The title is general, but I have more specific questions. I am deep in a permissions nightmare trying to set up a "push-to-deploy" system using Git.
From my local machine, I push by SSH to the server (Ubuntu 14.04). I have the server set up as the remote
git remote add development devuser#development.server:/home/dummyuser/bare/repo.git
This bare repository is within the home folder of a dummy user dummyuser that we use to handle deployment tasks. devuser is my own account on the development server.
I have a post-receive hook set up within the remote repository (development.server:/home/dummyuser/bare/repo.git/hooks/post-receive) that's intended to deploy files via git checkout to a web server directory on the same server, call it webfolder/. That folder currently has permissions
drwxr-xr-x dummyuser www-data webfolder/
where www-data is the group associated with the Apache user.
If I have the post-receive hook script use the command
git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
I get errors that it can't write to webfolder/, which is predictable since I assume the script is running as me (devuser) since I did the instigating push via SSH, and devuser doesn't have any permissions on webfolder/.
However, if I change the script to act as dummyuser,
sudo -u dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
just to see what happens, I have the error
warning: unable to access '/home/devuser/.config/git/attributes': Permission denied
There's a couple of things I don't understand about this:
1) Neither /home/devuser/.config/ nor /home/dummyuser/.config/ exist. That's fine, but if Git needs to access a .config/ folder, why wasn't it complaining before when I was setting up bare repos and executing hooks as devuser?
2) Now that I'm trying to act as dummyuser, why is Git looking in ~devuser/ for a .config/ folder? Why isn't it looking in ~dummyuser/?
I've been working on this tiny slice of one single problem in the maddening shitshow that is "using Git" for coming up on four hours now, and my brain is fuzzy, so please use small words.
The problem is something involving sudo -u dummyuser not setting the environment variables that Git expects. If I add HOME=/home/dummyuser to the post-receive hook, the deployment works as expected.
If anyone can provide more details about what's happening or a better solution, write it as an answer and I'll accept it. Couple of notes:
dummyuser doesn't have a login, so using sudo -iu dummyuser in the post-receive script won't work
After setting HOME=/home/dummyuser manually and successfully executing the script, I find that echo $HOME from the terminal returns /home/devuser, so there's no permanent change to $HOME
After successfully executing the hook script, neither ~devuser/ nor ~dummyuser/ nor /root/ have a .config/ folder. So... I still have no idea why Git was hung up on it.
Git expects a .config folder in the user's home directory. If $HOME isn't set correctly, e.g. if it points to a different user's home, Git will try to access $HOME/.config, not knowing that it actually doesn't even exist. However, since the user, and thus Git, doesn't have access to that $HOME, you will receive an error saying Permission denied.
To test that, try to run as dummyuser:
[ -d /home/devuser/.config ] && echo '.config exists!'
You're trying to test if the directory /home/devuser/.config exists. However, since you don't have the needed permissions, you get Permission denied, and you still don't know whether the directory exists or not.
Instead of setting $HOME manually, you could possibly use -H or --set-home:
sudo -Hu dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
Error:
Failed to connect to repository : Command "/usr/bin/git ls-remote -h file:///home/myuser/path/to/project HEAD" returned status code 128:
stdout:
stderr: fatal: 'home/myuser/path/to/project' does not appear to be a git repository
fatal: The remote end hung up unexpectedly
I have tried the following:
chmod 777 to the repo folder(folder containing .git directory)
chowned to jenkins:jenkins on the repo folder
tried to clone into another folder from this local repo folder: this works!
When I run the above command: /usr/bin/git ls-remote -h file:///home/myuser/path/to/project HEAD on cmd I get the branches.
My questions are:
why is git ls-remote -h ... command called when it should be git clone ...?
How to configure jenkins git plugin to fetch code from local repo
My environment:
RHEL 5.9
Jenkins 1.519 installed as a service(no Web container)
Git plugin
When installing Jenkins as a service, by default, Jenkins does not create a user directory as in: /home/jenkins. Jenkins default home directory is set to /var/lib/jenkins. From my work-around, as you would expect, jenkins has trouble accessing local resources from other users directory.
