dafyddPrys - 1 month ago
Git Question

Get Jenkins to SSH into server and pull from git - post build

I have a Jenkins instance and I am trying to create a continuous integration workflow. I am struggling to get Jenkins to get the code onto the production server.

Here is what I'm trying to do:


  1. on push to master branch (bitbucket), run build (working)

  2. after build passed, SSH into production server (working)

  3. on production server, git pull master to update the project (not working)



I seem to be having the following problem:


  1. Jenkins SSHs into the prod server with user `deploy`.

  2. Although `deploy` has `id_rsa` keys in `~/.ssh`, with the contents of `id_rsa.pub` in bitbucket's 'deployment keys' setting for the repo, I get a `Permission denied (publickey).` error when I run `git pull` or `git clone`.



So this has left me confused and I'm not sure where I'm going wrong. For me it could be one or many of these things:


  1. Why aren't deploy's ssh credentials being picked up automatically?

  2. Should the prod server have its own SSH credentials? I think so.

  3. Does this process seem sensible? It did to me until I ran into this trouble...



Any ideas, advice or alternative routes are greatly appreciated.




UPDATE

When running this myself as the same user that Jenkins uses, when I run `git clone ...`, I get prompted for the passphrase for id_rsa. This must be where Jenkins is tripping up as it cannot decode id_rsa. I will see if I can generate an ssh key that doesn't prompt for a passphrase.

UPDATE 2

I generated an ssh key for the production server that did not require a passphrase to use, and this worked fine.

Answer

First of all, you should ensure git clone/pull works as intended on production server when launched manually.

Next, debug why it doesn't work when driven by Jenkins.

The most likely reasons that come to my mind are:

  • Jenkins agent populates incorrect ${HOME} environment variable for SSH session (I've suffered this error myself once), depends on how you implemented your job.
  • using wrong git username on production (per-user global config may be set in ~/.gitconfig)
  • using wrong private/public keys to access remote git repository on production (which you may want to configure in ~/.ssh/config)

I had implemented similar logic myself.

In my case the production server was configured as a Jenkins node, the required HOME environment was created in the job workspace each time, and SSH and git access credentials are configured on Jenkins and populated on production on each run.

PS: Using dedicated credentials for production server is absolutely normal (e.g. for security reasons)
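
A preflight check for the failure found in the question's updates and the causes listed in the answer, as an added example that is not part of the original posts: it reports whether a private key can be used without a prompt (unencrypted, owner-only permissions) and whether `HOME` matches the account's home directory. The names `key_needs_passphrase`, `preflight` and `constructed_key` are hypothetical, the sample key is constructed, and the check assumes no ssh-agent is available to the Jenkins session.

```python
import base64, os, pwd, stat, struct, sys

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format

def key_needs_passphrase(pem_text):
    """True if the private key text is encrypted (ssh would prompt for a passphrase)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-wrapped private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])  # length-prefixed cipher name
        return blob[off + 4:off + 4 + n] != b"none"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:  # PKCS#8 encrypted container
        return True
    # Legacy PEM (e.g. "RSA PRIVATE KEY"): encrypted keys carry a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def preflight(key_path, env_home=None, account_home=None):
    """Return a list of reasons this key will fail in a non-interactive session."""
    env_home = os.environ.get("HOME") if env_home is None else env_home
    if account_home is None:
        account_home = pwd.getpwuid(os.getuid()).pw_dir
    problems = []
    if env_home != account_home:
        problems.append("HOME=%r differs from account home %r" % (env_home, account_home))
    if not os.path.isfile(key_path):
        return problems + ["no private key at %s" % key_path]
    if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        problems.append("%s is readable by group/other; ssh will refuse it" % key_path)
    with open(key_path) as fh:
        if key_needs_passphrase(fh.read()):
            problems.append("%s is passphrase-protected; no prompt is possible" % key_path)
    return problems

def constructed_key(cipher):
    """Constructed sample: only the header fields this check reads, no key material."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh/id_rsa")
    for line in preflight(path) or ["ok: key is usable without a prompt"]:
        print(line)
```

Run it as the deploy user inside the same non-interactive session Jenkins opens, not from an interactive login, so the environment it inspects is the one the job actually gets.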
