[JIRA] [git-client-plugin] (JENKINS-20941) Stored git credentials not used when submodule is updated

1,073 views
Skip to first unread message

jared.szechy@gmail.com (JIRA)

unread,
Jun 26, 2015, 5:10:07 PM6/26/15
to jenkinsc...@googlegroups.com
Jared Szechy commented on Bug JENKINS-20941
 
Re: Stored git credentials not used when submodule is updated

This issue still exists.

For the fetch of the main repo it uses...

using GIT_SSH to set credentials Kiln SSH Key

The error is: FATAL: Command "git submodule update --init --recursive" returned status code 1

The fix is probably to simply prefix the git submodule command with the GIT_SSH='.....' environment variable.
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
Atlassian logo

luvarga@gmail.com (JIRA)

unread,
Jul 3, 2015, 8:46:02 AM7/3/15
to jenkinsc...@googlegroups.com

Workaround is to save your key in /var/lib/jenkins/.ssh/id_rsa file and than it works. In jenkins credentials I have changed custom file to this custom file. No passphrase on private key.

rohel01@gmail.com (JIRA)

unread,
Aug 26, 2015, 11:25:07 AM8/26/15
to jenkinsc...@googlegroups.com

This issue does not seem specific to ssh authentification. User/password based update show the same behavior.

FATAL: Command "git submodule update" returned status code 1:
stdout: Cloning into 'subrepo'...

stderr: fatal: Authentication failed
Clone of 'http://*****/stash/scm/test/subrepo.git' into submodule path 'subrepo' failed

hudson.plugins.git.GitException: Command "git submodule update" returned status code 1:
stdout: Cloning into 'subdepot'...

stderr: fatal: Authentication failed
Clone of 'http://****/stash/scm/test/subrepo.git' into submodule path 'subrepo' failed

	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1572)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:62)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$6.execute(CliGitAPIImpl.java:874)
	at hudson.plugins.git.extensions.impl.SubmoduleOption.onCheckoutCompleted(SubmoduleOption.java:83)
	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1047)
	at hudson.scm.SCM.checkout(SCM.java:485)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1276)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:610)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:532)
	at hudson.model.Run.execute(Run.java:1744)
	at hudson.matrix.MatrixBuild.run(MatrixBuild.java:306)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:374)
Finished: FAILURE

Current workaround is to allow anonymous read access for all involved repo and subrepos.

There are pending PR in Github that seems to address this long standing issue. Maybe we should help getting them merged ?

rohel01@gmail.com (JIRA)

unread,
Aug 26, 2015, 11:25:25 AM8/26/15
to jenkinsc...@googlegroups.com
Michaël Melchiore edited a comment on Bug JENKINS-20941
This issue does not seem specific to ssh authentification. User/password based update show the same behavior.

{noformat}

FATAL: Command "git submodule update" returned status code 1:
stdout: Cloning into 'subrepo'...

stderr: fatal: Authentication failed
Clone of 'http://*****/stash/scm/test/subrepo.git' into submodule path 'subrepo' failed

hudson.plugins.git.GitException: Command "git submodule update" returned status code 1:
stdout: Cloning into ' subdepot subrepo '...

stderr: fatal: Authentication failed
Clone of 'http://****/stash/scm/test/subrepo.git' into submodule path 'subrepo' failed


at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1572)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:62)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$6.execute(CliGitAPIImpl.java:874)
at hudson.plugins.git.extensions.impl.SubmoduleOption.onCheckoutCompleted(SubmoduleOption.java:83)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1047)
at hudson.scm.SCM.checkout(SCM.java:485)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1276)
at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:610)
at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:532)
at hudson.model.Run.execute(Run.java:1744)
at hudson.matrix.MatrixBuild.run(MatrixBuild.java:306)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:374)
Finished: FAILURE
{noformat}


Current workaround is to allow anonymous read access for all involved repo and subrepos.

There are [pending|https://github.com/jenkinsci/git-plugin/pull/342] [PR|https://github.com/jenkinsci/git-client-plugin/pull/180] in Github that seems to address this long standing issue. Maybe we should help getting them merged ?

mark.earl.waite@gmail.com (JIRA)

unread,
Aug 26, 2015, 11:51:05 PM8/26/15
to jenkinsc...@googlegroups.com

I'd certainly love to see more unit tests of submodules, since the current unit tests cover very little on submodules. There are so many ways that submodule checkout and update and init could fail and tests to check behavior will help us preserve the behaviors in the future.

ncarpenter@ebsco.com (JIRA)

unread,
Sep 13, 2015, 7:35:05 PM9/13/15
to jenkinsc...@googlegroups.com

Just adding in that there are 69 votes at time of writing for this....

Confirmed to fail with GitBash 1.9.5 on 2008R2 and 2012. Also failing on RHEL 7.1. We are using HTTP.

mark.earl.waite@gmail.com (JIRA)

unread,
Sep 13, 2015, 7:54:02 PM9/13/15
to jenkinsc...@googlegroups.com

I'm glad to hear that there is still interest. Jacob Keller is actively developing and testing two pull requests to implement authentication for git submodules. The pull requests are git-client-plugin PR180 and git-plugin PR342.

The git client plugin pull request makes a fundamental change to the authentication inside the plugin, so it is higher risk than most pull requests. It will need a deep beta test cycle. In the comments on the pull request you can usually find a link to a recent build of the pull request if you'd like to test with a pre-release of the plugin.

The current git plugin pull request is struggling to place the user interface settings for credentials into the correct part of the git plugin user interface. It will also need a deep beta test cycle. In the comments on the pull request you can usually find a link to a recent build of the pull request.

mark.earl.waite@gmail.com (JIRA)

unread,
Sep 14, 2015, 7:27:18 PM9/14/15
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-20941
I'm glad to hear that there is still interest.  Jacob Keller is actively developing and testing two pull requests to implement authentication for git submodules.  The pull requests are [git-client-plugin PR180|https://github.com/jenkinsci/git-client-plugin/pull/180] and [git-plugin PR342|https://github.com/jenkinsci/git-plugin/pull/342].


The git client plugin pull request makes a fundamental change to the authentication inside the plugin, so it is higher risk than most pull requests. It will need a deep beta test cycle.  In the comments on the pull request you can usually find a link to a recent build of the pull request if you'd like to test with a pre-release of the plugin.

The current git plugin pull request is struggling to place the user interface settings for credentials into the correct part of the git plugin user interface.  It will also need a deep beta test cycle.  In the comments on the pull request you can usually find a link to a recent build of the pull request.


Comments from users who have deployed the pre-release build are much appreciated and are one of the best ways to help with the delivery of this request.

pto@linuxbog.dk (JIRA)

unread,
Sep 23, 2015, 12:34:04 PM9/23/15
to jenkinsc...@googlegroups.com

Sure that I have big interest in this (discussed yesterday in

JENKINS-29604 ). I can test this too Mark

jgfouca@sandia.gov (JIRA)

unread,
Oct 11, 2015, 5:20:19 PM10/11/15
to jenkinsc...@googlegroups.com

My project just added submodules to our repository and this bug has become a show-stopper for us.

mark.earl.waite@gmail.com (JIRA)

unread,
Oct 11, 2015, 5:55:13 PM10/11/15
to jenkinsc...@googlegroups.com

James Foucar you're welcome to test the proposed patch as well. I believe we are months away from allowing this change into the main plugin because of the breadth of the change.

jgfouca@sandia.gov (JIRA)

unread,
Oct 12, 2015, 1:23:09 PM10/12/15
to jenkinsc...@googlegroups.com

Sorry for the newbie question, how would I obtain and install the patch in my Jenkins instance?

mark.earl.waite@gmail.com (JIRA)

unread,
Oct 12, 2015, 1:43:03 PM10/12/15
to jenkinsc...@googlegroups.com

There isn't a standard way to obtain the build for a pull request, but you can grab the builds that I created and used for some of my testing as the git-client-plugin.hpi and git-plugin.hpi. Use the "Manage Plugins" / "Advanced" page to upload those two hpi files. Those are not released plugin versions. They are prototypes that I've used in my testing and evaluation of the pull requests.

