
I'm running a Jenkins agent in K8s nodes. I add `git config --global http.sslVerify false` in the Dockerfile. I also add `~/.gitconfig` in the Dockerfile too. I try to use Jenkins `checkout` and `git` in the pipeline to fetch code, but I got the following error:

 stderr: fatal: unable to access 'https://gitlab-ops.prod.hccn/iac/gitops/vsphere_linux.git/': SSL certificate problem: unable to get local issuer certificate

But if I replace them with the `sh` `git clone` command, it's OK.

So here are my questions:

  1. `git config --global http.sslVerify false` only works for the `git` command and doesn't work for Jenkins `checkout` and `git`, right? Because the `git` command is a `sh` command, but Jenkins `checkout`/`git` is some kind of Java plugin?
  2. Does Jenkins `checkout` also reference the git or git-client plugin?
  3. How do I disable SSL verification for the Jenkins `checkout` and `git` plugin? I can't find it in the Jenkins git-client plugin, the Jenkins git plugin or the Jenkins scm plugin.

Supplement:

  1. I run `git config --global http.sslVerify false` on each k8s node
  2. Jenkins Version is 2.277.4
  3. Jenkins Git Plugin Version is 4.7.1
  4. Jenkins Git Client Plugin Version is 3.7.1

Supplement 2:

I have 2 git projects. The Jenkinsfile is in the first one, which is configured in the Jenkins job. The default checkout is working well. While the pipeline is running, it will try to pull another git project on the Jenkins agent; this is where the problem arises.

Bryan Chen

1 Answer


Using the Jenkins Git client plugin, I would avoid JGit (set in this setting)

https://cdn.jsdelivr.net/gh/jenkinsci/git-client-plugin@master/images/enable-jgit.png

I would:

  • select Git
  • Make sure git is in the $PATH of the Jenkins Controller (formerly known as "master")

Then the global setting http.sslVerify would be enforced.
Although, as seen here, JGit should also be able to read the same setting.

From the comments/discussion, the OP Bryan Chen adds:

I have two git projects.
The Jenkinsfile is in the first one, which is configured in the Jenkins job. The default checkout is working well.
While the pipeline is running, it will try to pull another git project on the Jenkins agent; this is where the problem arises.

That means the root cause seems to be within the container executing the job as an agent (in a container), not in the main Jenkins controller.

VonC
  • Hello, @VonC. My current git selection is `git`, the `.gitconfig` location is /root/ and it has taken effect. I can see it with `git config --list`, and the Jenkins process UID is root. At the same time, I run `git config --list` in the docker (Jenkins agent in K8s node), and it takes effect too. As I mentioned, `sh git` is OK but the Jenkins `checkout` and `git` functions are not. – Bryan Chen Nov 12 '21 at 09:00
  • @BryanChen Then double-check with which account the Jenkins controller is running, and try to make a job executed on the controller, with a simple script step `git config --global -l` – VonC Nov 12 '21 at 09:02
  • Hello @Vonc, here is the command output: `ps -ef | grep jenkins`: `root 2362 1 0 Nov04 ? 00:46:46 /etc/alternatives/java ........Omit some parameters`. Git config has taken effect: `git config --global -l`: `http.sslverify=false` – Bryan Chen Nov 12 '21 at 09:09
  • Here is full output: `root 2362 1 0 Nov04 ? 00:46:46 /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized -Xmx4096m -Dorg.csanchez.jenkins.plugins.kubernetes.pipeline.ContainerExecDecorator.websocketConnectionTimeout=60 -Djava.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=9080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 ` – Bryan Chen Nov 12 '21 at 09:14
  • @BryanChen Why running Jenkins as root though? This is usually a cause for reading the wrong global Git config. – VonC Nov 12 '21 at 09:24
  • Hello @Vonc, I compared my Jenkins config with the original Jenkins config from the rpm. The only differences are the Jenkins user, port and JVM params. Sadly, I changed the user back to jenkins, restarted Jenkins and then tested: same result… – Bryan Chen Nov 12 '21 at 09:58
  • @BryanChen That is why doing a test job with in it a `sh` step `git config --global -l; pwd; id -a` would help. – VonC Nov 12 '21 at 10:28
  • Hello @VonC, here is the script's brief output: `git config --global -l`: `http.sslverify=false` ... `whoami`: `root`... `cat /root/.gitconfig`: `[http] sslVerify =false`. (There is no `id -a` in the docker.) I'm afraid `root` is defined in the Dockerfile (or omitted as `root`). If I change the Jenkins agent from `root` to `jenkins`, I'm afraid I would have to rewrite a lot of code because in fact there is terraform that relies on root default terraform settings. – Bryan Chen Nov 12 '21 at 10:57
  • @BryanChen Root inside a docker container is not surprising. But keep in mind, the checkout is generally done on the Jenkins controller, not on the agent. Was your test job executed on the main controller? – VonC Nov 12 '21 at 11:04
  • I have an agent statement at the beginning of the pipeline. So the checkout step is actually run on the specific agent. I didn't write a real pipeline to test on the Jenkins master, but by way of the snippet generator, after I chose the correct credential, it shows no error. So I suppose the Jenkins master is OK. – Bryan Chen Nov 15 '21 at 05:58
  • Hello @VonC, I think you are misunderstanding something: I have **2 git projects**. The `Jenkinsfile` is in the first one, which is configured in the Jenkins job. The default checkout is working well. While the pipeline is running, it will try to pull another git project on the Jenkins agent; this is where the problem arises. – Bryan Chen Nov 15 '21 at 06:20
  • @BryanChen OK. That wasn't clear from your original question, indeed. In the docker container, JGit or "Jenkins Git client" is not a factor at all. Only the local Git installed in the container is. – VonC Nov 15 '21 at 06:58
  • So it is very weird that `git config --global` doesn't make any sense, right? – Bryan Chen Nov 15 '21 at 09:58
  • @BryanChen Yes, if it is done inside the container. – VonC Nov 15 '21 at 09:59
  • Hello @VonC, and one more thing I want to make sure of. Jenkins `checkout` and `git` actually invoke the `git` command, right? Perhaps this is a bug… – Bryan Chen Nov 15 '21 at 10:04
  • @BryanChen Yes. But in your case, the issue seems to be within the container executing the job as an agent. – VonC Nov 15 '21 at 10:35
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/239262/discussion-between-bryan-chen-and-vonc). – Bryan Chen Nov 16 '21 at 02:25
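
The thread keeps returning to which global Git config a given process actually reads. The following added example (not code from the question, the answer or any Jenkins plugin) resolves the files Git consults for the system and `--global` scopes from a process environment and reports where `http.sslVerify` ends up disabled, which also makes it usable for auditing agent images for switched-off TLS verification. Assumptions: only plain `[http] sslVerify` and the `GIT_SSL_NO_VERIFY` variable are evaluated (repository-local config, `-c` options and `[http "<url>"]` subsections are not), `/etc/gitconfig` is taken as the system file, and the two home directories in `demo()` are constructed.

```python
import re, tempfile
from pathlib import Path

SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)\s*(".*")?\s*\]')
KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')
TRUE_WORDS = {"true", "yes", "on", "1"}

def global_config_files(env):
    """Files git reads for --global scope, lowest precedence first."""
    if env.get("GIT_CONFIG_GLOBAL"):  # Git 2.32+: replaces both default files
        return [Path(env["GIT_CONFIG_GLOBAL"])]
    home = env.get("HOME")
    xdg = env.get("XDG_CONFIG_HOME") or (home and f"{home}/.config")
    found = [Path(xdg, "git", "config")] if xdg else []
    return found + ([Path(home, ".gitconfig")] if home else [])

def http_ssl_verify(path):
    """Last plain [http] sslVerify value in one file, or None if it is not set."""
    in_http, value = False, None
    for line in path.read_text().splitlines():
        header = SECTION.match(line)
        if header:  # [http "<url>"] subsections are out of scope here
            in_http = header.group(1).lower() == "http" and not header.group(2)
            continue
        kv = KEYVAL.match(re.split(r"[#;]", line)[0].rstrip())
        if in_http and kv and kv.group(1).lower() == "sslverify":
            # A bare key with no "=" means true; other words count as false here.
            value = kv.group(2) is None or kv.group(2).strip().lower() in TRUE_WORDS
    return value

def effective_ssl_verify(env, system="/etc/gitconfig"):
    """(verify, source) for one environment; later sources override earlier."""
    verify, source = True, "git default"
    for path in [Path(system), *global_config_files(env)]:
        found = http_ssl_verify(path) if path.is_file() else None
        if found is not None:
            verify, source = found, str(path)
    if "GIT_SSL_NO_VERIFY" in env:  # presence alone disables verification
        verify, source = False, "GIT_SSL_NO_VERIFY"
    return verify, source

def demo():
    """Constructed case: one image, two processes whose HOME differs."""
    with tempfile.TemporaryDirectory() as tmp:
        homes = [Path(tmp, "root"), Path(tmp, "home", "jenkins")]
        for home in homes:
            home.mkdir(parents=True)
        (homes[0] / ".gitconfig").write_text("[http]\n\tsslVerify = false\n")
        missing = str(Path(tmp, "no-system-gitconfig"))
        return [effective_ssl_verify({"HOME": str(h)}, missing) for h in homes]
```

Calling `effective_ssl_verify(dict(os.environ))` (after `import os`) from each process context shows whether both see the same setting and which file or variable it came from.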