We are using Jenkins for a variety of jobs, including both building and testing, with different developers having access only to the jobs within their scope.
However, when we are allowing a Jenkins user to "Configure" the job, we are basically permitting them to run shell (via the "Execute shell" step) with the privileges of the user who is running the Jenkins binary. That, in turn, gives theoretical ability to change things on the server and access files they are not supposed to.
Question: How can we control that?
So basically, I am looking for a way to disable the ability of users to edit the existing shell fields of particular builds (or altogether).
As a workaround that I haven't personally tested, you can overwrite the sh executable used by Jenkins in the global settings, but then everyone won't be able to use "Execute Shell".
You could then have some programmers write plugins for actions that you DO allow.
The solution that we ended up implementing is a master-slave tandem, where the master node has the number of executors set to 0.
Related
I need to run a console app after deployment, but the tool should only be run once per environment. I have two roles defined per environment, DatabaseServer and AppServer. The tool should be run on the AppServer machine.
I deploy the console app using a nuget package and a custom PowerShell script to copy it to the correct location on the AppServer machine.
Everything is fine when there is only one machine in the AppServer role, but I cannot think of an elegant way of ensuring the tool is run exactly once when there is more than one machine in the AppServer role.
The only way I can think of is if I specify a variable per environment that contains the name of the machine that the tool should run on. In the PowerShell script I could check this value and if it's not equal to the current machine name, just exit the script successfully.
This doesn't feel right though - it needs a variable per environment, and if the machines in the AppServer change (and the one the app should run on is removed) then the deployment will be classed as successful but the tool will not have run.
Is there anything simple that I've overlooked? Or will I have to make do with this approach? (which makes me sad)
You could give the AppServer machine that will run this tool a second role such as ToolRunner, for example. You could then create a deployment process step that targets the ToolRunner role and executes the console application on the one and only machine that has happens to be defined with that role.
This would require no change to your PowerShell scripts or to Octopus variables. However, should you remove the machine that is tagged with the ToolRunner tag from the environment, you would have to make sure to assign the tag to a new machine for your process to continue to work as you wish it to.
How to configure Jenkins to run Query (select, Update) on Oracle database,
Is there any plugin available in Jenkins?
Is there any easy way to write script in python?
Jenkins is a Continuous Integration (CI) tool. It is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Is there any plugin available in Jenkins?
As far as i know, there are no plugins for the type of job you're looking for. However, it does provide you a mechanism to run your own scripts by using various options present in Build section such as running a Win batch script, shell script, perl, python, ant commands etc...
Is there any easy way to write script in python?
If you understand the language well, then yes!
This link might be of some interest: http://176.34.122.30/blog/2009/05/18/continuous-integration-with-oracle-plsql-utplsql-and-hudson/
Plugin to run Sql on Oracle database in Jenkins:
https://wiki.jenkins-ci.org/display/JENKINS/SQLPlus+Script+Runner+Plugin
I'm no experience with Jenkins, I'm currently researching different options for PHP & JS automated unit testing with Jenkins.
I've come across Chutzpah (which uses PhantomJS's headless WebKit browser) but:
Is it possible to use Chutzpah with Jenkins?
There's very little documentation on Chutzpah. Although it does state on the Chutzpah homepage that it can be integrated into the TeamCity continuous integration server.
What's the minimum requirements for something to be compatible with Jenkins?
It is possible to use Chutzpah with Jenkins and with the 2.1 release of Chutzpah it is easier. Chutzpah's command line client can now take /junit argument that lets you specify a file name to output a junit-xml compatible file to. You can use Jenkins to pick this file up and report the test results.
I am not the downvoter, but I agree it is difficult to give a good answer to this question.
I believe the minimum requirement for something to be compatible with Jenkins is: It can be executed from a shell or cmd script. (If it's not, you need to find or write a plugin.)
Additionally, the thing should exit with code 0 for success and anything else for failure. (If it doesn't, you need to find or write a plugin.)
If you are interested in having Jenkins publish test results, the results must be in xml files using junit compatible notation. (If they are not, you need find or write a plugin.)
Additional requirements might be imposed by the tool you want to execute: It might need to draw windows or access the mouse or other parts of a graphical UI desktop/session. If that's the case, you need to run Jenkins in a context/session where it has access to those. (Windows, Mac and Linux all restrict background daemon/service access to the GUI desktop.)
Also, if your tool needs to access resources which are accessible by only certain user, you need to run Jenkins as that user.
This is a very open-ended question. Please try it out and come back with more concrete questions.
I have a build configuration which deploys my code to a machine. Depending on which machine I am deploying to (e.g. dev/uat/prod), I need to run as a different user.
Rather than hardcoding the username and password in the build files (not really possible as they change regularly for security reasons) I would like to be able to type them in at the point I run the build. I would envisage the "Run Custom Build" in TeamCity would have this option but I can't see anywhere to input that information.
Is there any way to do this (short of remoting into the build agent and changing the user which the build agent runs as)?
Thanks
The RunAs plugin combined with TeamCity 7's new Typed Parameters will let you make the password a "typed" parameter plugin.
Then, when it's entered at the Run screen, it will not be visible in the build history.
EDIT: Much later, as covered in the comments: You probably don't want to do this. Consider having separate pools which run as different users, and parameters to specify what builds are supported by what pools.
Neil, you can pass build parameters via Run Custom Build dialog.
There are "System properties" and "Environment variables" sections, where you can add new build parameters or redefine existing ones.
Please read more: http://confluence.jetbrains.net/display/TCD6/Triggering+a+Custom+Build
In our development environment each developer has their own dev server. Often times they do not actually develop on that server but develop from their local machine, deploy to their dev server, and then attach with the remote debugger to do debugging.
My question is; how can I use MSBuild to execute a different set of tasks for each user?
I want to enable each user to define their own build process with MSBuild tasks but I don't want that to necessarily affect the other developers. I also want a default set of tasks to execute if a given user explicitly defined their own process.
Example:
SomeProj.csproj
Default MS Build process is to copy to test server or staging server
Custom process for Steve is to copy to Steve's dev server
Custom process for Eric is to copy to Eric's dev server
You could use the project user file (*.suo / *.user) to do some 'poor mans dependency injection'.
looks like this guy did something similar
Yeah, I've done this before. Try trick is to key off $(USERNAME) in your msbuild script. If you haven't tried editing msbuild scripts before, you've got a lot of learning to do.