Master Node <> Worker Node: SSH relationship

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Master Node <> Worker Node: SSH relationship

Thor Waway
Hello, 

I am having a hard time understanding the relationship between master and worker nodes - specifically, how things work with git. 

The way I understand things at the moment, Master Node is able to pass-on/share ssh keys and passphrases with worker nodes via Credential Plugin. This is why worker nodes are able to run git clone and git init in the repos sent to them from the Master Node. Is this correct? 

If so, I would like to understand why this: 
      steps{
        sh
('git remote -v')
        sshagent
(credentials: ['some-cred']) {
          sh
('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
          sh
('git push origin HEAD:development --tags')
       
}
     
}

 produces the errors below: 


[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git remote -v
origin
https://github.com/OrgName/SampleRepo.git (fetch)
origin
https://github.com/OrgName/SampleRepo.git (push)
[Pipeline] sshagent
FATAL
: [ssh-agent] Could not find specified credentials
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh
-agent
SSH_AUTH_SOCK
=/tmp/ssh-5mWVQddQ47JG/agent.4864
SSH_AGENT_PID
=4866
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git tag -a feature-jenkinsfile.19 -m git sha is a12ea59545db96fc8681dbdd5d44923108c01b40
[Pipeline] sh
$ ssh
-agent -k
unset SSH_AUTH_SOCK
;
unset SSH_AGENT_PID
;
echo
Agent pid 4866 killed;
[ssh-agent] Stopped.
[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git push origin +refs/heads/feature-jenkinsfile --tags
error
: src refspec refs/heads/feature-jenkinsfile does not match any.
error
: failed to push some refs to 'https://github.com/OrgName/SampleRepo.git'
Is this because I am using ssh as opposed to https? I am not sure. 

When I attempt to switch to https protocol by making use of withCredentials() function: 
steps{
  sh
('git remote -v')
  withCredentials
([string(credentialsId:'github-org-credential')]) {
    sh
('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
    sh
('git push origin HEAD:development --tags')
 
}
}



I get this error:
org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: Credentials 'github-org-credential' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:164) at org.jenkinsci.plugins.credentialsbinding.impl.StringBinding.bindSingle(StringBinding.java:62) at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:150) at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114) at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224) at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150) at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108) at sun.reflect.GeneratedMethodAccessor440.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022) at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)


I am confused. I don't understand where/how git authentication happens.  Also when do we use sshagent vs credential plugins? 

Appreciate any feedback/insight. Thank you

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/f369e901-5d94-4b01-b408-789e7f460937%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Master Node <> Worker Node: SSH relationship

Mark Waite-2


On Sunday, October 8, 2017 at 12:38:31 PM UTC-6, Thor Waway wrote:
Hello, 

I am having a hard time understanding the relationship between master and worker nodes - specifically, how things work with git. 

The way I understand things at the moment, Master Node is able to pass-on/share ssh keys and passphrases with worker nodes via Credential Plugin. This is why worker nodes are able to run git clone and git init in the repos sent to them from the Master Node. Is this correct? 

Yes, that is correct.
 

If so, I would like to understand why this: 
      steps{
        sh
('git remote -v')
        sshagent
(credentials: ['some-cred']) {
          sh
('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
          sh
('git push origin HEAD:development --tags')
       
}
     
}

 produces the errors below: 


[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git remote -v
origin
<a onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" href="https://github.com/GashiandKinks/GK-Front.git" target="_blank" rel="nofollow">https://github.com/OrgName/SampleRepo.git (fetch)
origin
<a onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" href="https://github.com/GashiandKinks/GK-Front.git" target="_blank" rel="nofollow">https://github.com/<a onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" href="https://github.com/GashiandKinks/GK-Front.git" target="_blank" rel="nofollow">OrgName/SampleRepo.git (push)
[Pipeline] sshagent
FATAL
: [ssh-agent] Could not find specified credentials
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh
-agent
SSH_AUTH_SOCK
=/tmp/ssh-5mWVQddQ47JG/agent.4864
SSH_AGENT_PID
=4866
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git tag -a feature-jenkinsfile.19 -m git sha is a12ea59545db96fc8681dbdd5d44923108c01b40
[Pipeline] sh
$ ssh
-agent -k
unset SSH_AUTH_SOCK
;
unset SSH_AGENT_PID
;
echo
Agent pid 4866 killed;
[ssh-agent] Stopped.
[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git push origin +refs/heads/feature-jenkinsfile --tags
error
: src refspec refs/heads/feature-jenkinsfile does not match any.
error
: failed to push some refs to '<a onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" href="https://github.com/GashiandKinks/GK-Front.git" target="_blank" rel="nofollow">https://github.com/<a onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FGashiandKinks%2FGK-Front.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEeu0Z-2ioiLEmk_1FEv1ZO2kzTIw&#39;;return true;" href="https://github.com/GashiandKinks/GK-Front.git" target="_blank" rel="nofollow">OrgName/SampleRepo.git'
Is this because I am using ssh as opposed to https? I am not sure. 


Yes, the ssh agent will only authenticate access which uses ssh protocol.  You're using https protocol in that URL.  The ssh credentials won't be used.

You could switch to clone with ssh protocol, or you could define a "push URL" for that remote using ssh protocol.  Clone and fetch would then continue to use https, while push would use ssh.

The git plugin does not (yet) directly support the concept of a push URL, but command line git does.  Refer to https://git-scm.com/docs/git-push for the "pushurl" description.

 
When I attempt to switch to https protocol by making use of withCredentials() function: 
steps{
  sh
('git remote -v')
  withCredentials
([string(credentialsId:'github-org-credential')]) {
    sh
('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
    sh
('git push origin HEAD:development --tags')
 
}
}



I get this error:
org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: Credentials 'github-org-credential' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:164) at org.jenkinsci.plugins.credentialsbinding.impl.StringBinding.bindSingle(StringBinding.java:62) at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:150) at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114) at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224) at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150) at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108) at sun.reflect.GeneratedMethodAccessor440.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022) at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)


I am confused. I don't understand where/how git authentication happens.  Also when do we use sshagent vs credential plugins? 

I think that is failing because your call to withCredentials is using the wrong syntax.  Refer to https://www.cloudbees.com/blog/workflow-integration-credentials-binding-plugin for an example.

Mark Waite
 

Appreciate any feedback/insight. Thank you

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c0f8e0ec-e153-4474-b2e2-c706094053e0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Master Node <> Worker Node: SSH relationship

Thor Waway
Hi Mark!  Thanks for the feedback. 

Got things to work by keeping https protocol and correcting the syntax for withCredentials like this: 


            withCredentials
([usernamePassword(credentialsId: 'username-with-password',
              passwordVariable
: 'GIT_PASS', usernameVariable: 'GIT_USER')]) {
                sh
('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
                sh
('git push https://$GIT_USER:$[hidden email]/OrgName/SampleRepo.git' --tags')
            }

For others: 
Using the Snippet Generator was key for me given that there are a couple of different syntaxes floating on the web for withCredentials() function. 

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fcc98693-93bd-4325-96ed-33a0053349a7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.