Jenkins - git requests for login credentials using Git plugin - jenkins

I have a couple of Jobs that pull code from bitbucket and build it in jenkins.
I'm using Git plugin to specify the repository URL + the git credentials.
Even though I set the credentials in each Job configuration, each time there is a push to bitbucket (that triggers the jenkins job), Mac is asking for "git-credential-osxkeychain wants to use the "login" keychain".
If I enter the password, the job will run and it will not ask again for a couple of hours.
I would like to make it permanent so that message won't be prompted any more.
Any advice? Thank you.

First, that only happens if you are using https URLs, as part of a git credential helper.
Using SSH URLs would bypass that entirely.
If the actual error message is
git-credential-osxkeychain wants to use your confidential information stored in "xxx" in your keychain.
Check out "unable to click always allow on git-credential-osxkeychain popup": delete the bitbucket entry, and do a git ls-remote /url/bitbucket/repo to force the credential helper to ask those credentials again: enter them, then try your Jenkins jobs again.
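An added example, not part of the original answer: it classifies a remote URL by the authentication path git takes for it (HTTPS remotes go through the credential helper, SSH remotes use a key) and prints the SSH form of an HTTPS URL for the job's Repository URL field. The function names and sample URLs are constructed, and the `git` SSH user is an assumption that matches the `git@bitbucket.org` form quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example: which authentication path does git take for a remote URL?
# Function names and sample URLs are constructed for illustration.

auth_path() {
    case $1 in
        http://*|https://*)  echo credential-helper ;;  # e.g. osxkeychain
        ssh://*|git+ssh://*) echo ssh-key ;;
        *://*)               echo other ;;
        *:*)                 # scp-like host:path only if no "/" precedes ":"
            case ${1%%:*} in
                */*) echo local ;;
                *)   echo ssh-key ;;
            esac ;;
        *)                   echo local ;;
    esac
}

# Print the scp-style SSH form of an http(s) URL; other URLs pass through.
# Assumption: the host's SSH user is "git".
https_to_ssh() {
    case $1 in
        http://*|https://*) ;;
        *) printf '%s\n' "$1"; return 0 ;;
    esac
    rest=${1#*://}              # [user[:password]@]host[:port]/path
    case $rest in
        */*) ;;
        *) return 1 ;;          # no repository path: refuse to guess
    esac
    authority=${rest%%/*}
    repopath=${rest#*/}
    host=${authority##*@}       # drop any embedded user or password
    host=${host%%:*}            # drop the HTTPS port; SSH uses its own
    [ -n "$host" ] && [ -n "$repopath" ] || return 1
    printf 'git@%s:%s\n' "$host" "$repopath"
}

# Constructed sample URLs, not real repositories.
for u in 'https://builder@bitbucket.org/team/app.git' \
         'git@bitbucket.org:team/app.git'; do
    printf '%s -> %s (%s)\n' "$u" "$(https_to_ssh "$u")" "$(auth_path "$u")"
done
```

The SSH URL only helps if the Jenkins job also has an SSH key credential whose public half is registered with the repository host.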

Related

Webhook for Jenkins without credentials in URL

I've got a webhook setup in GitLab to detect whenever changes are pushed to the project repo. This works as needed, however the URL in use contains my Jenkins credentials and I'd like to make this more secure. e.g.:
https://username:password@jenkins.url.com/project/git-project
Is there a way to generate a token of sorts in Jenkins instead of providing my username and password?
There are access tokens in GitLab; you can use them. On the Jenkins side, you can install the GitLab plugin and then add new credentials for SSH and GitLab API Token. Please see this and this for more details.

SSH errors with Jenkins git plugin

There are lots of questions on here about Permission denied (publickey) errors when using the Jenkins git plugin.
Can someone explain the authentication flow this plugin uses to check out a repository? I can't find a good description on the plugin page.
I want to just SSH into the build slave, checkout the repository there, then run my job, but clearly that is not how it works.
I guess I could add my credentials to the jenkins master, but I don't want any code there. I want it on my build slave.
The issue has nothing to do with git really. As their documentation states, it relies on the git runtime, which in turn relies on the system environment when it comes to secure connections. SSH requires the client to have a valid key to connect and fails with that message if the client does not provide one. Without any additional actions, the key is not injected into the environment, so the client cannot provide a valid key.
What you can actually use is the SSH Agent plugin. That allows you to add a key to ssh-agent on the slave, which will be picked up by git.

Jenkins to Stash Notifier Plugin error despite correct credentials

I have set up a post build action on Jenkins to notify Stash about the result of the builds. However, I get an error which says:
Failed to notify Stash for commit <sha1> ({"errors":[{"context":null,"message":"CAPTCHA required. Your Stash account has been marked as requiring a CAPTCHA to be solved before you may login again. This is typically caused by too many attempts to login with an incorrect password.\nIf you are currently logged in to Stash via a browser you may need to logout and then log back in in order to clear the CAPTCHA.\n\nVisit Stash at <link> for more details.","exceptionName":null}]})
However, I have set the correct credentials for the Stash repo (under Access Keys) and the private key is on Jenkins. Moreover, when I push a commit into Stash, Jenkins triggers and starts building. So I conclude it's not a credentials issue.
This message indicates your Stash account needs to be unlocked (with the CAPTCHA). Maybe you made some attempts with a wrong password (with Jenkins).
Log into Stash with the relevant account (find out which in the global Jenkins settings), enter the correct CAPTCHA.
It will unlock your account and Jenkins will be able to notify Stash.

Sourcetree add bitbucket with two factor auth

I've enabled two factor authentication for my bitbucket account.
Now the Atlassian Sourcetree app on OS X doesn't work; it is unable to log in to Bitbucket.
How can I configure SourceTree to use Bitbucket two factor auth?
Skip the initial login and from bitbucket.org, click the down arrow next to the repo name (to the left of the ssh/https link) and click 'clone to source tree' and it will work fine assuming you have your ssh keys setup already.
This worked fine for me when I just installed it and ran into the same issue of not allowing me to login initially.
-- update June 2016 --
Bitbucket now allows you to add an app password for specific apps like source tree. It is found under bitbucket settings > access management > app passwords. Once I created one and added the password to my source tree settings then I was able to successfully connect and reconnect to bitbucket to push and pull updates and create new repos.
Madness. Sourcetree supports Github MFA, but not BitBucket :(
Update
@markyk comments that:
The task with Atlassian is "Closed" with no intention of adding support. There is a comment to "use application passwords" as a workaround, which is not ideal.
Original issue (closed)
bitbucket/two-step-verification-777023203.html#Two-stepverification-ConfirmapplicationsuseSSH
Workaround
In practice, this means creating the repo on the bitbucket website, then clicking 'I have an existing project' and copy pasting the revealed git commands into the terminal, like:
cd /path/to/my/repo
git remote add origin git@bitbucket.org:username/repo.git
git push -u origin --all # pushes up the repo and its refs for the first time
git push -u origin --tags # pushes up any tags
Then (after a refresh) Sourcetree will display your new remote.
There's a known bug around SourceTree and 2FA: https://confluence.atlassian.com/bitbucket/two-step-verification-777023203.html#Two-stepverification-Troubleshootingtwo-stepverification
For future reference, the ones who have configured their accounts to use OAuth and ssh to log in, but still run into the "There was an error authenticating the request. The account is configured to use Basic Auth with HTTPS but may have 2FA enabled on the server. Please edit your account to use OAuth."
Go to the main view of Sourcetree (i.e. where you add repositories). Right click your repository and select "Convert to OAuth".
SourceTree for Windows 1.10.x and SourceTree for Mac 2.4.x both now support using OAuth over HTTPS for REST API interactions and Git/Hg calls.
In both cases this means it's possible to turn 2FA on in Bitbucket but continue to use HTTPS rather than SSH for the Git/Hg remote URLs.

How can i use Jenkins with Atlassian Stash?

I've just set up Jenkins and I have some repositories in my Stash.
I installed the "Git plugin" in jenkins.
I can now enter the repository url but there is nothing to enter my credentials.
It's possible using
http://username:password@mydomain/xx/yy.git
but that is something I don't want to do.
What else can I do to authenticate?
I am the author of this stash plugin that might help you: https://github.com/palantir/stashbot
Taking selectively from the readme:
To work with Jenkins, you MUST install the following jenkins plugins first.
Jenkins GIT plugin
Post build task
Next, build and install the plugin using the plugin SDK (more details in the readme)
Next, the stash admin goes into the Stashbot Admin page and creates a jenkins server config - here you give it the URL, username/password, etc details of the jenkins server.
Next, for each repository a "Stashbot CI Admin" link shows up for repo admins. From there you can check the "enabled" checkbox and tell it what branches you want to build (via a regex) and what command it should run to do the build (optionally verifies and publishes).
After this point, the remainder is completely self-service. Any repo admin can ask for their project to "have CI" by filling out that form, and the jobs will automatically be created in the jenkins server.
Hope that helps.
Set up an SSH key for the user that runs your Jenkins builds and add it to the repository's SSH keys in Stash. See the Stash docs for instructions.
Two things to add to Gareth's answer.
While I agree that using SSH keys is definitely better than hard-coding the username/password, it's worth mentioning that Stash (currently) scales better with HTTP when it comes to CI. If you have quite a few builds we generally recommend using HTTP. We are currently extending our Git cache support to support SSH so this is no longer an issue.
Somewhat related, you might be interested in watching and voting for the following feature which will make it easier to create CI specific keys.
Lastly having build icons show up in Stash is surprisingly handy, and you should have a look at the following plugin if you haven't already:
https://github.com/jenkinsci/stashNotifier-plugin
Since version 2.0 of "Git Plugin" for jenkins you should be able to directly add the required credentials for both ssh and username/password (based on credentials plugin).
See changelog of Git plugin: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin#GitPlugin-Changelog for details.
For further integration of git and stash regarding pull requests you additionally need the "Stash Webhook for jenkins" add-on in stash and the "Stash Notifier" plugin for jenkins to connect each other.
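An added example, not part of any answer above: both this question and the GitLab webhook question describe URLs of the form user:password@host. The script below finds such URLs in a directory of job or hook configuration files and prints them with the password masked. The function names are constructed, and scanning a Jenkins home or jobs directory is an assumed use.

```shell
#!/bin/sh
# Added example: find http(s) URLs that carry user:password@ in configuration
# files and print them with the password masked. Names are constructed.

# Succeeds when the URL's authority part contains "user:password@".
url_has_password() {
    case $1 in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}
    case ${rest%%/*} in
        *:*@*) return 0 ;;   # a colon before the "@" means a password is present
        *)     return 1 ;;   # "user@host:8080" has its colon after the "@"
    esac
}

# Print the URL with any embedded password replaced by "***".
redact_url() {
    url_has_password "$1" || { printf '%s\n' "$1"; return 0; }
    rest=${1#*://}
    authority=${rest%%/*}
    tail=${rest#"$authority"}
    printf '%s://%s:***@%s%s\n' "${1%%://*}" "${authority%%:*}" \
        "${authority##*@}" "$tail"
}

# Recursively scan a directory; print "file: redacted-url" for every hit.
scan_for_url_passwords() {
    grep -rEo 'https?://[^/@[:space:]<>"]+:[^/@[:space:]<>"]+@[^[:space:]<>"]+' "$1" |
    while IFS= read -r hit; do
        # grep -o prints "file:match"; split at the first ":http"
        printf '%s: %s\n' "${hit%%:http*}" "$(redact_url "http${hit#*:http}")"
    done
}

# The placeholder URL from this page, shown masked.
redact_url 'https://username:password@jenkins.url.com/project/git-project'
```

Any URL it reports should be replaced by a stored credential or token, and the exposed password rotated.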
