thanks for taking time reading my issue.
I have a jenkins job that executes a shell script on a remote machine via ssh.
This script asks for username and password in a "form" way, so the two vars can not be sent as parameters. This script also verifies if the username and password are set as environment variables on the remote machine, if so, it runs without asking for inputs.
Here is the command i give to jenkins job build:
ssh admin#10.24.66.254 'SVN_USER=foo SVN_PASSWORD=bar sh /app/script.sh'
--> The script runs properly BUT, it shows my credentials on the jenkins job conf and console output.
--> Now i think about parametrizing the job so that it will dynamicly ask for username/password, but i don't know how to inject them into my command line so that i can transfer them as env vars on the remote machine.
when i do:
ssh admin#10.24.66.254 'SVN_USER=$LOGIN SVN_PASSWORD=$PWD sh /app/script.sh'
it doesnt consider that $LOGIN and $PWD are jenkins input vars because of the simple quotes used to execute the script.
I hope i clarified well the situation, thanks for reading !
A good starting point for this would be Injecting-Secrets-into-Jenkins-Build-Jobs
OR
You can also use Jenkin's Environment Injector Plugin. But be sure to review the security notices while using this plugin.
Related
Is it possible to bash script the setup process of jenkins, for example i have jenkins container set-up on my local machine, i would like to complete jenkins set-up entirely on bash for the purpose of scripting this entirely from a dockerfile.
I need to be able to pass initialAdminPassword without the use of a browser and just from the terminal.
Is it possible to complete the set-up from the terminal?
Yes it is possible to skip the manual setup.
I don't know your particular setup, but let's assume you retrieve the password from jenkins instance :
cat /var/jenkins_home/secrets/initialAdminPassword
or
docker exec "myjenkinscontainer" bash -c 'cat $JENKINS_HOME/secrets/initialAdminPassword'
You could then connect to Jenkins as admin, using that password.
curl --silent -u "admin:$mypassword" http://localhost:8080/manage
If you've configured Jenkins Security to not allow API calls, then you might require to generate first a crumb token that you would use in every request, instead of the password. To issue a crumb token, you might do something similar :
curl -s 'http://admin:$mypassword#localhost:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)'
Then you might need pass this crumb value instead of password in further requests.
Depending on your situation / Jenkins configuration, I might provide more details.
I was provided a tool to do a SSH to a remote host. The remote host is a new docker to be created. I was trying to understand if there are commands being executed right after the SSH (i.e. probably using ssh -t <some commands>).
It seems like the .bash_history does not include those cmds. In such case, what else can I do to figure out what cmds being executed right after my login? Thank you.
To find out the actual commands that are executed, you could add "set -v" or "set -x" to the shell initialization file(s) on the system you are ssh-ing to.
See man bash (the "INVOCATION" section) to find out which files will executed so that you can figure out which file to add the "set" command to.
You will probably want to do that temporarily ... because the output is verbose.
Another approach would be to configure sshd to set the logging level to DEBUG and see what commands are requested. However, note that sshd DEBUG logging is a user privacy violation.
If you are trying to do this kind of stuff to find out what is happening on the first "boot" of a docker instance, try putting the (temporarily) config changes into the docker image that you are starting.
The bash history only contains command lines that are submitted to the shell via a shell command prompt.
I have created a Jenkins job which executes a shell script. "Unsafe" people can open it and start the job. The job executes a db tool in shell which requires the db password.
The Jenkins instance is run on a computer which can be accessed by "unsafe" people. The job is delegated to a slave which is accessed by "safe" people.
This is a parameterized build, has one parameter: password as Password Parameter.
For the sake of brevity the relevant part of the script is as follows:
#!/bin/bash +x
dban -u username -p ${password}
It runs fine and fails fine if the password is not correct. Echoing the command invoked is disabled by +x as the first line says.
Is this that simple? What else should I consider for safety reasons?
Do you want people to run the build and not have to pass in the parameter of the password? If so you should checkout setting up a credential for it.
https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs
https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc
I have a shell provisioning script that invokes a command that requires user input - but when I run vagrant provision, the process hangs at that point in the script, as the command is waiting for my input, but there is nowhere to give it. Is there any way around this - i.e. to force the script to run in some interactive mode?
The specifics are that I creating a clean Ubuntu VM, and then invoking the Heroku CLI to download a database backup (this is in my provisioning script):
curl -o /tmp/db.backup `heroku pgbackups:url -a myapp`
However, because this is a clean VM, and therefore this is the first time that I have run an Heroku CLI command, I am prompted for my login credentials. Because the script is being managed by Vagrant, there is no interactive shell attached, and so the script just hangs there.
If you want to pass temporary input or variables to a Vagrant script, you can have them enter their credentials as temporary environment variables for that command by placing them first on the same line:
username=x password=x vagrant provision
and access them from within Vagrantfile as
$u = ENV['username']
$p = ENV['password']
Then you can pass them as an argument to your bash script:
config.vm.provision "shell" do |s|
s.inline: "echo username: $1, password: $2"
s.args: [$u, $p]
end
You can install something like expect in the vm to handle passing those variables to the curl command.
I'm assuming you don't want to hard code your credentials in plain text thus trying to force an interactive mode.
Thing is just as you I don't see such option in vagrant provision doc ( http://docs.vagrantup.com/v1/docs/provisioners/shell.html ) so one way or another you need to embed the authentication within your script.
Have you thought about using something like getting a token and use the heroku REST Api instead of the CLI?
https://devcenter.heroku.com/articles/authentication
I'm trying to write a shell script using bash. I have multiple servers and each servers have multiple apps runnings on it. Each server also has specific app scripts to check/stop/start etc. All I want to do is that, do a ssh and connect to the remote server.
Which I'm also able to do sucessfully and exceute the commands also..
In some instance I need to check some process status on a remote machine, the app sepecific scripts already does that. But using my ssh when i try to execute that script I dont get any info ( it gets executed but no info is passed ). How do i get the information from the remote host and display on the local host here.
Any help on this is really appreciated.
Regards,
Senny
You can run remote commands and get results locally by passing the command as a string to ssh.
In your script, you can do:
CMD_OUT=$(ssh user#remote_host "/path/to/script argument")
The command will be run remotely and the output store in the CMD_OUT variable. You can then parse the output in your script to get the results you want.
To simplify usage of your script, you might want to set up passwordless ssh so you don't have to type your password each time the script tries to run a remote command.