-
Bug
-
Resolution: Fixed
-
Major
-
Windows 7 & 8 slaves
Mac slave (see comments)
Reproduced on RHEL Linux 6.5
Ubuntu 14.04
- Configure a git project that uses a remote and submodule URL of the form https://
- Ensure credentials added to Jenkins
- Add advanced submodule behaviors with no options selected
- First build (where repo is cloned) pulls the submodule correctly
- Subsequent builds fail authorization on the submodule part (possibly submodule update if this is being used)
- is duplicated by
-
-
- Closed
-
[JENKINS-20941] Stored git credentials not used when submodule is updated
Steven Shipton
created issue -
Steven Shipton
made changes -
| Environment |
New:
Windows 7 & 8 slaves Cannot reproduce on Mac slave |
Michael Kahn
made changes -
| Component/s | New: git-client [ 17423 ] |
Michael Kahn
added a comment - I also have this problem on a Fedora slave using SSH instead of HTTPS.
It looks like this happens because the submoduleUpdate() function of git-client uses launchCommand() instead of launchCommandWithCredentials().
Michael Kahn
added a comment - I also have this problem on a Fedora slave using SSH instead of HTTPS.
It looks like this happens because the submoduleUpdate() function of git-client uses launchCommand() instead of launchCommandWithCredentials(). 
Su Shi
added a comment - "Cannot reproduce on Mac slave"?
I ran into this issue on a mac slave with https protocol
00:00:16.330 originally caused by:
00:00:16.330 Started by user anonymous
00:00:16.435 [EnvInject] - Loading node environment variables.
00:00:16.482 Building remotely on slave_ios_02 in workspace
00:00:16.552 Fetching changes from the remote Git repository
00:00:16.665 Fetching upstream changes from https://xxx
00:00:17.499 using .gitcredentials to set credentials
00:00:19.708 Checking out Revision b9230db5cf984dfe268bbe4dd6e4aa203743dc0b (origin/master)
00:00:21.652 FATAL: Command "git submodule update --init --recursive" returned status code 1:
00:00:21.652 stdout: Cloning into 'xxx'...
00:00:21.652
00:00:21.652 stderr: fatal: Authentication failed for 'xxx'
00:00:21.652 Clone of 'xxx' into submodule path xxx' failed
00:00:21.652
00:00:21.653 hudson.plugins.git.GitException: Command "git submodule update --init --recursive" returned status code 1:
00:00:21.654 stdout: Cloning into 'xxx'...
00:00:21.654
00:00:21.654 stderr: fatal: Authentication failed for 'xxx'
00:00:21.654 Clone of 'xxx' into submodule path 'xxx' failed
00:00:21.654
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1148)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1125)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1121)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommand(CliGitAPIImpl.java:937)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:598)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:579)
00:00:21.654 at sun.reflect.GeneratedMethodAccessor52.invoke(Unknown Source)
00:00:21.654 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
00:00:21.654 at java.lang.reflect.Method.invoke(Method.java:606)
00:00:21.654 at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
00:00:21.654 at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
00:00:21.654 at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
00:00:21.654 at hudson.remoting.UserRequest.perform(UserRequest.java:118)
00:00:21.654 at hudson.remoting.UserRequest.perform(UserRequest.java:48)
00:00:21.654 at hudson.remoting.Request$2.run(Request.java:326)
00:00:21.654 at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
00:00:21.654 at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
00:00:21.654 at java.util.concurrent.FutureTask.run(FutureTask.java:166)
00:00:21.654 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
00:00:21.654 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
00:00:21.654 at java.lang.Thread.run(Thread.java:724)
Su Shi
added a comment - "Cannot reproduce on Mac slave"?
I ran into this issue on a mac slave with https protocol
00:00:16.330 originally caused by:
00:00:16.330 Started by user anonymous
00:00:16.435 [EnvInject] - Loading node environment variables.
00:00:16.482 Building remotely on slave_ios_02 in workspace
00:00:16.552 Fetching changes from the remote Git repository
00:00:16.665 Fetching upstream changes from https://xxx
00:00:17.499 using .gitcredentials to set credentials
00:00:19.708 Checking out Revision b9230db5cf984dfe268bbe4dd6e4aa203743dc0b (origin/master)
00:00:21.652 FATAL: Command "git submodule update --init --recursive" returned status code 1:
00:00:21.652 stdout: Cloning into 'xxx'...
