Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-45228

Git merge requires authentication in LFS merges, plugin does not authenticate the git merge command

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • None
    • Jenkins version: 2.46.3
      Git plugin version: 3.3.0
    • git client plugin 3.1.0

      In case of changes in LFS data git merge requires authentication, but authentication data is not provided.

      Pipeline step:

      def mr_checkout_with_merge(url, account) {
        checkout changelog: true, poll: true, scm: [
          $class: 'GitSCM',
          branches: [[name: '${gitlabSourceBranch}']],
          doGenerateSubmoduleConfigurations: false,
          extensions: [
            [$class: 'RelativeTargetDirectory', relativeTargetDir: 'src'],
            [$class: 'UserIdentity', email: 'jenkins', name: 'jenkins'],
            [$class: 'SubmoduleOption', disableSubmodules: false, parentCredentials: true, recursiveSubmodules: true, reference: '', trackingSubmodules: false],
            [$class: 'PreBuildMerge', options: [fastForwardMode: 'NO_FF', mergeRemote: 'origin', mergeStrategy: 'default', mergeTarget: '${gitlabTargetBranch}']],
            [$class: 'CloneOption', depth: 0, noTags: false, reference: '', shallow: false, timeout: 60],
            [$class: 'GitLFSPull']
          ],
          submoduleCfg: [],
          userRemoteConfigs: [[credentialsId: account, url: url]]
        ]
      }

       Log output:

      ERROR: Branch not suitable for integration as it does not merge cleanly: Command "git merge --no-ff 6af4f83cc9f2fc96d68df589e9822acf2fbf7fee" returned status code 128:
       stdout: 
       stderr: Downloading data/test_data.tar.gz (106.24 MB)
       Error downloading object: data/test_data.tar.gz (1b3d845): Smudge error: Error downloading data/test_data.tar.gz (1b3d845ad0f78327a16db63e03a7bc60dd2f7134bbaeeb117c3602d037893eef): batch request: Permission denied (publickey).: exit status 255
      Errors logged to /home/jenkins/workspace/Precommits/Ubuntu16/src/.git/lfs/objects/logs/20170626T055343.268201821.log
       Use `git lfs logs last` to view the log.
       error: external filter git-lfs smudge – %f failed 2
       error: external filter git-lfs smudge – %f failed
       fatal: data/test_data.tar.gz: smudge filter lfs failed

          [JENKINS-45228] Git merge requires authentication in LFS merges, plugin does not authenticate the git merge command

          Alexander Smorkalov created issue -
          Alexander Smorkalov made changes -
          Summary Original: Git merge cannot merge branches if data changed LFS New: Git merge cannot merge branches if LFS data changed
          Mark Waite made changes -
          Assignee Original: Mark Waite [ markewaite ]

          Mark Waite added a comment -

          Thanks for the report. Another interesting case where the plugin's assumption that authentication is only needed on remote capable commands is being violated (or abused, depending on your opinion of whether git merge should be an entirely local operation or not).

          Mark Waite added a comment - Thanks for the report. Another interesting case where the plugin's assumption that authentication is only needed on remote capable commands is being violated (or abused, depending on your opinion of whether git merge should be an entirely local operation or not).

          Do you know any easy to implement hack to workaround the issue? We use merge in pull request pre-commit testing with internal Gitlab instance. LFS become more and more popular and I want to workaround the issue till plugin update is available.

          Alexander Smorkalov added a comment - Do you know any easy to implement hack to workaround the issue? We use merge in pull request pre-commit testing with internal Gitlab instance. LFS become more and more popular and I want to workaround the issue till plugin update is available.

          Mark Waite added a comment - - edited

          You might be able to insert a step into your build script which performs a "git lfs fetch origin origin/branchname" for the source and the destination of the merge. That brings the large files locally and may avoid "git merge" accessing the LFS server.

          You may also be able to perform the merge yourselves, wrapping the "git merge" command in a withCredentials block. I haven't tried that, but it may be easier than modifying Java source code.

