent node to the master and get PE to configure it. Log into the agent node as the non-root user and run puppet agent -t.
Source: https://puppet.com/docs/pe/2017.1/deploy_nonroot-agent.html
Check the permissions. To make it work, you can provide relevant permissions to the folder where certificates are stored, so that domain user has permissions on the certificates.
My linux user account has the rights to run a particular sudo command without a password prompt. I am trying to implements jenkins to run this command. It is set up to ssh as my user account on the box with the Publish Over SSH plugin.
When I am in the box $USER shows the correct user, but when I try to run "sudo {command}" (which runs without password when I am using that box normally with my user) it requires password. What is causing this behavior?
Because it is configured to do so. There is file /etc/sudoers specifying these rules and there is respective manual page describing how does this file and the roles work. It is probably a good start to read.
I have a jenkins running on my local centos machine.
I have configured my local jenkins and was able to run a successful local build .
Now, i want to run remote tests which are python scripts on a remote centos machine which is not having jenkins installed. also, i dont want to install any jenkins process on the remote linux system as it is "like a" production server and am advised not to install any apps on it.
How do i use my local jenkins to run a build to execute those remote tests and report/output on my local jenkins console.
Do i need to use jenkins master-slave architecture ? if yes, how do i configure that given my above requirement.
You might want to have a look at this:
https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds
for you req, precisely this part:
https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds#Distributedbuilds-Launchslaveagentheadlessly
However, i believe you still have to have java on your slave unix node to run the slave.jar on it
This answer is assuming the scripts are in GitHub. May it helps to think in your case.
So.. First you need to install Git in you server machine by:
$ sudo apt-get update
$ sudo apt-get install git
Now you need to get the path of Git by $ which git
it will give like "/usr/local/bin/git"
copy that path into ManageJenkins->Global Tool Configuration-> in the git section, paste into "Path to Git executable".
it will allows you to access git sources.
Now you need to provive SSH keys.
Type sudo su- jenkins in you remote machine.You have to generate ssh key for "jenkins" user.
Now add public key to GitHub account(You can see https://www.youtube.com/watch?v=Vi-WqFKYpnw).
and add the private key to Jenkins by
Go to Credentials
Click in Global in Stores scoped
Add Credentials
Kind: SSH Username with private key
Username: your server username
Private Key: give the private key of user "Jenkins"
Specify ID as "jenkins-private-key" or anything else to identify
Now
Go to job configuration->select credentials that you have created and
Copy the ssh url of repository(Where you scripts are stored) Now you can run the scripts which are stored in Git.
What I'm basically trying to do is allow jenkins access my android-sdk-linux folder and all the sub-directories. My boss does not want to change permissions on the folder himself. I am supposed to do it during the build process. I have seen some examples that run some commands in the execute shell during the build process. Is there some commands that can I can run in that execute shell so that jenkins can have read write and execute authority on my android-sdk-linux folder?
As bcolfer said, you should be able to just run your shell commands with "sudo" in front of it. You will want to be sure that the user that started the Jenkins slave is a sudoer.
As root, run "visudo", this will open the /etc/sudoers file. At the bottom add a line similar to this if it is not a current sudoer:
jenkins ALL=(ALL) NOPASSWD: ALL
"Jenkins" being the user that started the slave.
OR
You could try adding the user to the group that owns that directory. IF you run "ls -l" you should be able to see the permissions and then the user, and the group that owns the directory. Once you know the group, as root run:
usermod -a -G group Jenkins
"Jenkins" being the user that started the slave, and "group" being the actual group name.
One possibility is to use sudo to run commands that specifically target those files. There are a bunch of ways to manage the sudo privileges limit and log what actions happen on those files.