00:00:21.652
00:00:21.652 stderr: fatal: Authentication failed for 'xxx'
00:00:21.652 Clone of 'xxx' into submodule path xxx' failed
00:00:21.652
00:00:21.653 hudson.plugins.git.GitException: Command "git submodule update --init --recursive" returned status code 1:
00:00:21.654 stdout: Cloning into 'xxx'...
00:00:21.654
00:00:21.654 stderr: fatal: Authentication failed for 'xxx'
00:00:21.654 Clone of 'xxx' into submodule path 'xxx' failed
00:00:21.654
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1148)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1125)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1121)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommand(CliGitAPIImpl.java:937)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:598)
00:00:21.654 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:579)
00:00:21.654 at sun.reflect.GeneratedMethodAccessor52.invoke(Unknown Source)
00:00:21.654 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
00:00:21.654 at java.lang.reflect.Method.invoke(Method.java:606)
00:00:21.654 at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
00:00:21.654 at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
00:00:21.654 at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
00:00:21.654 at hudson.remoting.UserRequest.perform(UserRequest.java:118)
00:00:21.654 at hudson.remoting.UserRequest.perform(UserRequest.java:48)
00:00:21.654 at hudson.remoting.Request$2.run(Request.java:326)
00:00:21.654 at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
00:00:21.654 at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
00:00:21.654 at java.util.concurrent.FutureTask.run(FutureTask.java:166)
00:00:21.654 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
00:00:21.654 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
00:00:21.654 at java.lang.Thread.run(Thread.java:724) I figured out the root cause of this in my installation. The problem is that the initial checkout is using the credentials plugin but the submodule checkout is using the default user credentials defined in `~/.ssh/config`. If there is not `config` then SSH by default will look for `~/.ssh/id_rsa` as the private key for the connection. My jenkins system user has default credentials in `~/.ssh/id_rsa` and so I had to give the user using those credentials access to the submodule project with read permissions.
Hopefully that was clear. Essentially, the git plugin claims it is reusing credentials plugin for the submodule check out but it is actually not using it at all. I'll try to dig through the source to point out where it is doing this.
This behavior was observed by viewing the SSH logs on the git server while Jenkins was checking out the submodules.
Sam Gleske
added a comment - - edited I figured out the root cause of this in my installation. The problem is that the initial checkout is using the credentials plugin but the submodule checkout is using the default user credentials defined in `~/.ssh/config`. If there is not `config` then SSH by default will look for `~/.ssh/id_rsa` as the private key for the connection. My jenkins system user has default credentials in `~/.ssh/id_rsa` and so I had to give the user using those credentials access to the submodule project with read permissions.
Hopefully that was clear. Essentially, the git plugin claims it is reusing credentials plugin for the submodule check out but it is actually not using it at all. I'll try to dig through the source to point out where it is doing this.
This behavior was observed by viewing the SSH logs on the git server while Jenkins was checking out the submodules. Sam Gleske
made changes -
| Environment |
Original:
Windows 7 & 8 slaves Cannot reproduce on Mac slave |
New:
Windows 7 & 8 slaves Cannot reproduce on Mac slave Reproduced on RHEL Linux 6.5 |
For me, the solution was to update the sub-modules in a batch script prior to the build. I created a new SSH keypair (C:\Program Files (x86)\Git\bin\ssh-keygen.exe (no passphrase)) and saved the public key to the bitbucket user account (C:\users\USERNAME\.ssh\id_rsa.pub) Then I ssh'd into git@bitbucket.com to generate a known_hosts file. Since Jenkins runs as a Windows service, I copied my SSH keys (id_rsa, id_rsa.pub, known_hosts) from C:\users\USERNAME\.ssh to C:\Windows\SysWOW64\config\systemprofile\.ssh.
After that was all sorted, I added a build step (needs to be the first build step). I created a Windows batch command that contained the following entries:
git config submodule.SUBMODULENAME.url git@bitbucket.org:SUBMODULE/DIRECTORY.git <-- ssh access url
git submodule update --init --recursive
Jon Proietti
added a comment - - edited For me, the solution was to update the sub-modules in a batch script prior to the build. I created a new SSH keypair (C:\Program Files (x86)\Git\bin\ssh-keygen.exe (no passphrase)) and saved the public key to the bitbucket user account (C:\users\USERNAME\.ssh\id_rsa.pub) Then I ssh'd into git@bitbucket.com to generate a known_hosts file. Since Jenkins runs as a Windows service, I copied my SSH keys (id_rsa, id_rsa.pub, known_hosts) from C:\users\USERNAME\.ssh to C:\Windows\SysWOW64\config\systemprofile\.ssh.