          You may also want to download the git client plugin source code and test drive adding authentication to the git merge command. jekeller at Intel added submodule authentication to the git plugin, so he might be able to assist with adding authentication to the merge command. I suspect it will be simpler to add authentication to the merge command than it was to add it to submodules.

          As an aside, pipeline scripts should use the dir('src') block around the checkout rather than using the git specific RelativeTargetDirectory. An upcoming git plugin change will deprecate the use of RelativeTargetDirectory in pipeline, because the dir('src') block is more general to pipeline.

          Mark Waite added a comment - - edited You might be able to insert a step into your build script which performs a "git lfs fetch origin origin/branchname" for the source and the destination of the merge. That brings the large files locally and may avoid "git merge" accessing the LFS server. You may also be able to perform the merge yourselves, wrapping the "git merge" command in a withCredentials block. I haven't tried that, but it may be easier than modifying Java source code. You may also want to download the git client plugin source code and test drive adding authentication to the git merge command. jekeller at Intel added submodule authentication to the git plugin, so he might be able to assist with adding authentication to the merge command. I suspect it will be simpler to add authentication to the merge command than it was to add it to submodules. As an aside, pipeline scripts should use the dir('src') block around the checkout rather than using the git specific RelativeTargetDirectory. An upcoming git plugin change will deprecate the use of RelativeTargetDirectory in pipeline, because the dir('src') block is more general to pipeline.
          Mark Waite made changes -
          Summary Original: Git merge cannot merge branches if LFS data changed New: Git merge requires authentication in LFS merges, plugin does not authenticate
          Mark Waite made changes -
          Summary Original: Git merge requires authentication in LFS merges, plugin does not authenticate New: Git merge requires authentication in LFS merges, plugin does not authenticate the git merge command

          Alexander Smorkalov added a comment - - edited

          As ad-hoc workaround I replace Git plugin call with sshagent & direct console git calls:

          {code:groovy}

          def mr_checkout_with_merge(account)
          {
          sshagent(credentials: [account])
          {
          dir('src')
          {
          sh "git clone ${env.gitlabSourceRepoURL} ."
          sh "git lfs install"
          sh "git config user.email 'jenkins@localhost'"
          sh "git config user.name 'jenkins'"
          sh "git checkout ${env.gitlabSourceBranch}"
          sh "git checkout ${env.gitlabTargetBranch}"
          sh "git merge --no-ff ${env.gitlabSourceBranch}"
          sh "git submodule update --init --recursive"
          sh "git lfs pull"
          }
          }
          }

          {code}

          Alexander Smorkalov added a comment - - edited As ad-hoc workaround I replace Git plugin call with sshagent & direct console git calls: {code:groovy} def mr_checkout_with_merge(account) { sshagent(credentials: [account] ) { dir('src') { sh "git clone ${env.gitlabSourceRepoURL} ." sh "git lfs install" sh "git config user.email 'jenkins@localhost'" sh "git config user.name 'jenkins'" sh "git checkout ${env.gitlabSourceBranch}" sh "git checkout ${env.gitlabTargetBranch}" sh "git merge --no-ff ${env.gitlabSourceBranch}" sh "git submodule update --init --recursive" sh "git lfs pull" } } } {code}

          Emil Styrke added a comment -

          I am getting bitten by this as well now, in git plugin version 3.8.0: 

