yet-another-docker-plugin
Configuration-as-Code compatibility: cannot connect to containers using SSH
When configuring this plugin using the Configuration as Code plugin, SSH connections to containers are failing.
On closer inspection, it seems that the Yet Another Docker plugin is doing the following:
- ignoring the credentialsId defined in the dockerComputerSSHLauncher section
- adding a brand new SSH credential to Jenkins, containing no SSH key but specifying 'jenkins' as the relevant user (see attached images)
- using this new credential to manage the SSH connection to the build agent - which fails
jenkins:
  # ...
  clouds:
    - docker:
        connector:
          serverUrl: "tcp://10.11.12.13:2375"
        containerCap: 5
        name: "docker-build-host-01"
        templates:
          - dockerContainerLifecycle:
              createContainer:
                bindAllPorts: false
                cpuShares: 512
                hostname: ""
                memoryLimit: 0
                privileged: true
                shmSize: 0
                tty: false
                volumes:
                  - "/home/agent/.ssh:/home/agent/.ssh:ro"
                volumesString: "/home/agent/.ssh:/home/agent/.ssh:ro"
              image: "my.docker.registry.io/my-build-image:latest"
              pullImage:
                pullStrategy: PULL_NEVER
                registriesCreds:
                  - registryAddr: "my.docker.registry.io"
                    credentialsId: "registry-creds-defined-in-credentials-section"
              removeContainer:
                removeVolumes: false
            id: "12abcdef-3456-7890-abcd-123456789000"
            labelString: "docker-build-agent"
            launcher:
              dockerComputerSSHLauncher:
                sshConnector:
                  credentialsId: "ssh-key-defined-in-credentials-section"
                  maxNumRetries: 0
                  port: 22
                  retryWaitTime: 0
                  sshHostKeyVerificationStrategy: "nonVerifyingKeyVerificationStrategy"
            maxCapacity: 5
            osType: LINUX
            remoteFs: "/home/agent"
credentials:
  system:
    domainCredentials:
      - credentials:
          - dockerRegistryAuth:
              id: "registry-creds-defined-in-credentials-section"
              scope: GLOBAL
              description: "Jenkins credentials for my Docker registry"
              email: "[email protected]"
              username: "robincsmith"
              password: "${somePassword}"
          - basicSSHUserPrivateKey:
              id: "ssh-key-defined-in-credentials-section"
              scope: GLOBAL
              description: "SSH private key used to connect to Docker build agents"
              username: "agent"
              passphrase: ""
              privateKeySource:
                directEntry:
                  privateKey: "${privateKey}"
logs:
Feb 14, 2019 4:39:10 PM INFO com.github.kostyasha.yad.DockerCloud provision
Asked to provision load: '1', for: 'docker-build-agent' label
Feb 14, 2019 4:39:10 PM INFO com.github.kostyasha.yad.DockerCloud provision
Will provision 'my.docker.registry.io/my-build-image:latest', for label: 'docker-build-agent', in cloud: 'docker-build-host-01'
Feb 14, 2019 4:39:12 PM INFO com.github.kostyasha.yad.DockerCloud addProvisionedSlave
Provisioning 'my.docker.registry.io/my-build-image:latest' number '3' on 'docker-build-host-01'; Total containers: '3'
Feb 14, 2019 4:39:13 PM INFO com.github.kostyasha.yad.utils.HostAndPortChecker bySshWithEveryRetryWaitFor
SSH port is open on 10.11.12.13:43819
Feb 14, 2019 4:39:13 PM INFO com.github.kostyasha.yad.launcher.DockerComputerSSHLauncher getSSHLauncher
Creating slave SSH launcher for '10.11.12.13:43819'. Cloud: 'docker-build-host-01'. Template: 'my.docker.registry.io/my-build-image:latest'
Feb 14, 2019 4:39:13 PM WARNING hudson.plugins.sshslaves.SSHLauncher
This constructor is deprecated and will be removed on next versions, please do not use it.
Feb 14, 2019 4:39:20 PM INFO hudson.slaves.NodeProvisioner$2 run
my.docker.registry.io/my-build-image:latest provisioning successfully completed. We have now 2 computer(s)
The new SSH credential created:
Its contents:
I should add: once logged in to Jenkins, it is possible to navigate in the UI to the YADP configuration and set the SSH credential from the 'fake' SSH credential back to the intended one. The connection works fine after doing that.
I think you need to compare config.xml on the file system before and after. Try to cp it and diff after saving.
On second inspection, it looks like it's just not recognising the credentialId - in the UI, the credentials field is 'none'. I now can't reproduce the error I had before (something creating a new SSH credential)
Once I select the relevant credential from the drop-down, the config diff is (old <-> new):
128a129,131
> <credentialsId>ssh-key-defined-in-credentials-section</credentialsId>
> <jvmOptions></jvmOptions>
> <javaPath></javaPath>
144a148
> <credentialsId></credentialsId>
152a157
> <command></command>
154,155c159,167
< <volumes>
< <string>/home/agent/.ssh:/home/agent/.ssh:ro</string>
---
> <dnsHosts class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </dnsHosts>
> <volumes class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list">
> <string>/home/agent/.ssh:/home/agent/.ssh:ro</string>
> </c>
> <list reference="../c"/>
167a180,188
> <volumesFrom class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </volumesFrom>
> <environment class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </environment>
> <bindPorts></bindPorts>
172a194,211
> <extraHosts class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </extraHosts>
> <devices class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </devices>
> <cpusetCpus></cpusetCpus>
> <cpusetMems></cpusetMems>
> <links class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </links>
> <dockerLabels class="java.util.Collections$UnmodifiableRandomAccessList" resolves-to="java.util.Collections$UnmodifiableList">
> <c class="list"/>
> <list reference="../c"/>
> </dockerLabels>
177a217,218
> <workdir></workdir>
> <user></user>
188a230
> <containerId></containerId>
191a234
> <dockerHost></dockerHost>
214a258
> <credentialsId></credentialsId>
It's tricky to reproduce, but I'm seeing one of the symptoms every time I start up Jenkins (no SSH credential loaded into YetAnotherDocker configuration / new empty credential added to Jenkins and loaded into YetAnotherDocker configuration). Either way, the correct credential is not appearing in the YetAnotherDocker config in Jenkins UI.
I've checked my jenkins.yaml and the credentialsId in the YetAnotherDocker section matches the corresponding SSH Key in the credentials section (ssh-key-defined-in-credentials-section).
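A check for the symptoms reported in this thread, run against config.xml in the spirit of the before/after comparison suggested above (an added example, not code from the plugin or from the posters). The `<sshConnector>` element name, the function name and the sample XML are assumptions constructed for illustration; only `credentialsId`, `jvmOptions` and `javaPath` are taken from the diff.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragments. Only credentialsId, jvmOptions and javaPath
# appear in the page's diff; the <sshConnector> wrapper and the rest are assumed.
CASC_LOADED = """<cloud><templates><template><launcher>
  <sshConnector><port>22</port></sshConnector>
</launcher></template></templates></cloud>"""

SAVED_FROM_UI = """<cloud><templates><template><launcher>
  <sshConnector>
    <port>22</port>
    <credentialsId>ssh-key-defined-in-credentials-section</credentialsId>
    <jvmOptions></jvmOptions>
    <javaPath></javaPath>
  </sshConnector>
</launcher></template></templates></cloud>"""

# Ids declared in the credentials: section of the jenkins.yaml shown on the page.
DEFINED_IDS = {
    "registry-creds-defined-in-credentials-section",
    "ssh-key-defined-in-credentials-section",
}


def audit_credentials(xml_text, parent_tag, defined_ids):
    """Check the credentialsId child of every <parent_tag> element.

    Returns (index, status, value) tuples where status is 'missing'
    (no element), 'empty' (element without text) or 'undefined' (an id
    the credentials section does not declare, such as a credential that
    was created outside jenkins.yaml).
    """
    findings = []
    for index, node in enumerate(ET.fromstring(xml_text).iter(parent_tag)):
        child = node.find("credentialsId")
        if child is None:
            findings.append((index, "missing", None))
            continue
        value = (child.text or "").strip()
        if not value:
            findings.append((index, "empty", ""))
        elif value not in defined_ids:
            findings.append((index, "undefined", value))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("casc", CASC_LOADED), ("ui", SAVED_FROM_UI)):
        print(label, audit_credentials(xml_text, "sshConnector", DEFINED_IDS))
```

Run after Jenkins start-up, a non-empty result covers both reported symptoms: no credential loaded into the launcher, or a launcher pointing at a credential that jenkins.yaml never declared.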