After that was all sorted, I added a build step (needs to be the first build step). I created a Windows batch command that contained the following entries:
git config submodule.SUBMODULENAME.url git@bitbucket.org:SUBMODULE/DIRECTORY.git <-- ssh access url
git submodule update --init --recursive 
Simon Howkins
added a comment - I've encountered this problem too, I think, on a Mac slave using SSH:
Fetching changes from the remote Git repository Fetching upstream changes from git@github.com:proj/repo.git using GIT_SSH to set credentials Jenkins@github.com Checking out Revision 370b0a3e37251b4a4898134a073c61e5624445f7 (origin/release) FATAL: Command "git submodule update --init --recursive" returned status code 1: stdout: Cloning into 'subrepo1'... stderr: Permission denied (publickey). fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. Clone of 'git@github.com:proj/subrepo1.git' into submodule path 'subrepo1' failed hudson.plugins.git.GitException: Command "git submodule update --init --recursive" returned status code 1: stdout: Cloning into 'subrepo1'... stderr: Permission denied (publickey). fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. Clone of 'git@github.com:proj/subrepo1.git' into submodule path 'subrepo1' failed at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1086) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1063) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommand(CliGitAPIImpl.java:900) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:570) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:551) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239) at hudson.remoting.UserRequest.perform(UserRequest.java:118) at hudson.remoting.UserRequest.perform(UserRequest.java:48) at hudson.remoting.Request$2.run(Request.java:328) at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) at java.util.concurrent.FutureTask.run(FutureTask.java:138) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918) at java.lang.Thread.run(Thread.java:695)
Putting a id_rsa file onto the slave fixes that slave. However, we've got plenty of slaves, and plenty of jobs that run on them, so it would be a lot easier for us if it did what it says on the tin. Vote cast.
Simon Howkins
added a comment - I've encountered this problem too, I think, on a Mac slave using SSH:
Fetching changes from the remote Git repository
Fetching upstream changes from git@github.com:proj/repo.git
using GIT_SSH to set credentials Jenkins@github.com
Checking out Revision 370b0a3e37251b4a4898134a073c61e5624445f7 (origin/release)
FATAL: Command "git submodule update --init --recursive" returned status code 1:
stdout: Cloning into 'subrepo1'...
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Clone of 'git@github.com:proj/subrepo1.git' into submodule path 'subrepo1' failed
hudson.plugins.git.GitException: Command "git submodule update --init --recursive" returned status code 1:
stdout: Cloning into 'subrepo1'...
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Clone of 'git@github.com:proj/subrepo1.git' into submodule path 'subrepo1' failed
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1086)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1063)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommand(CliGitAPIImpl.java:900)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:570)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
at hudson.remoting.UserRequest.perform(UserRequest.java:118)
at hudson.remoting.UserRequest.perform(UserRequest.java:48)
at hudson.remoting.Request$2.run(Request.java:328)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:695)
Putting a id_rsa file onto the slave fixes that slave. However, we've got plenty of slaves, and plenty of jobs that run on them, so it would be a lot easier for us if it did what it says on the tin. Vote cast.
Example failure log:
Fetching changes from the remote Git repository
Fetching upstream changes from https://github.com/xxx
Checking out Revision xxx (origin/master)
Cleaning workspace
Resetting working tree
FATAL: Command "submodule update" returned status code 1:
stdout:
stderr: remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/xxx.git/'
Unable to fetch in submodule path 'xxx'
hudson.plugins.git.GitException: Command "submodule update" returned status code 1:
stdout:
stderr: remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/xxx.git/'
Unable to fetch in submodule path 'xxx'
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:981)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:961)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:957)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommand(CliGitAPIImpl.java:877)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:546)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.submoduleUpdate(CliGitAPIImpl.java:527)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
at hudson.remoting.UserRequest.perform(UserRequest.java:118)
at hudson.remoting.UserRequest.perform(UserRequest.java:48)
at hudson.remoting.Request$2.run(Request.java:328)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at hudson.remoting.Engine$1$1.run(Engine.java:63)
at java.lang.Thread.run(Unknown Source)