Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64060

Can't clone private git repo with username and password at a slave servers

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: git-client-plugin
    • Labels:
      None
    • Environment:
      CentOS 7.8.2003
      Jenkins 2.262
    • Similar Issues:

      Description

      We use lot's of pipelines jobs which are relies on our github credentials.

      Our private repos use 2fa, so we use our github username and a token as a password.

      But somehow we can't use that credentials for `checkout` step at slaves server, though it work fine at master.

      Steps to reproduce:

      • create repo with 2fa at github
      • get user's token
      • create "Username wit password"credential with global scope in Jenkins
      • add jenkins slave
      • create the following job

       

      pipeline {
  agent { label 'jenkins-slave'}
  stages {
    stage('checkout'){
        steps {
            checkout([$class: 'GitSCM', branches: [[name: '*/master']], doGenerateSubmoduleConfigurations: false, extensions: [], submoduleCfg: [], userRemoteConfigs: [[credentialsId: 'f7e97206-bd72-4f1c-88dd-9d3d1709eea2', url: 'git@github.com:some/private-repo.git']]])
        }
    }
  }
}

      On a master it works fine, but on a slave I get this error:

       

       

       

      Started by user test
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] node
Running on srv in /vol2/jenkins_agent/workspace/debug-ci
[Pipeline] {
[Pipeline] stage
[Pipeline] { (checkout)
[Pipeline] checkout
Selected Git installation does not exist. Using Default
The recommended git tool is: NONE
using credential f7e97206-bd72-4f1c-88dd-9d3d1709eea2
Fetching changes from the remote Git repository
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from git@github.com:some/private-repo.git
        at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:996)
        at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1237)
        at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1297)
        at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:125)
        at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93)
        at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80)
        at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress -- git@github.com:some/private-repo.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout: 
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.Please make sure you have the correct access rights
and the repository exists.        at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450)
        at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051)
        at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
        at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:573)
        at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:161)
        at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:154)
        at hudson.remoting.UserRequest.perform(UserRequest.java:211)
        at hudson.remoting.UserRequest.perform(UserRequest.java:54)
        at hudson.remoting.Request$2.run(Request.java:375)
        at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:73)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:118)
        ... 1 more
        Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to JNLP4-connect connection from <ip-addr-here>
                at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1800)
                at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
                at hudson.remoting.Channel.call(Channel.java:1001)
                at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
                at sun.reflect.GeneratedMethodAccessor811.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
                at com.sun.proxy.$Proxy108.execute(Unknown Source)
                at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:994)
                at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1237)
                at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1297)
                at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:125)
                at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93)
                at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80)
                at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
                at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                ... 1 more
[Pipeline] }
[Pipeline] // stage
 > git rev-parse --is-inside-work-tree # timeout=10
 > git config remote.origin.url git@github.com:some/private-repo.git # timeout=10
Fetching upstream changes from git@github.com:some/private-repo.git
 > git --version # timeout=10
 > git --version # 'git version 2.14.0'
using GIT_ASKPASS to set credentials jenkins user at github
 > git fetch --tags --progress -- git@github.com:some/private-repo.git +refs/heads/*:refs/remotes/origin/* # timeout=10
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
[Checks API] No suitable checks publisher found.
ERROR: Error fetching remote repo 'origin'
Finished: FAILURE

      Interesting, that multibranch pipelines which are use the same credentials seems to work fine on slaves.

       

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          Hide
          Permalink
          markewaite Mark Waite added a comment - - edited

          Please don't use the Jenkins issue tracker to request help with configuration issues that are specific to your environment. There are very few people that read Jenkins issues for the git plugin and they tend to be the same people that maintain the git plugin or other components.

          Please share the information in the Jenkins user mailing list or in the Jenkins gitter chat channel and allow other users to assist you. There are many, many more users than there are plugin maintainers.

          In this specific case, you are mixing two different types of credentials. The checkout command is referring to a git repository with the ssh protocol git@github.com:owner/repo.git but the credential you've created ("Username with password") is only used for http and https protocol repositories. You need to create a private key credential and use that private key credential in the checkout statement.

          The checkout probably works on the controller ("master") because of a "happy accident" that you need to investigate. The account that is running the controller probably has an ssh private key available that allows it access to that repository. I prefer to not have private keys installed in the user account of the controller because then any job running on the controller can use the credentials from that user account.

          Show
          markewaite Mark Waite added a comment - - edited Please don't use the Jenkins issue tracker to request help with configuration issues that are specific to your environment. There are very few people that read Jenkins issues for the git plugin and they tend to be the same people that maintain the git plugin or other components. Please share the information in the Jenkins user mailing list or in the Jenkins gitter chat channel and allow other users to assist you. There are many, many more users than there are plugin maintainers. In this specific case, you are mixing two different types of credentials. The checkout command is referring to a git repository with the ssh protocol git@github.com:owner/repo.git but the credential you've created ("Username with password") is only used for http and https protocol repositories. You need to create a private key credential and use that private key credential in the checkout statement. The checkout probably works on the controller ("master") because of a "happy accident" that you need to investigate. The account that is running the controller probably has an ssh private key available that allows it access to that repository. I prefer to not have private keys installed in the user account of the controller because then any job running on the controller can use the credentials from that user account.
          Hide
          Permalink
          kompastver Pavel Znamensky added a comment -

          Mark Waite, it was quite unobvious for me, that the reason was in the type of credentials.

          Though, now it looks very logical.
          Plus it works on the master, but not on slaves; thus, I believed that there was a bug.
          I appreciate what you and other maintainers do and sorry for the interrupting.
          And thanks for the explanation!

          Show
          kompastver Pavel Znamensky added a comment - Mark Waite , it was quite unobvious for me, that the reason was in the type of credentials. Though, now it looks very logical. Plus it works on the master, but not on slaves; thus, I believed that there was a bug. I appreciate what you and other maintainers do and sorry for the interrupting. And thanks for the explanation!

            People

            Assignee:
            markewaite Mark Waite
            Reporter:
            kompastver Pavel Znamensky
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: