Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-49566

credentials-plugin 2.1.16 breaks ssh-private-key connection to docker slaves

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • credentials-plugin
    • None
    • jenkins 2.98
      ssh-credentials 1.13
      credentials 2.1.16
      docker-plugin 1.1.2
      ssh-slaves 1.25.1

      I was running a Jenkins setup with above plugins at indicated versions except credentials=2.1.14, with a docker cloud set up, connecting to agent docker container via ssh with a com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey and non-verifying verification strategy, successfully. Builds were working fine.

      An upgrade of credentials plugin to 2.1.16 immediately resulted in existing working jobs running on docker slaves no longer progressing at all.

      The job would wait for the node to come online forever. The docker container machine is running, and a "docker ps -a" shows the containers starting up.  The jenkins master log shows the container being provisioned and nothing happens after that, for hours and hours (some info redacted like <node-label> <full-path-for-docker-image> <cloud-name> <docker-host>):

      Feb 12, 2018 6:42:53 PM com.nirima.jenkins.plugins.docker.DockerCloud provision
INFO: Asked to provision 1 slave(s) for: <node-label>
Feb 12, 2018 6:42:53 PM com.nirima.jenkins.plugins.docker.DockerCloud provision
INFO: Will provision '<full-path-for-docker-image>', for label: '<node-label>', in cloud: '<cloud-name>'
Feb 12, 2018 6:42:53 PM com.nirima.jenkins.plugins.docker.DockerCloud addProvisionedSlave
INFO: Provisioning '<full-path-for-docker-image>' number '0' on '<cloud-name>'; Total containers: '0'
Feb 12, 2018 6:42:53 PM hudson.slaves.NodeProvisioner$StandardStrategyImpl apply
INFO: Started provisioning Image of <full-path-for-docker-image> from <cloud-name> with 1 executors. Remaining excess workload: 0
Feb 12, 2018 6:42:53 PM com.nirima.jenkins.plugins.docker.DockerTemplate pullImage
INFO: Pulling image '<full-path-for-docker-image>:latest'. This may take awhile...
Feb 12, 2018 6:42:54 PM com.nirima.jenkins.plugins.docker.DockerTemplate pullImage
INFO: Finished pulling image '<full-path-for-docker-image>:latest', took 534 ms
Feb 12, 2018 6:42:54 PM com.nirima.jenkins.plugins.docker.DockerTemplate provisionNode
INFO: Trying to run container for <full-path-for-docker-image>
Feb 12, 2018 6:42:55 PM com.nirima.jenkins.plugins.docker.utils.PortUtils$ConnectionCheckSSH execute
INFO: SSH port is open on <docker-host>:32800
Feb 12, 2018 6:42:55 PM hudson.slaves.NodeProvisioner$2 run
INFO: Image of <full-path-for-docker-image> provisioning successfully completed. We have now 19 computer(s)
Feb 12, 2018 6:42:55 PM com.nirima.jenkins.plugins.docker.DockerCloud provision
INFO: Asked to provision 1 slave(s) for: <node-label>
Feb 12, 2018 6:42:55 PM com.nirima.jenkins.plugins.docker.DockerCloud provision
INFO: Will provision '<full-path-for-docker-image>', for label: '<node-label>', in cloud: '<cloud-name>'
Feb 12, 2018 6:42:55 PM com.nirima.jenkins.plugins.docker.DockerCloud addProvisionedSlave
INFO: Not Provisioning '<full-path-for-docker-image>'. Instance limit of '1' reached on server '<cloud-name>'
[02/12/18 18:42:59] SSH Launch of docker-89e7866632f1 on <docker-host> failed in 3,447 ms

Feb 12, 2018 6:43:03 PM com.nirima.jenkins.plugins.docker.DockerCloud provision
INFO: Asked to provision 1 slave(s) for: <node-label>
Feb 12, 2018 6:43:03 PM com.nirima.jenkins.plugins.docker.DockerCloud provision
INFO: Will provision '<full-path-for-docker-image>', for label: '<node-label>', in cloud: '<cloud-name>'
Feb 12, 2018 6:43:03 PM com.nirima.jenkins.plugins.docker.DockerCloud addProvisionedSlave
INFO: Not Provisioning '<full-path-for-docker-image>'. Instance limit of '1' reached on server '<cloud-name>'

      The last block of 6 lines above (set apart with a blank line) ends up getting repeated over and over.

      I've observed the following:

      • that credentials@2.1.16 likes have a password (the credential configuration webpage shows a form field), which does not apply in my situation - I'm using a ssh username with private key specified directly in the credential entry
      • credentials@2.1.14 does not display a password form field on the configuration page
      • reverting credentials back to 2.1.14, plus recreating the credential, seems to solve the problem, but...
      • * on my jenkins 2.98 system, the credential configuration page always shows a yellow passphrase form field, and if I click submit it will populate the credentials.xml with a passphrase element; I have to repeatedly delete it before clicking ok to ensure no passphrase element is stored
      • * I have another jenkins system running 2.77 and credentials@2.1.14 where the credentials configuration page shows a white empty passphrase form field, and will NOT add any passphrase element to credentials.xml on submit

      I cannot find any error log or debugging output that discusses any cause of failure to connect (apart from the very generic "ssh launch failed", but my hunch is that some interaction with 2.1.16 is forcing a password or passphrase to be used when the original credential entry had none.

            Unassigned Unassigned
            dchsueh Daniel Hsueh
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: