CircleCI-Public / circleci-cli

Use CircleCI from the command line
https://circleci-public.github.io/circleci-cli/
MIT License

circleci local execute --checkout-key cannot find the file even though it exists #282

Open samsalisbury opened 5 years ago

samsalisbury commented 5 years ago

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

The --checkout-key=PATH flag is always unable to find the path specified, even when the path definitely exists.

Can you provide an example?

$ circleci version 
0.1.4786+bad101f

$ circleci help local execute | grep checkout-key
      --checkout-key string   Git Checkout key (default "~/.ssh/id_rsa")

# ~/.ssh/id_rsa seems like a reasonable default, I have a file there, see:

$ stat -l ~/.ssh/id_rsa 
-rw------- 1 ssalisbury (513) 3326 Apr 12 14:04:51 2017 /Users/ssalisbury/.ssh/id_rsa

$ circleci local execute --checkout-key ~/.ssh/id_rsa
Docker image digest: sha256:627a3ccc6a69281fc4c8a69b39f156d45c3e2ccafbb6323414688ba02424c5c4
Error: invalid argument "/Users/ssalisbury/.ssh/id_rsa" for "--checkout-key" flag: open /Users/ssalisbury/.ssh/id_rsa: no such file or directory
ERRO[0000] invalid argument "/Users/ssalisbury/.ssh/id_rsa" for "--checkout-key" flag: open /Users/ssalisbury/.ssh/id_rsa: no such file or directory

What is the expected behavior?

To use the file specified as the checkout key.

Which version of the CLI and OS are you using? Did this work in previous versions?

$ circleci version 
0.1.4786+bad101f
$ uname -a 
Darwin mbpssalisbury 18.2.0 Darwin Kernel Version 18.2.0: Thu Dec 20 20:46:53 PST 2018; root:xnu-4903.241.1~1/RELEASE_X86_64 x86_64

Please provide the output of circleci version and circleci diagnostic.

$ circleci version 
0.1.4786+bad101f

$ circleci diagnostic 

---
CircleCI CLI Diagnostics
---
Debugger mode: false
Config found: /Users/ssalisbury/.circleci/cli.yml
API host: https://circleci.com
API endpoint: graphql-unstable
OK, got a token.
Trying an introspection query on API... 
Ok.
Hello, Sam Salisbury.

If you have any questions, feel free to ping us at @CircleCI-Public/dx-clients.

samsalisbury commented 5 years ago

A wider issue seems to be that the reported "default" isn't really true, as using the so-called default value fails.

garak commented 5 years ago

It looks like it's a permission problem. I had the same issue; I tried making a copy of my key and changing its permissions to 644, and then the copied file is read correctly.

royvandewater commented 5 years ago

The docker process is usually run as the user docker, which would not have access to that file by default. However, changing the key's permissions away from 600 will usually cause SSH to refuse to use it. Ideally, I think the key would be copied and then chown'd to docker. That would make it so only docker & root would be able to do anything with that key.

marcomorain commented 4 years ago

cc @KunalJain

mt3593 commented 4 years ago

I'm using version 0.1.8302+a7a3bc9 (release) and getting this issue. The workaround suggested by @garak doesn't work for me, sadly.

mt3593 commented 4 years ago

Interesting, so I cp out my id_rsa file into the current project directory and ran:

circleci local execute --job fmt --checkout-key id_rsa

This now gets past the above issue of not finding the rsa file and fails with:

Docker image digest: sha256:ea6c856572603d47e8f5e8013f8a0b45c0fb91267a6a80ff51068a25e97ed6cd
====>> Spin Up Environment
Build-agent version  ()
Docker Engine Version: 19.03.12
Kernel Version: Linux 02b8c4d514d2 4.15.0-36-generic #39~16.04.1-Ubuntu SMP Tue Sep 25 08:59:23 UTC 2018 x86_64 Linux
Starting container circleci/clojure:openjdk-8-lein-2.9.1
  image is cached as circleci/clojure:openjdk-8-lein-2.9.1, but refreshing...
openjdk-8-lein-2.9.1: Pulling from circleci/clojure
Digest: sha256:9f8e75014a206dc7a5e01bbfe08c9c4741cd6f26a17acf60bf152b82a919a51f
Status: Image is up to date for circleci/clojure:openjdk-8-lein-2.9.1
  pull stats: N/A
  time to create container: 81ms
  using image circleci/clojure@sha256:9f8e75014a206dc7a5e01bbfe08c9c4741cd6f26a17acf60bf152b82a919a51f
Time to upload agent and config: 1.026581791s
Time to start containers: 1.281264124s
====>> Preparing Environment Variables
Using build environment variables:
  BASH_ENV=/tmp/.bash_env-localbuild-1593165850
  CI=true
  CIRCLECI=true
  CIRCLE_BRANCH=circle-ci-begin
  CIRCLE_BUILD_NUM=
  CIRCLE_JOB=fmt
  CIRCLE_NODE_INDEX=0
  CIRCLE_NODE_TOTAL=1
  CIRCLE_REPOSITORY_URL=git@github.com:gresham-computing/ccm.git
  CIRCLE_SHA1=0e74c3c10ed575c2f3d8cf3f51c657a231f65fb3
  CIRCLE_SHELL_ENV=/tmp/.bash_env-localbuild-1593165850
  CIRCLE_WORKING_DIRECTORY=~/project

The redacted variables listed above will be masked in run step output.
====>> Checkout code
  #!/bin/bash -eo pipefail
mkdir -p /home/circleci/project && cd /tmp/_circleci_local_build_repo && git ls-files | tar -T - -c | tar -x -C /home/circleci/project && cp -a /tmp/_circleci_local_build_repo/.git /home/circleci/project
/bin/bash: line 0: cd: /tmp/_circleci_local_build_repo: Permission denied
Error: 
Exited with code exit status 1

Step failed
Error: runner failed (exited with 101)
Task failed
Error: task failed

Dunedan commented 1 year ago

I'm running into the same issue as well. From my testing I believe it's not related to the file permissions of the key file, but instead fails as soon as the path of the key is outside of the project directory.

While this is also true for the "default" value of ~/.ssh/id_rsa, and therefore should fail even when not providing the --checkout-key command line option, as already mentioned by @samsalisbury, that default isn't used.

anden-akkio commented 1 year ago

Also seeing this happen. Even if ~/.ssh/id_rsa exists, it says it can't find it. Copying the file into the directory and adjusting the --checkout-key path causes it to find the file.
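
Added example (not part of the thread and not circleci-cli code): a shell helper that classifies a candidate --checkout-key path against the two explanations raised above (key outside the project directory, key mode looser than SSH accepts), plus a staging function following the copy-into-project workaround commenters reported. The file name `.checkout-key.local` and both function names are hypothetical; the staging step lists the copy in `.git/info/exclude` so the private key cannot be committed by accident.

```shell
#!/usr/bin/env bash
# Added example: diagnose and stage a key for `circleci local execute --checkout-key`.

# Print octal permission bits on Linux (GNU stat) or macOS (BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_checkout_key KEY [PROJECT_DIR]
# Prints one of: missing | outside-project | loose-permissions | ok
check_checkout_key() {
  local key=$1 project=${2:-.} key_dir project_abs mode
  [ -f "$key" ] || { echo "missing"; return 0; }
  key_dir=$(cd "$(dirname "$key")" && pwd -P) || return 1
  project_abs=$(cd "$project" && pwd -P) || return 1
  case "$key_dir/" in
    "$project_abs"/*) ;;                         # key lives under the project
    *) echo "outside-project"; return 0 ;;       # location hypothesis from the thread
  esac
  mode=$(file_mode "$key")
  # ssh rejects private keys that group or others can access (any of the 077 bits)
  if [ $(( 0$mode & 077 )) -eq 0 ]; then
    echo "ok"
  else
    echo "loose-permissions"
  fi
}

# stage_checkout_key SRC [PROJECT_DIR]
# Copies SRC into the project with mode 600 and excludes it from git locally.
# Prints the project-relative name to pass to --checkout-key.
stage_checkout_key() {
  local src=$1 project=${2:-.} name=.checkout-key.local   # hypothetical file name
  ( umask 077 && cp "$src" "$project/$name" ) || return 1
  chmod 600 "$project/$name"
  if [ -d "$project/.git" ]; then
    mkdir -p "$project/.git/info"
    grep -qxF "/$name" "$project/.git/info/exclude" 2>/dev/null ||
      echo "/$name" >> "$project/.git/info/exclude"
  fi
  echo "$name"
}
```

Delete the staged copy once the local run finishes, and prefer a dedicated read-only deploy key over a personal `id_rsa`.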