[JIRA] (JENKINS-37557) Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

gentoozoid@gmail.com (JIRA)

unread,

Aug 19, 2016, 12:03:01 PM8/19/16

to jenkinsc...@googlegroups.com

Max P created an issue

Jenkins /

JENKINS-37557

Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

Issue Type:	Bug
Assignee:	Unassigned
Components:	repo-plugin
Created:	2016/Aug/19 4:02 PM
Environment:	Jenkins 2.18, pipeline-plugins, ssh-agent 1.13, repo-plugin 1.10.3
Priority:	Minor
Reporter:	Max P

Same error as in JENKINS-23262 but only in pipeline style jobs. It is not working with ssh-agent and ignore all variables set inside withEnv block (for example http_proxy).

Add Comment

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

anaumann@ultratronik.de (JIRA)

unread,

Dec 23, 2016, 4:57:01 AM12/23/16

to jenkinsc...@googlegroups.com

Andreas Naumann commented on

JENKINS-37557

Re: Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

Same here. Since using credentials is not possible, the SSH-Agent support is crucial. Without it, I cant use this plugin at all and need to checkout in the shell step.. needless to say this is not what Jenkins is about.
Blocker for me!

Add Comment

anaumann@ultratronik.de (JIRA)

unread,

Dec 23, 2016, 4:57:01 AM12/23/16

to jenkinsc...@googlegroups.com

Andreas Naumann updated an issue

Jenkins /

JENKINS-37557

Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

Change By:	Andreas Naumann
Priority:	Minor Critical

Add Comment

thetypz@gmail.com (JIRA)

unread,

May 29, 2018, 4:08:02 AM5/29/18

to jenkinsc...@googlegroups.com

Francois Ferrand commented on

JENKINS-37557

Re: Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

The issue is in function checkout, at line 721, there is a call to Run.getEnvironment() to get tje environment: however, this does fully not work in pipeline. According to this page:

There is no equivalent to AbstractBuild.getBuildVariables() for WorkflowRun (any Groovy local variables are not accessible as such). Also, WorkflowRun.getEnvironment(TaskListener)is implemented, but only yields the initial build environment, irrespective of withEnv blocks and the like.

To overcome this, I see few options:

One approach is a dirty hack in workflow-scm-step (in ScmStep.StepExecutionImpl.run()): wrap the actual Run object with a decorator class, which would simply return the actual environment vars (using StepContext.get(EnvVars.class)) when Run.getEnvironment() is called
A cleaner approach would be to modify the SCM api, so that checkout takes an extra EnvVars parameter: which would be initialized from Run.getEnvironment() is not provided. But this requires changing a core API and the workflow-scm-step plugin...
Finally, a last approach is to integrate the ssh-agent functionallity directly in the repoScm : specify the credentials directly in the SCM configuration and run the agent automatically when required. This side-steps the problem, by not depending on environment variables, but is probably more complicated (and the environment dependency may still be required in other cases)

Jesse Glick, Andrew Bayer : what do you think about this? any advice?

Add Comment

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

thetypz@gmail.com (JIRA)

unread,

May 29, 2018, 7:15:03 AM5/29/18

to jenkinsc...@googlegroups.com

Francois Ferrand edited a comment on

JENKINS-37557

Re: Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

The issue is in function checkout, at line 721, there is a call to Run.getEnvironment() to get tje environment: however, this does fully not work in pipeline. According to [this page|https://jenkins.io/doc/developer/plugin-development/pipeline-integration/#variable-substitutions]:
{quote}There is no equivalent to {{AbstractBuild.getBuildVariables()}} for {{WorkflowRun}} (any Groovy local variables are not accessible as such). Also, {{WorkflowRun.getEnvironment(TaskListener)}}_is_ implemented, but only yields the initial build environment, irrespective of {{withEnv}} blocks and the like.
{quote}

To overcome this, I see few options:

* One approach is a dirty hack in workflow-scm-step (in ScmStep .StepExecutionImpl.run( class ) ) : wrap the actual Run object with a decorator class, which would simply return the actual environment vars (using StepContext.get(EnvVars.class)) when Run.getEnvironment() is called
* A cleaner approach would be to modify the SCM api, so that checkout takes an extra EnvVars parameter: which would be initialized from Run.getEnvironment() is not provided. But this requires changing a core API and the workflow-scm-step plugin...
* Finally, a last approach is to integrate the ssh-agent functionallity directly in the repoScm : specify the credentials directly in the SCM configuration and run the agent automatically when required. This side-steps the problem, by not depending on environment variables, but is probably more complicated (and the environment dependency may still be required in other cases)

[~jglick], [~abayer] : what do you think about this? any advice?

