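Setting up a Jenkins server
Jenkins is the build and packaging tool I use every day at work, but when I set it up recently, installing plugins turned out to be painful. Here are my notes on the setup, for reference only.
The environment for this installation is Windows Server 2012, and the Jenkins version is 2.289.2.
Installation is fairly simple: install JDK 1.8 or later, then install Jenkins with the default options. When installation finishes, the Jenkins service starts automatically, and you can open the Jenkins page in a browser to do the initial configuration.
Before opening it in the browser, first change the URL of the update site. The steps below use Windows Server 2012 as the example.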
Go to the directory C:\Users\Administrator\AppData\Local\Jenkins\.jenkins and edit the file hudson.model.UpdateCenter.xml, changing "https://updates.jenkins.io/update-center.json" to "http://mirror.xmission.com/jenkins/updates/update-center.json".
After the change, open Jenkins in the browser and initialize it. The plugins still could not be installed.
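The method I used previously was to edit the default.json file to configure a faster mirror. Setting the Tsinghua University mirror speeds up plugin installation:

    cd /var/lib/jenkins/updates
    sed -i 's/https:\/\/updates.jenkins.io\/download/http:\/\/mirror.xmission.com\/jenkins/g' default.json
    sed -i 's/http:\/\/www.google.com/https:\/\/www.baidu.com/g' default.json

This time, however, default.json is re-initialized whenever the service is restarted, so the edits are lost after a restart and this method no longer works.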
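After a lot of searching, the suggestion I found was to use Nginx as a reverse proxy. In short, Nginx is configured with the domain name "updates.jenkins.io", and the Jenkins server binds that name in its hosts file. The catch is that this needs a self-signed certificate, because the requests are HTTPS. The certificate can be issued with openssl or with cfssl; I used cfssl.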
1: Download and install cfssl

    # wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
    # wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
    # wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
    # chmod +x /usr/bin/cfssl*

2: Create the JSON configuration file for the CA certificate's CSR

    # mkdir /opt/certs
    # cd /opt/certs
    # vi /opt/certs/ca-csr.json
    {
        "CN": "AuthEdu",
        "hosts": [
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "beijing",
                "L": "beijing",
                "O": "od",
                "OU": "ops"
            }
        ],
        "ca": {
            "expiry": "175200h"
        }
    }

3: Generate the CA certificate files

    # cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
    # ll
    -rw-r--r-- 1 root root 993 4月 29 11:18 ca.csr
    -rw-r--r-- 1 root root 326 4月 29 11:15 ca-csr.json
    -rw------- 1 root root 1679 4月 29 11:18 ca-key.pem
    -rw-r--r-- 1 root root 1338 4月 29 11:18 ca.pem

4: Create the signing config file based on the root certificate

    # vi /opt/certs/ca-config.json
    {
        "signing": {
            "default": {
                "expiry": "175200h"
            },
            "profiles": {
                "server": {
                    "expiry": "175200h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth"
                    ]
                },
                "client": {
                    "expiry": "175200h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "client auth"
                    ]
                },
                "peer": {
                    "expiry": "175200h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                    ]
                }
            }
        }
    }

5: Use the CA certificate to issue the updates.jenkins.io certificate

    # vi updates.jenkins.io-csr.json
    {
        "CN": "updates.jenkins.io",
        "hosts": [
            "updates.jenkins.io"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "beijing",
                "L": "beijing",
                "O": "od",
                "OU": "ops"
            }
        ]
    }
    # cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server updates.jenkins.io-csr.json | cfssl-json -bare updates.jenkins.io

The certificate has now been generated and Nginx can be configured. Look up the Nginx installation steps yourself; the Nginx configuration file is as follows:

    # cat /usr/local/nginx/conf/vhosts/updates.jenkins.io.conf
    server {
        listen 80;
        server_name updates.jenkins.io;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        listen 443 ssl;
        server_name updates.jenkins.io;
        ssl_certificate /usr/local/nginx/conf/certs/updates.jenkins.io.pem;
        ssl_certificate_key /usr/local/nginx/conf/certs/updates.jenkins.io-key.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_redirect off;
            proxy_pass https://mirrors.tuna.tsinghua.edu.cn/jenkins;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Accept-Encoding "";
            proxy_set_header Accept-Language "zh-CN";
        }
        location ^~ /download/ {
            proxy_pass https://mirrors.tuna.tsinghua.edu.cn/jenkins/;
        }
    }
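Now all that remains is to bind the hostname in the hosts file on the Jenkins server. Opening the site in a browser now only produces an untrusted-certificate warning, which can be resolved by importing the CA root certificate into the browser's "Trusted Root Certification Authorities" store.
Note, however, that the import only supports certificates of type crt, so the pem file has to be converted to crt format.
Use openssl to convert the certificate format:

    openssl x509 -in ca.pem -out ca.crt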
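With this done, downloads in the browser work, but Jenkins still cannot download and install plugins. It still reports that the certificate cannot be found (see "How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?"). The cause is presumably that the JRE cannot find the certificate, so the domain certificate has to be imported into the JRE.
On Windows, proceed as follows: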
1: Download and install portecle.
2: First make 100% sure you know which JRE or JDK is being used to run your program. On a 64 bit Windows 7 there could be quite a few JREs. Process Explorer can help you with this or you can use: System.out.println(System.getProperty("java.home"));
3: Copy the file JAVA_HOME\lib\security\cacerts to another folder.
4: In Portecle click File > Open Keystore File
5: Select the cacerts file
6: Enter this password: changeit
7: Click Tools > Import Trusted Certificate
8: Browse for the file mycertificate.pem
9: Click Import
10: Click OK for the warning about the trust path.
11: Click OK when it displays the details about the certificate.
12: Click Yes to accept the certificate as trusted.
13: When it asks for an alias click OK and click OK again when it says it has imported the certificate.
14: Click save. Don’t forget this or the change is discarded.
15: Copy the file cacerts back where you found it.

On Linux, proceed as follows:
You can download the SSL certificate from a web server that is already using it like this:
    $ echo -n | openssl s_client -connect www.example.com:443 | \
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
Optionally verify the certificate information:
    $ openssl x509 -in /tmp/examplecert.crt -text
Import the certificate into the Java cacerts keystore:
    $ keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts \
        -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt

After the certificate has been imported, restart the Jenkins service; plugins should then install normally.
Reference:
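The setup above changes two things that decide where Jenkins fetches plugin metadata: the URL in hudson.model.UpdateCenter.xml and the hosts binding for updates.jenkins.io. The following Python check is an added example, not part of the original post, that reports both so a changed update source can be spotted during a review. The sample file contents and the address 192.0.2.10 are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from a real server).
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<sites>
  <site>
    <id>default</id>
    <url>http://mirror.xmission.com/jenkins/updates/update-center.json</url>
  </site>
</sites>
"""
SAMPLE_HOSTS = """127.0.0.1   localhost
192.0.2.10  updates.jenkins.io   # constructed: nginx reverse proxy
"""


def update_sites(xml_text):
    """Return [(site id, url)] from hudson.model.UpdateCenter.xml."""
    # Jenkins 2.x writes an XML 1.1 declaration; drop it, since the expat
    # parser behind ElementTree only handles XML 1.0.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    return [(s.findtext("id", "").strip(), s.findtext("url", "").strip())
            for s in ET.fromstring(body).iter("site")]


def hosts_overrides(hosts_text):
    """Return {hostname: ip} for every name bound in a hosts file."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split columns
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def audit(xml_text, hosts_text):
    """List findings about where this Jenkins fetches plugin metadata."""
    findings, overrides = [], hosts_overrides(hosts_text)
    for site_id, url in update_sites(xml_text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"{site_id}: {host} is fetched over {parts.scheme}, not https")
        if host in overrides:
            findings.append(f"{site_id}: {host} is bound to {overrides[host]} in hosts")
    return findings
```

Call audit() with the contents of the real hudson.model.UpdateCenter.xml and hosts file; an empty list means the update site is fetched over HTTPS from a hostname that is not overridden locally.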
https://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail