I need to configure our Nexus repo to have multiple procured groups and have different Jenkins jobs reference different groups depending on the type of job.
For example, for CI jobs I need to be able to proxy a bunch of repositories. For deploy or release jobs I need to use a proxy group that is procured and controlled. The CI may allow the users to get to artifacts that aren't yet approved but for releases the artifacts are vetted and approved first.
It seems simple to create the groups and do procurement in Nexus. However, I can't figure out how to get the Jenkins jobs to use the different groups. I can only have a single mirrorOf tag in the maven .settings.xml and mirrors can't be set in profiles.
Has anyone tried this?
You have to have a different settings.xml file for the different jobs that access different groups. The Maven 3 integration of Hudson can do that within the server and automatically use the right one. For Jenkins you have to manually manage it a different way, e.g. by having different settings.xml files with different names on the CI server and then using the -s option of the mvn invocation.
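As an added illustration of the two-settings-file approach (constructed here, not part of the original answer; the Nexus host, group names and file paths are assumptions): the two files differ only in the mirror URL, and each Jenkins job passes its own file with -s.

```xml
<!-- /var/lib/jenkins/maven/ci-settings.xml  (constructed example, assumed paths) -->
<!-- Every request is sent to the open CI group, which may contain unvetted proxies. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>nexus</id>
      <name>Nexus CI group (unvetted proxies allowed)</name>
      <url>https://nexus.example.com/content/groups/ci-public/</url>
      <mirrorOf>*</mirrorOf>   <!-- catch-all: no repository in a POM can bypass the group -->
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>nexus</id>
      <!-- Placeholder URLs: the catch-all mirror rewrites them; this profile only
           enables snapshots and makes plugins resolve through the group as well. -->
      <repositories>
        <repository>
          <id>central</id>
          <url>http://central</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>true</enabled></snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>http://central</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>true</enabled></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>nexus</activeProfile>
  </activeProfiles>
</settings>

<!-- /var/lib/jenkins/maven/release-settings.xml is identical except for the mirror URL:
       <url>https://nexus.example.com/content/groups/procured-release/</url>
     Each Jenkins job step then selects its file explicitly:
       CI job:      mvn -s /var/lib/jenkins/maven/ci-settings.xml      clean verify
       release job: mvn -s /var/lib/jenkins/maven/release-settings.xml clean deploy -->
```

Maven aborts when the file given to -s does not exist, so a release job cannot silently fall back to the default ~/.m2/settings.xml and the open group.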
"The CI may allow the users to get to artifacts that aren't yet approved but for releases the artifacts are vetted and approved first."
I wonder what you are using the CI for. Normally the CI is simply used to build your projects continuously, not to arbitrate between your developers and your repository manager server.
Maybe you could configure your proxies in multiple profiles in your settings.xml and activate them as needed using properties/environment variables.
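One way to realise the profile suggestion above, as an added example that is not part of the answer (the Nexus host, group names and the nexus.group property are assumptions): because mirrors cannot live in profiles, each profile instead overrides the built-in central repository id, so the active profile decides which group Maven talks to.

```xml
<!-- settings.xml with one profile per Nexus group (constructed example).
     No <mirrors> section: a catch-all mirror would redirect both profiles to one URL. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>nexus-ci</id>
      <activation>
        <!-- active whenever the nexus.group property is not set -->
        <property><name>!nexus.group</name></property>
      </activation>
      <repositories>
        <repository>
          <!-- reusing the id "central" replaces the super-POM definition,
               so nothing resolves from repo1.maven.org directly -->
          <id>central</id>
          <url>https://nexus.example.com/content/groups/ci-public/</url>
          <snapshots><enabled>true</enabled></snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://nexus.example.com/content/groups/ci-public/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
    <profile>
      <id>nexus-release</id>
      <activation>
        <property><name>nexus.group</name><value>procured</value></property>
      </activation>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://nexus.example.com/content/groups/procured-release/</url>
          <snapshots><enabled>false</enabled></snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://nexus.example.com/content/groups/procured-release/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
<!-- release job: mvn -Dnexus.group=procured clean deploy   (CI jobs pass nothing) -->
```

Without a mirror, any extra repository declared in a project's pom.xml is still contacted directly, so this only controls the default repository; a per-job settings file with a catch-all mirror is the stricter option.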
Where are the Maven and pom.xml files kept in a real-time project if the code is on GitHub? I mean, can I keep my local repository somewhere on another machine and use it in my project? If yes, how?
Local repositories are not meant for sharing. They are also not "thread-safe" in any way, so accessing them simultaneously from two different builds might break things.
They are populated by the artifacts Maven downloads from MavenCentral and other repositories, and also the stuff you build yourself. As they are more or less a form of cache, there is no need to share them.
If you need a repository that is used from different machines or by different users, set up a Nexus/Artifactory server.
We are looking into setting up a local Maven repository server at our institute. We have several teams that are completely independent and therefore should not have write access to each other's artifacts.
Ideally we would like a similar permission concept as e.g. Gitlab, where every user can create a project (or in this case repository) and give permissions to it, but not have write access to any other repositories.
I tried out Artifactory and Nexus, but as far as I could tell, giving permissions to a group for a specific project includes manual work for a user with full admin rights, namely creating that repository.
Is there a freely available maven repository server, that allows creation and administration of repositories by users without giving them access to other repositories? If not, is there one, that can restrict write access for an artifact to the person who first deployed it?
Even better if Artifactory or Nexus can in fact do something like that and I just missed it.
You can create an arbitrary number of repositories in one Nexus 2.x (professional) server. Then you can set up different user accounts with different writing rights, e.g. you can create a projectA repository and define a projectAuser which has writing rights only for this particular repository.
I guess this is possible in Artifactory and Nexus 3 as well, but I do not have experience.
In Artifactory you have many options. I recommend that you:
Create a virtual maven repository with permissions for a group of users.
Configure the settings.xml of this group of users with this virtual repository.
Create remote repositories to access GitHub or any other websites.
Add these remote repositories to the virtual repository.
Create local repositories if you need them and add them to the virtual repository.
Do this with every group of users that you want and you will have independent artifacts and repositories.
I am playing around with Nexus OSS 3.1.0-04. I created a new Maven-style repository called test and it is proxying from http://repo1.maven.org/maven2/org/apache/maven. After setting this up, I tried to view the contents of the test repository but there is nothing seen. I get a "no component found in repository". Why is this? What is it that I am missing? If I type the URL http://repo1.maven.org/maven2/org/apache/maven in a browser I am able to see all its contents.
By default, the local proxy is empty. The best way to get components in is to build a Maven project. Of course, make sure your Maven settings are configured to point to Nexus: https://books.sonatype.com/nexus-book/reference3/maven.html#maven-sect-single-group
I should also add, Nexus 3 provides a task for this: Publish Maven indexes. Maven indexes can be used to download an index of available components to your repo, allowing users connecting to it to use the index to discover components. The task publishes the index for all or a specific Maven repository: hosted, group or proxy. This task will not populate the Browse UI; we intentionally did this so you only see what components and assets are available locally. More on the task here: https://books.sonatype.com/nexus-book/reference3/admin.html
I want to set up a development environment that allows reusing some artifacts from public Maven repositories like Maven Central and Codehaus. Specifically, I like the concept of transitive dependencies.
In our company, our production network cannot export any data outside, but we can push data inside. We already have some gateways to copy file from the outside into our network. Therefore, I could use this to copy the required packages manually but we would miss the power of maven. In our case, the perfect solution would be to be able to get data from public repository but be forbidden to deploy to the external repo.
So I would like to have your expert view on this problem.
We can use various means, as long as the capability to export data outside our network is guaranteed:
External packages are created on a disk area that is read-only from production servers.
Some HTTP requests are filtered.
Using a repository manager, such as Nexus.
In the repository management guide, Nexus talks about this possibility (http://books.sonatype.com/nexus-book/reference/confignx-sect-manage-repo.html). I would like a confirmation from you guys about how secure it is. Specifically, this has to be updated only by the IT manager.
Regards,
Loïc.
This is completely feasible and a common setup with Nexus. Here are the steps roughly.
Lock all developers and CI server inside the network disallowing direct access to outside servers
Setup Nexus to proxy external repositories like Central as desired
Allow Nexus to reach those external repositories via the proxy
Configure developers and CI server machines to access Nexus to get the dependencies (and transitive dependencies) as desired
Optionally you can also
Configure CI servers to deploy any internal packages to Nexus
Configure deployment tools to get components for deployment from Nexus
Also note this can be done via different repository formats and toolchains. The common one is Maven, but Nexus also supports NPM, Nuget, Rubygems, sites, YUM and others.
And if you want to make some of your packages in Nexus available to the outside you can configure this as well following multiple options.
Also note that a proxy repository is by definition read-only in terms of deployments to it directly. That's what a hosted repository is for...
We currently use TeamCity to build a deployment artifact, then a further TeamCity task takes that artifact and deploys it to our development and testing servers on demand.
We can store the passwords and other secret data in properties files that we can check into source control, as these are all internal servers and the developers have full access to them.
However for release to Production (and our final test layer) there are secret passwords and configuration that we don't want checked into the normal source control, or to have development be able to discover the passwords. So to do 'real' deployments we have to hand the artifact over to another team and they maintain a properties file with the production values.
What methods exist to store these secrets and allow TeamCity to run a deploy without ever leaking the secrets out?
(Note: I am one of the devs and it is not a trust issue... I don't want to have the ability to find out prod passwords so I can never accidentally know them and do some horrific damage!)
Probably what you need here, is to create a separate project with narrower scope of permissions (for example, allow only certain people to edit build configurations). In this project create a build configuration, responsible for deployment. In this configuration, you can define a Typed Parameter of type 'password' to store the password to the production environment.
Another option is to use Deployer Plugin, especially its ability to deploy over ssh with private key authentication
If you are OK to use a third party solution, consider using a solution like CloudMunch which can help you to perform release management functions with these secure parameters collected at deploy time and encrypted post deployment.
Disclaimer: I work with CloudMunch
You can do 2 things.
Use a TeamCity project to deploy artefacts for production only. This will only be accessible to ops members.
TeamCity also supports running agents with different user ids. You can create a new user id which can have access to the production "secrets" (passwords and configuration). Use this id to run the targets in the 1st step.