I moved my cloned repo under Jenkins default home directory i.e. under /var/lib/jenkins so my Repository URLin Jenkins Project configuration looks like: file:///${JENKINS_HOME}/repo/<myprojectname>
UPDATE:
The above works fine ...but I found a better way to do it from this blog
The steps are outlined here:
look up /etc/init.d/jenkins script. There are a few $JENKINS variables defined
. This should lead you to the sysconfig for jenkins i.e. /etc/sysconfig/jenkins.
Stop your jenkins instance:
sudo /sbin/service jenkins stop
Take a backup
cp /etc/sysconfig/jenkins /etc/sysconfig/jenkins.bak
In this file, change the following property:
$JENKINS_USER="<your desired user>"
Change ownership of all related Jenkins directories:
chown -R <your desired user>:<your user group> /var/lib/jenkins
chown -R <your desired user>:<your user group> /var/cache/jenkins
chown -R <your desired user>:<your user group> /var/log/jenkins
Restart jenkins and that error should disappear
sudo /sbin/service jenkins start
This error should go away now!
It's been a while since this question was asked, but I had this problem today and there are very few resources. Most probably, because people tend to connect to git repositories remotely.
I checked using strace what exactly jenkins was doing and yes, it was a problem with permissions.
But I solved it in a simpler way than answer #2 - by adding jenkins to the git server group - in my case, git1:
root# gpasswd -a jenkins git1
root# service jenkins restart
I'm running Jenkins on Windows and had the same problem. I was able to solve this by having the Jenkins service log in as my user on my laptop.
(Windows 7)
Open Task Manager (Ctrl + Shift + Escape)
(Windows 10 only) Click on More Details in the lower left corner of the pop up window
Go to the Services tab
Click the Services... button
Find "Jenkins" in the list of services
Right-click "Jenkins" and click on Properties
Click the Log On tab in the Jenkins Properties window
Choose This account: under Log on as:
Enter your username and password
Click OK
Restart the Jenkins service
Then Bob's your uncle.
Jenkins uses git clone command only for the first time when a workspace is configured for a project. Further instances uses the git ls-remote command.
I had the same issue when I configured Jenkins. It was resolved by playing around with the SSH Keys. This looks like a configuration issue as well. Check if SSH Keys are setup for the Jenkins account.
Also, see the step by step procedure of configuration of SSH in the link provided. This might not give you exact solution, but can point you to the solution.
http://oodlestechnologies.com/blogs/How-to-setup-Jenkins-With-Grails-on-Ubuntu
I find that the other solutions are a bit "hacky" for me. What I did was move the Jenkins Home folder from /Users/Shared/ to /Users/[myacccount]/. This way, my Jenkins will have access to my repos and to my Android SDK (because that's where I use Jenkins for). Then change the JENKINS_HOME environment variable. I did this by entering the JENKINS_HOME in my .bash_profile (but there are other ways to do this).
Note: I use OSX
Instead of file:/// you can also use ssh:// as in this answer:
ssh://YOUR_USER#localhost/PATH_TO_YOUR_PROJECT
Note that you need to do the standard ssh setup:
Generate a keypair using ssh-keygen if you don't already have one in ~/.ssh
Paste private key (default ~/.ssh/id_rsa) into Jenkins (project settings, git repo, credentials)
Paste public key into ~/.ssh/authorized_keys
I've installed GitLab on Google Compute Engine using "Click to Deploy" from the project interface. The deployment is successful after a few minutes. I can SSH into the instance, and muck around with it as expected.
I can also log in to GitLab using the web interface, and add SSH keys to my profile. So far, so good. However, when I attempt to push or pull to a new example repository, I receive this message:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I've removed my local SSH config so it doesn't interfere. Do I need to setup an SSH tunnel of some sort? What am I missing?
UPDATE: Wiping out my local ~/.ssh folder, and regenerating an SSH key (which I've added to my profile in GitLab) produces the following error:
Received disconnect from {GITLAB_IP_ADDRESS}: 2: Too many authentication failures for git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
UPDATE 2: It seems GitLab may already have a solution: run sudo gitlab-ctl reconfigure. See here: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#git-ssh-access-stops-working-on-selinux-enabled-systems
You need to create an SSH tunnel to communicate with GitLab.