That will add two new "Additional Behaviours" to the git section of your jobs which use git as their SCM. One of those is to add credentials for specific repository URLs. The other is to add default credentials for those repository URLs which don't match the specific repositories. That is likely not the way the plugin will ultimately be implemented when it is released, but it gives you a chance to experiment with the current implementation and provide feedback on any problems you detect.

sam.mxracer@gmail.com (JIRA)

unread,
Oct 12, 2015, 2:28:10 PM10/12/15
to jenkinsc...@googlegroups.com
Sam Gleske edited a comment on Bug JENKINS-20941
You have to:

# build the  {{  git-client-plugin }}  and  {{  git-plugin }}  from source with those merge requests merged locally.
# Run a local instance of Jenkins
# install the *.hpi files manually (by copying to the JENKINS_HOME/plugins folder or by using the web UI plugin manager advanced tab).
# Restart Jenkins and start testing.

In a nutshell, here's how you do that (assuming you have prerequisite Java and Maven installed).  I'm building with jdk 1.8.0_60 and maven 3.2.3 on Mac OS X 10.9.5.

Build {{git-client-plugin}}:

{code}
git clone g...@github.com:jenkinsci/git-client-plugin.git
cd git-client-plugin
git fetch origin refs/pull/180/head
git checkout FETCH_HEAD
mvn package
{code}

Build {{git-plugin}}:

{code}
git clone g...@github.com:jenkinsci/git-plugin.git
cd git-plugin
git fetch origin refs/pull/342/head
git checkout FETCH_HEAD
mvn package
{code}

Then you copy {{target/*.hpi}} files into the plugins directory.  Keep in mind I could not successfully build either of those pull requests.  So I doubt there's a decent way to test them at this time.  The OP would need to post more environment information (version of java used, version of maven used, etc) before this could be built correctly.

sam.mxracer@gmail.com (JIRA)

unread,
Oct 12, 2015, 2:28:10 PM10/12/15
to jenkinsc...@googlegroups.com

You have to:

  1. build the git-client-plugin and git-plugin from source with those merge requests merged locally.
  1. Run a local instance of Jenkins
  1. install the *.hpi files manually (by copying to the JENKINS_HOME/plugins folder or by using the web UI plugin manager advanced tab).
  1. Restart Jenkins and start testing.

In a nutshell, here's how you do that (assuming you have prerequisite Java and Maven installed). I'm building with jdk 1.8.0_60 and maven 3.2.3 on Mac OS X 10.9.5.

Build git-client-plugin:

git clone g...@github.com:jenkinsci/git-client-plugin.git
cd git-client-plugin
git fetch origin refs/pull/180/head
git checkout FETCH_HEAD
mvn package

Build git-plugin:

git clone g...@github.com:jenkinsci/git-plugin.git
cd git-plugin
git fetch origin refs/pull/342/head
git checkout FETCH_HEAD
mvn package

Then you copy target/*.hpi files into the plugins directory. Keep in mind I could not successfully build either of those pull requests. So I doubt there's a decent way to test them at this time. The OP would need to post more environment information (version of java used, version of maven used, etc) before this could be built correctly.

sam.mxracer@gmail.com (JIRA)

unread,
Oct 12, 2015, 2:31:02 PM10/12/15
to jenkinsc...@googlegroups.com
Sam Gleske edited a comment on Bug JENKINS-20941
You have to:

# build the {{git-client-plugin}} and {{git-plugin}} from source with those merge requests merged locally.
# Run a local instance of Jenkins
# install the *.hpi files manually (by copying to the JENKINS_HOME/plugins folder or by using the web UI plugin manager advanced tab).
# Restart Jenkins and start testing.


In a nutshell, here's how you do that (assuming you have prerequisite Java and Maven installed).  I'm building with jdk 1.8.0_60 and maven 3.2.3 on Mac OS X 10.9.5.

Build {{git-client-plugin}}:

{code}

git clone g...@github.com:jenkinsci/git-client-plugin.git
cd git-client-plugin
git fetch origin refs/pull/180/head
git checkout FETCH_HEAD
mvn package
{code}

Build {{git-plugin}}:

{code}

git clone g...@github.com:jenkinsci/git-plugin.git
cd git-plugin
git fetch origin refs/pull/342/head
git checkout FETCH_HEAD
mvn package
{code}


Then you copy {{target/*.hpi}} files into the plugins directory.  Keep in mind I could not successfully build either of those pull requests.  So I doubt there's a decent way to test them at this time.  The OP would need to post more environment information (version of java used, version of maven used, etc) before this could be built correctly.


I found those pull requests with {{git ls-remote}}.  e.g.

{code}
git ls-remote origin | grep 180
{code}

mark.earl.waite@gmail.com (JIRA)

unread,
Oct 12, 2015, 2:50:03 PM10/12/15
to jenkinsc...@googlegroups.com

Sam Gleske your steps should work fine, so long as you use Java 7 and not Java 8. Because there are many Jenkins versions on which the git client plugin and the git plugin are supported and users like to update their plugins, (even if they don't update their main Jenkins), the git plugin and the git client plugin both depend on Jenkins versions which require Java 7 to build.

The Jenkins blog has announced the end of Java 6 support in April 2015, with Jenkins versions after 1.609. The end of Java 7 support is likely a long ways in the future.

Git plugin and git client plugin builds using Java 8 probably won't happen until a year (or more) after Jenkins stops supporting Java 7.

mark.earl.waite@gmail.com (JIRA)

unread,
Oct 12, 2015, 2:53:03 PM10/12/15
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-20941
[~sag47] your steps should work fine, so long as you use Java 7 and not Java 8.  Because there are many Jenkins versions on which the git client plugin and the git plugin are supported and users like to update their plugins, (even if they don't update their main Jenkins), the git plugin and the git client plugin both depend on Jenkins versions which require Java 7 to build.

The Jenkins blog has announced the [end of Java 6 support|http://jenkins-ci.org/content/good-bye-java6] in April 2015, with Jenkins versions after 1.609.  The end of Java 7 support is likely a long ways in the future.


Git plugin and git client plugin builds using Java 8 probably won't happen until a year (or more) after Jenkins stops supporting Java 7.


The Cloudbees Jenkins instances which monitor pull requests ([git-client-plugin|https://jenkins.ci.cloudbees.com/job/plugins/job/git-client-plugin/] and [git-plugin|https://jenkins.ci.cloudbees.com/job/plugins/job/git-plugin/]) also can be used to grab working builds of a pull request.  However, the work to find the specific pull request you're seeking (search through the list of builds, find your pull request, then browse the artifacts of that build to grab the hpi file) is too painful for most users.

mark.earl.waite@gmail.com (JIRA)

unread,
Nov 4, 2015, 5:32:03 PM11/4/15
to jenkinsc...@googlegroups.com

The git client plugin 1.20.0-beta1 and git plugin 2.5.0-beta1 have been released to the experimental update center. They include Jacob Keller's git client plugin extensions for submodule authentication support and his addition of a checkbox to the submodule "Additional Behaviours" which will allow all submodules of a particular git repository to attempt to use the same credentials which were used with the parent repository.

This will need significant beta testing before it can be merged to the master branch for general release, since it changes some core authentication behaviors in the git client plugin.

nonname123@gmail.com (JIRA)

unread,
Nov 6, 2015, 3:56:07 AM11/6/15
to jenkinsc...@googlegroups.com

New beta plugins not working. I checked checkbox "Use credentials from default remote of parent repository", but i get same error. If open job setting page checkbox is not checked again.

mark.earl.waite@gmail.com (JIRA)

unread,
Nov 6, 2015, 8:17:04 AM11/6/15
to jenkinsc...@googlegroups.com

Vitaly Voronkin my apologies to you and to others attempting to use the beta plugins. Thanks very much for attempting the beta.

