Tags: jenkins, jenkins-pipeline, ssh-agent

Jenkins ssh-agent starts and then stops immediately in pipeline build


I have a simple Jenkins pipeline build. This is my Jenkinsfile:

pipeline {
    agent any
    stages {
        stage('deploy-staging') {
            when {
                branch 'staging'
            }
            steps {
                sshagent(['my-credentials-id']) {
                    sh('git push joe@repo:project')
                }
            }
        }
    }
}

I am using sshagent to push to a git repo on a remote server. I have created credentials that point to a private key file in Jenkins master ~/.ssh.

When I run the build, I get this output (I replaced some sensitive info with *'s):

[ssh-agent] Using credentials *** (***@*** ssh key)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cjbm7oVQaJYk/agent.11558
SSH_AGENT_PID=11560
$ ssh-add ***
Identity added: ***
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 11560 killed;
[ssh-agent] Stopped.
[TDBNSSBFW6JYM3BW6AAVMUV4GVSRLNALY7TWHH6LCUAVI7J3NHJQ] Running shell script
+ git push joe@repo:project
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

As you can see, the ssh-agent starts, stops immediately after and then runs the git push command. The weird thing is it did work correctly once but that seemed completely random.

I'm still fairly new to Jenkins - am I missing something obvious? Any help appreciated, thanks.

edit: I'm running a multibranch pipeline, in case that helps.


Solution

  • I recently had a similar issue, though it was inside a Docker container. The logs gave the impression that ssh-agent exits too early, but actually the problem was that I had forgotten to add the git server to known hosts.

    I suggest ssh-ing onto your Jenkins master and trying to do the same steps as the pipeline does with ssh-agent (the CLI). Then you'll see where the problem is.

    E.g:

    eval $(ssh-agent -s)
    ssh-add ~/yourKey
    git clone
    

    As explained on help.github.com

    Update: Here is a util to add knownHosts if not yet added:

    /**
     * Add hostUrl to knownhosts on the system (or container) if necessary so that ssh commands will go through even if the certificate was not previously seen.
     * @param hostUrl
     */
    void tryAddKnownHost(String hostUrl){
        // ssh-keygen -F ${hostUrl} will fail (in bash that means status code != 0) if ${hostUrl} is not yet a known host
        def statusCode = sh script:"ssh-keygen -F ${hostUrl}", returnStatus:true
        if(statusCode != 0){
            sh "mkdir -p ~/.ssh"
            sh "ssh-keyscan ${hostUrl} >> ~/.ssh/known_hosts"
        }
    }
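
Added example, not part of the original answer: the util above appends whatever key ssh-keyscan returns, so the first connection is trusted blindly. The sketch below only adds the host when the scanned key equals a key pinned out of band, and fails the step on any mismatch. The function names, the host repo.example and both keys are constructed placeholders, and an unhashed known_hosts file is assumed.

```sh
#!/bin/sh
# Added example (not from the original answer). Host name and keys below are
# constructed placeholders; assumes an unhashed known_hosts file.

PINNED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPINNEDconstructedKEYforDEMOonly0000000000000'
SAMPLE_SCAN_GOOD="repo.example $PINNED_KEY"
SAMPLE_SCAN_BAD='repo.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERconstructedKEYforDEMOonly00000000000000'

# Print "<keytype> <base64>" of the first entry for host $1 and key type $2,
# reading "host keytype base64" lines from file $3 (or stdin if omitted).
key_for_host() {
    awk -v h="$1" -v t="$2" '$1 == h && $2 == t { print $2 " " $3; exit }' ${3:+"$3"}
}

# pin_known_host HOST PINNED_KEY KNOWN_HOSTS_FILE   (ssh-keyscan output on stdin)
#   0 = the pinned key is (now) in known_hosts
#   1 = the scan did not contain the pinned key; nothing is written
#   2 = known_hosts already holds a different key of that type for HOST
pin_known_host() {
    host=$1 pinned=$2 file=$3
    keytype=${pinned%% *}
    scanned=$(key_for_host "$host" "$keytype")
    if [ "$scanned" != "$pinned" ]; then
        echo "refusing $host: scanned key differs from pinned key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$file")" && touch "$file"
    existing=$(key_for_host "$host" "$keytype" "$file")
    [ "$existing" = "$pinned" ] && return 0      # already trusted, stay idempotent
    if [ -n "$existing" ]; then
        echo "refusing $host: known_hosts has a different $keytype key" >&2
        return 2
    fi
    printf '%s %s\n' "$host" "$pinned" >> "$file"
}

# In a pipeline sh step (needs network, so it is not run here):
#   ssh-keyscan -t ed25519 repo.example 2>/dev/null |
#       pin_known_host repo.example "$PINNED_KEY" "$HOME/.ssh/known_hosts"
```

A non-zero return fails the sh step, so a changed or unexpected host key stops the deploy instead of being silently accepted.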