1. Log into your development server as your user, and create a key.
ssh-keygen -t rsa
Follow the steps, and create a passcode (that you can remember) as you'd need this to pull and push code from/to GitLab.
2. Now that you've created your key, we can copy it;
cat id_rsa.pub
Copy the output of that command (including ssh-rsa), and add it to your GitLab profile. (http://my-gitlab-server.com/profile/keys/new).
3. Ensure you have the correct privilege to the project(s)
Ensure you are at role developer at the very least. (Screengrab of roles: http://i.stack.imgur.com/DSSvl.jpg)
4. Now, copy the project link
Go into your project, and find the SSH link in the top right;
5. Now back to your development server
Navigate to your directory where you'd like to work, and run the following;
$ git init
$ git remote add origin <<project_url>>
$ git fetch
Where <<project_url>> is the link we copied in step 4.
You will be prompted your password (this is your ssh key password, not your server password) and to add the host to your known_hosts file. After that, the project will start to download and you can enjoy development.
I did these steps on a CentOS 6.4 machine with Digital Ocean. But they shouldn't differ from using Google CE.
Edit
Quote from Marty Penner answer as per this comment
Solved it! Thanks to #sxleixer and #Alexander Wenzowski for figuring this out.
Apparently, SELinux was interfering with a non-standard location for the .ssh directory. I needed to run the following commands on the Compute Engine instance:
sudo yum -y install policycoreutils-python # Install the `semanage` tool
sudo semanage fcontext -a -t ssh_home_t "/var/opt/gitlab/.ssh/authorized_keys" # Allow the nonstandard ssh_home_t
See the full thread here:
Google Cloud Engine. Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
Solved it! Thanks to #sxleixer and #Alexander Wenzowski for figuring this out.
Apparently, SELinux was interfering with a non-standard location for the .ssh directory. I needed to run the following commands on the Compute Engine instance:
sudo yum -y install policycoreutils-python # Install the `semanage` tool
sudo semanage fcontext -a -t ssh_home_t "/var/opt/gitlab/.ssh/authorized_keys" # Allow the nonstandard ssh_home_t
See the full thread here:
Google Cloud Engine. Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
UPDATE: It seems GitLab may already have a solution: run sudo gitlab-ctl reconfigure. See here: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#git-ssh-access-stops-working-on-selinux-enabled-systems
In my situation the git user wasn´t set up completely. If you get in your log files messages like "User git not allowed because account is locked" (Under Centos or Redhat it´s /var/log/secure) than you simply need to activate the user via "passwd -d git"
I use a mercurial repository for global configuration. The system config files are linked to /opt/config which is a hg repo owned by root.
I d like all users to be able to update settings from repo i.e. to call hg pull -u in /opt/config
I tried to create the following script
# -rwsr-x--x 1 root users 343 Mar 15 14:10 /bin/update_config
#! /bin/bash
cd /opt/config
hg pull -u
(Pay attention, the s-bit is set) . In this case, hg does not read the settings from /root/.hgrc which contain the HTTP login parameter (user cannot does not know the parameters)
even if I do export HOME=/root the hgrc file is not read.
How should I change my script to make it possible?
EDIT
It seems to be a general permission problem. I use sles11. The line touch /root/bla does not work in this script, why?
Mercurial being a distributed versioning system, it seems to me that you are not using it correctly. If users are required to modify the repository, every user should handle its own repository and then configure it to push into your desired location (/opt/config). Hence, the mercurial workflow will handle the merge problems. If they are only consumers of the repository, you should either 1) create a cron entry to update it automatically or 2) use a continuous integration system like Jenkins or TeamCity that will automatically update the repository when something is pushed to it.
If you still want to realize what you asked, you should look into the sudo command for this purpose. Make the /opt/config ownership to a new passwordless user, configure sudo to allow the switch to this user without password and make the configuration only in ~theuser/.hgrc . This will make it easier to maintain (only a single .hgrc to handle).
Is there a way to reset all (or just disable the security settings) from the command line without a user/password as I have managed to completely lock myself out of Jenkins?