I was not careful enough in my verification of the beta1 build. I'm preparing a beta2 build which contains Jacob Keller's latest changes. I've confirmed that the "use parent credentials" setting in the submodules section of the job definition persists, and is honored by the beta2 code.

There is still a problem that the "use parent credentials" setting in the submodules section is not retained when a job is copied, even though other settings in the job definition are retained when the job is copied. That problem won't be fixed in beta2, but will need to wait for a later change.

I'll post the link to the beta2 builds when they are available. Shouldn't be more than an hour from now.

mark.earl.waite@gmail.com (JIRA)

unread,
Nov 6, 2015, 11:58:05 AM11/6/15
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-20941
[~nonname123] my apologies to you and to others attempting to use the beta plugins.  Thanks very much for attempting the beta.

I was not careful enough in my verification of the beta1 build.   I'm preparing a   The [git plugin 2.5.0-  beta2 build  which contains |https://repo.jenkins-ci.org/jenkinsci/releases/org/jenkins-ci/plugins/git/2.5.0-beta2/git-2.5.0-beta2.hpi] and [git client plugin 1.20.0-beta2|https://repo.jenkins-ci.org/jenkinsci/releases/org/jenkins-ci/plugins/git-client/1.20.0-beta2/git-client-1.20.0-beta2.hpi] contain  Jacob Keller's latest changes.  I've confirmed that the "use parent credentials" setting in the submodules section of the job definition persists, and is honored by the beta2 code.


There is still a problem that the "use parent credentials" setting in the submodules section is not retained when a job is copied, even though other settings in the job definition are retained when the job is copied.  That problem won't be fixed in beta2, but will need to wait for a later change.

I'll post the link to the beta2 builds when they are available.  Shouldn't be more than an hour from now.

tflinders@ezesoft.com (JIRA)

unread,
Nov 9, 2015, 9:32:04 AM11/9/15
to jenkinsc...@googlegroups.com

I've been trying out Beta2 and it doesn't seem to be working for configuration but I think the submodule authentication is actually working. The "Use credentials from default remote of parent repository" doesn't appear to stay configured from the front end, I set it and then when you return into the configuration for the job it becomes unset. However if you look in the config.xml in the job directory the value in <parentCredentials>true</parentCredentials> is set true, until you save the config again.

I've managed to clone though with this code, it previously didn't work.

b2jrock@java.net (JIRA)

unread,
Nov 12, 2015, 6:43:09 PM11/12/15
to jenkinsc...@googlegroups.com
b2jrock commented on Bug JENKINS-20941

The beta worked for me for a freestyle job. Also, launching an SSH agent and making the ssh key available in the homedir on the slaves were also valid workarounds (clear workspace between attempted workarounds).
However for workflows, the snippet generator doesn't yet produce valid code to test this. (JENKINS-31532). I attempted this in the config:
{{checkout([$class: 'GitSCM', branches: [[name: '*/master']], doGenerateSubmoduleConfigurations: false, extensions: [[$class: 'RelativeTargetDirectory', relativeTargetDir: 'src'], [$class: 'SubmoduleOption', disableSubmodules: false, recursiveSubmodules: true, trackingSubmodules: false]], submoduleCfg: [], userRemoteConfigs: [[ url: 'g...@git.example.com.com:foo/bar.git']]])
}}
However, that still resulted in auth failures in submodules still. I also tried wrapping the checkout step in an ssh-agent with the same key which also failed. The only workaround for workflows seems to be making the ssh key available on the slave currently.

x.van_dessel@ieee.org (JIRA)

unread,
Nov 16, 2015, 12:27:04 PM11/16/15
to jenkinsc...@googlegroups.com

The Beta worked for me also, while it failed before with auth issues.
Jenkins: 1.635 running on Linux Fedora 20
Target slave: Windows, running native Windows GIT stack (no cygwin)
git repository accessed via SSH on an Atlassian BitBucket server (aka Stash) on a Linux server using an SSH key from the Jenkins master (from ~/.ssh).

I have only 1 submodule, and I had no more auth issues. The code expanded correctly and started its compilation phase correctly.

Thanks a lot!

x.van_dessel@ieee.org (JIRA)

unread,
Nov 16, 2015, 4:46:10 PM11/16/15
to jenkinsc...@googlegroups.com

Further to the above, I also tested this combination (same Jenkins and target slave config):
git repository accessed via HTTP to the same BitBucket server, using a normal user with password.
However, I had first to checkout the .submodules file, then modify the url to convert that one to the HTTP protocol with the same userid as the main fetch will use.
When that is done, the fetch of the submodule worked OK.
I think it is safe to assume that people will be using a unique way to fetch data (both the main fetch and submodule fetch).

mark.earl.waite@gmail.com (JIRA)

unread,
Nov 16, 2015, 6:25:09 PM11/16/15
to jenkinsc...@googlegroups.com

Xavier Van Dessel I'm not confident I understand the condition you're describing. I think you're saying that the submodule authenticaiton did not work for you if the submodule did not use the same protocol (ssh or https) as the parent repository. Did I understand you correctly?

x.van_dessel@ieee.org (JIRA)

unread,
Nov 18, 2015, 4:06:04 AM11/18/15
to jenkinsc...@googlegroups.com

Mark,
Indeed, the original test (SSH with keys switched to http(s) with passwords) failed.
But I'm not saying it has to do with the code of the Jenkins plugins. Situation 1 uses an SSH key. Hence, the ssh call to expand the submodule only disposes of the userid/password combination that worked fine on the main http(s) call. But the ssh engine does not share the same user an psw db with the BitBucket http(s) server on my system, which explains the failure.
I would even say more: the other way arround would certainly never work: if the main repo uses an SSH key, but the submodule is referenced as a http(s) link, then it can never work (unless the http(s) server has no security) simply because an SSH key would not work on a http(s) link AFAIK.
Given that the git protocol nor the local file protocol require any kind of authentication, these 2 are unaffected by this ticket.

Thus if keys are used, all repo access MUST use the SSH protocol otherwise the git client has no credentials at all to use.
This gives the below overview:

Auth type: SSH KEY
main repo=ssh, submodule=ssh : tested OK (my first test report)

Auth type: User & PSW
main repo=http(s), submodule=http(s) : tested OK (my second test report)
main repo=ssh, submodule=ssh : to test
main repo=http(s), submodule=ssh : to test
main repo=ssh, submodule=http(s) : to test

Has anybody validated any such combination yet?

mark.earl.waite@gmail.com (JIRA)

unread,
Nov 19, 2015, 8:48:04 AM11/19/15
to jenkinsc...@googlegroups.com

I would not expect your last two examples (https parent/ssh submodule and ssh parent/https submodule) to work with the current implementation. The current implementation uses the same authentication in the submodule as is used in the parent repository.

The authentication methods used with https and ssh are different authentication methods within the code, so the "use the same authentication" setting will cause the code to attempt to apply the parent authentication technique to the submodule and it will fail.

sam.mxracer@gmail.com (JIRA)

unread,
Nov 19, 2015, 6:30:05 PM11/19/15
to jenkinsc...@googlegroups.com

I'd like to add that I would also expect the last two cases to fail. To me it wouldn't make sense to expect them to succeed. If such a case were desired then I would say post-merge of this change would be a PR to define custom credentials for all submodules separating the authentication of the parent and submodules (perhaps even fine grained as providing customization by domain and protocol so multiple submodule auth types are supported).

However, I think the focus of this PR should only be applying parent auth method to submodules as originally described in the issue. Let's not lose focus of what is initially requested. Something I value as very important.

x.van_dessel@ieee.org (JIRA)

unread,
Nov 20, 2015, 6:34:05 AM11/20/15
to jenkinsc...@googlegroups.com

I fully agree with Mark and Sam comments regarding different protocols between main and submodule. Most installations will use a homogenuous approach.
I would however recommend to add this requirement/limitation in the info box that opens for the new submodule authentication option.

There are however still other (less commonly used) protocols which may require testing. Git supports ftp as a protocol using passwords. I have no idea whether the code changes between http(s) and ftp justify an explicit test setup. My test setup (BitBucket based) does not support it.

mark.earl.waite@gmail.com (JIRA)

unread,
Nov 20, 2015, 7:55:05 AM11/20/15
to jenkinsc...@googlegroups.com

The plugin has some limited tests for the less commonly used protocols (ftp, rsync) and less commonly used authentication techniques (netrc file in the home directory of the Jenkins user). I consider those outside the scope of this change. It does not have a way of using the Jenkins credentials mechanism with those protocols as far as I can tell.

ingo.janssen@netonic.de (JIRA)

unread,
Dec 3, 2015, 1:26:04 PM12/3/15
to jenkinsc...@googlegroups.com

I encountered the same error with username password credentials.
After testing a lot of suggested workarounds I added the two beta plugin versions (beta2 builds of git and git-client plugins) to my jenkins installation.
Everything works fine now and Jenkins is able to get the submodules.

Great Job and thanks a lot for the beta2 build !

ps.grove@gmail.com (JIRA)

unread,
Dec 23, 2015, 8:21:08 AM12/23/15
to jenkinsc...@googlegroups.com

How can I get hold of the beta 2 plugins?
Any ideas when this will get into a Jenkins release?

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 23, 2015, 10:44:31 AM12/23/15
to jenkinsc...@googlegroups.com

The 2.5.0 beta build of the git plugin and the latest 1.20.0 beta build of the git client plugin are available from the Jenkins experimental update center. If you switch your test Jenkins configuration to the experimental update center and perform an "Update Now", you'll see them in the usual update center as plugin updates you may choose to install.

If you'd rather download and install them directly from artifactory, the current versions are git plugin 2.5.0beta3 and git client plugin 1.20.0beta2.

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 23, 2015, 10:46:13 AM12/23/15
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-20941
The  latest  2.5.0 beta build of the git plugin and the latest 1.20.0 beta build of the git client plugin are available from the [Jenkins experimental update center|http://jenkins-ci.org/content/experimental-plugins-update-center].  If you switch your test Jenkins configuration to the experimental update center and perform an "Update Now", you'll see them in the usual update center as plugin updates you may choose to install.

If you'd rather download and install them directly from artifactory, the current versions are [git plugin 2.5.0beta3|https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/git/2.5.0-beta3/git-2.5.0-beta3.hpi] and [git client plugin 1.20.0beta2|https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/git-client/1.20.0-beta2/git-client-1.20.0-beta2.hpi].

srparamatmuni@deloitte.com (JIRA)

unread,
Dec 28, 2015, 6:28:06 AM12/28/15
to jenkinsc...@googlegroups.com

Hi,

We had similar issue with sub-modules in our project and I had installed latest beta plugins for Git and Git client. Apparently, the authentication issue seems to be resolved, but facing a new issue. Each time the project tries to run git sub-module update, it fails with this error:
_
git submodule update --init --recursive --remote generators # timeout=10
FATAL: Command "/bin/git submodule update --init --recursive --remote generators" returned status code 1:
stdout:
stderr: error: pathspec 'generators' did not match any file(s) known to git.
Did you forget to 'git add'?

_hudson.plugins.git.GitException: Command "/bin/git submodule update --init --recursive --remote generators" returned status code 1:
stdout:
stderr: error: pathspec 'generators' did not match any file(s) known to git.
Did you forget to 'git add'?_

We are using https git url.

Can some one guide us please.

Thanks
Sri
_

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 28, 2015, 8:05:05 AM12/28/15
to jenkinsc...@googlegroups.com

Doesn't that indicate that your submodule definition is somehow inconsistent? A stackoverflow article gives a few possible alternatives.

srparamatmuni@deloitte.com (JIRA)

unread,
Dec 29, 2015, 3:34:05 AM12/29/15
to jenkinsc...@googlegroups.com

Thanks for your reply Mark.
Prior to installing the git plugins, the same setup worked fine with workaround for sub-module authentication. the commands fired by Git plugin seemed to have changed from earlier version plugin to the latest one.

Earlier version plugin:
git submodule update --init --recursive --remote # timeout=10

Latest version plugin:


git submodule update --init --recursive --remote generators # timeout=10

The command is adding each sub-module separately in the latest plugin. Just wanted to verify if that could be causing any issue. There are 6 sub-modules in our repository and when tried with each of them on Command line also, the same error happens whereas issuing the same command with just "-

remote" instead of " -remote <sub-module name>" works fine.

Thanks
Sri

emilvarona@gmail.com (JIRA)

unread,
Dec 31, 2015, 3:11:15 AM12/31/15
to jenkinsc...@googlegroups.com
E Varona edited a comment on Bug JENKINS-20941
After struggling with this for much longer than I cared for, I was not able to get the git submodules working using either ssh or https from my EC2 backed Jenkins host to our private GitHub organization repo. I tried every suggestion in this post with no luck.

What did however work although it's a far less than ideal solution, is to put the credentials in  `  {{ ~/.netrc ` }}  on both the master and slaves. Now not only do my configs not require an external p/w but my submodule sync is working.

emilvarona@gmail.com (JIRA)

unread,
Dec 31, 2015, 3:11:15 AM12/31/15
to jenkinsc...@googlegroups.com
E Varona commented on Bug JENKINS-20941

ryan@sensics.com (JIRA)

unread,
Feb 9, 2016, 4:41:06 PM2/9/16
to jenkinsc...@googlegroups.com

What I believe is the same problem is happening here, with a private github repo accessed over ssh, that have other private github repos (over ssh) as submodules. The experimental plugin did not help. The same SSH credential should be usable for all repos (the super-repo and the submodules), and it clones the main repo fine:

using GIT_SSH to set credentials sensics-bot on github and gitlab

before the main clone, but then the individual git.exe submodule update --init --recursive path/to/private/submodule calls fail (and are not preceded by a similar line mentioning GIT_SSH).

This is on a Windows machine running the Jenkins server as a service (as "Local System").

ryan@sensics.com (JIRA)

unread,
Feb 9, 2016, 4:51:07 PM2/9/16
to jenkinsc...@googlegroups.com
Ryan Pavlik edited a comment on Bug JENKINS-20941
What I believe is the same problem is happening here, with a private github repo accessed over ssh, that have other private github repos (over ssh) as submodules. The experimental plugin did not help. The same SSH credential should be usable for all repos (the super-repo and the submodules), and it clones the main repo fine:

{{using GIT_SSH to set credentials sensics-bot on github and gitlab}}

before the main clone, but then the individual {{git.exe submodule update --init --recursive path/to/private/submodule}} calls fail (and are not preceded by a similar line mentioning GIT_SSH).

This is on a Windows machine running the Jenkins server as a service (as "Local System").

