Loading the jenkins shared library shows known host error

Hi,

I am using the jenkins/jenkins:2.375.1-lts-jdk11 image as my Jenkins instance. When I use a shared library, it gives me this:

After I ran git clone xxxx.git, typed yes and saved the known host inside the container and the host, it could pull the code but still gives me this notification.

BR
longkang

Is there anyone who can help?

Hi @longkang :wave:

Are you using docker-compose or a simple docker command?
What are your volumes?

Hi @poddingue

Thanks for your reply, I am using docker compose and this is my compose file:

version: '3'
services:
  jenkins:
    image: jenkins/jenkins:2.375.1-lts-jdk11
    user: root
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone/timezone:/etc/timezone:ro
      - /home/jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 8080:8080
      - 50000:50000
    restart: always
    privileged: true
    environment:
      - "JENKINS_JAVA_OPTS=-Xmx8g -Xms8g"

1 Like

Thanks @longkang .

Where is your agent, and how is it defined?
Is it the agent which is bundled with the controller?

1 Like

Hi @poddingue

This is the configuration of my agent:



And I am not quite sure what this “Is it the agent which is bundled with the controller?” means…Sorry about that.

1 Like

“is it the Built-In Node?” is probably a better description

In this case it looks like no, it’s 33.168

I can’t cite anything because you used a screenshot instead of code, but the blue text in your screenshot tells you what’s going on.

(agent or Controller, but I don’t think agent is assigned yet) first tries to get branches/tags/etc from the remote, but known_hosts (either $HOME/.ssh/known-hosts or /etc/ssh/known_hosts) doesn’t exist on the controller.

You either want to have that file populated properly (ssh-keyscan will work), or as the error message says, set up host keys globally.

1 Like

Hi @halkeye

Sorry about the screenshots.

Same here, I think the blue text part had not reached the agent part and it happened on the master node (or controller). So I tried to get the ssh keys and known hosts ready both in the host and container.

Which now you can see I could clone/pull the code locally:

on container:
root@4295fae0bd74:~# git clone ssh://git@192.168.111.48:23/roger/pipelines.git
Cloning into 'pipelines'...
remote: Enumerating objects: 15701, done.
remote: Counting objects: 100% (196/196), done.
remote: Compressing objects: 100% (82/82), done.
remote: Total 15701 (delta 93), reused 184 (delta 81), pack-reused 15505
Receiving objects: 100% (15701/15701), 1.75 MiB | 2.87 MiB/s, done.
Resolving deltas: 100% (8752/8752), done.
root@4295fae0bd74:~# cd .ssh/
root@4295fae0bd74:~/.ssh# ls
authorized_keys id_rsa id_rsa.pub id_rsa.pub_back id_rsa_back known_hosts pipelines

on host:
[root@localhost ~]# git clone ssh://git@192.168.111.48:23/roger/pipelines.git
Cloning into 'pipelines'...
remote: Enumerating objects: 15701, done.
remote: Counting objects: 100% (196/196), done.
remote: Compressing objects: 100% (82/82), done.
remote: Total 15701 (delta 93), reused 184 (delta 81), pack-reused 15505
Receiving objects: 100% (15701/15701), 1.75 MiB | 937.00 KiB/s, done.
Resolving deltas: 100% (8752/8752), done.
[root@localhost ~]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa_back id_rsa.pub id_rsa.pub_back known_hosts pipelines

After this, I restarted Jenkins but I still got the same error.

1 Like

How certain are you that jenkins is running as root?

I would check your assumptions on the system info page. Or configure it globally inside jenkins

1 Like

OH! I forgot. Not sure about the user part but I remembered it runs as the jenkins user? So do I need to create a user named ‘jenkins’ and then set up the known host and ssh key then give it a try?

1 Like

I tried to assign the controller’s label as master, and run ‘whoami’.

this is the output:
Started by user roger
Replayed #63
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/jenkins_home/workspace/simulator-setup
[Pipeline] {
[Pipeline] sh
+ whoami
root
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS


1 Like

Hi @halkeye

Sorry, I missed your point, I am not sure which part of the info you want to confirm… So here is all of it:




I think at least you don’t want to see the plugins part. So no more pics…

It does say user.home is /root, and user.name is root, so it’s probably needing the known hosts on the agent, not the controller.

@MarkEWaite probably knows more.

I again suggest setting up the known hosts config in your global manage jenkins settings, instead of depending on whatever your agent is set up. Makes it easier to add and remove agents.

1 Like

Running the Jenkins controller as the root user is a disaster waiting to happen. Don’t do that. Run the Jenkins controller as a normal user or as a service user so that your system cannot be destroyed by a mistake in a Jenkins job.

Don’t allow jobs to run on the Jenkins controller. That is also a disaster waiting to happen.

The combination of allowing jobs on the controller and running as the root user means that if a job made the mistake of running rm -rf / your system would be destroyed.

There are a few different solutions to the message about host keys.

If you’re running on an operating system with OpenSSH 7.6 or newer (FreeBSD, macOS, any supported Linux except CentOS 7), then you can configure the git plugin security settings to “Accept first connection” strategy for the “Git Host Key Verification Configuration” in the “Configure Global Security” settings.

If you’re running CentOS 7 or one of its derivatives, I recommend an operating system upgrade. If that’s not possible, then see the git client plugin documentation for other alternatives.

If you want to define the contents of your own known_hosts file, you are welcome to do that as well. Here are the host keys for some common git providers:

1 Like

I’m following these steps to make it work

curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

Next, verify that /var/lib/jenkins/.ssh exists. If it doesn’t, then create it like this:

# create directory (no error if it already exists)
sudo mkdir -p /var/lib/jenkins/.ssh

# ensure the directory is owned by the Jenkins user
sudo chown -R jenkins:jenkins /var/lib/jenkins/.ssh

Copy your known_hosts file over:

sudo cp ~/.ssh/known_hosts /var/lib/jenkins/.ssh

At this point, your Jenkins pipeline job has access to the new known_hosts file so you should be able to run it without any problem.

1 Like
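
An added example, not written by any poster in this thread: it illustrates the ssh-keyscan and known_hosts suggestions above by keeping only scanned keys whose SHA256 fingerprint was confirmed out of band, and by writing the host field in the `[host]:port` form that known_hosts requires for a non-default port such as the `192.168.111.48:23` server in the question. The function names, key blobs and trusted fingerprint are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_pattern(host, port=22):
    """known_hosts host field; non-default ports use the [host]:port form."""
    return host if port == 22 else f"[{host}]:{port}"

def pinned_entries(scan_output, host, port, trusted):
    """Return known_hosts lines for host:port whose fingerprint is trusted."""
    want = host_pattern(host, port)
    accepted = []
    for line in scan_output.splitlines():
        fields = line.split()
        # Skip blanks, comments, malformed lines and keys for other hosts.
        if len(fields) < 3 or fields[0] != want:
            continue
        try:
            fp = fingerprint(fields[2])
        except ValueError:  # undecodable base64 blob
            continue
        if fp in trusted:
            accepted.append(" ".join(fields[:3]))
    return accepted

# Constructed sample data: these are not real host keys.
KEY_A = base64.b64encode(b"constructed ed25519 key blob").decode()
KEY_B = base64.b64encode(b"constructed rsa key blob from an impostor").decode()
SCAN = (
    "# constructed ssh-keyscan style output\n"
    f"[192.168.111.48]:23 ssh-ed25519 {KEY_A}\n"
    f"[192.168.111.48]:23 ssh-rsa {KEY_B}\n"
    f"192.168.111.48 ssh-ed25519 {KEY_A}\n"
)
# Assumption: this fingerprint was confirmed with the Git server's admin.
TRUSTED = {fingerprint(KEY_A)}

if __name__ == "__main__":
    for entry in pinned_entries(SCAN, "192.168.111.48", 23, TRUSTED):
        print(entry)
```

The returned lines are what would be appended to the known_hosts file of the account Jenkins runs as; an entry without the bracketed port does not match a connection to port 23.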