There are lots of question on here about Permission denied (publickey) errors when using the Jenkins git plugin.
Can someone explain the authentication flow this plugin uses to check out a repository? I can't find a good description on the plugin page.
I want to just SSH into the build slave, checkout the repository there, then run my job, but clearly that is not how it works.
I guess I could add my credentials to the jenkins master, but I dont want any code there. I want it on my build slave.
Issue has nothing to do with git really. As their documentation states, it relies on git runtime which in its turn relies on system environment when it comes to secure connections. Ssh requires client to have valid key to connect and fails to that message if client does not provide one. Without any additional actions, key is not injected into environment, so client could not provide any valid key.
What you actually can use is ssh agent plugin. That allows to add key to ssh-agent on slave that will be catched up by git.
Related
I'm trying to configure the git repository in Jenkins, I followed all steps on github documentation but I had the bellow error on my application .
I've configured the agent, then I put the ssh url on jenkins.
I've configured the ssh on github as well.
Failed to connect to repository : Command "git ls-remote -h -- git#github.com:user/maven-project.git HEAD" returned status code 128:
stdout:
stderr: git#github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists
The issue was solved that way
In windows, Jenkins will use the the SSH key of the user it is running as, which is located in the %USERPROFILE%.ssh folder ( on XP, that would be C:\Documents and Settings\USERNAME.ssh, and on 7 it would be C:\Users\USERNAME.ssh). Therefore, you need to force Jenkins to run as the user that has the SSH key configured. To do that, right click on My Computer, and hit "Manage". Click on "Services". Go to Jenkins, right click, and select "Properties". Under the "Log On" tab, choose the user Jenkins will run as, and put in the username and password (it requires one). Then restart the Jenkins service by right clicking on Jenkins (in the services window), and hit "Restart".
Jenkins does not support passphrases for SSH keys. Therefore, if you set one while running the initial Github configuration, rerun it and don't set one.
I'm going to say you don't have the credentials configured properly as you did not mention that.
A similar Stack Overflow response is here, for a slightly different worded error. Similar issue here.
The Jenkins site and others have good examples on setting up Jenkins with GitHub.
I have a couple of Jobs that pull code from bitbucket and build it in jenkins.
I'm using Git plugin to specify the repository URL + the git credentials.
Even though I set the credentials in each Job configuration, each time there is a push to bitbucket(that triggers the jenkins job), Mac is asking for "git-credential-osxkeychain wants to user the "login" keychain".
If I enter the password, the job will run and it will not ask again for a couple of hours.
I would like to make it permanent so that message won't be prompted any more.
Any advice ? thank you.
First, that only happens if you are using https URLs, as part of a git credential helper.
Using SSH URLs would bypass that entirely.
If the actual error message is
git-credential-osxkeychain wants to use your confidential information stored in "xxx" in your keychain.
Check out "unable to click always allow on git-credential-osxkeychain popup": delete the bitbucket entry, and do a git ls-remote /url/bitbucket/repo to force the credential helper to ask those credentials again: enter them, then try your Jenkins jobs again.
When I try to run my build on a slave node using jenkins I get the following error:
Could not find a suitable ssh-agent provider
Does anyone know why and how I can avoid the error?
Assuming you've installed Windows Git on Windows slave, it comes with ssh-agent binary (e.g. C:\Program Files\Git\usr\bin). Try adding its path to system variable PATH.
Alternatively generate personal API token (OAuth) for that GitHub user and specify along with your repository address, e.g.
git clone https://4UTHT0KEN#github.com/foo/bar
If you have Windows slave and SSH Credentials plugin that is because Windows doesn't provide ssh-agent. If you're using SSH Credentials plugin for provide key to git to check out a repo in comand-line step, you can provide key to git client on each agent (because git have ssh-agent). If your case not that I supposed, you need to follow steps described here in second comment.
I've just setup Jenkins and i have some Repositories in my Stash.
I installed the "Git plugin" in jenkins.
I can now enter the repository url but there is nothing to enter my credentials.
It's possible using
http://username:password#mydomain/xx/yy.git
but that is something i dont want to do.
What else can i do to authenticate?
I am the author of this stash plugin that might help you: https://github.com/palantir/stashbot
Taking selectively from the readme:
To work with Jenkins, you MUST install the following jenkins plugins first.
Jenkins GIT plugin
Post build task
Next, build and install the plugin using the plugin SDK (more details in the readme)
Next, the stash admin goes into the Stashbot Admin page and creates a jenkins server config - here you give it the URL, username/password, etc details of the jenkins server.
Next, for each repository a "Stashbot CI Admin" link shows up for repo admins. From there you can check the "enabled" checkbox and tell it what branches you want build (via a regex) and what command it should run to do the build (optionally verifies and publishes).
After this point, the remainder is completely self-service. Any repo admin can ask for their project to "have CI" by filling out that form, and the jobs will automatically be created in the jenkins server.
Hope that helps.
Set up an SSH key for the user that runs your Jenkins builds and add it to the repository's SSH keys in Stash. See the Stash docs for instructions.
Two things to add to Gareth's answer.
While I agree that using SSH keys are definitely better than hard-coding the username/password, it's worth mentioning that Stash (currently) scales better with HTTP when it comes to CI. If you have quite a few builds we generally recommend using HTTP. We are currently extending our Git cache support to support SSH so this no longer an issue.
Somewhat related, you might be interested in watching and voting for the following feature which will make it easier to create CI specific keys.
Lastly having build icons show up in Stash is surprisingly handy, and you should have a look at the following plugin if you haven't already:
https://github.com/jenkinsci/stashNotifier-plugin
Since version 2.0 of "Git Plugin" for jenkins you should be able to directly add the required credentials for both ssh and username/password (based on credentials plugin).
See changelog of Git plugin: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin#GitPlugin-Changelog for details.
For further integration of git and stash regarding pull requests you additionally need the "Stash Webhook for jenkins" add-on in stash and the "Stash Notifier" plugin for jenkins to connect each other.
We are using Hudson as a CI tool. At present we are needed to use Jenkins, to deploy the build to Stage, Prod environment. What is the best aproach we should follow.
I know about promote buld plugin, but the issue is authentication. I want whevener we need to promote a build to deploy to Stage or Prod, it should ask for netqwork credential first. And then the promote job should execute the Batch command using the creadential supplied. At present, the promote plugin, runs using the credentials which the Tomcat server is configured to run.
Same issue with Build Pipeline plugin.
I want only dev or even hudson admin also should not be able to execute the promote build unless credential supplied. (We have windows 2008 r2 OS)
Can you please help me in resolving the issue. so that basically whenever a user click on Promote build to QA\Stage\Prod the plugin should ask for credential or should use the logged on users credential and execute the batch script using the logged users credential only and not by using the credentials of the account with which the tomcat server is configured.
Can you please help me?
Please suggests us the best aproach for making automated build on prod\stage.
For deployment I normally use SSH, Private/Public keys takes care of the authentication problems normally associated with running commands on other servers.
SSH is normally associated with unix based systems, but it does support windows.
Finally, I would recommend considering decoupling your build system (jenkins) from the system performing the deployment by using an intermediate repository. See the following answer for more details:
Jenkins : how to check out artifact from Nexus and Deploy on Tomcat-