          Checking out git http://<bitbucket_server>/<repo>.git http://<bitbucket_server>/<repo>.git into /var/lib/jenkins/workspace/<repo>_PR-109-ZFFDADYA3J6CFXJFIAHHACXI6SU7323HOW62DUSZOKSYPGIJTAKA@script to read Jenkinsfile
           > git rev-parse --is-inside-work-tree # timeout=10
          Fetching changes from 2 remote Git repositories
           > git config remote.origin.url http://<bitbucket_server>/<repo>.git # timeout=10
          Fetching upstream changes from http://<bitbucket_server>/<repo>.git
           > git --version # timeout=10
          using GIT_ASKPASS to set credentials Jenkins @ Bitbucket
           > git fetch --tags --progress http://<bitbucket_server>/<repo>.git +refs/pull-requests/109/from:refs/remotes/origin/PR-109
           > git config remote.upstream.url http://<bitbucket_server>/<repo>.git # timeout=10
          Fetching upstream changes from http://<bitbucket_server>/<repo>.git
          using GIT_ASKPASS to set credentials Jenkins @ Bitbucket
           > git fetch --tags --progress http://<bitbucket_server>/<repo>.git +refs/heads/release/VER_4-17:refs/remotes/upstream/release/VER_4-17
          Merging remotes/upstream/release/VER_4-17 commit 9e203652b8fabc0062fd8a6c8f0f6c3d30d96dcf into PR head commit 366c0da12a0856d527cf40b87d61ed9b30662283
          Enabling Git LFS pull
           > git config core.sparsecheckout # timeout=10
           > git checkout -f 366c0da12a0856d527cf40b87d61ed9b30662283
           > git config --get remote.origin.url # timeout=10
          using GIT_ASKPASS to set credentials Jenkins @ Bitbucket
           > git lfs pull origin
           > git merge 9e203652b8fabc0062fd8a6c8f0f6c3d30d96dcf # timeout=10
          

          And the last command hangs until it times out because "GIT_ASKPASS" is set to "echo". markewaite, would it be possible to let the "git lfs pull" behavior implementation add the necessary credentials for merge commands? (or alternatively make sure that all relevant LFS objects are pulled before attempting the merge, I guess)

           

          Emil Styrke added a comment - I am getting bitten by this as well now, in git plugin version 3.8.0:  Checking out git http: //<bitbucket_server>/<repo>.git http://<bitbucket_server>/<repo>.git into / var /lib/jenkins/workspace/<repo>_PR-109-ZFFDADYA3J6CFXJFIAHHACXI6SU7323HOW62DUSZOKSYPGIJTAKA@script to read Jenkinsfile > git rev-parse --is-inside-work-tree # timeout=10 Fetching changes from 2 remote Git repositories > git config remote.origin.url http: //<bitbucket_server>/<repo>.git # timeout=10 Fetching upstream changes from http: //<bitbucket_server>/<repo>.git > git --version # timeout=10 using GIT_ASKPASS to set credentials Jenkins @ Bitbucket > git fetch --tags --progress http: //<bitbucket_server>/<repo>.git +refs/pull-requests/109/from:refs/remotes/origin/PR-109 > git config remote.upstream.url http: //<bitbucket_server>/<repo>.git # timeout=10 Fetching upstream changes from http: //<bitbucket_server>/<repo>.git using GIT_ASKPASS to set credentials Jenkins @ Bitbucket > git fetch --tags --progress http: //<bitbucket_server>/<repo>.git +refs/heads/release/VER_4-17:refs/remotes/upstream/release/VER_4-17 Merging remotes/upstream/release/VER_4-17 commit 9e203652b8fabc0062fd8a6c8f0f6c3d30d96dcf into PR head commit 366c0da12a0856d527cf40b87d61ed9b30662283 Enabling Git LFS pull > git config core.sparsecheckout # timeout=10 > git checkout -f 366c0da12a0856d527cf40b87d61ed9b30662283 > git config --get remote.origin.url # timeout=10 using GIT_ASKPASS to set credentials Jenkins @ Bitbucket > git lfs pull origin > git merge 9e203652b8fabc0062fd8a6c8f0f6c3d30d96dcf # timeout=10 And the last command hangs until it times out because "GIT_ASKPASS" is set to "echo". markewaite , would it be possible to let the "git lfs pull" behavior implementation add the necessary credentials for merge commands? (or alternatively make sure that all relevant LFS objects are pulled before attempting the merge, I guess)  

            Unassigned Unassigned
            asmorkalov Alexander Smorkalov
            Votes:
            15 Vote for this issue
            Watchers:
            25 Start watching this issue

              Created:
              Updated:
              Resolved: