How to run jenkins as a different user - continuous-integration

I have been trying to follow tutorials and this one: Deploy as Jenkins User or Allow Jenkins To Run As Different User?
but I still can't for the love of the computing gods, run as a different user. Here are the steps of what I did:
download the macosx pkg for jenkins(LTS)
setup plugins etc and git
try to build it
I keep getting a can't clone error because jenkins keeps starting as anonymous:
Started by user anonymous
How do I set it up so that jenkins runs as me? I was using the jenkins web UI so it was in localhost:8080
I also tried logging in using /login, but I can't even log in using my name or as root.
The people tab doesn't even have a create user link, so yeah I've been stuck. Help please?

The "Issue 2" answer given by @Sagar works for the majority of git servers such as gitorious.
However, there will be a name clash in a system like gitolite where the public ssh keys are checked in as files named with the username, i.e. keydir/jenkins.pub. What if there are multiple jenkins servers that need to access the same gitolite server?
(Note: this is about running the Jenkins daemon not running a build job as a user (addressed by @Sagar's "Issue 1").)
So in this case you do need to run the Jenkins daemon as a different user.
There are two steps:
Step 1
The main thing is to update the JENKINS_USER environment variable. Here's a patch showing how to change the user to ptran.
BEGIN PATCH
--- etc/default/jenkins.old 2011-10-28 17:46:54.410305099 -0700
+++ etc/default/jenkins 2011-10-28 17:47:01.670369300 -0700
## -13,7 +13,7 ##
PIDFILE=/var/run/jenkins/jenkins.pid
# user id to be invoked as (otherwise will run as root; not wise!)
-JENKINS_USER=jenkins
+JENKINS_USER=ptran
# location of the jenkins war file
JENKINS_WAR=/usr/share/jenkins/jenkins.war
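Review bot: The changed line `JENKINS_USER=ptran` hard-codes a personal login as the daemon account, and the only documentation next to it is the unchanged comment about running as root. Suggest a dedicated service account per Jenkins server (one distinct name per host still avoids the key-name clash) rather than a person's login, plus a comment on this line noting that the Jenkins directories must be re-owned whenever the value changes.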
--- etc/init.d/jenkins.old 2011-10-28 17:47:20.878539172 -0700
+++ etc/init.d/jenkins 2011-10-28 17:47:47.510774714 -0700
## -23,7 +23,7 ##
#DAEMON=$JENKINS_SH
DAEMON=/usr/bin/daemon
-DAEMON_ARGS="--name=$NAME --inherit --env=JENKINS_HOME=$JENKINS_HOME --output=$JENKINS_LOG - -pidfile=$PIDFILE"
+DAEMON_ARGS="--name=$JENKINS_USER --inherit --env=JENKINS_HOME=$JENKINS_HOME --output=$JENKINS_LOG --pidfile=$PIDFILE"
SU=/bin/su
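Review bot: On the `+DAEMON_ARGS` line, `--name=$NAME` becomes `--name=$JENKINS_USER`, which ties the daemon's name to the account name while nothing else in the hunk is adjusted to match; any other use of `$NAME` in the init script (not shown here) should be checked before this is applied, or the name left as `$NAME`. Separately, the removed line reads `- -pidfile=$PIDFILE` with a space inside the option, which will not match a file containing `--pidfile=$PIDFILE`, so the hunk may not apply as posted.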
END PATCH
Step 2
Update ownership of jenkins directories:
chown -R ptran /var/log/jenkins
chown -R ptran /var/lib/jenkins
chown -R ptran /var/run/jenkins
chown -R ptran /var/cache/jenkins
Step 3
Restart jenkins
sudo service jenkins restart

ISSUE 1:
Started by user anonymous
That does not mean that Jenkins started as an anonymous user.
It just means that the person who started the build was not logged in. If you enable Jenkins security, you can create usernames for people and when they log in, the
"Started by anonymous"
will change to
"Started by < username >".
Note: You do not have to enable security in order to run jenkins or to clone correctly.
If you want to enable security and create users, you should see the options at Manage Jenkins > Configure System.
ISSUE 2:
The "can't clone" error is a different issue altogether. It has nothing to do with you logging in to jenkins or enabling security. It just means that Jenkins does not have the credentials to clone from your git SCM.
Check out the Jenkins Git Plugin to see how to set up Jenkins to work with your git repository.
Hope that helps.

On Mac OS X, the way I enabled Jenkins to pull from my (private) Github repo is:
First, ensure that your user owns the Jenkins directory
sudo chown -R me:me /Users/Shared/Jenkins
Then edit the LaunchDaemon plist for Jenkins (at /Library/LaunchDaemons/org.jenkins-ci.plist) so that your user is the GroupName and the UserName:
<key>GroupName</key>
<string>me</string>
...
<key>UserName</key>
<string>me</string>
Then reload Jenkins:
sudo launchctl unload -w /Library/LaunchDaemons/org.jenkins-ci.plist
sudo launchctl load -w /Library/LaunchDaemons/org.jenkins-ci.plist
Then Jenkins, since it's running as you, has access to your ~/.ssh directory which has your keys.

If you really want to run Jenkins as you, I suggest you check out my Jenkins.app. An alternative, easy way to run Jenkins on Mac.
See https://github.com/stisti/jenkins-app/
Download it from https://github.com/stisti/jenkins-app/downloads

To run Jenkins as a different user on Ubuntu, you need to change the things below.
Update the two lines below in the /etc/default/jenkins file:
JENKINS_USER=$USERNAME
JENKINS_GROUP=$NAME
In our case we set the user to ubuntu.
#JENKINS_USER=$NAME
#JENKINS_GROUP=$NAME
JENKINS_USER="ubuntu"
JENKINS_GROUP="ubuntu"
Update the two lines below in the /lib/systemd/system/jenkins.service file:
User=jenkins
Group=jenkins
In our case we set the user to ubuntu.
#User=jenkins
#Group=jenkins
User=ubuntu
Group=ubuntu
Change the file ownership of the folders owned by jenkins.
sudo chown -R ubuntu:ubuntu /var/lib/jenkins
sudo chown -R ubuntu:ubuntu /var/cache/jenkins
sudo chown -R ubuntu:ubuntu /var/log/jenkins
After the above changes, run the command below to reload systemctl:
sudo systemctl daemon-reload
Now you can restart Jenkins:
sudo systemctl restart jenkins.service
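
As an added example (not part of the answer above or of Jenkins' own packaging): a shell check that the two files the answer edits agree on the account, that the account is not root, and that the three directories it re-owns really belong to it. The function names and the `root` prefix argument are assumptions made for this example; an empty prefix audits the live host.

```shell
#!/bin/sh
# Added example, not from the original answers: audit a Jenkins run-as-user change.
# "root" is a hypothetical path prefix: "" for the live system, or a directory
# holding a copy of the files (lets the check run on constructed input).

# Print the last uncommented KEY=value in FILE, with surrounding quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Print one line per finding; the return status is the number of findings.
audit_jenkins_user() {
    root=$1
    problems=0
    def_user=$(conf_value JENKINS_USER "$root/etc/default/jenkins")
    unit_user=$(conf_value User "$root/lib/systemd/system/jenkins.service")

    if [ -z "$unit_user" ]; then
        echo "MISSING: no User= in jenkins.service (systemd would run it as root)"
        return 1
    fi
    if [ "$def_user" != "$unit_user" ]; then
        echo "MISMATCH: JENKINS_USER='$def_user' but User='$unit_user'"
        problems=$((problems + 1))
    fi
    if [ "$unit_user" = root ] || [ "$unit_user" = 0 ]; then
        echo "ROOT: the daemon and every build job would run as root"
        problems=$((problems + 1))
    fi
    # The directories the answer re-owns with chown -R.
    for d in /var/lib/jenkins /var/cache/jenkins /var/log/jenkins; do
        if ! stray=$(find "$root$d" ! -user "$unit_user" 2>/dev/null); then
            echo "UNCHECKED: $d (missing directory or unknown user '$unit_user')"
            problems=$((problems + 1))
        elif [ -n "$stray" ]; then
            echo "OWNER: $d contains files not owned by $unit_user"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Audit the live host only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_jenkins_user ""; fi
```

Run it with `--live` after `systemctl restart jenkins.service`; a non-zero exit status means at least one of the steps above was missed.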

You can integrate with LDAP or AD as well. It works well.

Related

No /var/log/jenkins directory after LTS installation

After installing Jenkins with https://www.jenkins.io/download/lts/macos/ and running it, when I go to http://localhost:8080/
Unlock Jenkins
To ensure Jenkins is securely set up by the administrator, a password has been written to the log (not sure where to find it?) and this file on the server:
So there it says:
Log files should be at /var/log/jenkins/jenkins.log, unless customized in org.jenkins-ci.plist.
But there is no /var/log/jenkins directory on my machine - where to find those logs? Why is there no /var/log/jenkins directory?
Typically this will be written into the JENKINS home directory, which is located at /Users/<YOUR_USER>/.jenkins. The secret will be located here.
`/Users/<YOUR_USER>/.jenkins/secrets/initialAdminPassword`
and this file on the server:
It is best to rely on "this file" rather than the logs
The official documentation suggests:
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
Or (as in here)
cat /Users/administrator/.jenkins/secrets/initialAdminPassword
In both instances, the file mentioned in the "Unlock Jenkins" should give you the password.
(assuming this is a Homebrew installation, not a Docker one)

Cannot pull a repository (from Cloud Source Repositories) in a GCE VM startup script

I have a VM in Google Compute Engine that I want to start and stop daily - I have already written Cloud Functions for this. When the VM starts, I want it to run a startup script. In the bash startup script, I first need to pull data from git - Cloud Source Repository. This causes it to crash:
Error: Permission denied (publickey)
The startup script looks like this:
#!/bin/bash
cd /home/my_home_directory/git_repo
git pull;
cd some_directory_in_repo
python3 some_script.py;
shutdown -h now;
The VM has its own service account, which, as far as I know, runs the script. What I basically want, is to run the script with a "user" - service account - that does not have a home directory on the VM (the service account has the necessary permissions for accessing the repository, though). I also set up an SSH key for the service account, then I registered the public key on my user profile and this works when I execute the script under my user.
Is there a solution for this, other than running the script under my user (which works, as I said), please?
Note: If I execute the startup script like the one below, it also works.
#!/bin/bash
cd /home/my_home_directory/git_repo
sudo -u my_username bash -c \
'git pull;
cd some_directory_in_repo
python3 some_script.py;
shutdown -h now;'
Thanks

Can't su to jenkins even though login shell is /bin/bash

I can't seem to su to jenkins user even though the login shell is already set to /bin/bash. When I attempt to run sudo su - jenkins -s /bin/bash, the user does not switch and I see the same prompt.
I've rebooted the machine and restarted the service using sudo systemctl restart jenkins.
I made sure that the jenkins login shell is not /bin/false like this question points out. My /etc/passwd shows this for jenkins:
jenkins:x:121:129:Jenkins,,,:/var/lib/jenkins:/bin/bash
Jenkins does run when I reboot the machine, but the service fails to start when I try to restart it.
Any idea why I can't su into jenkins?
Thanks
Edit: the below solution is not what fixed it for me. I'm still not sure what the root cause was, it may have been related to the Jenkins user not having read permission to some files, but I resolved it by reinstalling Jenkins.
It turns out that my /etc/sudoers file had:
jenkins ALL=(ALL:ALL) ALL
I changed it to:
jenkins ALL= NOPASSWD: ALL
and now I can switch to the jenkins user.

Jenkins shell script stuck on git clone

I am trying to nest a shell script into a Jenkins job but the script will infinitely get stuck when using the bash git clone command.
It doesn't even send me an error. I suspect the script is asking for a password when coming to the git clone command.
Jenkins Job Configuration :
#!/bin/sh
set -x
whoami #returns 'jenkins'
sudo -u root ./my_script.sh
my_script.sh
whoami #returns ROOT
sudo git clone 'https://myusername:mypassword@my.forge.fr/project/my-project.git' -b "master" --verbose
What have I tried so far
I edited my sudoers and added jenkins ALL=NOPASSWD: ALL
I intentionally wrote a wrong credential in the git clone command, and I get an error remote: HTTP Basic: Access denied
With a terminal, I went in my workspace project, switched to jenkins user and ran sudo ./my_script.sh and it worked fine, no password asked.
It also works fine when run under the root user (not a surprise)
Does anyone know how I can get my job to make this command pass ?
Edit
I am on Mac OS
I finally solved it, it did come from a credential, but not the one I thought of. The problem came from Keychain Access. Also I apologize, I did not specify I was on Mac, I thought it wasn't relevant here since I was using bash.
When running the script under the Jenkins user, it worked fine as I was using sudo, but when I tried to run directly the sudo git clone 'https://myusername:mypassword@my.forge.fr/project/my-project.git' -b "master" --verbose I got an error:
I couldn't find the error message in English, but basically it says "unable to find a Keychain to store..." and the answers "cancel" and "reset my default keychain"
From there I :
Created a new Keychain called jenkins-dev in the Keychain manager
I copied it from /Users/myuser/Library/Keychains to /Users/Shared/Jenkins/Library/Keychains under myuser
Then I ran security unlock-keychain /Users/Shared/Jenkins/Library/Keychains/jenkins-dev.keychain-db under jenkins user
finally security default-keychain /Users/Shared/Jenkins/Library/Keychains/jenkins-dev.keychain-db under jenkins user
I ran once more the git clone ... command line under jenkins user, and then it found the keychain, stored the access and my Jenkins script wasn't stuck anymore
Hope this can help
Do you have a key in ~/.ssh/id_rsa.pub in that machine?

Laravel Homestead: Nginx failing to start on Vagrant. Need root password to access Nginx logs

Using Laravel Homestead to work with Laravel 4. After running vagrant up this morning, I was unable to access homestead.app:8000. I pinged it with no problem so I investigated my virtualbox and discovered that Nginx wasn't starting. I then attempted to view logs and I am denied permission from the /var/log/nginx directory which is owned by www-data adm.
My question then, what is the su or sudo password which would allow me to access that directory? The documentation is surprisingly void of any information as well as the Homestead.app Git repository. Thank you.
I had a similar issue with the laravel/homestead vagrant virtual machine and nginx not restarting. The error after running nginx -t was:
nginx: [crit] pread() "/etc/nginx/sites-enabled/sites-available" failed (21: Is a directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
The solution was to delete the symbolic link sites_available:
rm -Rf /etc/nginx/sites-enabled/sites-available
Then it worked:
service nginx restart
Elevate to root by typing sudo -s
A quick way to jump to a root account shell is to run the "sudo bash" command. That way, you don't have to type "sudo" in front of each command. Since this VM is for development purposes I don't see it as a danger, but in real production Ubuntu runs with the root account locked down so you always go in and should stay in with user level privileges until you need to execute a higher level command. You "can" enable the root account and set a password, but jumping to it with sudo is the better method.
You can just look at the log using the root account password. So: sudo nano and then just enter your root user's password. A root is able to do anything on the system, so that always is a solution for this kind of problems.
If you forgot the root password, just search Google to recover it.
