jenkinsci / docker-ssh-agent

Docker image for Jenkins agents connected over SSH
https://hub.docker.com/repository/docker/jenkins/ssh-agent
MIT License

Unable to clone from Github due to ca cert missing #265

Closed smdrager closed 1 year ago

smdrager commented 1 year ago

Jenkins and plugins versions report

Environment

```
Not relevant to issue
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Both controller and agent are running on an Ubuntu VPS in Docker containers. Controller is running jenkins/jenkins:lts. Agent is running jenkins/ssh-agent:jdk11.

Reproduction steps

On the agent container, run `git clone https://github.com/smdrager/repo` (this can be done either directly in an interactive shell, or through a command from the controller via SSH).

Expected Results

Clones the repo.

Actual Results

```
ERROR: Error cloning remote repo 'origin'
hudson.plugins.git.GitException: Command "git fetch --tags --force --progress -- https://github.com/smdrager/repo/ +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout:
stderr: fatal: unable to access 'https://github.com/smdrager/repo/': server certificate verification failed. CAfile: none CRLfile: none
```

Anything else?

The `ca-certificates` package seems to be missing from the image. If I manually install it within the container via `apt update` `apt install ca-certificates`, the clone works fine. Is this an expected need for the image to talk to any https-enabled repo?

Thank you!

MarkEWaite commented 1 year ago

Thanks for reporting that issue. The container image seems to no longer be including the `ca-certificates` package in its installation, even though it is including the `git` package as expected. I can duplicate the problem with the `jenkins/ssh-agent:latest` but cannot duplicate the problem with `jenkins/ssh-agent:5.4.0-alpine-jdk11`. Will need to explore more containers to understand where the issue is visible and where it is not visible.

Containers that fail with `docker run jenkins/ssh-agent:${VER} git clone https://github.com/smdrager/snippets.git` include:

Containers that work with `docker run jenkins/ssh-agent:${VER} git clone https://github.com/smdrager/snippets.git` include:

MarkEWaite commented 1 year ago

I'm surprised that the git-lfs package that is installed does not have a mandatory dependency on the ca-certificates package. Most operations by git-lfs are performed over https, so the ca-certificates package seems like it should be a requirement.

smdrager commented 1 year ago

Thank you for looking into that so quickly. For a while I thought I was going crazy doing something wrong with the setup.

MarkEWaite commented 1 year ago

In the short term, you could switch to the alpine container image. I have a failing test written that shows the issue and should have a fix in a pull request later today.

smdrager commented 1 year ago

This caused me to make my first dockerfile with a fix, so it was a good learning experience.

```dockerfile
FROM jenkins/ssh-agent:jdk11
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
```

dduportal commented 1 year ago

> This caused me to make my first dockerfile with a fix, so it was a good learning experience.
>
> ```dockerfile
> FROM jenkins/ssh-agent:jdk11
> RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
> ```

Would you be willing to contribute to the repository? This codeblock (https://github.com/jenkinsci/docker-ssh-agent/blob/ed17bf574e54ebf84e8928f8abf460b27837a6af/debian/Dockerfile#L55-L62) looks like a good place to start, and it would help us a lot!

smdrager commented 1 year ago

I would but I wouldn't be able to until Wednesday. It looks like you have it! Thank you again.
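
The check below is an added example, not part of the issue thread or the project's own test suite: a build-time smoke test that fails when a Debian-based image has no CA bundle, the condition behind the `CAfile: none` error reported above. The bundle path assumes Debian's `ca-certificates` layout; the function names and the `ROOT` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the jenkinsci/docker-ssh-agent repository).
# Assumption: Debian's ca-certificates package writes its bundle to
# /etc/ssl/certs/ca-certificates.crt. ROOT is a hypothetical parameter so the
# check can run against "/" in a container or against an unpacked image rootfs.
CA_BUNDLE_REL="etc/ssl/certs/ca-certificates.crt"

# Print the number of PEM certificates in ROOT's bundle (0 if absent or empty).
count_ca_certs() {
    bundle="${1%/}/$CA_BUNDLE_REL"
    if [ -r "$bundle" ]; then
        # grep -c exits 1 on zero matches but still prints 0; keep that output.
        grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true
    else
        echo 0
    fi
}

# Return 0 when ROOT has a non-empty trust store, 1 (with a reason) otherwise.
check_trust_store() {
    root="${1:-/}"
    n=$(count_ca_certs "$root")
    if [ "$n" -gt 0 ]; then
        echo "ok: $n CA certificate(s) in ${root%/}/$CA_BUNDLE_REL"
        return 0
    fi
    echo "FAIL: no CA certificates in ${root%/}/$CA_BUNDLE_REL;" \
         "HTTPS clones will fail certificate verification" >&2
    return 1
}

# Demo on a constructed rootfs (placeholder PEM block, not a real certificate).
demo() {
    tmp=$(mktemp -d)
    check_trust_store "$tmp" 2>/dev/null && before=pass || before=fail
    mkdir -p "$tmp/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$tmp/$CA_BUNDLE_REL"
    check_trust_store "$tmp" >/dev/null && after=pass || after=fail
    rm -rf "$tmp"
    echo "without bundle: $before, with bundle: $after"
}

demo
```

Inside an image, `check_trust_store /` run as the last build step turns a missing bundle into a failed build instead of a failed clone on the agent.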