SSH agent uses username 'jenkins' instead of the one configured in the credential


DexterMagnific

Sep 17, 2019, 6:27:07 AM
to Jenkins Users
Hi all,

I have big troubles making 'git' commands inside a pipeline file.

I have the following command:

  stage('Download test database') {
      steps {
        // load the key of the given Jenkins credential into an ssh-agent for the enclosed steps
        sshagent(credentials: ['aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee']) {
          sh 'git submodule update --init --recursive'
        }
      }
  }

The problem is that git is called with the user 'jenkins' instead of the one that is specified inside the credential (which is 'jenkins-serv'). I get a "permission denied" from the git server.

[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Download test database)
[Pipeline] sh
+ git submodule update --init --recursive
Cloning into '/var/lib/jenkins/workspace/MyProject/testDB'...
jenkins@192.168.20.23: Permission denied (publickey).
fatal: Could not read from remote repository.


Did I miss something in the pipeline setup?

Thanks

Mark Waite

Sep 18, 2019, 8:19:55 PM
to Jenkins Users
If you're running an outdated version of the git client plugin and a newer version of OpenSSH (7.7 and later), then you might be encountering https://issues.jenkins-ci.org/browse/JENKINS-50573 .  Git plugin versions prior to 

If you're running the current git client plugin (2.8.6) or running an OpenSSH older than 7.7, then you might be mistakenly using an http or https protocol URL.  The ssh protocol is either ssh://hostname/dir/path or username@hostname:dir/path.  `git remote -v` will report the URL of the remote in that repository.



--
Thanks!
Mark Waite

DexterMagnific

Sep 19, 2019, 3:56:38 AM
to Jenkins Users
Thank you for your response.

I'm afraid I'm using the latest Git client plugin: 2.8.6, and also the right protocol (ssh): the SCM checkout went well when running the pipeline on the parent repo. Our test database is a submodule of the repository and we only clone it if the build is OK, hence the stage "download test db":

jenkins@192.168.20.23: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'ssh://192.168.20.23:29418/testDB' into submodule path '/var/lib/jenkins/workspace/MyProject/testDB' failed
Failed to clone 'testDB'. Retry scheduled

You see that I did not include a URL in the git command because I only want to check out the submodules.

Regarding OpenSSH, I think I'm up to date; I'm using the latest Ubuntu 18.04 packages.



Mark Waite

Sep 20, 2019, 9:42:17 AM
to Jenkins Users

The URL in the output, 'ssh://192.168.20.23:29418/testDB', indicates that the username is not included in the URL.  In the absence of a user name in the URL, the user name of the current user is used.  That is standard git and ssh behavior, not something that the git plugin controls.
 


--
Thanks!
Mark Waite

DexterMagnific

Sep 20, 2019, 11:24:21 AM
to Jenkins Users
I do not agree with this since this perfectly works in a standalone command line, outside Jenkins.
The fact is that the submodule URL is like this:

[submodule "testDB"]
        path = testDB
        url = ../testDB

The path is relative to the "parent" repository URL (git supports this well). This allows us not to provide usernames inside the submodule definitions, so that every user who clones the parent can get the submodule using their own username.

The .gitconfig is like this:

[remote "origin"]
        url = ssh://m...@192.168.20.23:29418/MyProject
        fetch = +refs/heads/*:refs/remotes/origin/*


After the user "me" cloned the project, the submodule cloning will reuse its username, and this is the standard git behavior.

So the git plugin is changing something that forces the git user switch at some time.
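
The two behaviours discussed in this thread, shown side by side as an added example that is not part of the original posts: git resolving the relative `../testDB` submodule URL against `remote.origin.url`, and ssh falling back to the local account name when the resulting URL carries no user. Host, port and repository names are the ones quoted above; the `jenkins-serv@` origin URL and the gitlink object id are constructed, and the helper names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Host, port and repository names are the ones quoted in the
# thread; the 'jenkins-serv@' origin URL is constructed for comparison.

# Print the URL 'git submodule init' records for the relative '../testDB'
# entry when the parent's origin is $1. Nothing is fetched.
resolved_submodule_url() {
  local origin_url=$1 repo rc
  repo=$(mktemp -d) || return 1
  (
    cd "$repo" || exit 1
    git init -q .
    git remote add origin "$origin_url"
    printf '[submodule "testDB"]\n\tpath = testDB\n\turl = ../testDB\n' > .gitmodules
    # A gitlink entry makes the submodule visible to 'git submodule init';
    # the object id is a constructed placeholder.
    git update-index --add --cacheinfo \
      160000,1111111111111111111111111111111111111111,testDB
    git submodule --quiet init >/dev/null 2>&1
    git config --get submodule.testDB.url
  )
  rc=$?
  rm -rf "$repo"
  return "$rc"
}

# Print the user name ssh would present for an ssh:// URL: the one in the
# URL, else the local account (assuming no 'User' line in ssh_config).
ssh_user_for() {
  local rest=${1#ssh://} authority
  authority=${rest%%/*}
  case $authority in
    *@*) printf '%s\n' "${authority%%@*}" ;;
    *)   id -un ;;
  esac
}

for origin in 'ssh://jenkins-serv@192.168.20.23:29418/MyProject' \
              'ssh://192.168.20.23:29418/MyProject'; do
  sub=$(resolved_submodule_url "$origin")
  printf 'origin=%s\n  submodule=%s\n  ssh user=%s\n' \
    "$origin" "$sub" "$(ssh_user_for "$sub")"
done
```

Running `git config --get remote.origin.url` in the job's workspace shows which of the two cases applies to a given checkout.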