The simplest solution is to completely disable security - change true to false in /var/lib/jenkins/config.xml file.
<useSecurity>true</useSecurity>
A one-liner to achieve the same:
sed -i 's/<useSecurity>true<\/useSecurity>/<useSecurity>false<\/useSecurity>/g' /var/lib/jenkins/config.xml
Then just restart Jenkins:
sudo service jenkins restart
And then go to admin panel and set everything once again.
If you in case are running your Jenkins inside a Kubernetes pod and can not run service command, then you can just restart Jenkins by deleting the pod:
kubectl delete pod <jenkins-pod-name>
Once the command was issued, Kubernetes will terminate the old pod and start a new one.
One other way would be to manually edit the configuration file for your user (e.g. /var/lib/jenkins/users/username/config.xml) and update the contents of passwordHash:
<passwordHash>#jbcrypt:$2a$10$razd3L1aXndFfBNHO95aj.IVrFydsxkcQCcLmujmFQzll3hcUrY7S</passwordHash>
Once you have done this, just restart Jenkins and log in using this password:
test
The <passwordHash> element in users/<username>/config.xml will accept data of the format
salt:sha256("password{salt}")
So, if your salt is bar and your password is foo then you can produce the SHA256 like this:
echo -n 'foo{bar}' | sha256sum
You should get 7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349 as the result. Take the hash and put it with the salt into <passwordHash>:
<passwordHash>bar:7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349</passwordHash>
Restart Jenkins, then try logging in with password foo. Then reset your password to something else. (Jenkins uses bcrypt by default, and one round of SHA256 is not a secure way to store passwords. You'll get a bcrypt hash stored when you reset your password.)
I found the file in question located in /var/lib/jenkins called config.xml, modifying that fixed the issue.
In El-Capitan config.xml can not be found at
/var/lib/jenkins/
Its available in
~/.jenkins
then after that as other mentioned open the config.xml file and make the following changes
In this replace <useSecurity>true</useSecurity> with <useSecurity>false</useSecurity>
Remove <authorizationStrategy> and <securityRealm>
Save it and restart the jenkins(sudo service jenkins restart)
The answer on modifying was correct. Yet, I think it should be mentioned that /var/lib/jenkins/config.xml looks something like this if you have activated "Project-based Matrix Authorization Strategy". Deleting /var/lib/jenkins/config.xml and restarting jenkins also does the trick. I also deleted the users in /var/lib/jenkins/users to start from scratch.
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Computer.Configure:jenkins-admin</permission>
<permission>hudson.model.Computer.Connect:jenkins-admin</permission>
<permission>hudson.model.Computer.Create:jenkins-admin</permission>
<permission>hudson.model.Computer.Delete:jenkins-admin</permission>
<permission>hudson.model.Computer.Disconnect:jenkins-admin</permission>
<!-- if this is missing for your user and it is the only one, bad luck -->
<permission>hudson.model.Hudson.Administer:jenkins-admin</permission>
<permission>hudson.model.Hudson.Read:jenkins-admin</permission>
<permission>hudson.model.Hudson.RunScripts:jenkins-admin</permission>
<permission>hudson.model.Item.Build:jenkins-admin</permission>
<permission>hudson.model.Item.Cancel:jenkins-admin</permission>
<permission>hudson.model.Item.Configure:jenkins-admin</permission>
<permission>hudson.model.Item.Create:jenkins-admin</permission>
<permission>hudson.model.Item.Delete:jenkins-admin</permission>
<permission>hudson.model.Item.Discover:jenkins-admin</permission>
<permission>hudson.model.Item.Read:jenkins-admin</permission>
<permission>hudson.model.Item.Workspace:jenkins-admin</permission>
<permission>hudson.model.View.Configure:jenkins-admin</permission>
<permission>hudson.model.View.Create:jenkins-admin</permission>
<permission>hudson.model.View.Delete:jenkins-admin</permission>
<permission>hudson.model.View.Read:jenkins-admin</permission>
</authorizationStrategy>
We can reset the password while leaving security on.
