Artifactory release management, git, ssh, TeamCity, Windows


thebroz
We're using TeamCity 9.1.3 with the latest Artifactory plugin. The TeamCity server is on Linux, but the build agents are Windows, for this particular problem. The Windows build agents are running as a Windows service, so they're running as the System user. Our git code is checked out on the agent via ssh, and the authentication is done with ssh keys. Our git server is Atlassian Stash. TeamCity works just fine for the checkout and the build.
Artifactory does not work correctly, however. It's ignoring the private key, or something. The logs are not that helpful.
TeamCity is using an uploaded Private key to do its checkout. That works just dandy. The private key is uploaded to the server, and propagated to the build agent, which then uses it to check out code to its mirror. Artifactory does not use this private key, apparently. Their documentation is not entirely clear about how this works. https://www.jfrog.com/confluence/display/RTF/TeamCity+Artifactory+Plugin+-+Release+Management
"Git support
When using Release Management - Git should be configured via SSH."
Nice. What does that mean? Git IS CONFIGURED via SSH. The above documentation is incomplete, and irritating.
Here's what I tried:
Given that the build agent is running as the System user, I've tried adding the private key manually to the System's .ssh directory: /c/windows/system32/config/systemprofile/.ssh
I set the permissions to .ssh to 700 and its contents to 600 via cygwin. The files are owned by System. I added a known_hosts file with the public key from Atlassian Stash. Atlassian Stash has the public key matching the private key on the agent. I was unable to figure out a way to open an SSH session as the System user, or I would have tried that.
I see this error in the build log:
"[Step 6/10] Git command '[cmd, /c, git, push, ssh://git@stash.our.perfectly.good.server:7999/qvc/repository.git, refs/heads/master]' returned status code '128': Permission denied (publickey).
fatal: Could not read from remote repository."

So, the system user is executing git, and trying to connect to the server, which it can get to, and the git server says no. Why? The git server has the public key, and my build agent has the private key and the known_hosts file has it too.

Re: Artifactory release management, git, ssh, TeamCity, Windows

thebroz
SOLVED, I think.

While I SAID I set the owner of the files in the .ssh directory to SYSTEM, I had forgotten to set the owner of the private key. Sheesh. So I set the owner to SYSTEM. I ran another build yesterday before I left work and it succeeded. I'll need to examine the results, but I suspect it will be good results.

The JFrog-Artifactory documentation for using ssh keys rather stinks, but I figured it out. I get that they didn't want to go too deeply into the process, but they might have pointed me at some Windows - SYSTEM docs that described how this is done. Further, JetBrains handles code checkout differently, and better. With TeamCity, there's no need to learn where to put keys and known_hosts files and such on EACH AGENT. I had hoped the Artifactory plugin would work with TeamCity, and deal with the code in the same manner.
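
The ownership problem described in this thread can be checked on each agent before a release build is attempted. The following audit script is an added example, not something posted by the thread's author or taken from JFrog or JetBrains; it assumes the .ssh directory path given in the first post and an elevated 64-bit PowerShell session, and the function name Test-SystemSshOwnership is hypothetical.

```powershell
# Added example: report files in the SYSTEM profile's .ssh directory that are
# not owned by SYSTEM, and which other accounts can read their contents.
# Assumption: the path below is the one quoted in the post; run elevated, from
# 64-bit PowerShell so that System32 is not redirected.
function Test-SystemSshOwnership {
    param(
        [string]$SshDir = "$env:SystemRoot\System32\config\systemprofile\.ssh"
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'  # LocalSystem
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Check the directory itself plus everything directly inside it.
    $items = @(Get-Item -LiteralPath $SshDir -Force) +
             @(Get-ChildItem -LiteralPath $SshDir -Force)

    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $owner = $acl.GetOwner($sidType)

        # Accounts other than SYSTEM that hold an Allow entry including ReadData.
        $otherReaders = @(
            $acl.GetAccessRules($true, $true, $sidType) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $readData) -and
                    $_.IdentityReference -ne $system
                } |
                ForEach-Object { $_.IdentityReference.Value }
        )

        [pscustomobject]@{
            Path          = $item.FullName
            Owner         = $acl.Owner
            OwnedBySystem = ($owner -eq $system)
            OtherReaders  = ($otherReaders -join ', ')
        }
    }
}

# List only the entries that would reproduce the failure described above.
Test-SystemSshOwnership | Where-Object { -not $_.OwnedBySystem } | Format-Table -AutoSize
```

Any row printed by the last line is a file or directory still owned by an account other than SYSTEM; the owner can be changed from an elevated prompt with the `/setowner` option of `icacls`.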