Where does hudson CI get user to run the cmd.exe ?
I'm trying to start and stop some remote services on various slaves and special credentials that are different than what hudson is using are needed. I can't find a place to override the user. I've tried running the server as various users, but it doesn't change anything.
Any other ideas?
Since you want to start and stop the services on the remote machine you need to login with these credentials on the remote machine, since I haven't found a way to start and stop a service on remote machine.
There are different ways to do that. You can create a slave that runs on the remote machines with the correct credentials. You can even create more than one slave for the same machine without any issues, than you can use different credentials for the same machine. These can then fire up the net stop and net start command.
You can also use the SSH plugin. This allows you to configure pre- and post-build ssh scripts. You 'just' need and ssh server on the windows machine. The password for the connection will be stored encrypted.
Use a commad line tool. So far I haven't found a Windows on board tool to have a scripted login to the remote machine. I would use plink for that task. plink is the scripted version of putty. Putty supports different connection types. So you can also use the build in telnet service (not recommended since telnet does not encrypt the connection). Disadvantage is that you will have the password unencrypted in the job configuration.
We had a similar problem, and I resorted to using PsExec. To my advantage, our machines exist on a separate LAN, within 2 firewalls, so I was OK with unencrypted passwords floating around. I had also explored SSH w/ Putty, which seemed to work, but not straightforward.
If someone can help with single line runas command, that could work too.
You don't say how your slaves are connected to Hudson, but I'll assume it's through the "hudson slave" service, since that's probably the most popular way to connect Windows slaves.
If so, the CMD.EXE is run with the same permissions as the user running the service. This can be checked by:
1. run services.msc
2. double-click hudson-slave service
3. go to Log On tab
By default, the slave service runs as "LocalSystem", which is the most powerful account on the system. It should be able to do whatever you need it to do. (i.e. start/stop services)
Related
There are services like ServerPilot and many others that install on a vps that handle the lamp stack env. I'm wondering if there is a service that does this for databases. I install the service on a fresh vps and that the service would do all the heavy lifting like security, replication, separate read writes, back-ups and monitoring a long with easily setting up private network access for a set fee to use that service on my server.
Looking for a simple service to install on my own fresh vps, not RDS or Google Cloud.
Thank you!
What Does ServerPilot Really Do?
First, ServerPilot deploys complete LAMP stack on your server and that’s including world’s most used web server Apache, PHP5, and MYSQL. To make it even super, ServerPilot also installs and configures Nginx in front of Apache to achieve unbeatable speed and scalability.
Secondly, ServerPilot will secure your server with a firewall. To make it even secure, it will also update your server’s packages and make sure they stay updated all the time to avoid even single bug caused by outdated package.
Thirdly, ServerPilot also offers a premium feature to monitor real-time stats of your server’s performance including CPU, memory, disk space, and more.
What Does ServerPilot Not Do?
Meanwhile Serverpilot does not provide features related to installing, configuring and managing email and DNS. In this case you may need third-party DNS server to be able to point your domain to your VPS. Need recommendations? Try CloudFlare, PointHQ, NameCheap, etc.
Also, ServerPilot does not manage your server running other than Ubuntu.
Get more details at : http://www.servermom.org/install-manage-apache-nginx-php-mysql-easiest-serverpilot/1011/
I'm not sure about services, but assuming that your VPS is Ubuntu or some other Debian-based distro, you could perform sudo apt-get install lamp-server^ phpmyadmin on the command line to get your LAMP stack setup. This will setup Apache web server, PHP, and MySQL on your Linux server. Apache and PHP will come working out-of-the-box, and when you install MySQL, by default it asks for a root password to manage the database.
phpMyAdmin would be the key here because instead of doing all your database tasks via the command line, it provides a GUI interface in your web browser to manage databases and tables. To backup your database with phpMyAdmin, see this article.
With regards to customizations, for the firewall you can simply write a few iptables rules and for the database, you can run scheduled backups of a MySQL database by creating a cron job that runs the following command:/usr/bin/mysqldump -u dbusername -p'dbpassword' dbname > /path/backup.sql
Again, this isn't a service, but at least you wouldn't have to pay for any of the tools.
Unfortunately, there is no ultimate service than can perform all this stuff. However, you can set up this manually:
Database replication:
https://www.digitalocean.com/community/tutorials/how-to-set-up-master-slave-replication-in-mysql
Database backup:
http://www.ducea.com/2006/05/27/backup-your-mysql-databases-automatically-with-automysqlbackup/
or
https://www.backuphowto.info/how-backup-mysql-database-automatically-linux-users
Database optimization:
https://www.tecmint.com/mysql-mariadb-performance-tuning-and-optimization/
and
http://www.monitis.com/blog/101-tips-to-mysql-tuning-and-optimization/
And for the networking, this tutorial may be helpful
http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html
Here's what I'm trying to do: set up a backup server on Google Compute Engine, where employees at my company can have their computers backup nightly via rdiffbackup. A cron job will run that runs rdiffbackup, which uses SSH to send files just like SCP.
