Comments (30)
Depends; the cleaner solution would be an improvement to Juseppe IMO, while not relying on this file would be more compatible.
FWIW release-history
is pretty terrible: It doesn't list more than one release of a given plugin per day, i.e. some releases are just not listed. So seems unsuitable beyond use as a data source for an automated Twitter account.
from plugin-installation-manager-tool.
https://stackoverflow.com/a/44605372/4951015
or pass JAVA_OPTS to the plugin cli which contain a custom truststore...
https://github.com/jenkinsci/docker/blob/master/jenkins-plugin-cli.sh#L3
from plugin-installation-manager-tool.
Ok the recommendation is to use a custom image:
https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins#consider-using-a-custom-image
that way you don't need the Jenkins project image to be up in order for your Jenkins to start, (assuming you're downloading plugins on startup)
from plugin-installation-manager-tool.
I went with another path. and now it works: Nexus + repos proxy + one repo groups all proxies under one + env vars.
export JENKINS_UC=http://nexus.cicd/repository/updates.jenkins.io/update-center.json
export JENKINS_UC_EXPERIMENTAL=http://nexus.cicd/repository/updates.jenkins.io/experimental/update-center.json
export JENKINS_PLUGIN_INFO=http://nexus.cicd/repository/updates.jenkins.io/plugin-versions.json
export JENKINS_INCREMENTALS_REPO_MIRROR=http://nexus.cicd/repository/repo.jenkins-ci.org/incrementals
export JENKINS_UC_DOWNLOAD=http://nexus.cicd/repository/all-jenkins-repos/download
This is works !
Thank you @timja
from plugin-installation-manager-tool.
Hi
You need to determine which truststore is being used by your Java installation and ensure it's updated with your internal cert, (or get a trusted cert via something like let's encrypt normally makes things a lot easier).
Here's a post about how to locate it: https://www.ibm.com/support/pages/how-identify-ssltls-keystore-and-truststore-being-used-java%E2%84%A2-application
from plugin-installation-manager-tool.
Thanks @timja for a quick response.
I have it in my Dockerfile like this:
RUN jenkins-plugin-cli --verbose --jenkins-update-center https://<INTERNAL_FQDN>/repository/jenkins-plugins/update-center.json -f /usr/share/jenkins/plugins.txt
So do I need to use keytool to import my root ca into the Java's trust store inside the Jenkins docker image?
from plugin-installation-manager-tool.
Yes you do, or add your custom truststore to your image
from plugin-installation-manager-tool.
I'll try keystore and get back shortly.
I have already tried adding custom trust store like below but it didn't work:
COPY <INTERNAL_ROOT_CA>.pem /usr/local/share/ca-certificates/ RUN chmod 644 /usr/local/share/ca-certificates/<INTERNAL_ROOT_CA>.pem && update-ca-certificates
Additionally is it possible to add a feature that sets a flag to the cli to ignore self-signed certificates?
from plugin-installation-manager-tool.
I would rather document the proper solution, so once you get it working would be good if you can report back
from plugin-installation-manager-tool.
Still fails
Step 10/21 : RUN keytool -import -trustcacerts -alias "<REDACTED>" -file /usr/local/share/ca-certificates/<REDACTED>.pem -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -noprompt
---> Running in bd55ee69a176
Certificate was added to keystore
Removing intermediate container bd55ee69a176
---> 3f3d42dcd4ed
Step 11/21 : RUN keytool -list -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit | grep -i <REDACTED>
---> Running in 6cce19a2fe76
<REDACTED>, Nov 16, 2020, trustedCertEntry,
Removing intermediate container 6cce19a2fe76
I'm out of ideas now :-(
Wouldnt it be a proper solution to add a flag to the jenkins-plugin-cli tool to ignore SSL warning for self-signed cert?
from plugin-installation-manager-tool.
have you verified that's the trust store actually in use?
you can also for using your own truststore as well.
from plugin-installation-manager-tool.
Ignore the above error. The CA certificate was invalid, used the correct one and now its past that problem.
However now I'm stuck here:
Cache miss for: plugin-versions
Basically I'm not hosting this https://updates.jenkins.io/plugin-versions.json, I am using https://github.com/jenkinsci/juseppe to generate the release-history and update-centre json files and it doesn't support plugin-versions.json file at the moment.
Is there a way to skip experimental, incrementals and plugin info ?
from plugin-installation-manager-tool.
It looks like it should work if you override the configuration and point it at your update-center.json
is it not release-history.json
btw? just looking at the docs?
from plugin-installation-manager-tool.
No, in release-history.json the key is called release-history whereas for plugins.version its called plugins.
The content is also different, release-history gives info about the releases itself whereas plugins gives history of the plugin versions.