My only limited workaround I was able to find was to launch a cmd prompt as the Local System account with {{psexec -i -s cmd.exe}} - see this info http://stackoverflow.com/a/78691/265522 , in the new window change to the home directory's .ssh dir with {{cd %USERPROFILE%\.ssh}}, and copy my ssh keys in {{copy c:\jenkins-server\id_rsa c:\jenkins-server\id_rsa.pub .}}  That makes those keys the default to use by SSH, so it lets me complete the task, but it's still not using the stored/specified credentials, it's just that I only have one set of credentials I want this server to use.

mark.earl.waite@gmail.com (JIRA)

unread,
Feb 9, 2016, 4:54:03 PM2/9/16
to jenkinsc...@googlegroups.com

Ryan Pavlik I think you may be seeing JENKINS-20356 (Windows service doesn't work with private key credentials)

ryan@sensics.com (JIRA)

unread,
Feb 9, 2016, 5:04:24 PM2/9/16
to jenkinsc...@googlegroups.com

Ah, thank you - it might be that one, though as I said it works fine with the main repo, it's just the submodules that it can't deal with. Since it seemed specific to submodules that's what I searched for so I ended up here, but I will follow that issue as well. Is there any information I can provide on my setup to help diagnose this? Windows 8.1 x64, standard git for windows (64-bit) installed with Chocolatey, git version 2.6.3.windows.1, running the latest (non-LTS) Jenkins installed as a service using the regular method IIRC.

kostanos@gmail.com (JIRA)

unread,
Feb 12, 2016, 8:42:10 AM2/12/16
to jenkinsc...@googlegroups.com
Kostya Kostyushko updated an issue
 
Jenkins / Bug JENKINS-20941
Change By: Kostya Kostyushko
Environment: Windows 7 & 8 slaves
Mac slave (see comments)
Reproduced on RHEL Linux 6.5
Ubuntu 14.04

jim.klo@sri.com (JIRA)

unread,
Mar 7, 2016, 7:36:05 PM3/7/16
to jenkinsc...@googlegroups.com
Jim Klo commented on Bug JENKINS-20941
 
Re: Stored git credentials not used when submodule is updated

Mark Waite I've downloaded and installed the betas as you noted in comment-244707, however I see no change in behavior when authenticating submodules over https.

jim.klo@sri.com (JIRA)

unread,
Mar 7, 2016, 7:38:03 PM3/7/16
to jenkinsc...@googlegroups.com
Jim Klo edited a comment on Bug JENKINS-20941
[~markewaite] I've downloaded and installed the betas as you noted in [ your comment |https://issues.jenkins-ci.org/browse/JENKINS-20941?focusedCommentId=244707&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel #comment-244707] , however  above. However  I see no change in behavior when authenticating submodules over https.

jim.klo@sri.com (JIRA)

unread,
Mar 7, 2016, 7:45:03 PM3/7/16
to jenkinsc...@googlegroups.com
Jim Klo updated an issue
 
Change By: Jim Klo
Comment: [~markewaite] I've downloaded and installed the betas as you noted in [your comment |https://issues.jenkins-ci.org/browse/JENKINS-20941?focusedCommentId=244707&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-244707] above. However I see no change in behavior when authenticating submodules over https.

annemoroney@alum.mit.edu (JIRA)

unread,
Apr 6, 2016, 7:49:04 PM4/6/16
to jenkinsc...@googlegroups.com
AnneTheAgile commented on Bug JENKINS-20941
 
Re: Stored git credentials not used when submodule is updated

As I see it;
1.The Jenkins Git plugin ticket is not solved anywhere yet, the best I can see. The v2.5 experimental patch was not accepted, is no longer on the beta, and the last release is 2.4.4. Its PR was closed, not implemented in favor of an edit to the credentials plugin.
https://issues.jenkins-ci.org/browse/JENKINS-20941

2.The Jenkins Credentials plugin PR has similarly not been accepted (but it needs work so is not standalone).
https://github.com/jenkinsci/git-plugin/pull/342

annemoroney@alum.mit.edu (JIRA)

unread,
Apr 6, 2016, 7:51:03 PM4/6/16
to jenkinsc...@googlegroups.com
AnneTheAgile edited a comment on Bug JENKINS-20941
As I see it; 
1.The Jenkins Git plugin ticket is not solved anywhere yet, the best I can see. The v2.5 experimental patch was not accepted, is no longer on the beta, and the last release is 2.4.4. Its PR was closed, not implemented in favor of an edit to the credentials plugin. 
https://issues.jenkins-ci.org/browse/JENKINS-20941

2.The Jenkins Credentials plugin PR has similarly not been accepted (but it needs work so is not standalone).
 
https://github.com/jenkinsci/ git credentials -plugin/pull/ 342 32

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 6, 2016, 9:19:04 PM4/6/16
to jenkinsc...@googlegroups.com

AnneTheAgile this is not yet implemented in any official release of the Jenkins git plugin. It is a large enough change that I wanted an extended beta period to test it. Breaking the authentication techniques of a plugin used in 60 000 installations was too scary for me to not want an extended beta period.

I'm not sure why you say that the "2.5 experimental patch ... is no longer on the beta". I just configured a fresh installed Jenkins to use the experimental plugins update center and confirmed that git plugin 2.5.0-beta4 is available there, as is git client plugin 1.20.0-beta3.

The git plugin changelog includes references to git plugin beta versions 2.5.0-beta1, 2.5.0-beta2, and 2.5.0-beta3. Sorry, I forgot to publish an update to describe 2.5.0-beta4 on the wiki.

The git client plugin changelog includes references to git client plugin beta versions 1.20.0-beta1 and 1.20.0-beta3.

Could you try the experimental update center to see if it shows you the same thing it shows me?

lduarte@luisduarte.net (JIRA)

unread,
Apr 13, 2016, 5:37:04 AM4/13/16
to jenkinsc...@googlegroups.com

Why not add a Checkbox on Repository Clone config asking if we want a recursive clone?

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 13, 2016, 8:11:05 AM4/13/16
to jenkinsc...@googlegroups.com
Mark Waite updated an issue
 
Change By: Mark Waite
Attachment: screenshot-1.png

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 13, 2016, 8:12:04 AM4/13/16
to jenkinsc...@googlegroups.com
Mark Waite commented on Bug JENKINS-20941
 
Re: Stored git credentials not used when submodule is updated

Luís Duarte I don't know why we would add a repository clone checkbox for recursive submodule clone when there is already a checkbox for recursive clone in the "Advanced submodule behaviours" section. Can you explain further where you mean by "Repository Clone config"?

Refer to

lduarte@luisduarte.net (JIRA)

unread,
Apr 13, 2016, 10:18:08 AM4/13/16
to jenkinsc...@googlegroups.com

Mark Waite

Output

18:08:03 > git submodule update --init --recursive
18:08:09 FATAL: Command "git submodule update --init --recursive" returned status code 1:
18:08:09 stdout:
18:08:09 stderr: Cloning into 'plugins/ruby-build'...
18:08:09 Permission denied (publickey).
18:08:09 fatal: Could not read from remote repository.
18:08:09
18:08:09 Please make sure you have the correct access rights
18:08:09 and the repository exists.
18:08:09 Clone of 'git@<git_provider>:<org>/<repo>.git' into submodule path 'plugins/ruby-build' failed
18:08:09
18:08:09 hudson.plugins.git.GitException: Command "git submodule update --init --recursive" returned status code 1:
18:08:09 stdout:
18:08:09 stderr: Cloning into 'plugins/ruby-build'...
18:08:09 Permission denied (publickey).
18:08:09 fatal: Could not read from remote repository.
18:08:09
18:08:09 Please make sure you have the correct access rights
18:08:09 and the repository exists.
18:08:09 Clone of 'git@<git_provider>:<org>/<repo>.git' into submodule path 'plugins/ruby-build' failed

The problem is that the "Advanced submodule behaviours" is not integrating properly with the Credentials Plugin, meaning it does not use the Credentials for the --recursive update modules. And we don't upload Private Keys to Slave machines.

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 13, 2016, 10:30:23 AM4/13/16
to jenkinsc...@googlegroups.com

Luís Duarte If you want to use credentials with submodules, you need to use the experimental update center with the git plugin 2.5.0 beta and the git client plugin 1.20.0 beta. That has nothing to do with the location of the "recursive update submodules" checkbox as far as I can tell.