The config.xml file in /var/lib/Jenkins/users/admin/ acts sort of like the /etc/shadow file Linux or UNIX-like systems or the SAM file in Windows, in the sense that it stores the hash of the account's password.
If you need to reset the password without logging in, you can edit this file and replace the old hash with a new one generated from bcrypt:
$ pip install bcrypt
$ python
>>> import bcrypt
>>> bcrypt.hashpw("yourpassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))
'YOUR_HASH'
This will output your hash, with prefix 2a, the correct prefix for Jenkins hashes.
Now, edit the config.xml file:
...
<passwordHash>#jbcrypt:REPLACE_THIS</passwordHash>
...
Once you insert the new hash, reset Jenkins:
(if you are on a system with systemd):
sudo systemctl restart Jenkins
You can now log in, and you didn't leave your system open for a second.
To disable Jenkins security in simple steps in Linux, run these commands:
sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
sudo /etc/init.d/jenkins restart
It will remove useSecurity and authorizationStrategy lines from your config.xml root config file and restart your Jenkins.
See also: Disable security at Jenkins website
After gaining the access to Jenkins, you can re-enable security in your Configure Global Security page by choosing the Access Control/Security Realm. After than don't forget to create the admin user.
To reset it without disabling security if you're using matrix permissions (probably easily adaptable to other login methods):
In config.xml, set disableSignup to false.
Restart Jenkins.
Go to the Jenkins web page and sign up with a new user.
In config.xml, duplicate one of the <permission>hudson.model.Hudson.Administer:username</permission> lines and replace username with the new user.
If it's a private server, set disableSignup back to true in config.xml.
Restart Jenkins.
Go to the Jenkins web page and log in as the new user.
Reset the password of the original user.
Log in as the original user.
Optional cleanup:
Delete the new user.
Delete the temporary <permission> line in config.xml.
No securities were harmed during this answer.
On the offchance you accidentally lock yourself out of Jenkins due to a permission mistake, and you dont have server-side access to switch to the jenkins user or root... You can make a job in Jenkins and add this to the Shell Script:
sed -i 's/<useSecurity>true/<useSecurity>false/' ~/config.xml
Then click Build Now and restart Jenkins (or the server if you need to!)
\.jenkins\secrets\initialAdminPassword
Copy the password from the initialAdminPassword file and paste it into the Jenkins.
1 first check location if you install war or Linux or windows based on that
for example if war under Linux and for admin user
/home/"User_NAME"/.jenkins/users/admin/config.xml
go to this tag after #jbcrypt:
<passwordHash>#jbcrypt:$2a$10$3DzCGLQr2oYXtcot4o0rB.wYi5kth6e45tcPpRFsuYqzLZfn1pcWK</passwordHash>
change this password using use any website for bcrypt hash generator
https://www.dailycred.com/article/bcrypt-calculator
make sure it start with $2a cause this one jenkens uses
In order to remove the by default security for jenkins in Windows OS,
You can traverse through the file Config.xml created inside /users/{UserName}/.jenkins.
Inside this file you can change the code from
<useSecurity>true</useSecurity>
To,
<useSecurity>false</useSecurity>
step-1 : go to the directory cd .jenkins/secrets then you will get a 'initialAdminPassword'.
step-2 : nano initialAdminPassword
you will get a password
changing the <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity> will not be enough, you should remove <authorizationStrategy> and <securityRealm> elements too and restart your jenkins server by doing sudo service jenkins restart .
remember this, set <usesecurity> to false only may cause a problem for you, since these instructions are mentioned in thier official documentation here.
Jenkins over KUBENETES and Docker
In case of Jenkins over a container managed by a Kubernetes POD is a bit more complex since: kubectl exec PODID --namespace=jenkins -it -- /bin/bash will you allow to access directly to the container running Jenkins, but you will not have root access, sudo, vi and many commands are not available and therefore a workaround is needed.
Use kubectl describe pod [...] to find the node running your Pod and the container ID (docker://...)
SSH into the node
run docker exec -ti -u root -- /bin/bash to access the container with Root privileges
apt-get update
sudo apt-get install vim
The second difference is that the Jenkins configuration file are placed in a different path that corresponds to the mounting point of the persistent volume, i.e. /var/jenkins_home, this location might change in the future, check it running df.
