[JIRA] (JENKINS-61016) Git LFS clone failing when using credentials via GIT

colin.newell@gmail.com (JIRA)

unread,

Feb 7, 2020, 11:31:03 AM2/7/20

to jenkinsc...@googlegroups.com

Colin Newell created an issue

Jenkins /

JENKINS-61016

Git LFS clone failing when using credentials via GIT_SSH

Issue Type:	Bug
Assignee:	Mark Waite
Components:	git-plugin
Created:	2020-02-07 16:30
Priority:	Minor
Reporter:	Colin Newell

When using git lfs and cloning a repo that uses a set of credentials that are hooked up via the GIT_SSH environment variable the 'pull' fails.

 
                                                                using credential xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Cloning the remote Git repository
Cloning repository g...@bitbucket.org:someorg/ourrepo.git
 > git init /home/jenkins2/workspace/ourrepo # timeout=10 
Fetching upstream changes from g...@bitbucket.org:someorg/ourrepo.git
 > git --version # timeout=10
using GIT_SSH to set credentials Our Bitbucket PR Builder
 > git fetch --tags --progress g...@bitbucket.org:someorg/ourrepo.git +refs/heads/*:refs/remotes/origin/* # timeout=10 
 > git config remote.origin.url g...@bitbucket.org:someorg/ourrepo.git # timeout=10 
 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10 
 > git config remote.origin.url g...@bitbucket.org:someorg/ourrepo.git # timeout=10 
Fetching upstream changes from g...@bitbucket.org:someorg/ourrepo.git
using GIT_SSH to set credentials Our Bitbucket PR Builder
 > git fetch --tags --progress g...@bitbucket.org:someorg/ourrepo.git +refs/heads/*:refs/remotes/origin/* # timeout=10 
Checking out Revision fffffffffff2883fd545b3723b59dccd234c90e5 (refs/remotes/origin/master)
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
 > git config core.sparsecheckout # timeout=10
 > git checkout -f ffffffffffff883fd545b3723b59dccd234c90e5 # timeout=10
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
hudson.plugins.git.GitException: Command "git checkout -f ffffffffff32883fd545b3723b59dccd234c90e5" returned status code 128:
stdout:
stderr: Downloading code/someClassification.model (50 KB)
Error downloading object: code/someClassification.model (951f9b4): Smudge error: Error downloading code/someClassification.model (fffffffffffffffffffffffffffffffffffffffffffffffffffffffff6a35802): batch request: Permission denied (publickey).: exit status 255Errors logged to /home/jenkins2/workspace/ourrepo/.git/lfs/logs/20200207T160753.778675346.log
Use `git lfs logs last` to view the log.
error: external filter 'git-lfs filter-process' failed
fatal: code/someClassification.model: smudge filter lfs failed    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2298)
 
                                                            

Jenkins logs the line 'using GIT_SSH' before each of the commands where it expects to be using ssh to download content from the network, the git checkout line isn't one of those.

If I replicate the problem, I can fix it locally by doing the exact same git checkout, but if I have GIT_SSH setup to sort out the credentials it will work.

The config for this job is in a Jenkinsfile where I've asked it to do an LFS pull too:

 
                                                                                checkout([$class: 'GitSCM',
                        branches: [[name: '*/master']],
                        doGenerateSubmoduleConfigurations: false,
                        extensions: [[$class: 'GitLFSPull']],
                        submoduleCfg: [],
                        userRemoteConfigs: [[credentialsId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
                        url: 'g...@bitbucket.org:someorg/ourrepo.git']]])

 
                                                            

When doing git lfs, and using credentials that are provided using the GIT_SSH env var I would expect it to run the git checkout step with the env var setup so that the checkout works.

Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

mark.earl.waite@gmail.com (JIRA)

unread,

Feb 7, 2020, 11:38:03 AM2/7/20

to jenkinsc...@googlegroups.com

Mark Waite assigned an issue to Unassigned

Jenkins /

JENKINS-61016

Git LFS clone failing when using credentials via GIT_SSH

Change By:	Mark Waite
Assignee:	Mark Waite

Add Comment

mark.earl.waite@gmail.com (JIRA)

unread,

Feb 7, 2020, 11:43:04 AM2/7/20

to jenkinsc...@googlegroups.com

Mark Waite commented on

JENKINS-61016

Re: Git LFS clone failing when using credentials via GIT_SSH

Please explain further what you mean by

uses a set of credentials that are hooked up via the GIT_SSH environment variable

Are you defining a GIT_SSH environment variable without using a Jenkins credential?

If so, then why are you providing the credential ID in the userRemoteConfigs portion of the Jenkinsfile?

The plugin definitely clones repositories using both the SSH protocol and the HTTPS protocol when Git LFS is enabled.

Add Comment

mark.earl.waite@gmail.com (JIRA)

unread,

Feb 7, 2020, 11:44:03 AM2/7/20

to jenkinsc...@googlegroups.com

Mark Waite edited a comment on

JENKINS-61016

Re: Git LFS clone failing when using credentials via GIT_SSH

Please explain further what you mean by

bq. uses a set of credentials that are hooked up via the GIT_SSH environment variable

Are you defining a {{GIT_SSH}} environment variable without using a Jenkins credential?

If so, then why are you providing the credential ID in the userRemoteConfigs portion of the Jenkinsfile?

If not, then please describe in more detail how you are performing the checkout and how others can duplicate the issue you are seeing.

The plugin definitely clones repositories using both the SSH protocol and the HTTPS protocol when Git LFS is enabled.

Add Comment

colin.newell@gmail.com (JIRA)

unread,

Feb 7, 2020, 11:52:02 AM2/7/20

to jenkinsc...@googlegroups.com

Colin Newell commented on

JENKINS-61016

Re: Git LFS clone failing when using credentials via GIT_SSH

We have an ssh username with private key setup in the Jenkins Credentials.

In our checkout stage of our pipeline build we are calling checkout providing it with which set of credentials to use. The GIT_LFS env var is something I noticed from the logs.

The git fetch does indeed work as you'd expect, and before each of those lines you'll notice the log says 'using GIT_SSH to set credentials'. I assume it uses that env var to setup the ssh command to point to the key it must manage on the worker box.

The checkout however chokes because it tries to ssh over to grab the lfs files and that env var isn't set, and there aren't credentials that will work available by other means.

Add Comment

colin.newell@gmail.com (JIRA)

unread,

Feb 7, 2020, 12:00:03 PM2/7/20

to jenkinsc...@googlegroups.com

Colin Newell commented on

JENKINS-61016

Re: Git LFS clone failing when using credentials via GIT_SSH

Thinking about this some more, I haven't tried downloading the latest Jenkins to verify that it's not something that hasn't already been fixed. I should try to replicate with a fresh (new) Jenkins.