June 12, 2019

Sonatype Nexus 3 minimum runtime requirements:

Minimum CPUs: 4
Recommended CPUs: 8+
Host physical RAM minimum (default): 4GB

Install a JDK 1.8 environment

Check the Java version

Open the Sonatype Nexus download page

Select the build for your operating system and download it

Extract the archive to the chosen path

Enter the installation directory

Enter the bin directory containing the executables

Shortcut: Shift + right-click, then choose "Open command window here"

Register nexus as a system service

Confirm the service was registered

Start the nexus service and check its status

Open the web admin console in a browser

Set the initial password on first login

June 9, 2019

Download the JDK

https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

Download Maven

http://maven.apache.org/download.cgi

The installer packages, ready to go

Install the JDK

Install the JDK

Verify the Java version

Extract the Maven archive

Note the full path of the extracted Maven directory

Set the environment variable

Control Panel > System and Security > System > Advanced system settings

Advanced > Environment Variables

System variables > Path > New

Variable value (path)

C:\apache-maven-3.6.1-bin\apache-maven-3.6.1\bin

Verify the Maven environment configuration and version

Switch the public proxy repository to a mirror server in China

Edit conf/settings.xml and add the following inside <mirrors></mirrors>
Aliyun mirror configuration

<mirror>
<id>aliyunmaven</id>
<mirrorOf>*</mirrorOf>
<name>阿里云公共仓库</name>
<url>https://maven.aliyun.com/repository/public</url>
</mirror>

NetEase 163 mirror configuration

<mirror>
<id>nexus-163</id>
<mirrorOf>*</mirrorOf>
<name>Nexus 163</name>
<url>http://mirrors.163.com/maven/repository/maven-public/</url>
</mirror>
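An added check (not part of the original post) that lists the <mirror> entries of a settings.xml and flags the two points a build-supply-chain review raises about the configs above: the 163 mirror is plain http://, so artifacts and metadata arrive unauthenticated, and mirrorOf=* sends every repository, including in-house ones, to that public mirror. It assumes one element per line, as in the snippets above; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: list the <mirror> entries of a
# Maven settings.xml and flag what a build-supply-chain review looks for:
# plain http:// mirror URLs (artifacts and metadata arrive unauthenticated,
# as with the 163 entry above) and mirrorOf=* (every repository, including
# any in-house one, is silently redirected to that public mirror).
# Assumes the usual one-element-per-line layout of settings.xml.

# Print "id url mirrorOf" for each <mirror> block of the given file.
maven_mirrors() {
    awk '
        /<mirror>/   { id = url = of = "" }
        /<id>/       { sub(/.*<id>/, ""); sub(/<\/id>.*/, ""); id = $0 }
        /<url>/      { sub(/.*<url>/, ""); sub(/<\/url>.*/, ""); url = $0 }
        /<mirrorOf>/ { sub(/.*<mirrorOf>/, ""); sub(/<\/mirrorOf>.*/, ""); of = $0 }
        /<\/mirror>/ { print id, url, of }
    ' "$1"
}

# Return 0 when every mirror uses https and none catches all repositories;
# otherwise print one finding per problem and return 1.
check_maven_mirrors() {
    findings=$(maven_mirrors "$1" | awk '
        $2 !~ /^https:\/\// { print "mirror " $1 ": non-https url " $2 }
        $3 == "*"           { print "mirror " $1 ": mirrorOf=* redirects every repository" }')
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

# Constructed sample containing the two mirrors quoted above.
SAMPLE_SETTINGS=$(mktemp)
cat > "$SAMPLE_SETTINGS" <<'EOF'
<settings>
  <mirrors>
    <mirror>
      <id>aliyunmaven</id>
      <mirrorOf>*</mirrorOf>
      <url>https://maven.aliyun.com/repository/public</url>
    </mirror>
    <mirror>
      <id>nexus-163</id>
      <mirrorOf>*</mirrorOf>
      <url>http://mirrors.163.com/maven/repository/maven-public/</url>
    </mirror>
  </mirrors>
</settings>
EOF

check_maven_mirrors "$SAMPLE_SETTINGS" || echo "settings.xml needs attention"
```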
June 8, 2019

Point a DNS name at the Jenkins service

C:\Users\harveymei>ping jenkins.bcoc.site

正在 Ping jenkins.bcoc.site [18.162.148.195] 具有 32 字节的数据:
来自 18.162.148.195 的回复: 字节=32 时间=169ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=153ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=168ms TTL=46
来自 18.162.148.195 的回复: 字节=32 时间=167ms TTL=46

18.162.148.195 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 153ms,最长 = 169ms,平均 = 164ms

C:\Users\harveymei>

After installation, start the Jenkins service and check the listening ports

[root@ip-172-31-40-41 ~]# service jenkins start
Starting jenkins (via systemctl):                          [  OK  ]
[root@ip-172-31-40-41 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::8080                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
[root@ip-172-31-40-41 ~]#

Open the web console (not yet TLS-enabled) in a browser

Request a Let's Encrypt certificate

[root@ip-172-31-40-41 ~]# yum -y install certbot
[root@ip-172-31-40-41 ~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): harvey.mei@linuxcache.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): jenkins.bcoc.site
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.bcoc.site
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem
Your cert will expire on 2020-05-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@ip-172-31-40-41 ~]#

Convert the certificate format (using certtool)

[root@ip-172-31-40-41 ~]# yum -y install gnutls-utils

[root@ip-172-31-40-41 ~]# rpm -lq gnutls-utils
/usr/bin/certtool
/usr/bin/crywrap
/usr/bin/danetool
/usr/bin/gnutls-cli
/usr/bin/gnutls-cli-debug
/usr/bin/gnutls-serv
/usr/bin/ocsptool
/usr/bin/p11tool
/usr/bin/psktool
/usr/bin/tpmtool
/usr/share/doc/gnutls-utils-3.3.29
/usr/share/doc/gnutls-utils-3.3.29/certtool.cfg
/usr/share/man/man1/certtool.1.gz
/usr/share/man/man1/danetool.1.gz
/usr/share/man/man1/gnutls-cli-debug.1.gz
/usr/share/man/man1/gnutls-cli.1.gz
/usr/share/man/man1/gnutls-serv.1.gz
/usr/share/man/man1/ocsptool.1.gz
/usr/share/man/man1/p11tool.1.gz
/usr/share/man/man1/psktool.1.gz
/usr/share/man/man1/tpmtool.1.gz
[root@ip-172-31-40-41 ~]#

Bundle the certificate (public key) and private key into PKCS12 format, protected by a password (123456)

certtool --to-p12 --load-privkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
--outfile jenkins.p12 --outder

[root@ip-172-31-40-41 ~]# certtool --to-p12 --load-privkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
> --outfile jenkins.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: jenkins.bcoc.site
Enter password:
Confirm password:
[root@ip-172-31-40-41 ~]# ls
anaconda-ks.cfg jenkins.p12 original-ks.cfg
[root@ip-172-31-40-41 ~]#

Convert the PKCS12 file into the JKS format that Java expects (in the transcript below, the first attempt fails because the typographic quotes ‘ ’ around the password are not shell quotes and become part of the password string)

keytool -importkeystore -srckeystore jenkins.p12 \
-srcstorepass '123456' -srcstoretype PKCS12 \
-srcalias jenkins.bcoc.site -deststoretype JKS \
-destkeystore jenkins_keystore.jks \
-deststorepass '123456' -destalias jenkins.bcoc.site

[root@ip-172-31-40-41 ~]# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass ‘123456’ -srcstoretype PKCS12 \
> -srcalias jenkins.bcoc.site -deststoretype JKS \
> -destkeystore jenkins_keystore.jks \
> -deststorepass ‘123456’ -destalias jenkins.bcoc.site
Importing keystore jenkins.p12 to jenkins_keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect
[root@ip-172-31-40-41 ~]# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass '123456' -srcstoretype PKCS12 \
> -srcalias jenkins.bcoc.site -deststoretype JKS \
> -destkeystore jenkins_keystore.jks \
> -deststorepass '123456' -destalias jenkins.bcoc.site
Importing keystore jenkins.p12 to jenkins_keystore.jks...

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jenkins_keystore.jks -destkeystore jenkins_keystore.jks -deststoretype pkcs12".
[root@ip-172-31-40-41 ~]#
[root@ip-172-31-40-41 ~]# ls
anaconda-ks.cfg jenkins_keystore.jks jenkins.p12 original-ks.cfg
[root@ip-172-31-40-41 ~]#

Change the ownership and permissions of the keystore file

[root@ip-172-31-40-41 ~]# chown jenkins.jenkins jenkins_keystore.jks
[root@ip-172-31-40-41 ~]# chmod 600 jenkins_keystore.jks
[root@ip-172-31-40-41 ~]# mv jenkins_keystore.jks /var/lib/jenkins/
[root@ip-172-31-40-41 ~]#

Edit the Jenkins configuration file

[root@ip-172-31-40-41 ~]# vi /etc/sysconfig/jenkins

Original configuration (SSL section)

## Type: integer(0:65535)
## Default: ""
## ServiceRestart: jenkins
#
# HTTPS port Jenkins is listening on.
# Default is disabled.
#
JENKINS_HTTPS_PORT=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Path to the keystore in JKS format (as created by the JDK 'keytool').
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE_PASSWORD=""

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# IP address Jenkins listens on for HTTPS requests.
# Default is disabled.
#
JENKINS_HTTPS_LISTEN_ADDRESS=""

Modified

## Type: integer(0:65535)
## Default: ""
## ServiceRestart: jenkins
#
# HTTPS port Jenkins is listening on.
# Default is disabled.
#
JENKINS_HTTPS_PORT="8443"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Path to the keystore in JKS format (as created by the JDK 'keytool').
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE="/var/lib/jenkins/jenkins_keystore.jks"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
#
JENKINS_HTTPS_KEYSTORE_PASSWORD="123456"

## Type: string
## Default: ""
## ServiceRestart: jenkins
#
# IP address Jenkins listens on for HTTPS requests.
# Default is disabled.
#
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"

Disable listening on port 8080

Original configuration

## Type: integer(0:65535)
## Default: 8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
# Set to -1 to disable
#
JENKINS_PORT="8080"

Modified (listening on port 8080 disabled)

## Type: integer(0:65535)
## Default: 8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
# Set to -1 to disable
#
JENKINS_PORT="-1"

Restart the service and check how the listening ports changed

[root@ip-172-31-40-41 ~]# service jenkins restart
Restarting jenkins (via systemctl):                        [  OK  ]
[root@ip-172-31-40-41 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::111                  :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 :::8443                 :::*                    LISTEN     
[root@ip-172-31-40-41 ~]#

Access the Jenkins console over HTTPS on the configured port

Equivalent openssl command for bundling the certificate and private key into PKCS12

openssl pkcs12 -export -out jenkins.p12 \
-passout 'pass:123456' -inkey /etc/letsencrypt/live/jenkins.bcoc.site/privkey.pem \
-in /etc/letsencrypt/live/jenkins.bcoc.site/fullchain.pem \
-name jenkins.bcoc.site
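As an added check (not part of the original post), a small shell script that verifies the end state this section works toward: JENKINS_PORT=-1, an HTTPS port and an existing keystore configured, and the listener table showing 8443 but no longer 8080. It also refuses short sample passwords such as the 123456 used above; the config path and the netstat text are inputs, and the listener table at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a Jenkins
# /etc/sysconfig/jenkins plus a `netstat -lnt` listing after switching the
# console to HTTPS. Inputs are the config file path and the listener text;
# the sample at the bottom is constructed.

# Print the value of KEY="value" (quotes optional) from a sysconfig file.
sysconfig_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Print the port numbers in LISTEN state from `netstat -lnt` text on stdin.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# 0 if HTTP is off (JENKINS_PORT=-1), an HTTPS port is set, the keystore file
# exists, and the password is not a short sample value like the 123456 above.
check_jenkins_tls_config() {
    cfg=$1; rc=0
    http_port=$(sysconfig_get "$cfg" JENKINS_PORT)
    https_port=$(sysconfig_get "$cfg" JENKINS_HTTPS_PORT)
    keystore=$(sysconfig_get "$cfg" JENKINS_HTTPS_KEYSTORE)
    pass=$(sysconfig_get "$cfg" JENKINS_HTTPS_KEYSTORE_PASSWORD)
    [ "$http_port" = "-1" ] || { echo "JENKINS_PORT=$http_port: plaintext HTTP still on"; rc=1; }
    [ -n "$https_port" ] || { echo "JENKINS_HTTPS_PORT is empty: HTTPS disabled"; rc=1; }
    [ -f "$keystore" ] || { echo "keystore '$keystore' not found"; rc=1; }
    [ ${#pass} -ge 12 ] || { echo "keystore password shorter than 12 characters"; rc=1; }
    return $rc
}

# 0 if the listener text on stdin shows port $1 and no longer shows 8080.
check_listeners() {
    ports=$(listening_ports)
    echo "$ports" | grep -qx "$1" || { echo "port $1 is not listening"; return 1; }
    if echo "$ports" | grep -qx 8080; then echo "port 8080 still listening"; return 1; fi
    return 0
}

# Constructed listener table, shaped like the post's output after the restart.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners 8443 && echo "listeners look right"
```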
May 24, 2019

Official Yum repository

https://pkg.jenkins.io/redhat-stable/

Install the Yum repository for the Jenkins LTS release

[root@iZj6cehstgjoj3qav88fidZ ~]# wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
--2019-06-12 18:27:21-- https://pkg.jenkins.io/redhat-stable/jenkins.repo
Resolving pkg.jenkins.io (pkg.jenkins.io)... 52.202.51.185
Connecting to pkg.jenkins.io (pkg.jenkins.io)|52.202.51.185|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85
Saving to: ‘/etc/yum.repos.d/jenkins.repo’

100%[=======================================================================================================================================================>] 85 --.-K/s in 0s

2019-06-12 18:27:22 (19.3 MB/s) - ‘/etc/yum.repos.d/jenkins.repo’ saved [85/85]

[root@iZj6cehstgjoj3qav88fidZ ~]# rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
[root@iZj6cehstgjoj3qav88fidZ ~]#

Install the OpenJDK environment and check the version
[root@iZj6cehstgjoj3qav88fidZ ~]# yum install java-1.8.0-openjdk
[root@iZj6cehstgjoj3qav88fidZ ~]# java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
[root@iZj6cehstgjoj3qav88fidZ ~]#

Install the Jenkins service from the Yum repository

[root@iZj6cehstgjoj3qav88fidZ ~]# yum install jenkins

Check the installed paths

[root@iZj6cehstgjoj3qav88fidZ ~]# rpm -lq jenkins
/etc/init.d/jenkins
/etc/logrotate.d/jenkins
/etc/sysconfig/jenkins
/usr/lib/jenkins
/usr/lib/jenkins/jenkins.war
/usr/sbin/rcjenkins
/var/cache/jenkins
/var/lib/jenkins
/var/log/jenkins
[root@iZj6cehstgjoj3qav88fidZ ~]#

Check the Jenkins service registration

[root@iZj6cehstgjoj3qav88fidZ ~]# chkconfig --list jenkins

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

jenkins 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@iZj6cehstgjoj3qav88fidZ ~]#

Start the service

[root@iZj6cehstgjoj3qav88fidZ ~]# service jenkins start
Starting jenkins (via systemctl): [ OK ]
[root@iZj6cehstgjoj3qav88fidZ ~]#

Check the listening ports

Open in a browser

Read the initial password

[root@iZj6cehstgjoj3qav88fidZ ~]# cat /var/lib/jenkins/secrets/initialAdminPassword
5228940ac30a481d97a4efbabe4147a3
[root@iZj6cehstgjoj3qav88fidZ ~]#

Install the recommended plugins

Plugin installation in progress

Create the first admin user

Instance configuration

Setup complete

Console home page

July 22, 2017

Apache Tomcat non-root hardening configuration

[root@www_cluster1 ~]# cd /data/
[root@www_cluster1 data]# chown -R root.opsuser apache-tomcat-7.0.79/
[root@www_cluster1 data]# cd apache-tomcat-7.0.79/
[root@www_cluster1 apache-tomcat-7.0.79]# chmod -R g+w logs/ temp/ work/ webapps/
[root@www_cluster1 apache-tomcat-7.0.79]# chmod -R g+r conf/*
[root@www_cluster1 apache-tomcat-7.0.79]#
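An added audit script (not from the original post) that checks a Tomcat tree for the layout the commands above produce: everything owned by root:opsuser, group write only on logs/, temp/, work/ and webapps/, and conf/ readable by the group. It is stricter than the post on one point, flagging world-readable files under conf/ (tomcat-users.xml lives there); the demo tree at the bottom is constructed and audited as the current user and group, since chown to root:opsuser needs root.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Tomcat install for the
# non-root permission layout set up above, with one stricter rule than the
# post: nothing under conf/ (it holds tomcat-users.xml) may be world-readable.
# Usage: audit_tomcat_perms /data/apache-tomcat-7.0.79 root opsuser

# Print a finding and mark the audit as failed (rc is shared with the caller).
finding() { echo "FINDING: $*"; rc=1; }

audit_tomcat_perms() {
    dir=$1; owner=$2; group=$3; rc=0
    # 1. Every path must be owned by OWNER:GROUP (root:opsuser in the post).
    bad=$(find "$dir" ! -user "$owner" -o ! -group "$group")
    [ -z "$bad" ] || finding "not owned by $owner:$group:" "$bad"
    # 2. Nothing may be world-writable.
    bad=$(find "$dir" -perm -002)
    [ -z "$bad" ] || finding "world-writable:" "$bad"
    # 3. Group write is allowed only where Tomcat must write at runtime.
    bad=$(find "$dir" \( -path "$dir/logs" -o -path "$dir/temp" \
                  -o -path "$dir/work" -o -path "$dir/webapps" \) -prune \
                  -o -perm -020 -print)
    [ -z "$bad" ] || finding "group-writable outside runtime dirs:" "$bad"
    # 4. ...and those runtime dirs must actually be group-writable (chmod -R g+w).
    for sub in logs temp work webapps; do
        bad=$(find "$dir/$sub" ! -perm -020)
        [ -z "$bad" ] || finding "$sub/ not group-writable:" "$bad"
    done
    # 5. conf/ readable by the group (chmod -R g+r) but not by others.
    bad=$(find "$dir/conf" ! -perm -040)
    [ -z "$bad" ] || finding "conf/ not group-readable:" "$bad"
    bad=$(find "$dir/conf" -perm -004)
    [ -z "$bad" ] || finding "conf/ world-readable:" "$bad"
    return $rc
}

# Constructed demo: a minimal tree laid out as the post leaves it, audited as
# the current user/group because chown to root:opsuser requires root.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/conf" "$DEMO/logs" "$DEMO/temp" "$DEMO/work" "$DEMO/webapps/ROOT"
touch "$DEMO/bin/catalina.sh" "$DEMO/conf/tomcat-users.xml" "$DEMO/webapps/ROOT/index.jsp"
chmod -R u=rwX,g=rX,o= "$DEMO"
chmod -R g+w "$DEMO/logs" "$DEMO/temp" "$DEMO/work" "$DEMO/webapps"
DEMO_OWNER=$(ls -ld "$DEMO" | awk '{print $3}'); DEMO_GROUP=$(ls -ld "$DEMO" | awk '{print $4}')
audit_tomcat_perms "$DEMO" "$DEMO_OWNER" "$DEMO_GROUP" && echo "layout OK"
```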