Refer to older postings in this bug report for the details of how to install those two beta plugin versions.

lduarte@luisduarte.net (JIRA)

unread,
Apr 13, 2016, 10:51:03 AM4/13/16
to jenkinsc...@googlegroups.com

I was just making a suggestion to add the "--recursive" checkbox below the Repository URL so that the SubModules are cloned recursively on the first update and not a Post-Action.
You have any ETA on the Git Plugin 2.5.0 Final and Git Client Plugin 1.20.0 Final ?

lduarte@luisduarte.net (JIRA)

unread,
Apr 13, 2016, 10:54:04 AM4/13/16
to jenkinsc...@googlegroups.com
Luís Duarte edited a comment on Bug JENKINS-20941
I was just making a suggestion to add the "--recursive" checkbox below the Repository URL so that the SubModules are cloned recursively on the  first update  inital clone  and not a Post-Action.

You have any ETA on the Git Plugin 2.5.0 Final and Git Client Plugin 1.20.0 Final ?

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 13, 2016, 11:38:13 AM4/13/16
to jenkinsc...@googlegroups.com

I'm not sure what you mean by "cloned recursively on the initial clone and not a Post-Action". The initial clone (fetch) brings in the remote repository and performs a checkout of the selected branch. It can't know the submodules being referenced until after the selected branch checkout has completed. Once the initial branch checkout is complete, then the submodules are cloned.

All those steps happen in the "checkout" of the initial repository, without any "post-action" as far as I know.

lduarte@luisduarte.net (JIRA)

unread,
Apr 13, 2016, 11:43:03 AM4/13/16
to jenkinsc...@googlegroups.com

Mark Waite
What i'm trying to explain is that the git clone is executed with the Credentials, but the git submodule update --recursive doesn't use Credentials, therefore causing our builds to fail.

paul@nkey.com.br (JIRA)

unread,
Apr 13, 2016, 4:47:04 PM4/13/16
to jenkinsc...@googlegroups.com

Today I am using SSH Agent Plugin, which works with Git Plugin both for clone and submodule as is.

Does this new beta feature removes the need for SSH Agent Plugin in that case?

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 13, 2016, 5:19:06 PM4/13/16
to jenkinsc...@googlegroups.com

Yes, the beta plugin does not require ssh-agent.

jens.chorus@raisenow.com (JIRA)

unread,
Apr 14, 2016, 1:59:10 PM4/14/16
to jenkinsc...@googlegroups.com

Hi Paul Eipper,

I am struggling with the same issue. I tried the SSH Agent Plugin, setting private key. The parent repository is still checked out as usual but it seem to have done nothing for the submodules. Do you have any advice?
Thanks

paul@nkey.com.br (JIRA)

unread,
Apr 14, 2016, 2:16:23 PM4/14/16
to jenkinsc...@googlegroups.com

Our environment is OSX master and slave.

I compiled SSH Agent plugin to enable the native ssh-agent with this patch: https://github.com/jenkinsci/ssh-agent-plugin/pull/2
The credentials provided work for both the main and submodule clone operations. In my setup the credential is a single SSH key that has read access to the main and all submodule repos. I have not tested if you need to unlock multiple keys.

jens.chorus@raisenow.com (JIRA)

unread,
Apr 14, 2016, 2:56:04 PM4/14/16
to jenkinsc...@googlegroups.com

Thanks a lot Paul Eipper. I will give that a try.

jenkins@bo3b.net (JIRA)

unread,
Apr 15, 2016, 11:07:25 PM4/15/16
to jenkinsc...@googlegroups.com
Bo3b Johnson edited a comment on Bug JENKINS-20941
The 2.5.0-beta4 plugin is not working for me.  Switching to experimental plugins, and downloading and restart shows no errors in the startup log.
This is on a clean 1.634. 2 3  installation.

Two problems that I see:

1) Corrupted jobs after restart.  Any prior job will get an exception in the configure page.

{code:java}
Caused by: org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
jar:file:/var/lib/jenkins/plugins/git/WEB-INF/lib/git.jar!/hudson/plugins/git/extensions/impl/SubmoduleOption/config.groovy: 52: expecting '}', found '' @ line 52, column 1.
{code}

2) Creating a new job from scratch does not allow me to set sub-module behavior.  The "Additional Behaviors" Add-> pop down, then choosing "Advanced sub-module behaviors" doesn't do anything.  No sub-pane is added to allow me to check "recursive".

The log show the same exception.

jenkins@bo3b.net (JIRA)

unread,
Apr 15, 2016, 11:07:25 PM4/15/16
to jenkinsc...@googlegroups.com

The 2.5.0-beta4 plugin is not working for me. Switching to experimental plugins, and downloading and restart shows no errors in the startup log.

This is on a clean 1.634.2 installation.

Two problems that I see:

1) Corrupted jobs after restart. Any prior job will get an exception in the configure page.

Caused by: org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
jar:file:/var/lib/jenkins/plugins/git/WEB-INF/lib/git.jar!/hudson/plugins/git/extensions/impl/SubmoduleOption/config.groovy: 52: expecting '}', found '' @ line 52, column 1.

2) Creating a new job from scratch does not allow me to set sub-module behavior. The "Additional Behaviors" Add-> pop down, then choosing "Advanced sub-module behaviors" doesn't do anything. No sub-pane is added to allow me to check "recursive".

The log show the same exception.

jenkins@bo3b.net (JIRA)

unread,
Apr 15, 2016, 11:07:38 PM4/15/16
to jenkinsc...@googlegroups.com
Bo3b Johnson edited a comment on Bug JENKINS-20941
The 2.5.0-beta4 plugin is not working for me.  Switching to experimental plugins, and downloading and restart shows no errors in the startup log.
This is on a clean 1. 634 642 .3 installation.


Two problems that I see:

1) Corrupted jobs after restart.  Any prior job will get an exception in the configure page.

{code:java}

Caused by: org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
jar:file:/var/lib/jenkins/plugins/git/WEB-INF/lib/git.jar!/hudson/plugins/git/extensions/impl/SubmoduleOption/config.groovy: 52: expecting '}', found '' @ line 52, column 1.
{code}


2) Creating a new job from scratch does not allow me to set sub-module behavior.  The "Additional Behaviors" Add-> pop down, then choosing "Advanced sub-module behaviors" doesn't do anything.  No sub-pane is added to allow me to check "recursive".

The log show the same exception.

jenkins@bo3b.net (JIRA)

unread,
Apr 15, 2016, 11:25:12 PM4/15/16
to jenkinsc...@googlegroups.com
Bo3b Johnson edited a comment on Bug JENKINS-20941
The 2.5.0- beta4 beta3  plugin is not working for me.  Switching to experimental plugins, and downloading and restart shows no errors in the startup log.
This is on a clean 1.642.3 installation.


Two problems that I see:

1) Corrupted jobs after restart.  Any prior job will get an exception in the configure page.

{code:java}
Caused by: org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
jar:file:/var/lib/jenkins/plugins/git/WEB-INF/lib/git.jar!/hudson/plugins/git/extensions/impl/SubmoduleOption/config.groovy: 52: expecting '}', found '' @ line 52, column 1.
{code}

2) Creating a new job from scratch does not allow me to set sub-module behavior.  The "Additional Behaviors" Add-> pop down, then choosing "Advanced sub-module behaviors" doesn't do anything.  No sub-pane is added to allow me to check "recursive".

The log show the same exception.

jenkins@bo3b.net (JIRA)

unread,
Apr 15, 2016, 11:25:12 PM4/15/16
to jenkinsc...@googlegroups.com

Manually downloaded and manually installed the 2.5.0-beta4 plugin, and get the same exception.

