Jenkins on docker, SSH credentials for SCM does not seems to work #1968

Open
maclarensg opened this issue Dec 11, 2024 · 2 comments

@maclarensg

Jenkins and plugins versions report

Environment
ant:511.v0a_a_1a_334f41b_
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7.1-97.v4cc844130d97
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1200.v4b_a_3da_2eb_db_4
build-timeout:1.33
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.963.v6edc0fc71472
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
credentials:1389.vd7a_b_f5fa_50a_2
credentials-binding:687.v619cb_15e923f
dark-theme:514.va_3ea_73d65dc1
display-url-api:2.209.v582ed814ff2f
durable-task:581.v299a_5609d767
echarts-api:5.5.1-4
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1861.vdb_d991590994
font-awesome-api:6.6.0-2
git:5.6.0
git-client:6.1.0
github:1.40.0
github-api:1.321-478.vc9ce627ce001
github-branch-source:1807.v50351eb_7dd13
gradle:2.13.1
gson-api:2.11.0-85.v1f4e87273c33
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
jaxb:2.3.9-1
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
joda-time-api:2.13.0-93.v9934da_29b_a_e9
jquery3-api:3.7.1-2
json-api:20240303-101.v7a_8666713110
json-path-api:2.9.0-118.v7f23ed82a_8b_8
junit:1311.v39e1716e4eb_e
ldap:770.vb_455e934581a_
mailer:489.vd4b_25144138f
matrix-auth:3.2.3
matrix-project:840.v812f627cb_578
metrics:4.2.21-458.vcf496cb_839e4
mina-sshd-api-common:2.14.0-133.vcc091215a_358
mina-sshd-api-core:2.14.0-133.vcc091215a_358
okhttp-api:4.11.0-181.v1de5b_83857df
pam-auth:1.11
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:61.v629f2cc41d83
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:382.vb_9a_27b_7b_ea_71
pipeline-groovy-lib:744.v5b_556ee7c253
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2218.v56d0cda_37c72
pipeline-model-definition:2.2218.v56d0cda_37c72
pipeline-model-extensions:2.2218.v56d0cda_37c72
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2218.v56d0cda_37c72
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:5.1.0
resource-disposer:0.25
scm-api:698.v8e3b_c788f0a_6
script-security:1369.v9b_98a_4e95b_2d
snakeyaml-api:2.3-123.v13484c65210a_
ssh-credentials:349.vb_8b_6b_9709f5b_
ssh-slaves:2.973.v0fa_8c0dea_f9f
structs:338.v848422169819
theme-manager:262.vc57ee4a_eda_5d
timestamper:1.28
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:4000.v5198556e9cea_
workflow-durable-task-step:1398.vf6c9e89e5988
workflow-job:1472.ve4d5eca_143c4
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:936.v9fa_77211ca_e1
ws-cleanup:0.48

What Operating System are you using (both controller, and any agents involved in the problem)?

I used two separate machines to test:

  1. Microsoft Windows 11 Pro (10.0.26100 Build 26100) with WSL(Ubuntu 24.04) - Snapdragon X Elite
  2. Ubuntu 24.04 - AMD Ryzen 7 5800H

Reproduction steps

Steps to reproduce the problem

The following is what I have set up for my homelab

services:
  jenkins:
    image: jenkins/jenkins:lts
    container_name: jenkins
    ports:
      - "8080:8080"       # Jenkins web interface
      - "50000:50000"     # For inbound Jenkins agents
    volumes:
      - jenkins_home:/var/jenkins_home
    restart: unless-stopped

volumes:
  jenkins_home:
    driver: local

Setting up credential steps and Issue

  1. I generate a pair of ssh keys using ssh-keygen -t ed25519 -C "[email protected]"

  2. Push the public key (~/.ssh/id_ed25519.jenkins.pub) to my gitlab settings.

  3. Test the key. GIT_SSH_COMMAND='ssh -i ~/.ssh/id_ed25519.jenkins' git clone [email protected]:<path_to>/myrepo.git and it works.

  4. Go to Dashboard (http://localhost:8080), Manage Jenkins, Credentials.

  5. Under System, Global domain, Add credentials.

  6. Under Scope: Global, Id: git-jenkins, description: git-jenkins, username: [email protected] (for this I followed this video; I also tried git).

  7. Copy and Paste my private key (~/.ssh/id_ed25519.jenkins). I tried both on my linux and windows machine. Save.

  8. When I create a freestyle project, at the SCM section, I paste in the same git URI which I tested in step 3, and select the credentials from Step 7.

Expected Results

Should be able to clone the project/repo with SSH credentials stored.

Actual Results

Failed to connect to repository : Command "git ls-remote -h -- [email protected]:<path to>/myrepo.git HEAD" returned status code 128:
stdout:
stderr: [email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Anything else?

Debugging with console script

In my script console, I run the following

import jenkins.model.*
import hudson.util.Secret
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.domains.*

def credentialsStore = Jenkins.instance.getExtensionList('com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.store

def providedPrivateKey = """
-----BEGIN OPENSSH PRIVATE KEY-----
MyPrivateKeyContentHere
-----END OPENSSH PRIVATE KEY-----
""".trim()
  
println "Scanning Global Domain in System Store..."

credentialsStore?.getCredentials(Domain.global())?.each { cred ->
    println "ID: ${cred.id}"
    println "Description: ${cred.description}"
    
    if (cred instanceof com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey) {
        println "Username: ${cred.username}"
        println "Private Key: ${cred.privateKey}"
        println "Passphrase: ${Secret.toString(cred.passphrase)}"
      	
        def storedPrivateKey = cred.privateKey?.trim()
        
        if (storedPrivateKey == providedPrivateKey) {
            println "Match found for Credential ID: ${cred.id}"
        } else {
            println "No match for Credential ID: ${cred.id}"
        }
    }
    println "-------------------------"
}

and my result

Scanning Global Domain in System Store...
ID: jenkins
Description: jenkins
Username: git
Private Key: -----BEGIN OPENSSH PRIVATE KEY-----
MyPrivateKeyContentHere
-----END OPENSSH PRIVATE KEY-----

Passphrase: 
Match found for Credential ID: jenkins
-------------------------
Result: [com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey@99ee54b6]

The key in my credentials store matches the one I try to compare with. So I have now ascertained that the key is indeed correct, but somehow the keys are not used properly from the store.

Are you interested in contributing a fix?

No response
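
A variant of the script-console comparison from the "Debugging with console script" section, as an added example that is not part of the original post or of the Jenkins project: it compares a SHA-256 digest of the key body instead of pasting and printing the private key and passphrase, and reports line-ending details (carriage returns, trailing newline) that the printed output does not show. The `bodyDigest` helper and the `expectedDigest` placeholder are assumptions made for illustration.

```groovy
// Added example for the Jenkins script console; not code from the issue.
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import com.cloudbees.plugins.credentials.domains.Domain
import java.security.MessageDigest
import jenkins.model.Jenkins

// Hypothetical helper: SHA-256 over the base64 body only, so the BEGIN/END
// lines, CR/LF differences and surrounding blanks cannot change the result.
def bodyDigest = { String pem ->
    def body = pem.readLines().findAll { !it.trim().startsWith('-----') }.join('')
    body = body.replaceAll(/\s/, '')
    def hash = MessageDigest.getInstance('SHA-256').digest(body.getBytes('US-ASCII'))
    hash.encodeHex().toString()
}

// Placeholder: hex digest computed on the workstation that holds the key, e.g.
//   grep -v '^-----' ~/.ssh/id_ed25519.jenkins | tr -d ' \r\n' | sha256sum
def expectedDigest = 'PASTE_LOCAL_DIGEST_HERE'

// Same store lookup as the script in the issue.
def store = Jenkins.instance.getExtensionList(
        'com.cloudbees.plugins.credentials.SystemCredentialsProvider')[0]?.store
def sshCreds = store?.getCredentials(Domain.global())?.findAll {
    it instanceof BasicSSHUserPrivateKey
}

sshCreds?.each { cred ->
    cred.privateKeys.each { String key ->
        def digest        = bodyDigest(key)
        def hasCr         = key.contains('\r')   // CRLF line endings from a paste
        def endsWithLf    = key.endsWith('\n')   // final newline after END line
        def hasPassphrase = cred.passphrase?.plainText ? true : false
        println "ID:               ${cred.id}"
        println "Username:         ${cred.username}"
        println "Passphrase set:   ${hasPassphrase}"
        println "Contains CR:      ${hasCr}"
        println "Ends with LF:     ${endsWithLf}"
        println "Body SHA-256:     ${digest}"
        println "Matches expected: ${digest == expectedDigest}"
        println '-------------------------'
    }
}
null  // keep the console "Result:" line free of credential objects
```

Only the digest and boolean flags reach the script console output, so the result can be pasted into a public issue without exposing key material.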

@maclarensg

bump on issue?