With a "normal" server, I can create each employee a new user, and set permissions so they cannot read another employee's files.
It seems like using the "gcloud compute ssh" tool, or configuring regular ssh using "gcloud compute config-ssh", only allows you to allow users to connect who are added to the project and have connected their computer to their google account. My issue with this is that I don't see a way for a user to have read-write abilities on a server without also being a sudoer (anyone added to a project with "Can Edit" can get sudo as far as I know). Obviously if they have sudo, they can read others' files.
Can I give someone the ability to SSH remotely without having sudo? Thank you.
I recommend avoiding gcloud all together for this. gcloud's SSH tools are geared towards easily administering a constantly changing set of machines in your project. It is not made to cover all use cases that would also use SSH.
Instead, I recommend you setup your backup service as you would a normal server:
assign a static address
(optional) assign a dns name
setup users on the box using adduser
You have couple of options
1) You can manage non-root users on your instances as you would on any normal Linux machine with by manually adding them with the standard commands like 'adduser' and not gsutil/UI/metadata update path.
2) Alternatively if you need to manage a large cluster of machines you can disable the entire ACL management provided by Google and run your own LDAP server for this. The file which is responsible for the account updates and needs to be disabled to run is this one
https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google-daemon/etc/init/google-accounts-manager-service.conf
3) Finally you can lock down write access to the root users ie. disable writes propagating from metadata server by setting the immutable flag on the sudoers file 'chattr +i /etc/sudoers' Its not a graceful solution but effective. This way you lock in Root for the already added users and any new users will be added as non-root privileged, any new root level user needs to be added manually machine by machine though.
I need to review the mysql 5.5 server logs but I cannot find a way to get access them via ssh, sftp or mysqlworkbench. The mysql cartridge is in a scaled application. A solution?
There are a couple things here I'd like to point out that should provide some more information on how things work and how to get to the information you're looking for.
Scalable applications with DB's actually have the DB running in a separate gear than the application framework (for scaling purposes). For instance, if you ran rhc app show <appname> --gears for one of your scalable applications you would see that there are 2 gears being used and that the ssh information for each of them is different. So if you're just looking to take a quick look at your logs via ssh, you'll need to ssh into the appropriate gear to get to them.
You will need to use the rhc port-forward command to forward the right local ports to your database gear and then be able to connect mysqlworkbench from there.
Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote mySQL server? Any suggestions on how to make the connection secure. BTW, I have a self-signed certificate installed in the localhost but not sure how this applies to remote mySQL connection.
You could create a ssh tunnel between MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.
I want to try out some of the MySQL software, like Workbench, on the MySQL Db I develop on at work. After many failed attempts to make the connection, I finally asked one of the server admins if I was doing something wrong and was informed that the Db is behind firewall. So I can use phpMyAdmin, since it's installed server-side, but not Excel, Workbench, etc (from my machine).
So I would like to know if there is a fairly standard way to make a VPN-like connection to the server. Currently I use an SSH client to connect with no problem. But obviously that's not linking my local apps to the server. So can I make the connection in such a way that my whole system (so to speak) is considered signed on to the server? VPN is the closest analogy I can make, but that's not an option.
And....
Is that considered fairly "black hat" or is just something I don't know how to do but all the cool kids are doing it legitimately?
Thanks
This is simple using SSH tunneling. Simply do something akin to the following:
ssh -f username#your.remote.host -L 4040:your.remote.host:3306 -N
This does the following:
-f - forks SSH into background
username#your.remote.host - the user & host for SSH to connect to
-L 4040:your.remote.host:3306 - Listen for local connections on port 4040, and forward them via SSH to your.remote.host port 3306
-N - tells SSH not to issue a command on the remote host
You would then be able to connect to your mysql server (assuming the above ports are correct) using:
mysql --host=localhost --port=4040 --user=mysqluser -p
SSH tunnelling is excellent and can make life a lot easier.
The advantages are that it is all running over an encrypted port, 22, so the security is better and you can also compress the session, so over a slow network might see a bit of a performance improvement...
If you are using Windows, I would recommend puTTY which is available easily if you google it... Once connected, you can assign a local port which forwards to a port on the remote machine. In puTTY, this is in the Connection->SSH->Tunnels dialog.
I often use this for forwarding VNC - so if you have localport 5900 forwarding to the remote address 5900, you can connect to localhost:5900 as if you were connecting to the remote IP address.
It is also useful if there is a "hop" to a remote network - e.g. you aren't limited to forwarding to the ssh server you are connected to, you can also connect to other servers via the ssh server you are using.
Finally, I don't think that there is anything illegitimate about this option - you are using the ssh connection as intended and have been granted access to the server you are using. If anything, it is increased security...
Admins where I am have an Open-VPN that connect their personnal computer at home to servers at work, but it is used only for maintenance and 'emergency'.
I don't think it is good for security to have "holes" in the firewall, especially to a private place, where there is no firewall to protect your personnal computer.
These kind of practise is possible but has to be retricted to minimum