Add Comment

thetypz@gmail.com (JIRA)

unread,

May 29, 2018, 7:47:02 AM5/29/18

to jenkinsc...@googlegroups.com

Francois Ferrand edited a comment on

JENKINS-37557

Re: Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

The issue is in function checkout, at line 721, there is a call to Run.getEnvironment() to get tje environment: however, this does fully not work in pipeline. According to [this page|https://jenkins.io/doc/developer/plugin-development/pipeline-integration/#variable-substitutions]:
{quote}There is no equivalent to {{AbstractBuild.getBuildVariables()}} for {{WorkflowRun}} (any Groovy local variables are not accessible as such). Also, {{WorkflowRun.getEnvironment(TaskListener)}}_is_ implemented, but only yields the initial build environment, irrespective of {{withEnv}} blocks and the like.
{quote}
To overcome this, I see few options:

* One approach is a dirty hack in workflow-scm-step (in ScmStep class): wrap the actual Run object with a decorator class, which would simply return the actual environment vars (using StepContext.get(EnvVars.class)) when Run.getEnvironment() is called

* A cleaner approach would be to modify the SCM api, so that checkout takes an extra EnvVars parameter: which would be initialized from Run.getEnvironment() is not provided. But this requires changing a core API and the workflow-scm-step plugin...

* Finally, a last approach is to integrate the ssh-agent functionallity directly in the repoScm : specify the credentials directly in the SCM configuration and run the agent automatically when required. This side-steps the problem, by not depending on environment variables, but is probably more complicated (and the environment dependency may still be required in other cases) . Or it could be done like the Git plugin, setting SSH_ASKPASS / GIT_ASKPASS depending on the type of credentials. Either these approach may also imly that configuration will be more complicated, as more than one kind of credential may be used (e.g. different key/password for each server referenced in manifest.xml).

[~jglick], [~abayer] : what do you think about this? any advice?

Add Comment

jglick@cloudbees.com (JIRA)

unread,

Jun 5, 2018, 6:46:01 PM6/5/18

to jenkinsc...@googlegroups.com

Jesse Glick commented on

JENKINS-37557

Re: Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

The third. This is an SCM plugin, yes? And it supports SSH-based clones? So it should take a credentialsId potentially of SSH private key type.

Add Comment

thetypz@gmail.com (JIRA)

unread,

Sep 16, 2019, 11:34:07 AM9/16/19

to jenkinsc...@googlegroups.com

Francois Ferrand commented on

JENKINS-37557

Re: Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

I created a pull-request which allows to overcome this, by passing explicitely `getContext(hudson.EnvVars)` when creating the RepoScm object.

https://github.com/jenkinsci/repo-plugin/pull/54

May not be a full solution, but works fine as a stop-gap pending, until support for (multiple) credentials is baked into the plugin.

Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

thetypz@gmail.com (JIRA)

unread,

Nov 19, 2019, 5:08:13 AM11/19/19

to jenkinsc...@googlegroups.com

Francois Ferrand updated

JENKINS-37557

Solution available in repo 1.10 release, by explicitely specifying the 'extraEnvVars' argument:

 
                                                                sshAgent(['gerrit-ssh-credentials-id']) {
  checkout([$class: 'RepoScm', manifestRepositoryUrl: 'ssh://server/project',
            extraEnvVars: getContext(hudson.EnvVars)])
}

Jenkins /

JENKINS-37557

Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

Change By:	Francois Ferrand
Status:	Open Fixed but Unreleased
Assignee:	Francois Ferrand
Resolution:	Fixed
Released As:	https://github.com/jenkinsci/repo-plugin/releases/tag/repo-1.11.0

Add Comment

thetypz@gmail.com (JIRA)

unread,

Nov 19, 2019, 5:08:14 AM11/19/19

to jenkinsc...@googlegroups.com

Francois Ferrand updated

JENKINS-37557

Jenkins /

JENKINS-37557

Permission denied when using repo plugin with ssh-agent plugin in pipeline jobs

Change By:	Francois Ferrand
Status:	Fixed but Unreleased Resolved

Add Comment

Reply all

Reply to author

Forward