在 jenkins master 上进行 Git 克隆,复制到 slave
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20030247/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Git clone on jenkins master, copy to slave
提问by joostdevries
I've set up a CI server running jenkins and a slave with a replica of our production environment. I'm running into a pesky little problem though: Jenkins apparently runs git cloneon the slave which would mean that every slave should have it's publickey added to GitHub.
我已经设置了一个运行 jenkins 的 CI 服务器和一个带有我们生产环境副本的从属服务器。不过,我遇到了一个讨厌的小问题:Jenkins 显然是git clone在奴隶上运行的,这意味着每个奴隶都应该将其公钥添加到 GitHub。
To me this sounds like a pretty weird architecture design. I would prefer the master server (which has all my credentials) to clone/checkoutand copy the workspace to the slave.But after quite some Googling I haven't found a way to do this yet. I have found the Copy to slave pluginbut that doesn't prevent the slave from failing on a git clone.
对我来说,这听起来像是一个非常奇怪的架构设计。我更喜欢主服务器(拥有我所有的凭据)clone/checkout并将工作区复制到从服务器。但是经过相当多的谷歌搜索后,我还没有找到一种方法来做到这一点。我找到了Copy to slave 插件,但这并不能阻止从站在git clone.
I hope someone know a way to achieve this because setting up GitHub publickeys for every slave sounds ridiculous.
我希望有人知道实现这一目标的方法,因为为每个奴隶设置 GitHub 公钥听起来很荒谬。
采纳答案by VonC
Jenkins apparently runs git clone on the slave which would mean that every slave should have it's publickey added to GitHub.
Jenkins 显然在从站上运行 git clone,这意味着每个从站都应该将其公钥添加到 GitHub。
Why not use onedeployment key(for all Jenkins agent to use) for accessing your repo?
为什么不使用一个部署密钥(供所有 Jenkins 代理使用)来访问您的存储库?
A deploy key is an SSH key that is stored on the server and grants access to a single repository on GitHub.
This key is attached directly to the repository instead of to a user account.Pros
- Anyone with access to the server has access to deploy the repository
- Users don't have to change their local SSH settings
Cons
- Deploy keys only grant access to a single repository, more complex projects may have many repositories to pull to the same server
- The key has full read/write access to the repository
- Deploy keys are usually not protected by a passphrase, making the key easily accessible if the server is compromised
部署密钥是存储在服务器上并授予对 GitHub 上单个存储库的访问权限的 SSH 密钥。
此密钥直接附加到存储库而不是用户帐户。优点
- 任何有权访问服务器的人都有权部署存储库
- 用户不必更改其本地 SSH 设置
缺点
- 部署密钥仅授予对单个存储库的访问权限,更复杂的项目可能有多个存储库要拉到同一服务器
- 密钥具有对存储库的完全读/写访问权限
- 部署密钥通常不受密码保护,如果服务器受到威胁,可以轻松访问密钥
The other approach is to use the Credentials Jenkins plugin(initialized in February 2012), which allows to store credentials in Jenkins master.
另一种方法是使用Credentials Jenkins 插件(于2012年2 月初始化),它允许在 Jenkins master 中存储凭证。
A single point for managing each credential. Change it in one place and you are done.
As of version 1.5, the plugin now supports categorizing credentials into different "domains" in order to allow plugins to restrict the choice of credentials to only those that are appropriate.
When a plugin is asking for a list of credentials, it can add some specifications about where and how the credential will be used.
用于管理每个凭证的单点。在一处更改它,您就完成了。
从 1.5 版开始,该插件现在支持将凭据分类到不同的“域”中,以允许插件将凭据的选择限制为仅适合的凭据。
当插件要求提供凭证列表时,它可以添加一些关于凭证将在何处以及如何使用的规范。
Example of Credential Domain configuration:
凭证域配置示例:
回答by joostdevries
This is fixed in recent Jenkins releases by centralizing credentials on master.
这在最近的 Jenkins 版本中通过在 master 上集中凭据来解决。
