Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Not A Defect
-
Component/s: git-client-plugin
-
Labels:None
-
Environment:CentOS 7.8.2003
Jenkins 2.262
-
Similar Issues:
Description
We use lot's of pipelines jobs which are relies on our github credentials.
Our private repos use 2fa, so we use our github username and a token as a password.
But somehow we can't use that credentials for `checkout` step at slaves server, though it work fine at master.
Steps to reproduce:
- create repo with 2fa at github
- get user's token
- create "Username wit password"credential with global scope in Jenkins
- add jenkins slave
- create the following job
pipeline { agent { label 'jenkins-slave'} stages { stage('checkout'){ steps { checkout([$class: 'GitSCM', branches: [[name: '*/master']], doGenerateSubmoduleConfigurations: false, extensions: [], submoduleCfg: [], userRemoteConfigs: [[credentialsId: 'f7e97206-bd72-4f1c-88dd-9d3d1709eea2', url: 'git@github.com:some/private-repo.git']]]) } } } }
On a master it works fine, but on a slave I get this error:
Started by user test Running in Durability level: MAX_SURVIVABILITY [Pipeline] Start of Pipeline [Pipeline] node Running on srv in /vol2/jenkins_agent/workspace/debug-ci [Pipeline] { [Pipeline] stage [Pipeline] { (checkout) [Pipeline] checkout Selected Git installation does not exist. Using Default The recommended git tool is: NONE using credential f7e97206-bd72-4f1c-88dd-9d3d1709eea2 Fetching changes from the remote Git repository ERROR: Error fetching remote repo 'origin' hudson.plugins.git.GitException: Failed to fetch from git@github.com:some/private-repo.git at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:996) at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1237) at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1297) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:125) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80) at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress -- git@github.com:some/private-repo.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: stdout: stderr: Permission denied (publickey). fatal: Could not read from remote repository.Please make sure you have the correct access rights and the repository exists. at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84) at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:573) at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:161) at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:154) at hudson.remoting.UserRequest.perform(UserRequest.java:211) at hudson.remoting.UserRequest.perform(UserRequest.java:54) at hudson.remoting.Request$2.run(Request.java:375) at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:73) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:118) ... 1 more Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to JNLP4-connect connection from <ip-addr-here> at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1800) at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357) at hudson.remoting.Channel.call(Channel.java:1001) at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146) at sun.reflect.GeneratedMethodAccessor811.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132) at com.sun.proxy.$Proxy108.execute(Unknown Source) at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:994) at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1237) at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1297) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:125) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93) at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80) at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ... 1 more [Pipeline] } [Pipeline] // stage > git rev-parse --is-inside-work-tree # timeout=10 > git config remote.origin.url git@github.com:some/private-repo.git # timeout=10 Fetching upstream changes from git@github.com:some/private-repo.git > git --version # timeout=10 > git --version # 'git version 2.14.0' using GIT_ASKPASS to set credentials jenkins user at github > git fetch --tags --progress -- git@github.com:some/private-repo.git +refs/heads/*:refs/remotes/origin/* # timeout=10 [Pipeline] } [Pipeline] // node [Pipeline] End of Pipeline [Checks API] No suitable checks publisher found. ERROR: Error fetching remote repo 'origin' Finished: FAILURE
Interesting, that multibranch pipelines which are use the same credentials seems to work fine on slaves.
Please don't use the Jenkins issue tracker to request help with configuration issues that are specific to your environment. There are very few people that read Jenkins issues for the git plugin and they tend to be the same people that maintain the git plugin or other components.
Please share the information in the Jenkins user mailing list or in the Jenkins gitter chat channel and allow other users to assist you. There are many, many more users than there are plugin maintainers.
In this specific case, you are mixing two different types of credentials. The checkout command is referring to a git repository with the ssh protocol git@github.com:owner/repo.git but the credential you've created ("Username with password") is only used for http and https protocol repositories. You need to create a private key credential and use that private key credential in the checkout statement.
The checkout probably works on the controller ("master") because of a "happy accident" that you need to investigate. The account that is running the controller probably has an ssh private key available that allows it access to that repository. I prefer to not have private keys installed in the user account of the controller because then any job running on the controller can use the credentials from that user account.