I just did an override pointing to the update-centre.json for all three URLs and now it fails because it can't find certain keys in the data:
org.json.JSONException: JSONObject["requiredCore"] not found.
from plugin-installation-manager-tool.
💩 any thoughts @oleg-nenashev / @daniel-beck, is it better to add to juseppe these files or should we handle that these files may not be there?
from plugin-installation-manager-tool.
I copied the plugin-versions.json from update.jenkins.io and put it in our Nexus repo however still getting the exception (given below) for some plugins.
The exception doesn't provide the name of the plugin so I put the plugins list in a for loop and echo the plugin name before the install command however because it runs in async mode the output is all jumbled up so I can't really tell from 150+ plugins that I'm trying to install for which plugin requiredCore is missing in plugins-version.json if at all.
org.json.JSONException: JSONObject["requiredCore"] not found.
at org.json.JSONObject.get(JSONObject.java:572)
at org.json.JSONObject.getString(JSONObject.java:859)
at io.jenkins.tools.pluginmanager.impl.PluginManager.getPluginDependencyJsonArray(PluginManager.java:629)
at io.jenkins.tools.pluginmanager.impl.PluginManager.resolveDependenciesFromJson(PluginManager.java:742)
at io.jenkins.tools.pluginmanager.impl.PluginManager.resolveDirectDependencies(PluginManager.java:794)
at io.jenkins.tools.pluginmanager.impl.PluginManager.resolveRecursiveDependencies(PluginManager.java:831)
at io.jenkins.tools.pluginmanager.impl.PluginManager.findPluginsAndDependencies(PluginManager.java:490)
at io.jenkins.tools.pluginmanager.impl.PluginManager.start(PluginManager.java:153)
at io.jenkins.tools.pluginmanager.impl.PluginManager.start(PluginManager.java:113)
at io.jenkins.tools.pluginmanager.cli.Main.main(Main.java:63)
JSONObject["requiredCore"] not found.```
from plugin-installation-manager-tool.
I think we need to add this to Juseppe really
from plugin-installation-manager-tool.
I think we need to add this to Juseppe really
Does that mean orgs not using juseppe but using this tool should work out a way to make sure these files are available?
Also would you like for me to raise an issue in the juseppe repo given that we should be generating these files there anyways?
We are kind of blocked from rolling out Jenkins using Docker at the moment because of this, I'll try to use a workaround but not 100% sure at the moment if it works.
from plugin-installation-manager-tool.
Please do raise the issue, you should be able to use the (deprecated) install-plugins.sh script for now.
from plugin-installation-manager-tool.
Tried it, took me a while to get all the external requests pointing to Nexus.
Similar problem though with that script, SSL certificate was not getting picked up inspite of passing CURL_OPTS -k. I'll try again tomorrow and let you know.
In the meantime, will raise the issue in juseppe.
from plugin-installation-manager-tool.
When i was using the bash script (/usr/local/bin/install_plugins.sh ) everything was working fine because it understand CURL_OPTS='-k'
, however after using this tool, i cannot see a way to skip the ssl. :(
from plugin-installation-manager-tool.
When i was using the bash script (/usr/local/bin/install_plugins.sh ) everything was working fine because it understand
CURL_OPTS='-k'
, however after using this tool, i cannot see a way to skip the ssl. :(
You need to add your cert to the truststore for your java installation or pass a custom truststore on the command line
from plugin-installation-manager-tool.
but the docker container of jenkins is running without root user.
jenkins@jenkins-staging-0:/$ export KEYSTORE_PASS=changeit
jenkins@jenkins-staging-0:/$ export KEYSTOREFILE=${JAVA_HOME}/jre/lib/security/cacerts
jenkins@jenkins-staging-0:/$ ${JAVA_HOME}/bin/keytool -import -noprompt -trustcacerts -alias jenkins-io -file /jenkins-certs/jenkinsio.crt -keystore ${KEYSTOREFILE} -storepass ${KEYSTORE_PASS}
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /usr/local/openjdk-8/jre/lib/security/cacerts (Permission denied)
i am now in miserable situation
from plugin-installation-manager-tool.
i understand that these 3 lines requires creating new image:
User root
RUN ... keystore
USER jenkins
However, i am avoiding creating new image even though we had auto delivery of all of our custom images.
Instead, we are using volume mounts from configmap which includes the keystool command + initContainers
from plugin-installation-manager-tool.
I like the second option:
or pass JAVA_OPTS to the plugin cli which contain a custom truststore...
https://github.com/jenkinsci/docker/blob/master/jenkins-plugin-cli.sh#L3
I am trying it now by using these docs
from plugin-installation-manager-tool.
