Jenkins, build execute shell, change shell running user on ubuntu - jenkins

I am trying to set up Jenkins on my Ubuntu server.
$ sudo -u otherUser /bin/bash
$ whoami # I expected "otherUser" but it shows "jenkins"
$ start_build_script.sh # This file clones multiple remote repositories
But when cloning with git, the process fails because it clones as the "jenkins" user.
jenkins@repo.com: Permission denied (publickey).
# The public key (for "otherUser") is already added to repo.com
# I want to clone as otherUser@repo.com
I know why this error happens, but unfortunately I cannot add the "jenkins" user to the repository site. So I must use the "otherUser" user.
I can modify files only in my ubuntu server, but I cannot modify anything on remote repository.
How can I change user to others when running build script, instead of "jenkins"?

You can change JENKINS_USER in /etc/sysconfig/jenkins, where all Jenkins-related information is present.
Then shell commands will run as that user on your master.
If running on an agent, you can configure which user the agent connects as.
As of the latest version, the above changes need to be made in "/usr/lib/systemd/system/jenkins"

Related

With GitLab CI/CD, how to have code cloned in a container by user:group 'java:java', instead of 'root'?

In a GitLab repo, I have a Dockerfile with the following lines,
FROM python:alpine
RUN addgroup -S java
RUN adduser -s /bin/bash -S -G java java
USER java
WORKDIR /home/java
so that when the image is instantiated (container running), it will run as user ‘java’.
When GitLab CI/CD clones the project code, however, it is owned by root in directory /home/java.
This is unexpected behavior; I would expect it to be owned by user ‘java’.
How do I get the code to be cloned by user ‘java’, and owned (user:group), by user:group ‘java:java’?
GitLab CI clones the code outside your job container using the gitlab/gitlab-runner-helper docker image (repository for runner helper). If you're running your own executor you can override what helper image is used for cloning the repository to one that clones using a java user though you'd have to make sure that the user/group ID matched in the two containers to prevent issues. This would also mean you're maintaining your own extended runner helper and you couldn't use the shared runners hosted by GitLab.
You have an alternate possible approach though I wouldn't recommend it: You could set your git strategy to not clone your repo, then clone it in a before_script: action within your job container, which would cause it to clone with your java user. However this will only clone the repository within that one job, so you'd have to repeat yourself across every job which would violate DRY all over the place.
Generally though, I'd agree with David that having the code owned by root is fine in this case unless you have a specific reason to change
Projects in GitLab are cloned with the GitLab runner helper image, which is using root. It will also use umask 0000 to avoid permission issues, if data is cached.
See this GitLab issue for more details.
To fix your issue, add an environment variable:
FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR=true
This will disable the umask usage and the runner tries to get UID and GID from the image of the build container.

Why am I unable to configure ssh keys to read a Gerrit repo from Jenkins?

I am in the process of trying to migrate Gerrit and Jenkins to a new datacenter. I have successfully installed the applications on their new hardware, but am having difficulty getting Jenkins to read from a Gerrit repository on the same server.
As the Jenkins user already existed on the server, I updated its ssh keys using one I generated from my account on my laptop (pablo@mena-xps), using the following command:
cat ~/.ssh/id_rsa.pub | ssh -p 29418 pmena@gerrit_host gerrit set-account --add-ssh-key - jenkins
I confirmed that I am able to use this key to interrogate gerrit from my laptop:
pablo@mena-xps=> ssh -p 29418 pmena@gerrit_host gerrit version
gerrit version 2.10
On the Jenkins server, I added the private key under "Credentials" and then configured the specific job to use that key to access a specific gerrit repo. That returns the following error in the GUI:
Failed to connect to repository : Command "git -c core.askpass=true ls-remote -h ssh://gerrit_host:29418/my_repo HEAD" returned status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
How do I go about troubleshooting this issue? Thank you in advance.
To make a long story short, this issue is resolved. The Jenkins account on Gerrit was removed and recreated, after which I was able to successfully push the ssh key pair.

How to configure Git in Jenkins using windows platform

I'm trying to configure the git repository in Jenkins. I followed all the steps in the GitHub documentation, but I got the error below in my application.
I've configured the agent, then I put the ssh url on jenkins.
I've configured the ssh on github as well.
Failed to connect to repository : Command "git ls-remote -h -- git@github.com:user/maven-project.git HEAD" returned status code 128:
stdout:
stderr: git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists
The issue was solved this way:
In Windows, Jenkins will use the SSH key of the user it is running as, which is located in the %USERPROFILE%\.ssh folder (on XP, that would be C:\Documents and Settings\USERNAME\.ssh, and on 7 it would be C:\Users\USERNAME\.ssh). Therefore, you need to force Jenkins to run as the user that has the SSH key configured. To do that, right click on My Computer, and hit "Manage". Click on "Services". Go to Jenkins, right click, and select "Properties". Under the "Log On" tab, choose the user Jenkins will run as, and put in the username and password (it requires one). Then restart the Jenkins service by right clicking on Jenkins (in the services window), and hit "Restart".
Jenkins does not support passphrases for SSH keys. Therefore, if you set one while running the initial Github configuration, rerun it and don't set one.
I'm going to say you don't have the credentials configured properly as you did not mention that.
A similar Stack Overflow response is here, for a slightly different worded error. Similar issue here.
The Jenkins site and others have good examples on setting up Jenkins with GitHub.

Run ansible using Jenkins

I created a job in jenkins and I want to build the project using ansible. I want to run my command on several host (that's why I use ansible). When I try to run the project it fails with some permission error:
/home/ubuntu/install.sh -s -U ubuntu -f 5
FATAL: command execution failed
java.io.IOException: Cannot run program "/usr/bin/ansible" (in directory "/var/lib/jenkins/jobs/Standard Demo/workspace"): error=13, Permission denied
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1047)
at hudson.Proc$LocalProc.<init>(Proc.java:244)
at hudson.Proc$LocalProc.<init>(Proc.java:216)
Do you know what the problem is? I am logged into the jenkins server as admin user.
This is not an Ansible problem, it is a configuration issue in Jenkins. As others have noted, by default Jenkins will run as a "normal user" (typically jenkins). That is the user that jobs and steps (including shell scripts like the one you're calling) will run as. In your case, this user does not have sufficient permissions to run Ansible.
I don't recommend changing this default user because a. there are good security reasons for this setup, and b. it can actually be complex to do right, because you would have to address permissions issues for all of Jenkins to match the new user. However, it's quite easy to do things like run sudo from within a Script build step. Just use that tool (and a properly configured /etc/sudoers) to gain the permissions you need during the build.
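
The sudo approach recommended above, applied to the first question on this page (run one build script as otherUser while the Jenkins service stays jenkins), as an added example that is not part of the original answers. The account names come from that question; the script path /usr/local/bin/start_build_script.sh is an assumption.

```shell
#!/bin/sh
# Added example. Assumed names: "jenkins" is the CI service account,
# "otherUser" owns the deploy key, and the script path is hypothetical.

# Accept only plain account names (no metacharacters, not the ALL keyword).
is_safe_name() {
    case $1 in ''|ALL|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Accept only absolute paths without wildcards, spaces, commas or "..".
is_safe_path() {
    case $1 in /*) ;; *) return 1 ;; esac
    case $1 in */|*..*|*[!A-Za-z0-9_./-]*) return 1 ;; esac
}

# Print a rule letting CI_USER ($1) run exactly CMD ($3) as RUN_AS ($2)
# without a password. The trailing "" makes sudo refuse any arguments.
render_sudoers_rule() {
    is_safe_name "$1" && is_safe_name "$2" && is_safe_path "$3" || return 1
    printf '%s ALL=(%s) NOPASSWD: %s ""\n' "$1" "$2" "$3"
}

# Succeed only if PATH ($1) is not owned by CI_USER ($2) and is not
# group- or world-writable (checked on the mode string printed by ls).
not_writable_by_ci() {
    _meta=$(ls -ld -- "$1") || return 1
    [ "$(printf '%s\n' "$_meta" | awk '{print $3}')" != "$2" ] || return 1
    case ${_meta%% *} in ?????w*|????????w*) return 1 ;; esac
}

# The rule is only as narrow as the script is tamper-proof: if the CI user
# can rewrite the script, or replace it in its directory, the rule grants
# everything RUN_AS can do.
script_is_tamper_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    not_writable_by_ci "$1" "$2" && not_writable_by_ci "$(dirname "$1")" "$2"
}

# Render to stdout for review. To install, write the line to a file under
# /etc/sudoers.d/ with mode 0440 once `visudo -cf <file>` accepts it.
render_sudoers_rule jenkins otherUser /usr/local/bin/start_build_script.sh
```

With the rule installed, the build step calls `sudo -u otherUser /usr/local/bin/start_build_script.sh` and everything else in the job keeps running as jenkins.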

After changing Mercurial url in hgrc, jenkins stuck on pull

My repository url was changed so I updated hgrc file with new url. I also updated new url in jenkins job.
Now when I am building the job, it hangs with the following output
-----------------Console Output-------------------
Started by user user123
Building in workspace D:\jenkins\jobs\api\workspace
[workspace] $ "C:\Program Files\TortoiseHg\hg.exe" showconfig paths.default
[workspace] $ "C:\Program Files\TortoiseHg\hg.exe" pull --rev branch
And it will never move forward. If I run the same command on cmd
"C:\Program Files\TortoiseHg\hg.exe" pull --rev branch
It works fine with following output
pulling from ssh://repos-url/repos-name
no changes found
But jenkins hangs on this command. Need some help to move forward.
Thank you
It sounds to me more a jenkins configuration question than a mercurial one :)
Are you talking about the identical clone of the repository? Does the jenkins user have read permissions on the repository it pulls from? Is it configured to pull via ssh, too and does it have the necessary ssh credentials? Or, if pulling via http, is hgweb running on the repo or another webserver to support hg?
Also, unless your project is called 'api', the URL looks strange to me: Jenkins (by default) has its clones in /jenkins-home-directory/jobs/projectname/workspace
As I mentioned in my question, I recently changed the repository url. The issue was that the new server's key was not cached in the registry where jenkins was hosted.
Resolution:
I logged in to the administrator account (same account used by jenkins) on my server through RDP and on the other side I started building the job in jenkins. When the console output came to this line
[workspace] $ "C:\Program Files\TortoiseHg\hg.exe" pull --rev branch
RDP window showed me an alert which was
Putty Security Alert
I pressed Yes and I saw jenkins console is now progressing and build was successful after that.