Then disable security - change true to false in /var/jenkins_home/jenkins/config.xml file.
<useSecurity>false</useSecurity>
Now it is enough to restart the Jenkins, action that will cause the container and the Pod to die, it will created again in some seconds with the configuration updated (and all the chance like vi, update erased) thanks to the persistent volume.
The whole solution has been tested on Google Kubernetes Engine.
UPDATE
Notice that you can as well run ps -aux the password in plain text is shown even without root access.
jenkins#jenkins-87c47bbb8-g87nw:/$ps -aux
[...]
jenkins [..] -jar /usr/share/jenkins/jenkins.war --argumentsRealm.passwd.jenkins=password --argumentsRealm.roles.jenkins=admin
[...]
Easy way out of this is to use the admin psw to login with your admin user:
Change to root user: sudo su -
Copy the password: xclip -sel clip < /var/lib/jenkins/secrets/initialAdminPassword
Login with admin and press ctrl + v on password input box.
Install xclip if you don't have it:
$ sudo apt-get install xclip
Using bcrypt you can solve this issue. Extending the #Reem answer for someone who is trying to automate the process using bash and python.
#!/bin/bash
pip install bcrypt
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install xmlstarlet
cat > /tmp/jenkinsHash.py <<EOF
import bcrypt
import sys
if not sys.argv[1]:
sys.exit(10)
plaintext_pwd=sys.argv[1]
encrypted_pwd=bcrypt.hashpw(sys.argv[1], bcrypt.gensalt(rounds=10, prefix=b"2a"))
isCorrect=bcrypt.checkpw(plaintext_pwd, encrypted_pwd)
if not isCorrect:
sys.exit(20);
print "{}".format(encrypted_pwd)
EOF
chmod +x /tmp/jenkinsHash.py
cd /var/lib/jenkins/users/admin*
pwd
while (( 1 )); do
echo "Waiting for Jenkins to generate admin user's config file ..."
if [[ -f "./config.xml" ]]; then
break
fi
sleep 10
done
echo "Admin config file created"
admin_password=$(python /tmp/jenkinsHash.py password 2>&1)
# Repalcing the new passowrd
xmlstarlet -q ed --inplace -u "/user/properties/hudson.security.HudsonPrivateSecurityRealm_-Details/passwordHash" -v '#jbcrypt:'"$admin_password" config.xml
# Restart
systemctl restart jenkins
sleep 10
I have kept password hardcoded here but it can be a user input depending upon the requirement. Also make sure to add that sleep otherwise any other command revolving around Jenkins will fail.
To very simply disable both security and the startup wizard, use the JAVA property:
-Djenkins.install.runSetupWizard=false
The nice thing about this is that you can use it in a Docker image such that your container will always start up immediately with no login screen:
# Dockerfile
FROM jenkins/jenkins:lts
ENV JAVA_OPTS -Djenkins.install.runSetupWizard=false
Note that, as mentioned by others, the Jenkins config.xml is in /var/jenkins_home in the image, but using sed to modify it from the Dockerfile fails, because (presumably) the config.xml doesn't exist until the server starts.
I will add some improvements based on the solution:
https://stackoverflow.com/a/51255443/5322871
On my scenario it was deployed with Swarm cluster with nfs volume, in order to perform the password reset I did the following:
Attach to the pod:
$ docker exec -it <pod-name> bash
Generate the hash password with python (do not forget to specify the letter b outside of your quoted password, the method hashpw requires a parameter in bytes):
$ pip install bcrypt
$ python
>>> import bcrypt
>>> bcrypt.hashpw(b"yourpassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))
'YOUR_HASH'
Once inside the container find all the config.xml files:
$ find /var/ -type f -iname "config.xml"
Once identified, modify value of the field ( on my case the config.xml was in another location):
$ vim /var/jenkins_home/users/admin_9482805162890262115/config.xml
...
<passwordHash>#jbcrypt:YOUR_HASH</passwordHash>
...
Restart the service:
docker service scale <service-name>=0
docker service scale <service-name>=1
Hope this can be helpful for anybody.
