一. 安装docker
1. 安装依赖
[root@localhost ~]# rpm -ivh /home/allen/container-selinux-2.107-3.el7.noarch.rpm
[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
2. 下载docker ce的repo
[root@localhost ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
3. 安装docker ce
[root@localhost ~]# yum -y install docker-ce
4. 查看version
[root@localhost ~]# docker --version
Docker version 19.03.13, build 4484c46d9d
[root@localhost ~]#
5. 开机启动,运行,查看docker服务
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl status docker.service
[root@localhost ~]# systemctl enable docker.service
6. 获取镜像
从指定hub获取镜像(latest标签指向的镜像会随时间变化,需要可重复的部署时建议改用具体的版本标签或镜像digest):
[root@localhost ~]# docker pull registry.hub.docker.com/jenkins/jenkins:latest
查看本地的镜像:
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.hub.docker.com/jenkins/jenkins latest 3e06c7dd3345 4 days ago 711MB
运行创建指定名字为jenkins的容器,
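注意: 使用volume把host的目录(比如/data)映射到jenkins的home目录时,host路径一定要写绝对路径/data。容器内的jenkins程序是以用户jenkins(uid=1000)运行的,所以uid 1000必须对host上的/data目录有写权限,否则容器无法启动(下面先演示权限不足时容器启动后立即退出,chown之后才能正常运行)。另外,host上uid 1000对应的帐号(下面例子中是allen)也因此可以读写整个jenkins home,包括其中的secrets目录。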
[root@localhost ~]# docker run -d -p 8080:8080 -p 50000:50000 -v /data:/var/jenkins_home --name jenkins 3e06c7dd3345
f77f633561db85fe56ce6230cb927ba21b90a2ac4f1f7dde791c2c25944c5e84
[root@localhost ~]#
[root@localhost ~]# ls -ld /data
drwxr-xr-x 2 root root 6 Oct 20 00:31 /data
[root@localhost ~]#
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f77f633561db 3e06c7dd3345 "/sbin/tini -- /usr/…" 5 seconds ago Exited (1) 4 seconds ago jenkins
[root@localhost ~]#
[root@localhost ~]# docker start f77f633561db
f77f633561db
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f77f633561db 3e06c7dd3345 "/sbin/tini -- /usr/…" 49 seconds ago Exited (1) 1 second ago jenkins
[root@localhost ~]# chown -R 1000:1000 /data
[root@localhost ~]# ls -ld /data
drwxr-xr-x 2 allen allen 6 Oct 20 00:31 /data
[root@localhost ~]# id allen
uid=1000(allen) gid=1000(allen) groups=1000(allen),10(wheel)
[root@localhost ~]#
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f77f633561db 3e06c7dd3345 "/sbin/tini -- /usr/…" 38 minutes ago Exited (1) 38 minutes ago jenkins
[root@localhost ~]# docker start f77f633561db
f77f633561db
[root@localhost ~]#
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f77f633561db 3e06c7dd3345 "/sbin/tini -- /usr/…" 39 minutes ago Up 1 second 0.0.0.0:8080->8080/tcp, 0.0.0.0:50000->50000/tcp jenkins
列出创建的容器:
[root@localhost ~]# docker ps -l ##列出最近最新创建的容器
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
306db9a01ba7 registry.hub.docker.com/jenkins/jenkins "/sbin/tini -- /usr/…" About a minute ago Up About a minute 0.0.0.0:8080->8080/tcp, 0.0.0.0:50000->50000/tcp jenkins
[root@localhost ~]#
[root@localhost ~]# docker ps -l --no-trunc #不压缩显示
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
306db9a01ba796a3a25490e91125b87aac7ea88fbebdb8bef3f3c8ea8aa3d2d7 registry.hub.docker.com/jenkins/jenkins "/sbin/tini -- /usr/local/bin/jenkins.sh" 2 minutes ago Up 2 minutes 0.0.0.0:8080->8080/tcp, 0.0.0.0:50000->50000/tcp jenkins
[root@localhost ~]#
[root@localhost ~]# docker ps -a #显示所有容器
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
306db9a01ba7 registry.hub.docker.com/jenkins/jenkins "/sbin/tini -- /usr/…" 5 minutes ago Up 5 minutes 0.0.0.0:8080->8080/tcp, 0.0.0.0:50000->50000/tcp jenkins
停止容器运行:
[root@localhost ~]# docker stop 306db9a01ba7
306db9a01ba7
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
306db9a01ba7 registry.hub.docker.com/jenkins/jenkins "/sbin/tini -- /usr/…" 7 minutes ago Exited (143) 6 seconds ago jenkins
重新启动容器:
[root@localhost ~]# docker start 306db9a01ba7
306db9a01ba7
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
306db9a01ba7 registry.hub.docker.com/jenkins/jenkins "/sbin/tini -- /usr/…" 10 minutes ago Up 2 minutes 0.0.0.0:8080->8080/tcp, 0.0.0.0:50000->50000/tcp jenkins
删除指定容器:
[root@localhost ~]# docker rm 306db9a01ba7 ##删除前必需先stop容器运行
Error response from daemon: You cannot remove a running container 306db9a01ba796a3a25490e91125b87aac7ea88fbebdb8bef3f3c8ea8aa3d2d7. Stop the container before attempting removal or force remove
[root@localhost ~]#
[root@localhost ~]# docker stop 306db9a01ba7
306db9a01ba7
[root@localhost ~]#
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
306db9a01ba7 registry.hub.docker.com/jenkins/jenkins "/sbin/tini -- /usr/…" 14 minutes ago Exited (143) 6 seconds ago jenkins
[root@localhost ~]#
[root@localhost ~]# docker rm 306db9a01ba7
306db9a01ba7
[root@localhost ~]#
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
一次性删除所有容器(正在运行的容器需要先stop,否则不会被删除)
[root@localhost ~]# docker rm `docker ps -aq`
进入指定的容器:
[root@localhost ~]# docker exec -it 8fe3e6c0c739 "/bin/bash"
jenkins@8fe3e6c0c739:/$
二. Jenkins
进入jenkins
http://192.168.122.88:8080/
查看初始admin密码:
jenkins@f77f633561db:/$ cat /var/jenkins_home/secrets/initialAdminPassword
81a3f5761029438f9c1ef05170791644
输入生成的初始admin密码:
安装建议的插件
有些plugin failed,没关系直接点击 continue:
创建自己的admin 用户:
使用默认的url,保存并完成
对缺失的plugin 手动安装:
勾选“Restart Jenkins when installation is complete and no jobs are running”,jenkins会在没有job运行的时候自动重启
三. 使用GitHub Authentication Plugin
安装plugin:
The GitHub Authentication Plugin provides a means of using GitHub for authentication and authorization to secure Jenkins. GitHub Enterprise is also supported.
Setup
1. 创建app
参考:
https://www.jenkins.io/zh/solutions/github/
https://plugins.jenkins.io/github-oauth/#GithubOAuthPlugin-Setup
Before configuring the plugin you must create a GitHub application registration.
- Visit https://github.com/settings/applications/new to create a GitHub application registration.
- The values for application name, homepage URL, or application description don't matter. They can be customized however desired.
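- However, the authorization callback URL takes a specific value. It must be https://jenkins.example.com/securityRealm/finishLogin where jenkins.example.com is the location of the Jenkins server. The important part of the callback URL is /securityRealm/finishLogin. Serve Jenkins over https where possible: the OAuth authorization code is delivered to this callback, so with a plain http URL it crosses the network unencrypted.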
- Finish by clicking Register application.
The Client ID and the Client Secret will be used to configure the Jenkins Security Realm. Keep the page open to the application registration so this information can be copied to your Jenkins configuration.
1 user
Client ID
c9cb6d21*****
Client Secret
2593fa087f0**********
Application logo
Drag & drop
Application name
allenapp
Something users will recognize and trust.
Homepage URL
https://github.com/allen-shun
The full URL to your application homepage.
Application description
Application description is optional
This is displayed to all users of your application.
Authorization callback URL
http://192.168.122.88:8080/securityRealm/finishLogin
Your application’s callback URL. Read our OAuth documentation for more information.
2. 设置jenkins security:
Security Realm in Global Security
The security realm in Jenkins controls authentication (i.e. you are who you say you are). The GitHub Authentication Plugin provides a security realm to authenticate Jenkins users via GitHub OAuth.
- In the Global Security configuration choose the Security Realm to be GitHub Authentication Plugin.
- The settings to configure are: GitHub Web URI, GitHub API URI, Client ID, Client Secret, and OAuth Scope(s).
- If you're using GitHub Enterprise then the API URI is https://ghe.example.com/api/v3. The GitHub Enterprise API URI ends with /api/v3.
- The recommended minimum GitHub OAuth scopes are read:org,user:email. The recommended scopes are designed for using both authentication and authorization functions in the plugin. If only authentication is being used then the scope can be further limited to (no scope) or user:email.
In the plugin configuration pages each field has a little help icon (?) next to it. Click on it for help about the setting.
Authorization in Global Security.
The authorization configuration in Jenkins controls what your users can do (i.e. read jobs, execute builds, administer permissions, etc.). The GitHub OAuth Plugin supports multiple ways of configuring authorization.
It is highly recommended that you configure the security realm and log in via GitHub OAuth before configuring authorization. This way Jenkins can look up and verify users and groups if configuring matrix-based authorization.
Github Committer Authorization Strategy
Control user authorization using the Github Committer Authorization Strategy. This is the simplest authorization strategy to get up and running. It handles authorization based on the git URL of a job and the type of access a user has to that project (i.e. Admin, Read/Write, Read-Only).
There is a way to authorize the use of the /github-webhook callback url to receive post commit hooks from GitHub. This authorization strategy has a checkbox that can allow GitHub POST data to be received. You will still need to run the GitHub Plugin to have the message trigger the build.
Logged-in users can do anything
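There are a few ways to configure the plugin so that everyone on your team has Overall/Administer access.
- Choose Logged-in users can do anything authorization strategy.
- Choose one of the matrix-based authorization strategies. Set authenticated users to Overall/Administer permissions. Set anonymous users to have Overall/Read permissions and perhaps the ViewStatus permission.
Note that with github.com as the security realm, "logged in" means anyone who can sign in with a GitHub account, not only your team, so both options hand Overall/Administer to any such user. Grant permissions by username, organization or team (described below) unless sign-in is already limited to your own people, for example on a private GitHub Enterprise instance.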
Matrix-based Authorization strategy
Control user authorization using Matrix-based security or Project-based Matrix Authorization Strategy. Project-based Matrix Authorization Strategy allows one to configure authorization globally per project and, when using Project-based Matrix Authorization Strategy with the CloudBees folder plugin, per folder.
There are a few built-in authorizations to consider.
- anonymous - is anyone who has not logged in. Recommended permissions are just Job/Discover and Job/ViewStatus.
- authenticated - is anyone who has logged in. You can configure permissions for anybody who has logged into Jenkins. Recommended permissions are Overall/Read and View/Read.
anonymous and authenticated usernames are case sensitive and must be lower case. This is a consideration when configuring authorizations via Groovy. Keep in mind that anonymous shows up as Anonymous in the Jenkins UI.
You can configure authorization based on GitHub users, organizations, or teams.
- username - give permissions to a specific GitHub username.
- organization - give permissions to every user that belongs to a specific GitHub organization.
- organization*team - give permissions to a specific GitHub team of a GitHub organization. Notice that organization and team are separated by an asterisk (*).
Other usage
Calling Jenkins API using GitHub Personal Access Tokens
You can make Jenkins API calls by using a GitHub personal access token. One can still call the Jenkins API by using Jenkins tokens or use the Jenkins CLI with an SSH key for authentication. However, the GitHub OAuth plugin provides another way to call the Jenkins API by allowing the use of a GitHub Personal Access Token.
- Generate a GitHub Personal Access Token and give it only read:org scope.
- Use a username and GitHub personal access token to authenticate with the Jenkins API.
Here's an example using curl to start a build using parameters (username samrocketman and password using the personal access token).
# Start a parameterized build through the Jenkins API, authenticating with a
# GitHub username and personal access token (sample values).
# NOTE(review): a token written inline after --user is visible in shell
# history and in the process list; giving only the username
# (--user "samrocketman") makes curl prompt for the password, and
# --netrc-file reads the credentials from a file instead.
curl --request POST \
  --user "samrocketman:myGitHubPersonalAccessToken" \
  --data-urlencode json='{"parameter": [{"name":"project", "value":"samrocketman/jervis"}]}' \
  https://jenkins.example.com/job/_jervis_generator/build
Automatically configure security realm via script console
Configuration management could be used to configure the security realm via the Jenkins Script Console. Here's a sample configuring plugin version 0.22.
import hudson.security.SecurityRealm
import org.jenkinsci.plugins.GithubSecurityRealm
// Desired settings for the GitHub OAuth security realm (sample values; replace with your own).
String githubWebUri = 'https://github.com'
String githubApiUri = 'https://api.github.com'
String clientID = 'someid'
// NOTE(review): a literal client secret is stored wherever this script is kept or logged;
// have the configuration-management tool inject it from its secret store at run time.
String clientSecret = 'somesecret'
// OAuth scope(s) requested from GitHub at login; keep this to the minimum the setup needs.
String oauthScopes = 'read:org'

SecurityRealm desiredRealm = new GithubSecurityRealm(githubWebUri, githubApiUri, clientID, clientSecret, oauthScopes)

// Compare against the realm currently installed and only write when it differs,
// so re-running the script with unchanged settings leaves the runtime untouched.
def jenkins = Jenkins.instance
boolean alreadyApplied = desiredRealm.equals(jenkins.getSecurityRealm())
if (!alreadyApplied) {
    jenkins.setSecurityRealm(desiredRealm)
    jenkins.save()
}
Automatically configure authorization strategy via script console
Configuration management could be used to configure the authorization strategy via the Jenkins Script Console. Here's a sample configuring plugin version 0.22.
import org.jenkinsci.plugins.GithubAuthorizationStrategy
import hudson.security.AuthorizationStrategy
// Desired settings for the GitHub committer authorization strategy.
// The declarations follow the order of the fields in the web UI.

// Admin User Names
String adminUserNames = 'samrocketman'
// Participant in Organization
String organizationNames = ''
// Use Github repository permissions
boolean useRepositoryPermissions = true
// Grant READ permissions to all Authenticated Users
boolean authenticatedUserReadPermission = false
// Grant CREATE Job permissions to all Authenticated Users
boolean authenticatedUserCreateJobPermission = false
// Grant READ permissions for /github-webhook
boolean allowGithubWebHookPermission = false
// Grant READ permissions for /cc.xml
boolean allowCcTrayPermission = false
// Grant READ permissions for Anonymous Users
boolean allowAnonymousReadPermission = false
// Grant ViewStatus permissions for Anonymous Users
boolean allowAnonymousJobStatusPermission = false

// NOTE(review): the constructor takes its arguments positionally, in an order that
// differs from the declarations above, and most of them are booleans, so a swapped
// pair would not be caught by the compiler. Confirm the order against the installed
// plugin version before changing any value.
AuthorizationStrategy desiredStrategy = new GithubAuthorizationStrategy(
    adminUserNames,
    authenticatedUserReadPermission,
    useRepositoryPermissions,
    authenticatedUserCreateJobPermission,
    organizationNames,
    allowGithubWebHookPermission,
    allowCcTrayPermission,
    allowAnonymousReadPermission,
    allowAnonymousJobStatusPermission)

// Compare against the strategy currently installed and only write when it differs,
// so re-running the script with unchanged settings leaves the runtime untouched.
def jenkins = Jenkins.instance
boolean alreadyApplied = desiredStrategy.equals(jenkins.getAuthorizationStrategy())
if (!alreadyApplied) {
    jenkins.setAuthorizationStrategy(desiredStrategy)
    jenkins.save()
}
点击“configure global security”
点击 Apply and save 后,下次登录jenkins将直接通过github认证:
配置:Global Tool Configuration
点击apply and save
创建一个新任务
创建连接github的帐号密码:
点击"jenkins"
选择"Add-credential"
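#!/bin/sh
# Build step: record the values of deploy_env and version in test.properties
# (in the current directory) and print the file to the console log.
# Inputs (environment): deploy_env, version - presumably the job's build
# parameters; an unset variable is written as an empty value.
export PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

# Print env variable
echo "[INFO] Print env variable"
# The first write truncates the file so each run starts afresh: if the working
# directory is reused between builds, appending would keep earlier builds'
# values in the file.
# printf '%s' writes the values literally; they are externally supplied text
# and some /bin/sh echo implementations interpret backslash sequences.
printf 'Current deployment environment is %s\n' "${deploy_env:-}" > test.properties
printf 'The build is %s\n' "${version:-}" >> test.properties
echo "[INFO] Done..."

# Check test properties
echo "[INFO] Check test properties"
if [ -s test.properties ]; then
  cat test.properties
  echo "[INFO] Done..."
else
  echo "test.properties is empty"
fi
echo "[INFO] Build finished..."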
点击: apply and save
点击: Build with Parameters
点击build:
点击"Console output"