  2. JENKINS-40217

Git plugin can't clone when SSH Agent is enabled with different credentials


Details

    Description

      Hi, ...

      How to replicate:
      1. Create freestyle job
      2. Add git scm with SSH url and select ssh key for it
      3. Enable SSH Agent in Build Environment section and select different key for it

      Result:

      Cloning the remote Git repository
      Cloning repository ssh://git@stash:7999/cm/ansible.git
       > git init /opt/jenkins/workspace/ansible/cm-ansible-potiomkin-sync-34 # timeout=10
      Fetching upstream changes from ssh://git@stash:7999/cm/ansible.git
       > git --version # timeout=10
      using GIT_SSH to set credentials jenkins at stash ssh
       > git fetch --tags --progress ssh://git@stash:7999/cm/ansible.git +refs/heads/*:refs/remotes/origin/*
      ERROR: Error cloning remote repo 'origin'
      hudson.plugins.git.GitException: Command "git fetch --tags --progress ssh://git@stash:7999/cm/ansible.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: Repository not found
      The requested repository does not exist, or you do not have permission to access it.
      fatal: Could not read from remote repository.
      
      Please make sure you have the correct access rights
      

      Disabling SSH Agent fixes the problem.

      Adding two keys to ssh agent doesn't work as expected for me. It looks like only the first ssh key is used/visible.

          Activity

            emdepl Maciej De created issue -
            emdepl Maciej De made changes -
            Field Original Value New Value
            Labels git plugin scm git plugin scm ssh ssh-agent
            markewaite Mark Waite made changes -
            Assignee Mark Waite [ markewaite ]
            markewaite Mark Waite made changes -
            Component/s git-plugin [ 15543 ]
            jglick Jesse Glick added a comment -

            Maybe a flaw in one of the (almost-)pure-Java implementations. Try again with the native one coming up in 1.14.

            geerlingguy Jeff Geerling added a comment -

            I'm still having this issue on Jenkins 2.58 with the SSH Agent plugin version 1.15.

            Steps to reproduce:

            1. Add a Job with Git source code management
            2. Choose a deploy key for the Repository
            3. Save the job and build it
            4. Verify that the job clones the Repository correctly (SUCCESS)
            5. Configure the Job again
            6. Enable SSH Agent
            7. Add two keys in SSH Agent config—and set the deploy key used for Git as the second key
            8. Run the job again
            9. Now the job fails when attempting to connect to the SCM repo.

            I've also verified that if I set the SCM repo key as the first one used by the SSH Agent plugin, that git clone works.

            So I guess the bug is actually: Only the first key added to the SSH Agent seems to work in the Job build process.

            geerlingguy Jeff Geerling added a comment -

            As a workaround, I'm disabling the SSH Agent plugin for this job (since I need to use two different keys), and choosing the key for the SCM task, then as part of the build process, I've added:

            eval `ssh-agent -s`
            ssh-add /var/lib/jenkins/.ssh/private_key_here
            jglick Jesse Glick added a comment -

            Not sure offhand. Jenkins is just running ssh-add so see what happens when you do the same things from the command line.

            killuazhu xianjun zhu added a comment -

            This sounds like a `git-plugin` issue to me instead of an `ssh-agent plugin` issue. Once an SSH key is explicitly specified for the SCM clone, `git-plugin` should use that key to clone the repo instead of using entries in the `ssh-agent` environment.

            killuazhu xianjun zhu made changes -
            Component/s git-plugin [ 15543 ]
            jglick Jesse Glick added a comment -

            I suspect this is a dupe of JENKINS-30600.

            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-30600 [ JENKINS-30600 ]
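
A command-line check along the lines suggested in the comments, added here as an example and not taken from the thread or from either plugin: it reports where the job's SCM key sits among the identities listed by `ssh-add -l`, and builds an `ssh` command that offers only that key. It assumes the failure comes from another agent identity being offered before the job's key, which the thread suggests but does not confirm; the function names and sample fingerprints are constructed.

```shell
#!/bin/sh
# Added example, not from the issue thread. Fingerprints and comments below are
# constructed placeholders in the `ssh-add -l` layout:
#   <bits> <fingerprint> <comment> (<type>)
SAMPLE_AGENT_LIST='2048 SHA256:CONSTRUCTED-other-key-fingerprint jenkins@other (RSA)
2048 SHA256:CONSTRUCTED-deploy-key-fingerprint deploy key for repo (RSA)'

# Read `ssh-add -l` output on stdin; print the 1-based position of
# fingerprint $1 among the agent identities, or 0 if it is not loaded.
agent_key_position() {
    awk -v fp="$1" '$2 == fp { print NR; found = 1; exit }
                    END { if (!found) print 0 }'
}

# Classify the job's SCM key against the agent listing on stdin:
#   first       the SCM key is the first agent identity
#   shadowed:N  the SCM key is identity N; N-1 other identities precede it
#   not-loaded  the agent does not hold this key at all
check_scm_key() {
    pos=$(agent_key_position "$1")
    case "$pos" in
        0) echo "not-loaded" ;;
        1) echo "first" ;;
        *) echo "shadowed:$pos" ;;
    esac
}

# Live variant for a build node: fingerprint the key file given as $1 and
# compare it with the agent reachable through SSH_AUTH_SOCK.
check_scm_key_file() {
    fp=$(ssh-keygen -lf "$1" | awk '{ print $2 }')
    ssh-add -l | check_scm_key "$fp"
}

# Build an ssh command line that offers only the key file $1.
# IdentitiesOnly=yes stops ssh from offering the agent's other identities.
pinned_ssh_command() {
    printf "ssh -i '%s' -o IdentitiesOnly=yes" "$1"
}
```

On a build node, run `check_scm_key_file` with the job's key file inside the SSH Agent build environment. With Git 2.3 or later, the output of `pinned_ssh_command` can be exported as `GIT_SSH_COMMAND` before the fetch to see whether the clone then succeeds.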