I had a similar issue, and following reply from ArtB,
I found that my user didn't have the proper configurations. so what I did:
Note: manually modifying such XML files is risky. Do it at your own risk. Since I was already locked out, I didn't have much to lose. AFAIK Worst case I would have deleted the ~/.jenkins/config.xml file as prev post mentioned.
**> 1. ssh to the jenkins machine
cd ~/.jenkins (I guess that some installations put it under /var/lib/jenkins/config.xml, but not in my case )
vi config.xml, and under authorizationStrategy xml tag, add the below section (just used my username instead of "put-your-username")
restart jenkins. in my case as root service tomcat7 stop; ; service tomcat7 start
Try to login again. (worked for me)**
under
add:
<permission>hudson.model.Computer.Build:put-your-username</permission>
<permission>hudson.model.Computer.Configure:put-your-username</permission>
<permission>hudson.model.Computer.Connect:put-your-username</permission>
<permission>hudson.model.Computer.Create:put-your-username</permission>
<permission>hudson.model.Computer.Delete:put-your-username</permission>
<permission>hudson.model.Computer.Disconnect:put-your-username</permission>
<permission>hudson.model.Hudson.Administer:put-your-username</permission>
<permission>hudson.model.Hudson.ConfigureUpdateCenter:put-your-username</permission>
<permission>hudson.model.Hudson.Read:put-your-username</permission>
<permission>hudson.model.Hudson.RunScripts:put-your-username</permission>
<permission>hudson.model.Hudson.UploadPlugins:put-your-username</permission>
<permission>hudson.model.Item.Build:put-your-username</permission>
<permission>hudson.model.Item.Cancel:put-your-username</permission>
<permission>hudson.model.Item.Configure:put-your-username</permission>
<permission>hudson.model.Item.Create:put-your-username</permission>
<permission>hudson.model.Item.Delete:put-your-username</permission>
<permission>hudson.model.Item.Discover:put-your-username</permission>
<permission>hudson.model.Item.Read:put-your-username</permission>
<permission>hudson.model.Item.Workspace:put-your-username</permission>
<permission>hudson.model.Run.Delete:put-your-username</permission>
<permission>hudson.model.Run.Update:put-your-username</permission>
<permission>hudson.model.View.Configure:put-your-username</permission>
<permission>hudson.model.View.Create:put-your-username</permission>
<permission>hudson.model.View.Delete:put-your-username</permission>
<permission>hudson.model.View.Read:put-your-username</permission>
<permission>hudson.scm.SCM.Tag:put-your-username</permission>
Now, you can go to different directions. For example I had github oauth integration, so I could have tried to replace the authorizationStrategy with something like below:
Note:, It worked in my case because I had a specific github oauth plugin that was already configured. So it is more risky than the previous solution.
<authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy" plugin="github-oauth#0.14">
<rootACL>
<organizationNameList class="linked-list">
<string></string>
</organizationNameList>
<adminUserNameList class="linked-list">
<string>put-your-username</string>
<string>username2</string>
<string>username3</string>
<string>username_4_etc_put_username_that_will_become_administrator</string>
</adminUserNameList>
<authenticatedUserReadPermission>true</authenticatedUserReadPermission>
<allowGithubWebHookPermission>false</allowGithubWebHookPermission>
<allowCcTrayPermission>false</allowCcTrayPermission>
<allowAnonymousReadPermission>false</allowAnonymousReadPermission>
</rootACL>
</authorizationStrategy>
Edit the file $JENKINS_HOME/config.xml and change de security configuration with this:
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
After that restart Jenkins.
A lot of times you wont be having permissions to edit the config.xml file.
The simplest thing would be to take a back of config.xml and delete using sudo command.
Restart the jenkins using the command sudo /etc/init.d/jenkins restart
This will disable all the security in the Jenkins and the login option would disappear
For one who is using macOS, the new version just can be installed by homebrew. so for resting, this command line must be using:
brew services restart jenkins-lts
The directory where the file is located config.xml in windows
C:\Windows\System32\config\systemprofile\AppData\Local\Jenkins\.jenkins