Trying the second option
by running 2 commands:
KEYSTOREFILE=/tmp/jx.jks
${JAVA_HOME}/bin/keytool -import -noprompt -trustcacerts -alias jenkins-io -file /jenkins-certs/jenkinsio.crt -keystore ${KEYSTOREFILE} -storepass ${KEYSTORE_PASS}
## Then
export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=${KEYSTOREFILE} -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=changeit"
## Then
jenkins-plugin-cli --war "/usr/share/jenkins/jenkins.war" --verbose --plugins token-macro:2.12
I got this error now :
io.jenkins.tools.pluginmanager.impl.UpdateCenterInfoRetrievalException: Error getting update center json at io.jenkins.tools.pluginmanager.impl.PluginManager.getJson(PluginManager.java:606) at io.jenkins.tools.pluginmanager.impl.PluginManager.getUCJson(PluginManager.java:625) at io.jenkins.tools.pluginmanager.impl.PluginManager.start(PluginManager.java:150) at io.jenkins.tools.pluginmanager.impl.PluginManager.start(PluginManager.java:117) at io.jenkins.tools.pluginmanager.cli.Main.main(Main.java:76)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
Notes
-
Note that
curl -O --cacert /jenkins-certs/jenkinsio.crt https://updates.jenkins.io/download/plugins/structs/1.20/structs.hpi
works successfully.
I mean we don't have doubt that/jenkins-certs/jenkinsio.crt
is a right certificate. -
Note that the script pass JAVA_OPTS :
jenkins@jenkins-staging-0:/tmp$ cat /bin/jenkins-plugin-cli
#!/bin/bash
exec /bin/bash -c "java $JAVA_OPTS -jar /usr/lib/jenkins-plugin-manager.jar $*"
My question is :
- am i use it the right JAVA_OPTS (
-Djavax.net.ssl.keyStore
,... so on) - What about the others (
Djavax.net.ssl.trustStore
, ... so on) ? should i put them ? if so, what are the values?
from plugin-installation-manager-tool.
Did you start from your system trust store, copy it to somewhere you can write it, import your cert on top of it?
from plugin-installation-manager-tool.
copy it to somewhere you can write it
i didcat ${JAVA_HOME}/jre/lib/security/cacerts > /tmp/mytrustted-stor
, import your cert on top of it?
how ?
If you could do to me a favor and list all steps including keytool command. seems that there is order and some options in cmds
from plugin-installation-manager-tool.
Ok ! so seems like i succeeded 👍 to do the right steps.
Credits to @timja then this link
But now , i got a different error 👎 when i installed any plugin with the tool :
Retrieving update center information
Cache entry expired
Cache miss for: update-center-2.263.3
io.jenkins.tools.pluginmanager.impl.UpdateCenterInfoRetrievalException: Error getting update center json
at io.jenkins.tools.pluginmanager.impl.PluginManager.getJson(PluginManager.java:606)
at io.jenkins.tools.pluginmanager.impl.PluginManager.getUCJson(PluginManager.java:625)
at io.jenkins.tools.pluginmanager.impl.PluginManager.start(PluginManager.java:150)
at io.jenkins.tools.pluginmanager.impl.PluginManager.start(PluginManager.java:117) at io.jenkins.tools.pluginmanager.cli.Main.main(Main.java:76)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:666)
at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268) at java.net.URL.openStream(URL.java:1068)
at org.apache.commons.io.IOUtils.toString(IOUtils.java:2795)
at io.jenkins.tools.pluginmanager.impl.PluginManager.getJson(PluginManager.java:600)
... 4 more
Error getting update center json
from plugin-installation-manager-tool.
that's connecting to updates.jenkins.io
from plugin-installation-manager-tool.
Related Issues (20)
- Deprecated actions need updating HOT 1
- Move developer instructions to a new contributing guide HOT 3
- Dependency Dashboard
- Port already in use when jmx enabled HOT 3
- Improve plugin not found error message
- Changing user/group causes strange NoSuchFileException HOT 5
- Release 2.12.12 incomplete (JAR file not published) HOT 12
- jenkins-plugin-cli --plugins ansicolor is not working HOT 4
- plugin-x requires a greater version of Jenkins when using internal remote repository as mirror of jenkins UC HOT 3
- Write checksum to output list
- Sample command in README.md misses download directory option HOT 2
- Improve the CLI output when the plugin is already present in the directory HOT 9
- Improve the console log after downloading the plugin HOT 2
- Plugin dependencies not properly downloaded HOT 1
- CLI tool does not return an error code when it says "War not found"
- Allow Jenkins plugin to downgrade package
- Trying to download a plugin version that has not yet been published but is on github HOT 6
- Added in different repo deleting it
- org.jenkins-ci.plugins.workflow:workflow-aggregator:2.6 : Not able to build with UAT enabled. (Java Version Incompatibility) HOT 9
- `/experimental` UC receiving the same amount of requests than normal UC
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from plugin-installation-manager-tool.