Get Jenkins to SSH into server and pull from git - post build

Question

I have a Jenkins instance and I am trying to create a continuous integration workflow. I am struggling to get jenkins to get the code onto the production server.

Here is what I'm trying to do:

1. on push to master branch (bitbucket), run build (working)
2. after build passed, SSH into production server (working)
3. on production server, git pull master to update the project (not working)

I seem to be having the following problem:

1. jenkins SSHs into the prod server with user deploy.
2. Although deploy has id_rsa keys in ~/.ssh, with the contents of id_rsa.pub in bitbucket's 'deployment keys' setting for the repo, I get a Permission denied (publickey). error when I run git pull or git clone.

So this has left me confused and I'm not sure where I'm going wrong.. For me it could be one or many of these things:

1. Why aren't deploy's ssh credentials being picked up automatically?
2. Should the prod server have its own SSH credentials? I think so.
3. Does this process seem sensible? It did to me until I ran into this trouble...

Any ideas, advice or alternative routes are greatly appreciated.

---

UPDATE

When running this myself as the same user that jenkins uses, when I run git clone ..., I get prompted for the passphrase for id_rsa. This must be where jenkins is tripping up as it cannot decode id_rsa. I will see if I can generate an ssh key that doesnt prompt for a passphrase

UPDATE 2

I generated an ssh key for the production server that did not require a passphrase to use, and this worked fine.

Answer 1

The specific problem here was that the SSH key that I had made on the production server required a passphrase to use. The jenkins script couldn't handle this, so it sent the git pull request with an encoded key so it got rejected.

I created SSH keys that required no passphrase and this solved my problem. This is the command I used:

ssh-keygen -t rsa -C "your_email@example.com" -N ''

The -N flag sets a passphrase on the key.

Answer 2

You should be using the Jenkins Publish over SSH plugin to talk to the target server from your Jenkins job. You can use it to run commands or scripts on the target. The SSH public/private key trust needs to be configured beforehand and configured in the plugin for the target server.

Answer 3

First of all, you should ensure git clone/pull works as intended on production server when launched manually.

Next, debug why doesn't it works driven by Jenkins.

Most likely reasons comes to my mind are:

• Jenkins agent populates incorrect ${HOME} environment variable for SSH session (I've suffered this error myself once), depends on how you implemented your job.
• using wrong git username on production (per-user global config may be set in ~/.gitconfig)
• using wrong private/public keys to access remote git repository on production (which you may want to configure in ~/.ssh/config)

I had implemented similar logic myself.

In my case production server was configured as Jenkins node, required HOME environment created in job workspace each time, and SSH and git access credentials are configured on Jenkins and populated on production on each run

PS: Using dedicated credentials for production server is absolutely normal (e.g. for security reasons)