How to automate Jenkins SSH credentials creation/assignment to nodes?

Pat*_*ryk 3 ssh automation credentials slave jenkins

I am writing an automated Jenkins machine creation script and I have run into a problem with SSH credentials, namely:

In Jenkins there is a file called credentials.xml (in /var/lib/jenkins) which stores credentials for the nodes. Mine looks like so:

<?xml version='1.0' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.18">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>8743cc14-bc2c-44a6-b6bb-c121bef4ae2d</id>
          <description>root_with_secret</description>
          <username>root</username>
          <password>2Xd4i7+8tjVXg2RHP6ggl/ZtWJp177ajXNajJxsj80o=</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

There is (are) also nodes (slaves) configuration file(s) (stored in /var/lib/jenkins/nodes/HOSTNAME/config.xml for each slave) which look(s) like:

<?xml version='1.0' encoding='UTF-8'?>
<slave>
  <name>HOSTNAME_OF_MY_SECRET_MACHINE</name>
  <description>HOSTNAME_OF_MY_SECRET_MACHINE</description>
  <remoteFS>/root</remoteFS>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
  <launcher class="hudson.plugins.sshslaves.SSHLauncher" plugin="ssh-slaves@1.9">
    <host>10.0.10.1</host>
    <port>22</port>
    <credentialsId>8743cc14-bc2c-44a6-b6bb-c121bef4ae2d</credentialsId>
    <maxNumRetries>0</maxNumRetries>
    <retryWaitTime>0</retryWaitTime>
  </launcher>
  <label></label>
  <nodeProperties/>
  <userId>anonymous</userId>
</slave>

The problem is that after I create the Jenkins machine and copy credentials.xml and the config.xml files for each slave, the credentials don't work. I get:

[07/26/15 16:00:39] [SSH] Opening SSH connection to 10.0.10.1:22.
ERROR: Failed to authenticate as root. Wrong password. (credentialId:8743cc14-bc2c-44a6-b6bb-c121bef4ae2d/method:password)
[07/26/15 16:00:41] [SSH] Authentication failed.
hudson.AbortException: Authentication failed.
    at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1178)
    at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
    at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[07/26/15 16:00:41] Launch failed - cleaning up connection
[07/26/15 16:00:41] [SSH] Connection closed.

To solve this issue I can go to Jenkins -> Credentials -> and then update the credential with the same password that I would use anyway and it will work.

So the question is whether Jenkins uses some kind of salting/hashing per installation, so that credentials.xml will not work if copied to a new machine?

Pat*_*ryk 6

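OK, I have managed to solve this with (I believe) a workaround, namely:

With the password stored in plain text, copy credentials.xml to the Jenkins machine after installing Jenkins and starting the service. Jenkins will then encrypt it with its new secret (or whatever it uses for this purpose) and it will work :)

EDIT

The second option is to install Jenkins, start it, and then copy credentials.xml with the encrypted passwords together with the secrets directory and secret.xml from the previous installation. This copies the encryption master key and the encrypted credentials created with that master key.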
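
A pre-flight check for the second option above, as an added example that is not part of the original answer or of Jenkins itself: it confirms that the `secrets` directory on the new machine is byte-identical to the old one and that every node's `credentialsId` resolves in the copied credentials.xml. The function name and the two-directory calling convention are assumptions made for this sketch.

```python
import hashlib
import os
import xml.etree.ElementTree as ET


def _digests(directory):
    """Map relative path -> SHA-256 for every file under directory."""
    out = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(path, directory)] = digest
    return out


def check_copied_home(old_home, new_home):
    """Return a list of problems that would break copied, encrypted credentials."""
    problems = []
    # Encrypted values in credentials.xml are only usable together with the
    # key material of the installation that wrote them, so compare it.
    old_keys = _digests(os.path.join(old_home, "secrets"))
    new_keys = _digests(os.path.join(new_home, "secrets"))
    for rel in sorted(old_keys):
        if new_keys.get(rel) != old_keys[rel]:
            problems.append(f"secrets/{rel} is missing or differs on the new machine")
    # Every node must reference a credential id present in credentials.xml.
    creds = ET.parse(os.path.join(new_home, "credentials.xml")).getroot()
    known = {e.text for e in creds.iter("id")}
    nodes = os.path.join(new_home, "nodes")
    for node in sorted(os.listdir(nodes)) if os.path.isdir(nodes) else []:
        cfg = os.path.join(nodes, node, "config.xml")
        if not os.path.isfile(cfg):
            continue
        for ref in ET.parse(cfg).getroot().iter("credentialsId"):
            if ref.text not in known:
                problems.append(f"node {node}: credentialsId {ref.text} not in credentials.xml")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: script.py OLD_JENKINS_HOME NEW_JENKINS_HOME
    for problem in check_copied_home(sys.argv[1], sys.argv[2]):
        print(problem)
```

The script never prints key or password contents, only file names and credential ids, so its output is safe to keep in provisioning logs.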