set https on Jenkins

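This article explains in detail how to configure HTTPS for Jenkins, including the version check and the creation and installation of the certificate, and gives the specific openssl commands used to generate the certificate.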


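The screenshots for this tutorial may need to be retaken; the ones copied out of Word are blurry and I do not want to use them.

The tutorial can still be followed without the images.

Jenkins HTTPS configuration tutorial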

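1. Preparation before configuring HTTPS on Jenkins

Check the version of the running Jenkins instance:

Manage Jenkins -> About Jenkins

Changelog, for comparing features across releases:

https://jenkins.io/changelog/

Version information

On an early version (before 2.47), the CLI remoting option may not be available.

The list of new features for version 2.47 contains the following note: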

  •  Remoting 3.5: Add option to specify the remoting protocol to use on the client. (issue 41730)

 

 

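Where to look: Manage Jenkins -> Configure Global Security -> Enable CLI over Remoting

If this checkbox is missing, the Jenkins version is probably too old.

In that case you need to upgrade.

Normally, when the installed version is not the latest one, Jenkins automatically prompts you to upgrade to the latest version.

Where to check:

Click Manage Jenkins

After the upgrade has finished, remember to check again whether the Enable CLI over Remoting option is present.

(Taking version 2.68 as an example, the option is definitely there.)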

 

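Step 2 Create the certificate

A short introduction to encryption

The information here comes from Ruan Yifeng's blog (阮一峰的网络日志).

Link: http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html

The old approach: symmetric encryption

1) Party A chooses an encryption rule and encrypts the message with it;

2) Party B uses the same rule to decrypt the message.

Because encryption and decryption use the same rule (the "key" for short), this is called a "symmetric-key algorithm".

This model has one major weakness: Party A has to tell Party B the encryption rule, otherwise the message cannot be decrypted. Storing and transmitting the key becomes the biggest headache.

The advanced approach: asymmetric encryption

In 1976, two American computer scientists, Whitfield Diffie and Martin Hellman, proposed a new idea that makes decryption possible without transmitting the key directly. It is known as the "Diffie-Hellman key exchange algorithm". The algorithm inspired other scientists: people realized that encryption and decryption can use different rules, as long as the two rules correspond to each other in some way, which avoids transmitting the key directly.

This new model is called "asymmetric encryption".

(1) Party B generates two keys (a public key and a private key). The public key is public and anyone can obtain it; the private key is kept secret.

(2) Party A obtains Party B's public key and encrypts the message with it.

(3) Party B receives the encrypted message and decrypts it with the private key.

If a message encrypted with the public key can only be decrypted with the private key, then the communication is secure as long as the private key is not leaked.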

 

 

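Now for the actual configuration of https on Jenkins.

1.  First, note that there are currently two main ways to create a certificate: keytool and openssl.

When I ran my experiments, Jenkins did not work properly with the keystore certificate produced by keytool (you can try it yourself).

So this tutorial creates the certificate with openssl.

The information here comes from the web.

Link: https://github.com/hughperkins/howto-jenkins-ssl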

 

generate key

Create the private key:

openssl genrsa -out key.pem  # creates key.pem

$ openssl genrsa -out key.pem  # creates key.pem
Generating RSA private key, 2048 bit long modulus
......+++
..........................................................+++
e is 65537 (0x10001)

 

 

Create the certificate signing request:

openssl req -new -key key.pem -out csr.pem

$ openssl req -new -key key.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:sh
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mit
Organizational Unit Name (eg, section) []:mit
!!!!!
Common Name (e.g. server FQDN or YOUR name) []:localhost    (this field must be the domain name of your Jenkins server)
!!!!!
Email Address []:123@123.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:mit

 

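Using the x509 option here means that a self-signed certificate is generated: the request is signed with its own private key (-signkey key.pem).

openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem

rm csr.pem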
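
The same three steps without the interactive prompts, followed by checks worth running before the files are handed to Jenkins: the certificate belongs to the key, it is valid for the Jenkins host name, and it has not expired. This is an added example, not code from the original post or the linked howto; the function names, the explicit 2048-bit key size and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the 2048-bit
# key size and the 365-day validity are assumptions chosen for illustration.

# make_selfsigned DIR HOST: write DIR/key.pem and DIR/cert.pem with CN=HOST.
make_selfsigned() (
    dir=$1; host=$2
    umask 077    # subshell body: key.pem is created readable by its owner only
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || exit 1
    openssl req -new -key "$dir/key.pem" -subj "/CN=$host" \
        -out "$dir/csr.pem" || exit 1
    openssl x509 -req -days 365 -in "$dir/csr.pem" -signkey "$dir/key.pem" \
        -out "$dir/cert.pem" 2>/dev/null || exit 1
    rm -f "$dir/csr.pem"
)

# check_pair KEY CERT HOST: prints "ok" and returns 0 only if the certificate
# belongs to the key, is valid for HOST, and has not expired.
check_pair() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ] || { echo "key and certificate do not match"; return 2; }
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q "does match" \
        || { echo "certificate is not valid for host $3"; return 3; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 4; }
    echo "ok"
}

# Demo in a throwaway directory.
demo=$(mktemp -d)
make_selfsigned "$demo" localhost && check_pair "$demo/key.pem" "$demo/cert.pem" localhost
rm -rf "$demo"
```

The host check uses OpenSSL's own matching, which falls back to the Common Name when the certificate carries no subjectAltName, as is the case for a certificate built this way.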

 

start Jenkins

•      if you want both https and http:

java -jar jenkins.war --httpsPort=8443 --httpsCertificate=cert.pem --httpsPrivateKey=key.pem

•      if you want https only, don't open the http port:

java -jar jenkins.war --httpsPort=8443 --httpsCertificate=cert.pem --httpsPrivateKey=key.pem --httpPort=-1

 

Using jenkins-cli.jar

•      Convert the cert.pem to cert.der:

openssl x509 -outform der -in cert.pem -out cert.der

•      create keystore, containing this cert:

keytool -import -alias testweb.local -keystore cacerts -file cert.der

# reply trust certificate=yes

# put keystore password of 'changeit', or make your own password

The command to view the contents of the cacerts file is:

keytool -list -v -keystore cacerts

Then run the following command, and you can control Jenkins remotely through jenkins-cli:

java -Djavax.net.ssl.trustStore=cacerts -jar jenkins-cli.jar -s https://username:password@localhost:9002 help

The username & password in the URL are those of the user you created in Jenkins. Because they are passed on the command line, they end up in the shell history and are visible in the process list.

 

 

 

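If the experiment succeeds, you will see output like the following.

That's it.

At this point the https on Jenkins tutorial should be finished.

However, if you access Jenkins with the client, you will notice a warning.

In other words: turning on Enable CLI over Remoting in Jenkins makes the system show a warning by default.

If you want to turn off Enable CLI over Remoting and still have remote access, you need to configure

SSH + Jenkins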

 

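Step3 Configure the ssh key

Before configuring ssh + Jenkins, one preparatory step is needed.

Where to look:

Manage Jenkins -> Configure Global Security -> SSH Server (the destination)

You can set this port yourself, depending on which ports are already in use on your machine.

Official guide: https://jenkins.io/doc/book/managing/cli/

Having looked at it, it explains how to copy the ssh public key file to Jenkins.

But what about the many beginners like me, who do not even know where the ssh public and private keys come from?

Here is the walkthrough.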

build1:~ jenkins$ ssh-keygen
Generating public/private rsa key pair.

A few prompts follow; just press Enter at each one.

Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa): (press Enter)
Created directory '/var/lib/jenkins/.ssh'.
Enter passphrase (empty for no passphrase): (press Enter)
Enter same passphrase again: (press Enter)
Your identification has been saved in /var/lib/jenkins/.ssh/id_rsa.
Your public key has been saved in /var/lib/jenkins/.ssh/id_rsa.pub.
The key fingerprint is:
[...]
The key's randomart image is:
[...]

build1:~ jenkins$ ls -l .ssh
total 2
-rw-------  1 jenkins  jenkins 1679 Feb 28 11:55 id_rsa
-rw-r--r--  1 jenkins  jenkins  411 Feb 28 11:55 id_rsa.pub

build1:~ jenkins$ cat .ssh/id_rsa.pub
ssh-rsa AAAlskdjfalskdfjaslkdjf... jenkins@myserver.com

(Copy the printed output into the SSH key form of your Jenkins user.)

Step 2, paste the pub file contents onto the target server.

Finally, a test example:

ssh -l yourusername -p 16022 localhost create-job    (16022 is the listening port you configured yourself)

created by Leon  2017-07-06