Top few lines:

Apr 15, 2016 8:21:36 PM WARNING hudson.widgets.RenderOnDemandClosure$1 generateResponse
Failed to evaluate the template closure
org.apache.commons.jelly.JellyTagException: jar:file:/var/cache/jenkins/war/WEB-INF/lib/jenkins-core-1.642.3.jar!/lib/form/hetero-list.jelly:131:100: <st:include> org.kohsuke.stapler.ScriptLoadException: org.apache.commons.jelly.JellyException: Failed to load /hudson/plugins/git/extensions/impl/SubmoduleOption/config from org.kohsuke.stapler.jelly.groovy.GroovyFacet@5c993a07
	at org.apache.commons.jelly.impl.TagScript.handleException(TagScript.java:726)
	at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:281)

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 16, 2016, 12:59:04 AM4/16/16
to jenkinsc...@googlegroups.com

Bo3b Johnson My apologies! You're absolutely correct. The beta4 build of the plugin won't allow the user to set the submodule options at all. I'll need to research why it is failing and deliver a new beta release to fix the problem.

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 16, 2016, 1:33:05 PM4/16/16
to jenkinsc...@googlegroups.com

I've released git plugin 2.5.0-beta5 to fix the problem. I ran some basic interactive regression tests with it and confirmed that it correctly passes credentials from the parent project to the submodule for ssh based credentials.

jenkins@bo3b.net (JIRA)

unread,
Apr 16, 2016, 10:47:04 PM4/16/16
to jenkinsc...@googlegroups.com

Mark WaiteThanks! Really appreciate the fast turnaround for this problem.

I confirm that the 2.5.0-beta5 fixes the exception in my use case.

I also confirm that once I set the Recursively update submodules and Use credentials from default remote of parent repository settings in the Advanced sub-modules behaviors pane, that I can also successfully clone my repot with supporting sub-module, with SSH key authentication.

Using git:2.5.0-beta5 and git-client:1.20.0-beta3

ben@detroitsoftwareworks.com (JIRA)

unread,
Apr 19, 2016, 6:13:03 PM4/19/16
to jenkinsc...@googlegroups.com

I've looked in http://mirror.xmission.com/jenkins/updates/experimental/update-center.json for git:2.5.0-beta5, but all I see is git:2.5.0-beta4. Is there some other place I can look for it? Do I just need to wait for it to propagate to other mirrors?

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 19, 2016, 6:31:19 PM4/19/16
to jenkinsc...@googlegroups.com

That's a different URL than I'm accustomed to using for the experimental update center.

If you don't mind downloading it directly from artifactory (and then uploading it using the Advanced page of "Manage plugins"), you can get it at https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/git/2.5.0-beta5/git-2.5.0-beta5.hpi

aferrari@paychex.com (JIRA)

unread,
Apr 22, 2016, 1:16:18 PM4/22/16
to jenkinsc...@googlegroups.com

We have Jenkins ver. 1.596.2 with plugins:

  • git 2.5.0-beta5
  • git-client 1.20.0-beta3
    Unfortunately, we still see the error when retrieving submodules.:

    C:\git\bin\git.exe config --get remote.origin.url # timeout=10
    > C:\git\bin\git.exe config --get-regexp ^submodule # timeout=10
    > C:\git\bin\git.exe config --get submodule.helloivy.url # timeout=10
    > C:\git\bin\git.exe submodule update --init --recursive helloivy
    FATAL: Command "C:\git\bin\git.exe submodule update --init --recursive helloivy" returned status code 1:
    stdout:
    stderr: Cloning into 'helloivy'...
    Permission denied (publickey).


  • fatal: Could not read from remote repository.

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 22, 2016, 1:39:03 PM4/22/16
to jenkinsc...@googlegroups.com

Anthony Ferrari, the same credentials are used for the parent repository and the submodule repositories. That generally means you need to use the same protocol for the parent repository and the submodules. For example, if the parent is g...@github.com:MarkEWaite/git-plugin.git (ssh protocol), then the submodules cannot be https://github.com/MarkEWaite/git-client-plugin.git, they must also be ssh protocol.

Are you using the same protocol for parent repository and submodule repositories?

Do the the parent repository credentials work for the submodule repositories outside the Jenkins job?

aferrari@paychex.com (JIRA)

unread,
Apr 22, 2016, 1:52:03 PM4/22/16
to jenkinsc...@googlegroups.com

Thank you for the quick response!
Yes, we are using SSH in the git plugin settings referencing a global credentials store in Jenkins/Manage/Credentials (username/key).
SSH works fine with the git plugin except when we attempt to retrieve submodules. We have the "Recursively update submodules" checkbox checked.
I can do this no problem using command line git....the submodules are resolved ok.
Any ideas?

mark.earl.waite@gmail.com (JIRA)

unread,
Apr 22, 2016, 1:57:05 PM4/22/16
to jenkinsc...@googlegroups.com

I didn't get from your response that you had actually checked that the same protocol is used in the submodules as is used in the parent. Can you check that?

alex.zykov@willjin.com (JIRA)

unread,
May 4, 2016, 5:09:18 PM5/4/16
to jenkinsc...@googlegroups.com

Hi
I've got the same issue

Cloning repository ssh://ro...@192.168.0.20:22/srv/repos/git/root-module.git
Clone of 'ssh://ro...@XXX.XXX.XXX.XXX:YYYYY/srv/repos/git/sub-module.git' into submodule path 'marksman-c' failed
Permission denied (publickey,password).

I think plugin doesn't use the original credentials

BR
AlexZ

alex.zykov@willjin.com (JIRA)

unread,
May 4, 2016, 5:33:22 PM5/4/16
to jenkinsc...@googlegroups.com
Alex Zykov edited a comment on Bug JENKINS-20941
Hi
I've got the same issue

Cloning repository ssh://ro...@192.168.0.20:22/srv/repos/git/root-module.git
Clone of 'ssh://ro...@XXX.XXX.XXX.XXX:YYYYY/srv/repos/git/sub-module.git' into submodule path 'marksman-c' failed
Permission denied (publickey,password).

I think plugin doesn't use the original credentials

BR
AlexZ

P.S.

I 'm using  use  ssh user name with private key authentication 
Scope is Global

alex.zykov@willjin.com (JIRA)

unread,
May 4, 2016, 5:33:22 PM5/4/16
to jenkinsc...@googlegroups.com
Alex Zykov edited a comment on Bug JENKINS-20941
Hi
I've got the same issue

Cloning repository ssh://ro...@192.168.0.20:22/srv/repos/git/root-module.git
Clone of 'ssh://ro...@XXX.XXX.XXX.XXX:YYYYY/srv/repos/git/sub-module.git' into submodule path 'marksman-c' failed
Permission denied (publickey,password).

I think plugin doesn't use the original credentials

BR
AlexZ

P.S.

I'm using ssh user name with private key authentication 
Scope is Global

samuel.garcia@kinesys.co.uk (JIRA)

unread,
May 10, 2016, 8:31:20 AM5/10/16
to jenkinsc...@googlegroups.com

git-client-plugin 1.20.0-beta3 works fine for me.

However I can't find the way to set the "Use credentials from default remote of parent repository" option from a DSL script, I have to alter the jobs manually after they've been generated.

It would be nice to be able to set it with a parentCredentials(true) method call inside the job.scm.git.extensions.submoduleOptions section.

captrespect@gmail.com (JIRA)

unread,
May 18, 2016, 10:10:04 AM5/18/16
to jenkinsc...@googlegroups.com

I'm still having trouble with this bug even with the 1.20.0-beta3 update.
I'm using an http repo with a username and password login. It looks like it's trying to use the credentials but still fails:

using GIT_ASKPASS to set credentials Gitlab Jenkins User
> git submodule update --init --recursive libraries
FATAL: Command "git submodule update --init --recursive libraries" returned status code 1:
stdout:
stderr: Cloning into 'libraries'...


