How do I automate the creation / assignment of SSH jenkins credentials to nodes?
I am writing an "auto create jenkins machine" script and I am facing an issue with SSH credentials, namely:
There is a file in Jenkins called credentials.xml (in /var/lib/jenkins) that stores credentials for nodes, and mine looks like this:
<?xml version='1.0' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.18">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>8743cc14-bc2c-44a6-b6bb-c121bef4ae2d</id>
          <description>root_with_secret</description>
          <username>root</username>
          <password>2Xd4i7+8tjVXg2RHP6ggl/ZtWJp177ajXNajJxsj80o=</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
There is also a configuration file for each node (slave), stored in /var/lib/jenkins/nodes/HOSTNAME/config.xml for each slave device, which looks like this:
<?xml version='1.0' encoding='UTF-8'?>
<slave>
  <name>HOSTNAME_OF_MY_SECRET_MACHINE</name>
  <description>HOSTNAME_OF_MY_SECRET_MACHINE</description>
  <remoteFS>/root</remoteFS>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
  <launcher class="hudson.plugins.sshslaves.SSHLauncher" plugin="ssh-slaves@1.9">
    <host>10.0.10.1</host>
    <port>22</port>
    <credentialsId>8743cc14-bc2c-44a6-b6bb-c121bef4ae2d</credentialsId>
    <maxNumRetries>0</maxNumRetries>
    <retryWaitTime>0</retryWaitTime>
  </launcher>
  <label></label>
  <nodeProperties/>
  <userId>anonymous</userId>
</slave>
The problem is that after creating the Jenkins machine, I copy credentials.xml and config.xml for each slave, after which the credentials do not work. I get:
[07/26/15 16:00:39] [SSH] Opening SSH connection to 10.0.10.1:22.
ERROR: Failed to authenticate as root. Wrong password. (credentialId:8743cc14-bc2c-44a6-b6bb-c121bef4ae2d/method:password)
[07/26/15 16:00:41] [SSH] Authentication failed.
hudson.AbortException: Authentication failed.
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1178)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[07/26/15 16:00:41] Launch failed - cleaning up connection
[07/26/15 16:00:41] [SSH] Connection closed.
To solve this problem, I can go to Jenkins → Credentials →, and then update the credentials with the same password, which I would use anyway, and it will work.
So the question is, does Jenkins use some kind of salting / hashing for every install, so that credentials.xml won't work when copied to a new machine?
Ok, so I was able to solve it with (I think) a workaround, namely:
Save the password in plain text in credentials.xml and copy it to the Jenkins machine after installing and starting the service. Jenkins will then encrypt it with a new secret (or whatever it uses for that purpose) and it will work :)
EDIT
The second option is to install Jenkins, run it, and then copy credentials.xml with encrypted passwords along with secrets and secret.xml from the previous installation. This will copy the master encryption key and encrypted credentials created with that master key.
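An added example (not part of the original question or answer): a pre-copy check for a provisioning script that confirms each node's credentialsId resolves in credentials.xml and lists passwords still stored as plaintext. The sample XML and ids are constructed, and the ciphertext test is a heuristic assumption based on the base64 form shown in the question.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

ENC = base64.b64encode(bytes(32)).decode()  # constructed stand-in for ciphertext
# Constructed sample files, trimmed to the elements the check reads.
CREDENTIALS_XML = f"""
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <id>constructed-id-plain</id>
    <password>constructed-plaintext-pw</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <id>constructed-id-enc</id>
    <password>{ENC}</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""
NODE_XML = """
<slave>
  <name>constructed-node</name>
  <launcher class="hudson.plugins.sshslaves.SSHLauncher">
    <credentialsId>constructed-id-missing</credentialsId>
  </launcher>
</slave>
"""

def looks_encrypted(value):
    """Heuristic (assumption): base64 that decodes to whole 16-byte blocks."""
    if value.startswith("{") and value.endswith("}"):
        return True  # newer Jenkins releases wrap ciphertext in braces
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0

def audit(credentials_xml, node_xmls):
    """Return (unresolved node credential ids, credential ids with plaintext passwords)."""
    known, plaintext, unresolved = set(), [], []
    for cred in ET.fromstring(credentials_xml.strip()).iter():
        cid, pw = cred.findtext("id"), cred.findtext("password")
        if cid is not None:
            known.add(cid)
            if pw is not None and not looks_encrypted(pw):
                plaintext.append(cid)
    for xml in node_xmls:
        node = ET.fromstring(xml.strip())
        cid = node.findtext("launcher/credentialsId")
        if cid and cid not in known:
            unresolved.append((node.findtext("name"), cid))
    return unresolved, plaintext
```

The check cannot tell whether a ciphertext was produced under the target installation's key, which is the failure described in the question; it only catches dangling ids and plaintext entries that should be rewritten by Jenkins after first start.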