[JIRA] (JENKINS-53877) sshagent + git checkout on local agent: ssh key not found
Title: Message Title Thomas Riccardi commented on JENKINS-53877 Re: sshagent + git checkout on local agent: ssh key not found I don't understand what you're trying to accomplish. Can you explain further why you're not passing a Jenkins credential to the `git` Pipeline step rather than passing an empty string as the argument to ssh-agent and then adding the default private key? I'm sorry, I made a typo in my example. I now fixed it: the credentialsId in`sshagent` should not be empty (that's what happens when you clean sensitive data from examples...): I want to make available a ssh key handled by jenkins. (Side note: What do you mean by "adding the default private key"? Is there a notion of "default private key" ? or does it just rely on other mechanisms for authentication (standard ssh, outside of jenkins) (that's what I believe).) My end-goal is more complex, and I reduced one possible solution to it to this issue. There may indeed be alternate solutions. (But I believe this simple issue is still valid and should ideally be fixed anyway). In this simple case, I am trying to accomplish the following: use `sshagent` to setup an ssh key handled by jenkins credentials use that previously setup ssh key in git commands with a git+ssh remote I could indeed just use `sh 'git'` but it would make less sense in my more complex/initial case/scenario. More complex case: use `checkout` with recursive submodules checkout, where the submodules use a different credentials than the parent repository This is not that unusual when: using `multi branch pipeline` with `github branch source`: the latter imposes HTTPS git clone (because it re-uses the only credentials it asks, which is only of type user/apikey-as-password, because it needs API access to implement branch/tags discovery and such) submodule remotes URLs are git+ssh:// URLs (submodule URLs are hardcoded in the parent git repository, not configurable from the jenkins pipeline) In this case I have the parent repo cloned with HTTPS, using a specified user/password credentials, then when trying to checkout the submodules, I here need a ssh key. I tried to work around this limitation by using the `sshagent` to make available the need ssh key for submodules: it didn't work, and this lead me to the simple case I initially reported here. Maybe I should open a second issue for the more general case? Other workarounds could be: be able to specify credentials for submodules on `checkout` (I have many submodules, so it would be great with a "default credential" for all submodules for this `checkout`, or something along these lines) be able to give a second credentials to `github branch source` of type ssh key so that it uses the apikey for the api, and the
[JIRA] (JENKINS-53877) sshagent + git checkout on local agent: ssh key not found
Title: Message Title
Thomas Riccardi updated an issue
Jenkins / JENKINS-53877
sshagent + git checkout on local agent: ssh key not found
Change By:
Thomas Riccardi
sshagent + git checkout doesn't seem to work: the `SSH_AUTH_SOCK` env var disappears from the git process environment, and thus the ssh-agent is not available to ssh started by git... Scenario:- create a ssh key credentials `ssh-key`- create a pipeline job with Jenkinsfile:{code:groovy}node {stage('Preparation') {sshagent ([' my-ssh-key ']) {sh 'printenv'sh 'ssh-add -l'git 'g...@github.com:foo/bar.git'}}}{code}- run created jobExpected result:ssh started by git finds the correct ssh key via the ssh agent.Actual Result:- git fetch fails : no valid ssh key found- `ssh-add -l` works though, and shows the key added by `sshagent`Other tests:- `checkout` scm instead of `git` command: same behavior: it fails to find the key- direct `sh 'ssh -vvv g...@github.com'` worksMore digging:- configure a git wrapper as `git` tool in global jenkins config to observe what happens:{code:bash}#!/bin/bash printenv >& /tmp/$$.git-envssh-add -l >& /tmp/$$.git-ssh-add-listexport GIT_TRACE=1export GIT_SSH_COMMAND="ssh -vvv" git "${@}"{code}- run job againResult:- `ssh-add -l` fails: "Could not open a connection to your authentication agent."- `printenv` shows `SSH_AUTH_SOCK` env var is *not* here, which explains why the ssh agent is not usable/usedSo the remaining question is: why is the `SSH_AUTH_SOCK` env var removed when executing git commands ?
Add Comment
[JIRA] (JENKINS-53877) sshagent + git checkout on local agent: ssh key not found
Title: Message Title Mark Waite commented on JENKINS-53877 Re: sshagent + git checkout on local agent: ssh key not found I don't understand what you're trying to accomplish. Can you explain further why you're not passing a Jenkins credential to the `git` Pipeline step rather than passing an empty string as the argument to ssh-agent and then adding the default private key? Doesn't the ssh-add technique that you're using require that you place the private key into the ~/.ssh directory of each user that runs an agent? Passing a Jenkins credential will avoid that agent-specific configuration and will simplify the build script. If you truly need fine-grained control of the git command, you might choose to place the git command inside an `sh` step that is wrapped by the ssh-agent command. If you've decided that you're not using Jenkins credentials to manage credentials, you can probably just as readily decide that you won't use the git plugin to manage checkout. Note that I have not attempted the steps you've described, so I don't know if there is a way to accomplish what you're describing. I won't duplicate the bug report until later. I wanted to ask the clarifying questions before I invest the time to duplicate what you've described. Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-53877) sshagent + git checkout on local agent: ssh key not found
Title: Message Title
Thomas Riccardi created an issue
Jenkins / JENKINS-53877
sshagent + git checkout on local agent: ssh key not found
Issue Type:
Bug
Assignee:
Mark Waite
Components:
git-plugin, ssh-agent-plugin
Created:
2018-10-02 17:24
Environment:
Jenkins 2.138.1 (from docker) plugins up-to-date as of 2018-10-02 17:00:00 UTC
Labels:
sshagent git checkout
Priority:
Minor
Reporter:
Thomas Riccardi
sshagent + git checkout doesn't seem to work: the `SSH_AUTH_SOCK` env var disappears from the git process environment, and thus the ssh-agent is not available to ssh started by git... Scenario:
create a ssh key credentials `ssh-key`
create a pipeline job with Jenkinsfile:
node {
stage('Preparation') {
sshagent (['']) {
sh 'printenv'
sh 'ssh-add -l'
git 'g...@github.com:foo/bar.git'
}
}
}
run created job
Expected result: ssh started by git finds the correct ssh key via the