Permission denied (publickey).
fatal: Could not read from remote repository.

mark.earl.waite@gmail.com (JIRA)

unread,
May 18, 2016, 10:13:03 AM5/18/16
to jenkinsc...@googlegroups.com

Jon Roberts have you confirmed that all the authenticated submodules in the repository use the same protocol (https) as the parent repository? One of the limitations of the current technique is that all authenticated submodules must use the same authentication technique as the parent.

captrespect@gmail.com (JIRA)

unread,
May 18, 2016, 11:08:03 AM5/18/16
to jenkinsc...@googlegroups.com

Yes, thanks that looks like my issue. Any easy way to override the url of the submodule for this jenkins instance?

captrespect@gmail.com (JIRA)

unread,
May 18, 2016, 11:26:14 AM5/18/16
to jenkinsc...@googlegroups.com

Nevermind! I was able to update the the submodule path in .gitmodule a relative path to get them to clone.

sbrain@imagus.com.au (JIRA)

unread,
May 19, 2016, 6:36:04 PM5/19/16
to jenkinsc...@googlegroups.com

Hi,

I noticed that if the .gimodules submodule name is not the same as the path spec the submodule update fails by trying to use the name.

submodule defined like this fails
[submodule "rpm"]
path = linux/rpm
url = ../rpm.git

with error
> git config --get submodule.rpm.url # timeout=60
> git submodule update --init --recursive rpm # timeout=100
FATAL: Command "git submodule update --init --recursive rpm" returned status code 1:
stdout:
stderr: error: pathspec 'rpm' did not match any file(s) known to git.
Did you forget to 'git add'?

the workaround is to name the submodule the same as the path
[submodule "linux/rpm"]
path = linux/rpm
url = ../rpm.git

sbrain@imagus.com.au (JIRA)

unread,
May 20, 2016, 8:07:04 AM5/20/16
to jenkinsc...@googlegroups.com
Steve Brain edited a comment on Bug JENKINS-20941
Hi,

I noticed that if the .gimodules submodule name is not the same as the path spec the submodule update fails by trying to use the name.

submodule defined like this fails
  [submodule "rpm"]
       path = linux/rpm
       url = ../rpm.git


 with error
 > git config --get submodule.rpm.url # timeout=60
 > git submodule update --init --recursive rpm # timeout=100
FATAL: Command "git submodule update --init --recursive rpm" returned status code 1:
stdout: 
stderr: error: pathspec 'rpm' did not match any file(s) known to git.
Did you forget to 'git add'?

the workaround is to name the submodule the same as the path
 [submodule "linux/rpm"]
       path = linux/rpm
       url = ../rpm.git

using 
git 2.5.0-beta5
git-client 1.20.0-beta3

pvandyk@salesforce.com (JIRA)

unread,
Jun 2, 2016, 6:29:05 PM6/2/16
to jenkinsc...@googlegroups.com

We are having this issue using SSH for the primary project and the submodules. I have not tried the beta plugin as the description above indicates that the issue is related to http git links. Does this fix include a fix for refreshing the submodules for SSH connections?

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 2, 2016, 6:47:21 PM6/2/16
to jenkinsc...@googlegroups.com

Peter van Dijk the beta version of the plugin supports https (username/password) parent repositories referencing https (username/password) submodules and it supports ssh (private key) parent repositories referencing ssh (private key) submodules. I've recently checked that it works with a github ssh (private key) parent repository and github ssh (private key) submodules.

chypalex@gmail.com (JIRA)

unread,
Jun 15, 2016, 7:46:04 AM6/15/16
to jenkinsc...@googlegroups.com

Guys, do someone have any information about possible date of solution ?
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)
Atlassian logo

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 15, 2016, 8:08:18 AM6/15/16
to jenkinsc...@googlegroups.com

Andrey Molochnikov can you further describe what you mean by "possible date of solution"?

If you want to use credentials with submodules today, you can use the Jenkins experimental update center to install the beta versions of the git plugin and the git client plugin.

aferrari@paychex.com (JIRA)

unread,
Jun 20, 2016, 3:00:05 PM6/20/16
to jenkinsc...@googlegroups.com

Update:
submodules are working for us now with the beta release.

Sorry - I did not have the: "Use credentials from default remote of parent repository" checked before.

Thank you!

pvandyk@salesforce.com (JIRA)

unread,
Jun 22, 2016, 12:50:20 PM6/22/16
to jenkinsc...@googlegroups.com

Thanks Mark Waite. It looks like the Wiki is having issues:
https://wiki.jenkins-ci.org/pages/viewpage.action?pageId=99057971

Just looking for an update and if I can get notification when 1.20.0 will be released to production.

Thanks!

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 23, 2016, 11:42:04 PM6/23/16
to jenkinsc...@googlegroups.com

That has been a relatively common problem with that wiki page. The solution I've been told to use is to add a parameter to the end of the URL. I used https://wiki.jenkins-ci.org/display/JENKINS/Git+Client+Plugin?foo=bar to read the correct page.

The git client plugin 2.0.0-beta1 has been released to the experimental update center. It includes git submodule authentication, JGit 4.3, and requires JDK 7. It requires at least Jenkins 1.625 (the first version to mandate JDK 7).

The process of preparing that release (with JGit 4.3) exposed an incompatibility which I haven't yet decided how to resolve. The incompatibility is described in a posting to the Jenkins developers mailing list. I need some more time to choose the best compromise. I really want JDK 7 because it makes the git client plugin cleaner and less susceptible to file leaks. I also want JGit 4, because JGit 4 is receiving active development, while JGit 3 is not.

yury.zaytsev@traveltainment.de (JIRA)

unread,
Jul 6, 2016, 11:00:14 AM7/6/16
to jenkinsc...@googlegroups.com

FYI, very sadly, the ability to select advanced git behaviors in multibranch pipeline projects is gone again after upgrade from 2.5.2 to 3.0.0-beta1 of the git plugin. I was assuming 3.0.0-beta1 is necessary to go with 2.0.0-beta1 of the git client plugin. After I downgraded to git plugin 2.5.2 again, but left git client 2.0.0-beta1 in, submodule (public key) authentication on the agents still doesn't seem to work even though the main repository is checked out just fine 

> git submodule update --init --recursive XXX
hudson.plugins.git.GitException: Command "git submodule update --init --recursive XXX" returned status code 128:
stdout: 
stderr: Cloning into 'XXX'...
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
fatal: Could not read from remote repository.

yury.zaytsev@traveltainment.de (JIRA)

unread,
Jul 6, 2016, 11:06:04 AM7/6/16
to jenkinsc...@googlegroups.com
Yury Zaytsev edited a comment on Bug JENKINS-20941
FYI, very sadly, the ability to select advanced git behaviors in multibranch pipeline projects is gone again after upgrade from 2.5.2 to 3.0.0-beta1 of the git plugin. I was assuming 3.0.0-beta1 is necessary to go with 2.0.0-beta1 of the git client plugin. After I downgraded to git plugin 2.5.2 again, but left git client 2.0.0-beta1 in, submodule (public key) authentication on the agents still doesn't seem to work even though the main repository is checked out just fine :(

{noformat}

> git submodule update --init --recursive XXX
hudson.plugins.git.GitException: Command "git submodule update --init --recursive XXX" returned status code 128:
stdout:
stderr: Cloning into 'XXX'...
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
fatal: Could not read from remote repository.
{noformat}

P.S. I was not able to find "Use credentials from default remote of parent repository" under "Additional Behaviours", maybe for that git plugin 3.0.0-beta1 is needed, but see above: if I install it, then "Additional Behaviours" vanish from the multibranch pipeline job scm settings.

mark.earl.waite@gmail.com (JIRA)

unread,
Jul 6, 2016, 1:15:05 PM7/6/16
to jenkinsc...@googlegroups.com

Yury Zaytsev thanks for detecting that, and thanks for reporting it.

Git plugin 3.0.0-beta1 was released a month ago (changelog). Git plugin 2.5.1 (followed by 2.5.2) was released a few days ago (changelog) with the advanced git behaviors in multibranch pipeline projects (and in literate projects). A new release of git plugin 3.0.0-beta will be needed before the advanced git behaviors will be visible in multibranch pipeline projects with a plugin version that supports submodule authentication.

I hope to release that new version of git plugin 3.0.0-beta within the next 12 hours.
It is loading more messages.
0 new messages