Problem when using 'Advanced sub-modules behaviours'

Jenkins setup: Version 2.395. Using Jenkins docker image (Linux host).

I am using a Multibranch Pipeline job to build some source by scanning GitHub.
I have some submodules and I am using credentials with full access to the GitHub repos.

As for my Jenkins agent, I am using Ubuntu Docker images that connect to the Jenkins controller via a cloud.

When I enable submodule processing, I get the error below.

hudson.plugins.git.GitException: Command "git submodule update --remote my_submodule" returned status code 1:
stderr: Cloning into 'my_submodule'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'my_github_repo' into submodule path 'my_submodule' failed
Failed to clone 'my_submodule'. Retry scheduled

Where does this error come from?

When I connect the Jenkins controller directly to the Jenkins agent host instead of using Docker images (using nodes, not clouds), there is no problem with the submodules. But I need to use Docker images to set up various environments.

So, are there any additional options that I have to check when using a Docker image Jenkins agent cloud and enabling submodule processing?

Thank you.

See the git client plugin documentation section on host key verification. You have several choices:

  • If using reasonably newer operating systems for controller and agents (no Red Hat 7, no CentOS 7), you can configure the “accept first” strategy to accept and remember the ssh host key on first connection
  • Provide the ssh host keys for the git repository hosts in the “manually provided keys” strategy
  • Place the ssh host keys in the ~/.ssh/known_hosts on all agents and use the “known hosts” strategy
  • Disable ssh host key verification with the “no verification” strategy (not recommended)

I’m surprised that the message is reported on some agents and not on other agents. That may indicate there is a bug in the git plugin handling of host key verification.

Can you provide more details about the configuration of the repository that is being used for submodule update?

  • Is the repository initially cloned with HTTPS or SSH protocol?
  • Are the submodule URLs HTTPS or SSH protocol? (based on the message, I assume they are SSH)
  • Are the submodule URLs using a different host than the initial repository?
  • Is the hostname of the submodule repository listed in the global host keys configuration on the Jenkins controller?

I’ve checked my job configuration and found out that I was cloning with the HTTPS protocol while other submodules were cloning with SSH. I added the Checkout over SSH filter to use the SSH protocol and added a credential using an SSH key registered in GitHub.

Thank you for your time!
PS. The reason why the static agent had no problem was that the SSH key of the static agent was already registered in GitHub.
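
The questions asked in the reply above can be answered on an agent image with a short script. This is an added example, not part of the original posts and not Jenkins or git plugin code: it lists each submodule URL from `.gitmodules`, flags a transport that differs from the parent repository's, and flags SSH hosts with no `known_hosts` entry. The function names, the `example-org` URLs and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh

# Print the transport of a git URL: ssh, https, relative or other.
url_scheme() {
  case "$1" in
    ssh://*) echo ssh ;;
    https://*) echo https ;;
    ./*|../*) echo relative ;;   # resolved against the parent URL by git
    *://*) echo other ;;
    *@*:*) echo ssh ;;           # scp-like form: git@host:org/repo.git
    *) echo other ;;
  esac
}

# Print the host of a git URL with scheme, user, port and path stripped.
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-z+]+://##; s#^[^@/]*@##; s#[:/].*$##'
}

# Succeed if host $1 has a plain entry in known_hosts file $2 (assumption:
# hashed "|1|..." entries are not matched here; ssh-keygen -F handles those).
host_known() {
  [ -r "$2" ] && awk -v h="$1" '
    /^[#@]/ || NF < 3 { next }
    { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
    END { exit !found }' "$2"
}

# audit_submodules PARENT_URL GITMODULES KNOWN_HOSTS: one line per submodule.
audit_submodules() {
  parent=$(url_scheme "$1")
  sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$2" |
  while IFS= read -r url; do
    scheme=$(url_scheme "$url"); host=$(url_host "$url"); finding=
    if [ "$scheme" = relative ]; then scheme=$parent; host=$(url_host "$1"); fi
    # A transport that differs from the parent's needs its own credential.
    [ "$scheme" = "$parent" ] || finding=protocol-mismatch
    if [ "$scheme" = ssh ] && ! host_known "$host" "$3"; then
      finding="${finding:+$finding,}host-key-missing"
    fi
    printf '%s %s %s %s\n' "$url" "$scheme" "$host" "${finding:-ok}"
  done
}

# Constructed sample mirroring the thread: HTTPS parent, SSH submodule.
demo=$(mktemp -d)
printf '[submodule "my_submodule"]\n\tpath = my_submodule\n\turl = git@github.com:example-org/my_submodule.git\n' > "$demo/gitmodules"
: > "$demo/known_hosts"   # empty, like a fresh container agent
audit_submodules https://github.com/example-org/app.git "$demo/gitmodules" "$demo/known_hosts"
rm -rf "$demo"
```

On a real agent, pass the parent repository's remote URL, the checked-out `.gitmodules` and the agent user's `~/.ssh/known_hosts`.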